Microsoft Sentinel Analytic Rules

SAP ETD - Login from unexpected network

Id5dd72ebe-03ac-43ac-851b-68cfe5106e4f
RulenameSAP ETD - Login from unexpected network
DescriptionIdentifies logons from an unexpected network.

Source Action: Logon to the backend system from an IP address which is not assigned to one of the networks.

Networks can be maintained in the “SAP - Networks” watchlist of the Microsoft Sentinel Solution for SAP package.



*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
SeverityMedium
Required data connectorsSAPETDAlerts
KindScheduled
Query frequency1h
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
Version1.0.1
Arm template5dd72ebe-03ac-43ac-851b-68cfe5106e4f.json
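// SAP ETD - Login from unexpected network
//
// Emits one row per SAP Enterprise Threat Detection alert event whose logon source
// address (the "user_ip:" field of the original event) is not contained in any
// range listed in the "SAP - Networks" watchlist.
//
// Inputs : SAPETDAlerts_CL (one row per ETD alert; TriggeringEvents is an array)
//          watchlist 'SAP - Networks', whose Network column holds the IPv4 ranges
//          that count as expected.
// Output : TimeGenerated, the extracted_* fields, AlertId, PatternName,
//          PatternDescription, Status and GeoLocation. The extracted_* columns are
//          what the rule's entity mappings and custom details refer to, so their
//          names must stay stable.
let regex_ip = @"user_ip:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";
let regex_user = @"user_name:(\w+)";
let regex_sid = @"sid:(\w{3})";
let regex_client = @"client:(\d{3})";
let regex_instance_name = @"instance_name:(\w+)";
let regex_instance_host = @"instance_host:([\w-]+)";
let SAPNetworks = _GetWatchlist('SAP - Networks');
SAPETDAlerts_CL
// one row per triggering event so every logon is evaluated individually
| mv-expand TriggeringEvents
| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
// the ETD event is a flat "key:value" text; pull out the fields we need
| extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)
| extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)
| extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)
| extend extracted_client = extract(regex_client, 1, sapOriginalEvent)
| extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)
| extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)
// Events without an IPv4 in user_ip (field missing, or an IPv6 source) cannot be
// compared with the watchlist. Because the lookup below uses return_unmatched = true,
// such rows would otherwise pass the isempty(Network) filter and raise an alert that
// carries an empty IP entity and no geo data, so they are dropped here.
// NOTE(review): this means IPv6 logons are not evaluated by this rule at all — the
// regex and the lookup both need extending if the SAP landscape uses IPv6.
| where isnotempty(extracted_user_ip)
// keep every event; Network stays empty when no watchlist range contains the IP
| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
// "unexpected network" == no watchlist match
| where isempty(Network)
| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status
// private (RFC 1918) sources are only flagged; public ones are geo-enriched
| extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))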
# Entities the alert is tagged with. Each columnName is an output column of the
# query below (the extracted_* fields), so renaming a query column breaks the mapping.
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - columnName: extracted_sid
    identifier: AppId
  - columnName: extracted_instance_name
    identifier: InstanceName
- entityType: Host
  fieldMappings:
  - columnName: extracted_instance_host
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: extracted_user_ip
    identifier: Address
# One alert per returned row rather than one alert per query run.
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
severity: Medium
kind: Scheduled
# Detection query (KQL). Reads the SAPETDAlerts_CL table and the "SAP - Networks"
# watchlist; a row is returned when the logon IP matches none of the watchlist ranges
# (return_unmatched = true followed by isempty(Network)).
query: |
  let regex_ip = @"user_ip:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";
  let regex_user = @"user_name:(\w+)";
  let regex_sid = @"sid:(\w{3})";
  let regex_client = @"client:(\d{3})";
  let regex_instance_name = @"instance_name:(\w+)";
  let regex_instance_host = @"instance_host:([\w-]+)";
  let SAPNetworks = _GetWatchlist('SAP - Networks');
  SAPETDAlerts_CL
  | mv-expand TriggeringEvents
  | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
  | extend Id_ = TriggeringEvents.Id
  | extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)
  | extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)
  | extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)
  | extend extracted_client = extract(regex_client, 1, sapOriginalEvent)
  | extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)
  | extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)
  | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
  | where isempty(Network)
  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status
  | extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))  
# Extra fields shown on the alert; values are query output column names.
customDetails:
  ETD_AlertNumber: AlertId
  SAP_User: extracted_sap_user
status: Available
# Lookback window per run; the run interval is queryFrequency below.
queryPeriod: 2d
# Alert title and description are templated from the PatternName / PatternDescription
# columns carried through by the query's project.
alertDetailsOverride:
  alertDescriptionFormat: |
        {{PatternDescription}}
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
queryFrequency: 1h
# gt with triggerThreshold 0 (end of file): a single matching row is enough to alert.
triggerOperator: gt
# No MITRE mapping provided by the author.
tactics: []
description: |
  Identifies logons from an unexpected network.
  Source Action: Logon to the backend system from an IP address which is not assigned to one of the networks.
  Networks can be maintained in the "SAP - Networks" watchlist of the Microsoft Sentinel Solution for SAP package.

  *Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
name: SAP ETD - Login from unexpected network
# No MITRE technique mapping provided by the author.
relevantTechniques: []
version: 1.0.1
# Connector that must be enabled; SAPETDAlerts_CL is the table the query reads.
requiredDataConnectors:
- dataTypes:
  - SAPETDAlerts_CL
  connectorId: SAPETDAlerts
# Paired with triggerOperator gt above: any returned row raises an alert.
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5dd72ebe-03ac-43ac-851b-68cfe5106e4f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5dd72ebe-03ac-43ac-851b-68cfe5106e4f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{PatternDescription}}\n",
          "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
        },
        "alertRuleTemplateName": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
        "customDetails": {
          "ETD_AlertNumber": "AlertId",
          "SAP_User": "extracted_sap_user"
        },
        "description": "Identifies logons from an unexpected network.\nSource Action: Logon to the backend system from an IP address which is not assigned to one of the networks.\nNetworks can be maintained in the \"SAP - Networks\" watchlist of the Microsoft Sentinel Solution for SAP package.\n\n*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*\n",
        "displayName": "SAP ETD - Login from unexpected network",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "extracted_sid",
                "identifier": "AppId"
              },
              {
                "columnName": "extracted_instance_name",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "extracted_instance_host",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "extracted_user_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
        "query": "let regex_ip = @\"user_ip:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\";\nlet regex_user = @\"user_name:(\\w+)\";\nlet regex_sid = @\"sid:(\\w{3})\";\nlet regex_client = @\"client:(\\d{3})\";\nlet regex_instance_name = @\"instance_name:(\\w+)\";\nlet regex_instance_host = @\"instance_host:([\\w-]+)\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n| extend Id_ = TriggeringEvents.Id\n| extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)\n| extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)\n| extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)\n| extend extracted_client = extract(regex_client, 1, sapOriginalEvent)\n| extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)\n| extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status\n| extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({\"IsPrivate\": true}), geo_info_from_ip_address(extracted_user_ip))\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}