Microsoft Sentinel Analytic Rules

SAP LogServ - HANA DB - Deactivation of Audit Trail

Id8fb9fb88-693f-4906-8be2-4bb9771418fc
RulenameSAP LogServ - HANA DB - Deactivation of Audit Trail
DescriptionIdentifies deactivation of HANA DB audit log.



Source Action: Deactivate Audit Log in HANA DB security definitions.



*Data Sources: SAP LogServ - HANA DB (Syslog)*
SeverityHigh
TacticsPersistence
LateralMovement
DefenseEvasion
Required data connectorsSAPLogServ
KindScheduled
Query frequency10m
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml
Version1.0.0
Arm template8fb9fb88-693f-4906-8be2-4bb9771418fc.json
// Detection: SAP HANA audit trail switched off through the global auditing parameter.
// Input is the raw HANA audit record delivered via SAP LogServ (syslog) into
// SAPLogServ_CL.Raw; the record is ';'-separated, so fields are addressed by position.
// The column names below presumably mirror the HANA audit-trail field order — verify
// against the exporting system before relying on any column other than 2/3/6/7/13/14/24/26/27.
// Lookback bound; the rule's queryPeriod on this page is also 1h, so this only re-states
// the scheduling window inside the query.
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
// Case-sensitive match on the LogServ sub-directory that carries HANA audit records.
| where clz_subdir == "hanaaudit"
// Positional parse. Assumes no field value itself contains ';' — if one did, every
// column after it would shift and the filter below would silently miss the event.
// NOTE(review): confirm the LogServ export escapes or quotes ';' inside values.
| extend raw_split = split(Raw, ";")
// All 51 positions are projected so the rule's entity mappings (hostname, sid,
// database_name, client_ip_address), custom details (session_user) and the alert
// description (comment) can reference them by name; only columns 13, 24 and 26
// drive the filter.
| extend
  event_timestamp__col_0 = tostring(raw_split[0]), 
  service_name__col_1 = tostring(raw_split[1]), 
  hostname__col_2 = tostring(raw_split[2]), 
  sid__col_3 = tostring(raw_split[3]), 
  instance_number__col_4 = tostring(raw_split[4]), 
  port_number__col_5 = tostring(raw_split[5]), 
  database_name__col_6 = tostring(raw_split[6]), 
  client_ip_address__col_7 = tostring(raw_split[7]), 
  client_name__col_8 = tostring(raw_split[8]), 
  client_process_id__col_9 = tostring(raw_split[9]), 
  client_port_number__col_10 = tostring(raw_split[10]), 
  policy_name__col_11 = tostring(raw_split[11]), 
  audit_level__col_12 = tostring(raw_split[12]), 
  audit_action__col_13 = tostring(raw_split[13]), 
  session_user__col_14 = tostring(raw_split[14]), 
  target_schema__col_15 = tostring(raw_split[15]), 
  target_object__col_16 = tostring(raw_split[16]), 
  privilege_name__col_17 = tostring(raw_split[17]), 
  grantable__col_18 = tostring(raw_split[18]), 
  role_name__col_19 = tostring(raw_split[19]), 
  target_principal__col_20 = tostring(raw_split[20]), 
  action_status__col_21 = tostring(raw_split[21]), 
  component__col_22 = tostring(raw_split[22]), 
  section__col_23 = tostring(raw_split[23]), 
  parameter__col_24 = tostring(raw_split[24]), 
  old_value__col_25 = tostring(raw_split[25]), 
  new_value__col_26 = tostring(raw_split[26]), 
  comment__col_27 = tostring(raw_split[27]), 
  executed_statement__col_28 = tostring(raw_split[28]), 
  session_id__col_29 = tostring(raw_split[29]), 
  application_user_name__col_30 = tostring(raw_split[30]), 
  role_schema_name__col_31 = tostring(raw_split[31]), 
  grantee_schema_name__col_32 = tostring(raw_split[32]), 
  origin_database_name__col_33 = tostring(raw_split[33]), 
  origin_user_name__col_34 = tostring(raw_split[34]), 
  xs_application_user_name__col_35 = tostring(raw_split[35]), 
  application_name__col_36 = tostring(raw_split[36]), 
  statement_user_name__col_37 = tostring(raw_split[37]), 
  create_time__col_38 = tostring(raw_split[38]), 
  xsa_message_ip__col_39 = tostring(raw_split[39]), 
  xsa_tenant__col_40 = tostring(raw_split[40]), 
  xsa_uuid__col_41 = tostring(raw_split[41]), 
  xsa_channel__col_42 = tostring(raw_split[42]), 
  xsa_attachment_id__col_43 = tostring(raw_split[43]), 
  xsa_attachment_name__col_44 = tostring(raw_split[44]), 
  xsa_organization_id__col_45 = tostring(raw_split[45]), 
  xsa_space_id__col_46 = tostring(raw_split[46]), 
  xsa_instance_id__col_47 = tostring(raw_split[47]), 
  xsa_binding_id__col_48 = tostring(raw_split[48]), 
  xsa_object__col_49 = tostring(raw_split[49]), 
  xsa_data_subject__col_50 = tostring(raw_split[50])
// `contains` and `=~` are case-insensitive in KQL. The event of interest is an
// AUDIT CONFIGURATION change that sets global_auditing_state to false, i.e. auditing
// turned off for the whole database.
// NOTE(review): only the global switch is covered; a change that disables or drops a
// single audit policy presumably does not touch this parameter and would not match —
// confirm a companion rule covers that case.
| where 
  audit_action__col_13 contains "AUDIT CONFIGURATION" and 
  parameter__col_24 =~ "global_auditing_state" and
  new_value__col_26 =~ "false"
// Constant tag on every result row; presumably used to identify alerts from this rule
// downstream independently of the display name.
| extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'
description: |
  Identifies deactivation of HANA DB audit log.

  Source Action: Deactivate Audit Log in HANA DB security definitions.

  *Data Sources: SAP LogServ - HANA DB (Syslog)*  
# Sentinel scheduled analytic rule definition. The `query` block scalar that follows
# this section must stay identical to the KQL listing at the top of this page; a
# comment line placed inside it would become part of the query text.
name: SAP LogServ - HANA DB - Deactivation of Audit Trail
requiredDataConnectors:
- connectorId: SAPLogServ
  dataTypes:
  - SAPLogServ_CL
# All rows returned by one run are grouped into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertDisplayNameFormat: SAP LogServ - HANA DB - Deactivation of Audit Trail
  # The alert description is taken verbatim from the audit record's comment field
  # (column 27 of the raw line), so it may be empty or uninformative.
  alertDescriptionFormat: |
        {{comment__col_27}}
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml
triggerThreshold: 0
version: 1.0.0
status: Available
kind: Scheduled
# NOTE(review): queryPeriod (1h) is six times queryFrequency (10m, further down) and
# equals the query's own ago(60m) bound, so one deactivation event can re-match on up
# to six consecutive runs — confirm duplicate alerts are acceptable or dedupe on the event.
queryPeriod: 1h
id: 8fb9fb88-693f-4906-8be2-4bb9771418fc
# Surfaced as a custom detail on the alert; this is the only place the acting user appears.
customDetails:
  SAP_User: session_user__col_14
query: |
  let AuditTimeAgo = 60m;
  SAPLogServ_CL
  | where TimeGenerated >= ago(AuditTimeAgo)
  | where clz_subdir == "hanaaudit"
  | extend raw_split = split(Raw, ";")
  | extend
    event_timestamp__col_0 = tostring(raw_split[0]), 
    service_name__col_1 = tostring(raw_split[1]), 
    hostname__col_2 = tostring(raw_split[2]), 
    sid__col_3 = tostring(raw_split[3]), 
    instance_number__col_4 = tostring(raw_split[4]), 
    port_number__col_5 = tostring(raw_split[5]), 
    database_name__col_6 = tostring(raw_split[6]), 
    client_ip_address__col_7 = tostring(raw_split[7]), 
    client_name__col_8 = tostring(raw_split[8]), 
    client_process_id__col_9 = tostring(raw_split[9]), 
    client_port_number__col_10 = tostring(raw_split[10]), 
    policy_name__col_11 = tostring(raw_split[11]), 
    audit_level__col_12 = tostring(raw_split[12]), 
    audit_action__col_13 = tostring(raw_split[13]), 
    session_user__col_14 = tostring(raw_split[14]), 
    target_schema__col_15 = tostring(raw_split[15]), 
    target_object__col_16 = tostring(raw_split[16]), 
    privilege_name__col_17 = tostring(raw_split[17]), 
    grantable__col_18 = tostring(raw_split[18]), 
    role_name__col_19 = tostring(raw_split[19]), 
    target_principal__col_20 = tostring(raw_split[20]), 
    action_status__col_21 = tostring(raw_split[21]), 
    component__col_22 = tostring(raw_split[22]), 
    section__col_23 = tostring(raw_split[23]), 
    parameter__col_24 = tostring(raw_split[24]), 
    old_value__col_25 = tostring(raw_split[25]), 
    new_value__col_26 = tostring(raw_split[26]), 
    comment__col_27 = tostring(raw_split[27]), 
    executed_statement__col_28 = tostring(raw_split[28]), 
    session_id__col_29 = tostring(raw_split[29]), 
    application_user_name__col_30 = tostring(raw_split[30]), 
    role_schema_name__col_31 = tostring(raw_split[31]), 
    grantee_schema_name__col_32 = tostring(raw_split[32]), 
    origin_database_name__col_33 = tostring(raw_split[33]), 
    origin_user_name__col_34 = tostring(raw_split[34]), 
    xs_application_user_name__col_35 = tostring(raw_split[35]), 
    application_name__col_36 = tostring(raw_split[36]), 
    statement_user_name__col_37 = tostring(raw_split[37]), 
    create_time__col_38 = tostring(raw_split[38]), 
    xsa_message_ip__col_39 = tostring(raw_split[39]), 
    xsa_tenant__col_40 = tostring(raw_split[40]), 
    xsa_uuid__col_41 = tostring(raw_split[41]), 
    xsa_channel__col_42 = tostring(raw_split[42]), 
    xsa_attachment_id__col_43 = tostring(raw_split[43]), 
    xsa_attachment_name__col_44 = tostring(raw_split[44]), 
    xsa_organization_id__col_45 = tostring(raw_split[45]), 
    xsa_space_id__col_46 = tostring(raw_split[46]), 
    xsa_instance_id__col_47 = tostring(raw_split[47]), 
    xsa_binding_id__col_48 = tostring(raw_split[48]), 
    xsa_object__col_49 = tostring(raw_split[49]), 
    xsa_data_subject__col_50 = tostring(raw_split[50])
  | where 
    audit_action__col_13 contains "AUDIT CONFIGURATION" and 
    parameter__col_24 =~ "global_auditing_state" and
    new_value__col_26 =~ "false"
  | extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'  
# Entity mappings resolve the SAP system (SID + database), the HANA host and the
# client IP from the parsed audit record. No Account entity is mapped; the acting
# user is only exposed via customDetails (session_user__col_14).
entityMappings:
- fieldMappings:
  - columnName: sid__col_3
    identifier: AppId
  - columnName: database_name__col_6
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: hostname__col_2
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: client_ip_address__col_7
    identifier: Address
  entityType: IP
tactics:
- Persistence
- LateralMovement
- DefenseEvasion
queryFrequency: 10m
# NOTE(review): no ATT&CK technique is mapped although DefenseEvasion is listed;
# Impair Defenses (T1562) is the natural fit for disabling an audit trail — consider adding it.
relevantTechniques: []
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8fb9fb88-693f-4906-8be2-4bb9771418fc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8fb9fb88-693f-4906-8be2-4bb9771418fc')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{comment__col_27}}\n",
          "alertDisplayNameFormat": "SAP LogServ - HANA DB - Deactivation of Audit Trail"
        },
        "alertRuleTemplateName": "8fb9fb88-693f-4906-8be2-4bb9771418fc",
        "customDetails": {
          "SAP_User": "session_user__col_14"
        },
        "description": "Identifies deactivation of HANA DB audit log.\n\nSource Action: Deactivate Audit Log in HANA DB security definitions.\n\n*Data Sources: SAP LogServ - HANA DB (Syslog)*\n",
        "displayName": "SAP LogServ - HANA DB - Deactivation of Audit Trail",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "sid__col_3",
                "identifier": "AppId"
              },
              {
                "columnName": "database_name__col_6",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname__col_2",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "client_ip_address__col_7",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml",
        "query": "let AuditTimeAgo = 60m;\nSAPLogServ_CL\n| where TimeGenerated >= ago(AuditTimeAgo)\n| where clz_subdir == \"hanaaudit\"\n| extend raw_split = split(Raw, \";\")\n| extend\n  event_timestamp__col_0 = tostring(raw_split[0]), \n  service_name__col_1 = tostring(raw_split[1]), \n  hostname__col_2 = tostring(raw_split[2]), \n  sid__col_3 = tostring(raw_split[3]), \n  instance_number__col_4 = tostring(raw_split[4]), \n  port_number__col_5 = tostring(raw_split[5]), \n  database_name__col_6 = tostring(raw_split[6]), \n  client_ip_address__col_7 = tostring(raw_split[7]), \n  client_name__col_8 = tostring(raw_split[8]), \n  client_process_id__col_9 = tostring(raw_split[9]), \n  client_port_number__col_10 = tostring(raw_split[10]), \n  policy_name__col_11 = tostring(raw_split[11]), \n  audit_level__col_12 = tostring(raw_split[12]), \n  audit_action__col_13 = tostring(raw_split[13]), \n  session_user__col_14 = tostring(raw_split[14]), \n  target_schema__col_15 = tostring(raw_split[15]), \n  target_object__col_16 = tostring(raw_split[16]), \n  privilege_name__col_17 = tostring(raw_split[17]), \n  grantable__col_18 = tostring(raw_split[18]), \n  role_name__col_19 = tostring(raw_split[19]), \n  target_principal__col_20 = tostring(raw_split[20]), \n  action_status__col_21 = tostring(raw_split[21]), \n  component__col_22 = tostring(raw_split[22]), \n  section__col_23 = tostring(raw_split[23]), \n  parameter__col_24 = tostring(raw_split[24]), \n  old_value__col_25 = tostring(raw_split[25]), \n  new_value__col_26 = tostring(raw_split[26]), \n  comment__col_27 = tostring(raw_split[27]), \n  executed_statement__col_28 = tostring(raw_split[28]), \n  session_id__col_29 = tostring(raw_split[29]), \n  application_user_name__col_30 = tostring(raw_split[30]), \n  role_schema_name__col_31 = tostring(raw_split[31]), \n  grantee_schema_name__col_32 = tostring(raw_split[32]), \n  origin_database_name__col_33 = tostring(raw_split[33]), \n  origin_user_name__col_34 = 
tostring(raw_split[34]), \n  xs_application_user_name__col_35 = tostring(raw_split[35]), \n  application_name__col_36 = tostring(raw_split[36]), \n  statement_user_name__col_37 = tostring(raw_split[37]), \n  create_time__col_38 = tostring(raw_split[38]), \n  xsa_message_ip__col_39 = tostring(raw_split[39]), \n  xsa_tenant__col_40 = tostring(raw_split[40]), \n  xsa_uuid__col_41 = tostring(raw_split[41]), \n  xsa_channel__col_42 = tostring(raw_split[42]), \n  xsa_attachment_id__col_43 = tostring(raw_split[43]), \n  xsa_attachment_name__col_44 = tostring(raw_split[44]), \n  xsa_organization_id__col_45 = tostring(raw_split[45]), \n  xsa_space_id__col_46 = tostring(raw_split[46]), \n  xsa_instance_id__col_47 = tostring(raw_split[47]), \n  xsa_binding_id__col_48 = tostring(raw_split[48]), \n  xsa_object__col_49 = tostring(raw_split[49]), \n  xsa_data_subject__col_50 = tostring(raw_split[50])\n| where \n  audit_action__col_13 contains \"AUDIT CONFIGURATION\" and \n  parameter__col_24 =~ \"global_auditing_state\" and\n  new_value__col_26 =~ \"false\"\n| extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'\n",
        "queryFrequency": "PT10M",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "LateralMovement",
          "Persistence"
        ],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}