SAP LogServ - HANA DB - Deactivation of Audit Trail
Id | 8fb9fb88-693f-4906-8be2-4bb9771418fc |
Rulename | SAP LogServ - HANA DB - Deactivation of Audit Trail |
Description | Identifies deactivation of HANA DB audit log. Source Action: Deactivate Audit Log in HANA DB security definitions. *Data Sources: SAP LogServ - HANA DB (Syslog)* |
Severity | High |
Tactics | Persistence LateralMovement DefenseEvasion |
Required data connectors | SAPLogServ |
Kind | Scheduled |
Query frequency | 10m |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml |
Version | 1.0.0 |
Arm template | 8fb9fb88-693f-4906-8be2-4bb9771418fc.json |
// SAP LogServ - HANA DB - Deactivation of Audit Trail (Sentinel scheduled rule).
// Raises a High-severity alert when a HANA audit-configuration event sets the
// global auditing state to false, i.e. HANA auditing has been switched off.
//
// Lookback window for one run. It equals the rule's queryPeriod (1h); the rule
// runs every 10m with suppression disabled, so a single deactivation event can
// be returned by up to six consecutive runs — NOTE(review): confirm this is the
// intended behaviour rather than a window matching the 10m frequency.
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
// Keep only the HANA audit-trail stream (clz_subdir presumably names the
// LogServ log sub-directory the line was collected from — verify against the
// connector).
| where clz_subdir == "hanaaudit"
// The audit record arrives as one semicolon-delimited line in Raw. This is a
// plain delimiter split: if any field value itself contains ';', every column
// after it shifts by one. The columns this rule filters on (13, 24, 26) and the
// ones it surfaces (2, 3, 6, 7, 14, 27) all sit before executed_statement__col_28,
// which by its name is the field most likely to carry an embedded ';' —
// NOTE(review): confirm the earlier fields cannot contain the delimiter.
| extend raw_split = split(Raw, ";")
// Give each positional field a name of the form <field>__col_<index>. Only a
// few of these are referenced by the rule itself (the where clause below, the
// entity mappings, custom details and alert description); the remaining
// columns are not referenced by this rule.
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
// Detection condition: an AUDIT CONFIGURATION action that set the
// global_auditing_state parameter to false. `contains` and `=~` are
// case-insensitive, so letter-case variations in the audit record still match.
| where
audit_action__col_13 contains "AUDIT CONFIGURATION" and
parameter__col_24 =~ "global_auditing_state" and
new_value__col_26 =~ "false"
// Constant tag identifying this rule on each result row; its consumers are not
// part of this definition.
| extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'
description: |
Identifies deactivation of HANA DB audit log.
Source Action: Deactivate Audit Log in HANA DB security definitions.
*Data Sources: SAP LogServ - HANA DB (Syslog)*
name: SAP LogServ - HANA DB - Deactivation of Audit Trail
requiredDataConnectors:
- connectorId: SAPLogServ
dataTypes:
- SAPLogServ_CL
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDisplayNameFormat: SAP LogServ - HANA DB - Deactivation of Audit Trail
alertDescriptionFormat: |
{{comment__col_27}}
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml
triggerThreshold: 0
version: 1.0.0
status: Available
kind: Scheduled
queryPeriod: 1h
id: 8fb9fb88-693f-4906-8be2-4bb9771418fc
customDetails:
SAP_User: session_user__col_14
query: |
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"
| extend raw_split = split(Raw, ";")
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
| where
audit_action__col_13 contains "AUDIT CONFIGURATION" and
parameter__col_24 =~ "global_auditing_state" and
new_value__col_26 =~ "false"
| extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'
entityMappings:
- fieldMappings:
- columnName: sid__col_3
identifier: AppId
- columnName: database_name__col_6
identifier: InstanceName
entityType: CloudApplication
- fieldMappings:
- columnName: hostname__col_2
identifier: FullName
entityType: Host
- fieldMappings:
- columnName: client_ip_address__col_7
identifier: Address
entityType: IP
tactics:
- Persistence
- LateralMovement
- DefenseEvasion
queryFrequency: 10m
relevantTechniques: []
severity: High
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb9fb88-693f-4906-8be2-4bb9771418fc')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb9fb88-693f-4906-8be2-4bb9771418fc')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{comment__col_27}}\n",
"alertDisplayNameFormat": "SAP LogServ - HANA DB - Deactivation of Audit Trail"
},
"alertRuleTemplateName": "8fb9fb88-693f-4906-8be2-4bb9771418fc",
"customDetails": {
"SAP_User": "session_user__col_14"
},
"description": "Identifies deactivation of HANA DB audit log.\n\nSource Action: Deactivate Audit Log in HANA DB security definitions.\n\n*Data Sources: SAP LogServ - HANA DB (Syslog)*\n",
"displayName": "SAP LogServ - HANA DB - Deactivation of Audit Trail",
"enabled": true,
"entityMappings": [
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "sid__col_3",
"identifier": "AppId"
},
{
"columnName": "database_name__col_6",
"identifier": "InstanceName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "hostname__col_2",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "client_ip_address__col_7",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml",
"query": "let AuditTimeAgo = 60m;\nSAPLogServ_CL\n| where TimeGenerated >= ago(AuditTimeAgo)\n| where clz_subdir == \"hanaaudit\"\n| extend raw_split = split(Raw, \";\")\n| extend\n event_timestamp__col_0 = tostring(raw_split[0]), \n service_name__col_1 = tostring(raw_split[1]), \n hostname__col_2 = tostring(raw_split[2]), \n sid__col_3 = tostring(raw_split[3]), \n instance_number__col_4 = tostring(raw_split[4]), \n port_number__col_5 = tostring(raw_split[5]), \n database_name__col_6 = tostring(raw_split[6]), \n client_ip_address__col_7 = tostring(raw_split[7]), \n client_name__col_8 = tostring(raw_split[8]), \n client_process_id__col_9 = tostring(raw_split[9]), \n client_port_number__col_10 = tostring(raw_split[10]), \n policy_name__col_11 = tostring(raw_split[11]), \n audit_level__col_12 = tostring(raw_split[12]), \n audit_action__col_13 = tostring(raw_split[13]), \n session_user__col_14 = tostring(raw_split[14]), \n target_schema__col_15 = tostring(raw_split[15]), \n target_object__col_16 = tostring(raw_split[16]), \n privilege_name__col_17 = tostring(raw_split[17]), \n grantable__col_18 = tostring(raw_split[18]), \n role_name__col_19 = tostring(raw_split[19]), \n target_principal__col_20 = tostring(raw_split[20]), \n action_status__col_21 = tostring(raw_split[21]), \n component__col_22 = tostring(raw_split[22]), \n section__col_23 = tostring(raw_split[23]), \n parameter__col_24 = tostring(raw_split[24]), \n old_value__col_25 = tostring(raw_split[25]), \n new_value__col_26 = tostring(raw_split[26]), \n comment__col_27 = tostring(raw_split[27]), \n executed_statement__col_28 = tostring(raw_split[28]), \n session_id__col_29 = tostring(raw_split[29]), \n application_user_name__col_30 = tostring(raw_split[30]), \n role_schema_name__col_31 = tostring(raw_split[31]), \n grantee_schema_name__col_32 = tostring(raw_split[32]), \n origin_database_name__col_33 = tostring(raw_split[33]), \n origin_user_name__col_34 = tostring(raw_split[34]), \n 
xs_application_user_name__col_35 = tostring(raw_split[35]), \n application_name__col_36 = tostring(raw_split[36]), \n statement_user_name__col_37 = tostring(raw_split[37]), \n create_time__col_38 = tostring(raw_split[38]), \n xsa_message_ip__col_39 = tostring(raw_split[39]), \n xsa_tenant__col_40 = tostring(raw_split[40]), \n xsa_uuid__col_41 = tostring(raw_split[41]), \n xsa_channel__col_42 = tostring(raw_split[42]), \n xsa_attachment_id__col_43 = tostring(raw_split[43]), \n xsa_attachment_name__col_44 = tostring(raw_split[44]), \n xsa_organization_id__col_45 = tostring(raw_split[45]), \n xsa_space_id__col_46 = tostring(raw_split[46]), \n xsa_instance_id__col_47 = tostring(raw_split[47]), \n xsa_binding_id__col_48 = tostring(raw_split[48]), \n xsa_object__col_49 = tostring(raw_split[49]), \n xsa_data_subject__col_50 = tostring(raw_split[50])\n| where \n audit_action__col_13 contains \"AUDIT CONFIGURATION\" and \n parameter__col_24 =~ \"global_auditing_state\" and\n new_value__col_26 =~ \"false\"\n| extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'\n",
"queryFrequency": "PT10M",
"queryPeriod": "PT1H",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"LateralMovement",
"Persistence"
],
"techniques": [],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}