SAP ETD - Login from unexpected network
| Id | 5dd72ebe-03ac-43ac-851b-68cfe5106e4f |
| Rulename | SAP ETD - Login from unexpected network |
| Description | Identifies logons from an unexpected network. Source Action: Logon to the backend system from an IP address that is not assigned to one of the networks. Networks can be maintained in the “SAP - Networks” watchlist of the Microsoft Sentinel Solution for SAP package. *Data Sources: SAP Enterprise Threat Detection Solution - Alerts* |
| Severity | Medium |
| Tactics | Discovery |
| Required data connectors | SAPETDAlerts |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml |
| Version | 1.0.3 |
| Arm template | 5dd72ebe-03ac-43ac-851b-68cfe5106e4f.json |
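// Flags SAP backend logons whose source IP is not covered by any range in the
// "SAP - Networks" watchlist, using SAP ETD alerts that already report an
// external / unallowed-IP logon.
// NOTE(review): the rule's queryPeriod is 30m while this window is 60m; if the
// 30m lookback bounds the data the scheduled query sees, the extra 30m here has
// no effect — confirm which bound is intended.
let AuditTimeAgo = 60m;
// SystemIdActor is expected to start with "<SID>/" and end with "/<client>".
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @"/(\d{3})$";
// Watchlist of known networks; the lookup below matches against its Network column.
let SAPNetworks = _GetWatchlist('SAP - Networks');
SAPETDAlerts_CL
| where TimeGenerated > ago(AuditTimeAgo)
| where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
// One row per triggering event so each logon source is checked individually.
| mv-expand NormalizedTriggeringEvents
| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
// Events without an initiator IP cannot be classified and are dropped.
| where isnotempty(extracted_user_ip)
| extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted
| extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
| extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
| extend extracted_instance_name = NormalizedTriggeringEvents.NetworkHostnameActor
| extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator
// return_unmatched keeps rows with no watchlist hit; those are the unexpected networks.
// NOTE(review): an initiator value that is not a valid IPv4 address would presumably
// also be left unmatched and surface here — verify that is the desired behaviour.
| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
| where isempty(Network)
// The previously computed sapOriginalEvent / Id_ columns were never projected, so
// they are no longer computed; NormalizedTriggeringEvents still carries the raw event.
| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents
// Private addresses have no geo data; mark them instead of calling the geo lookup.
| extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))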
relevantTechniques: []
entityMappings:
- fieldMappings:
- columnName: extracted_sid
identifier: AppId
- columnName: extracted_instance_name
identifier: InstanceName
entityType: CloudApplication
- fieldMappings:
- columnName: extracted_instance_host
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: extracted_user_ip
identifier: Address
entityType: IP
version: 1.0.3
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
description: |
Identifies logons from an unexpected network.
Source Action: Logon to the backend system from an IP address that is not assigned to one of the networks.
Networks can be maintained in the "SAP - Networks" watchlist of the Microsoft Sentinel Solution for SAP package.
*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
customDetails:
SAP_User: extracted_sap_user
ETD_AlertNumber: AlertId
requiredDataConnectors:
- connectorId: SAPETDAlerts
dataTypes:
- SAPETDAlerts_CL
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
alertDescriptionFormat: |
{{PatternDescription}}
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f
queryFrequency: 5m
query: |
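// Flags SAP backend logons whose source IP is not covered by any range in the
// "SAP - Networks" watchlist, using SAP ETD alerts that already report an
// external / unallowed-IP logon.
// NOTE(review): the rule's queryPeriod is 30m while this window is 60m; if the
// 30m lookback bounds the data the scheduled query sees, the extra 30m here has
// no effect — confirm which bound is intended.
let AuditTimeAgo = 60m;
// SystemIdActor is expected to start with "<SID>/" and end with "/<client>".
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @"/(\d{3})$";
// Watchlist of known networks; the lookup below matches against its Network column.
let SAPNetworks = _GetWatchlist('SAP - Networks');
SAPETDAlerts_CL
| where TimeGenerated > ago(AuditTimeAgo)
| where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
// One row per triggering event so each logon source is checked individually.
| mv-expand NormalizedTriggeringEvents
| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
// Events without an initiator IP cannot be classified and are dropped.
| where isnotempty(extracted_user_ip)
| extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted
| extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
| extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))
| extend extracted_instance_name = NormalizedTriggeringEvents.NetworkHostnameActor
| extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator
// return_unmatched keeps rows with no watchlist hit; those are the unexpected networks.
// NOTE(review): an initiator value that is not a valid IPv4 address would presumably
// also be left unmatched and surface here — verify that is the desired behaviour.
| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
| where isempty(Network)
// The previously computed sapOriginalEvent / Id_ columns were never projected, so
// they are no longer computed; NormalizedTriggeringEvents still carries the raw event.
| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents
// Private addresses have no geo data; mark them instead of calling the geo lookup.
| extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))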
severity: Medium
status: Available
queryPeriod: 30m
name: SAP ETD - Login from unexpected network
tactics:
- Discovery
kind: Scheduled