SAP LogServ - HANA DB - User Admin actions
| Id | a9e4b02a-5a8c-4c59-9836-a204d1028632 |
| Rulename | SAP LogServ - HANA DB - User Admin actions |
| Description | Identifies user administration actions. Source Action: Create/Update/Delete a DB User. *Data Sources: SAP LogServ - HANA DB (Syslog)* |
| Severity | High |
| Tactics | PrivilegeEscalation |
| Required data connectors | SAPLogServ |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-UserAdminActions.yaml |
| Version | 1.0.0 |
| Arm template | a9e4b02a-5a8c-4c59-9836-a204d1028632.json |
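// Flags SAP HANA user-administration statements recorded in the HANA audit
// trail and forwarded through SAP LogServ (table SAPLogServ_CL, sub-directory
// "hanaaudit"). Raw holds one ';'-delimited audit record; the positional
// column names below follow the audit-trail layout this rule assumes —
// verify it against the source audit policy, since a missing or shifted
// field moves every later column (including audit_action__col_13).
//
// NOTE(review): a 60m lookback on a 10m schedule re-evaluates each event in up
// to six consecutive runs, so one statement can raise repeated alerts; align
// the lookback with the run frequency (plus an ingestion-delay margin) if that
// is not intended.
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"
| extend raw_split = split(Raw, ";")
// Fields 0-50 of the audit record. Only a handful drive the filter, the entity
// mappings and the alert text, but all are exposed for investigation.
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
// Case-insensitive match on the audited action. One in~ list replaces the
// original or-chain, which mixed "..." and '...' quoting. DROP SCHEMA is kept
// as in the original rule although it targets a schema rather than a user.
| where audit_action__col_13 in~ ("CREATE USER", "ALTER USER", "DROP USER", "DROP SCHEMA")
| extend AlertRuleUniqueName = 'hanadb-useradminactions-logserv'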
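# Microsoft Sentinel scheduled analytic rule: SAP HANA user-administration
# statements seen in the HANA audit trail forwarded via SAP LogServ.
# Indentation restored from the flattened rendering; key order kept as found.
alertDetailsOverride:
  # The alert text is the audit record's free-text comment field (column 27).
  alertDescriptionFormat: |
    {{comment__col_27}}
  alertDisplayNameFormat: SAP LogServ - HANA DB - User Admin actions
description: |
  Identifies user administration actions.
  Source Action: Create/Update/Delete a DB User.
  *Data Sources: SAP LogServ - HANA DB (Syslog)*
kind: Scheduled
tactics:
  - PrivilegeEscalation
requiredDataConnectors:
  - connectorId: SAPLogServ
    dataTypes:
      - SAPLogServ_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-UserAdminActions.yaml
severity: High
name: SAP LogServ - HANA DB - User Admin actions
customDetails:
  # Session user that issued the statement (audit column 14).
  SAP_User: session_user__col_14
triggerThreshold: 0
# NOTE(review): a 1h period on a 10m frequency re-evaluates each event in up to
# six runs with no grouping window, so one statement can alert repeatedly;
# align queryPeriod/AuditTimeAgo with queryFrequency (plus an ingestion-delay
# margin) if that is not intended.
queryPeriod: 1h
query: |
  // Raw is one ';'-delimited HANA audit record; the positional column names
  // below follow the audit-trail layout this rule assumes — verify it against
  // the source audit policy, since a missing or shifted field moves every
  // later column (including audit_action__col_13).
  let AuditTimeAgo = 60m;
  SAPLogServ_CL
  | where TimeGenerated >= ago(AuditTimeAgo)
  | where clz_subdir == "hanaaudit"
  | extend raw_split = split(Raw, ";")
  // Fields 0-50 of the audit record; only a few drive the filter, the entity
  // mappings and the alert text, but all are exposed for investigation.
  | extend
  event_timestamp__col_0 = tostring(raw_split[0]),
  service_name__col_1 = tostring(raw_split[1]),
  hostname__col_2 = tostring(raw_split[2]),
  sid__col_3 = tostring(raw_split[3]),
  instance_number__col_4 = tostring(raw_split[4]),
  port_number__col_5 = tostring(raw_split[5]),
  database_name__col_6 = tostring(raw_split[6]),
  client_ip_address__col_7 = tostring(raw_split[7]),
  client_name__col_8 = tostring(raw_split[8]),
  client_process_id__col_9 = tostring(raw_split[9]),
  client_port_number__col_10 = tostring(raw_split[10]),
  policy_name__col_11 = tostring(raw_split[11]),
  audit_level__col_12 = tostring(raw_split[12]),
  audit_action__col_13 = tostring(raw_split[13]),
  session_user__col_14 = tostring(raw_split[14]),
  target_schema__col_15 = tostring(raw_split[15]),
  target_object__col_16 = tostring(raw_split[16]),
  privilege_name__col_17 = tostring(raw_split[17]),
  grantable__col_18 = tostring(raw_split[18]),
  role_name__col_19 = tostring(raw_split[19]),
  target_principal__col_20 = tostring(raw_split[20]),
  action_status__col_21 = tostring(raw_split[21]),
  component__col_22 = tostring(raw_split[22]),
  section__col_23 = tostring(raw_split[23]),
  parameter__col_24 = tostring(raw_split[24]),
  old_value__col_25 = tostring(raw_split[25]),
  new_value__col_26 = tostring(raw_split[26]),
  comment__col_27 = tostring(raw_split[27]),
  executed_statement__col_28 = tostring(raw_split[28]),
  session_id__col_29 = tostring(raw_split[29]),
  application_user_name__col_30 = tostring(raw_split[30]),
  role_schema_name__col_31 = tostring(raw_split[31]),
  grantee_schema_name__col_32 = tostring(raw_split[32]),
  origin_database_name__col_33 = tostring(raw_split[33]),
  origin_user_name__col_34 = tostring(raw_split[34]),
  xs_application_user_name__col_35 = tostring(raw_split[35]),
  application_name__col_36 = tostring(raw_split[36]),
  statement_user_name__col_37 = tostring(raw_split[37]),
  create_time__col_38 = tostring(raw_split[38]),
  xsa_message_ip__col_39 = tostring(raw_split[39]),
  xsa_tenant__col_40 = tostring(raw_split[40]),
  xsa_uuid__col_41 = tostring(raw_split[41]),
  xsa_channel__col_42 = tostring(raw_split[42]),
  xsa_attachment_id__col_43 = tostring(raw_split[43]),
  xsa_attachment_name__col_44 = tostring(raw_split[44]),
  xsa_organization_id__col_45 = tostring(raw_split[45]),
  xsa_space_id__col_46 = tostring(raw_split[46]),
  xsa_instance_id__col_47 = tostring(raw_split[47]),
  xsa_binding_id__col_48 = tostring(raw_split[48]),
  xsa_object__col_49 = tostring(raw_split[49]),
  xsa_data_subject__col_50 = tostring(raw_split[50])
  // Case-insensitive match on the audited action; one in~ list replaces the
  // original or-chain, which mixed "..." and '...' quoting. DROP SCHEMA is
  // kept as in the original rule although it targets a schema, not a user.
  | where audit_action__col_13 in~ ("CREATE USER", "ALTER USER", "DROP USER", "DROP SCHEMA")
  | extend AlertRuleUniqueName = 'hanadb-useradminactions-logserv'
# NOTE(review): no ATT&CK technique is mapped; T1136 (Create Account) and
# T1098 (Account Manipulation) are the closest fits for create/alter user —
# confirm before populating.
relevantTechniques: []
id: a9e4b02a-5a8c-4c59-9836-a204d1028632
queryFrequency: 10m
status: Available
version: 1.0.0
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - columnName: sid__col_3
        identifier: AppId
      - columnName: database_name__col_6
        identifier: InstanceName
  - entityType: Host
    fieldMappings:
      - columnName: hostname__col_2
        identifier: FullName
  - entityType: IP
    fieldMappings:
      - columnName: client_ip_address__col_7
        identifier: Address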