Microsoft Sentinel Analytic Rules

SAP ETD - Execution of Sensitive Function Module

Id: c6111e06-11e2-45eb-86ef-28313a06db35
Rulename: SAP ETD - Execution of Sensitive Function Module
Description: Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP



Source Action: Execute a sensitive function module directly using SE37.



*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
Severity: Medium
Tactics: Discovery
Required data connectors: SAPETDAlerts
Kind: Scheduled
Query frequency: 5m
Query period: 60m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml
Version: 1.0.0
Arm template: c6111e06-11e2-45eb-86ef-28313a06db35.json
// Lookback window and the minimum ETD alert quality (Threshold / Score)
// an alert must reach before it is considered at all.
let lookbackWindow = 60m;
let minAlertThreshold = 1;
let minAlertScore = 50;
// Watchlist of sensitive ABAP function modules (provided by the Microsoft
// Sentinel Solution for SAP). Names are whitespace-trimmed so that they
// compare cleanly against the trimmed ServiceFunctionName extracted below.
let sensitiveModules = _GetWatchlist('SAP - Sensitive Function Modules')
| project trimmedFunctionModule = trim(@"\s+", FunctionModule);
SAPETDAlerts_CL
// Single filter stage: time window, quality gate, and the ETD pattern of interest.
| where TimeGenerated > ago(lookbackWindow)
    and Threshold >= minAlertThreshold
    and Score >= minAlertScore
    and PatternName == "Critical Function module call in Test framework calls"
// One output row per triggering event carried inside the ETD alert.
| mv-expand NormalizedTriggeringEvents
// Flatten the event fields that the rule's entity mappings and custom details consume.
| extend
    sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent),
    Id_ = NormalizedTriggeringEvents.Id,
    extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator),
    extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing),
    extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor),
    extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor),
    extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName),
    extracted_function_module = trim(@"\s+", tostring(NormalizedTriggeringEvents.ServiceFunctionName)),
    extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)
// Keep only calls to modules on the watchlist. `in` is case-sensitive, so the
// watchlist entries and ServiceFunctionName must use the same casing to match.
| where extracted_function_module in (sensitiveModules)
| extend
    AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module,
        " was executed by user ", extracted_sap_user,
        " in a ", tolower(extracted_system_role), " system"),
    Dummy = " "
# Microsoft Sentinel scheduled analytic rule definition. The query block
# repeats the KQL listed above; the remaining keys describe how Sentinel
# schedules the query and turns its rows into alerts and entities.
queryPeriod: 60m
# Block scalar: comments must not be placed inside it, they would become
# part of the query text.
query: |
  let AuditTimeAgo = 60m;
  let minThreshold= 1;
  let minScore= 50;
  let SenseModules = _GetWatchlist('SAP - Sensitive Function Modules')
  | project trimmedFunctionModule = trim(@"\s+", FunctionModule);
  SAPETDAlerts_CL
  | where TimeGenerated > ago(AuditTimeAgo)
  | where Threshold >= minThreshold and Score >= minScore
  | where PatternName == "Critical Function module call in Test framework calls"
  | mv-expand NormalizedTriggeringEvents
  | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)
  | extend Id_ = NormalizedTriggeringEvents.Id
  | extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
  | extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing)
  | extend extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor)
  | extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
  | extend extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName)
  | extend extracted_function_module = trim(@"\s+", tostring(NormalizedTriggeringEvents.ServiceFunctionName))
  | extend extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)
  | where extracted_function_module in (SenseModules)
  | extend AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module," was executed by user ", extracted_sap_user, 
  " in a ", tolower(extracted_system_role), " system"), Dummy = " "  
version: 1.0.0
name: SAP ETD - Execution of Sensitive Function Module
# Entity mappings consume the extracted_* columns the query extends:
# CloudApplication from extracted_sid / extracted_instance_name, Host from
# extracted_instance_host, IP from extracted_user_ip.
# NOTE(review): the acting SAP user (extracted_sap_user) is surfaced only as a
# custom detail below, not as an Account entity — confirm that is intended.
entityMappings:
- fieldMappings:
  - columnName: extracted_sid
    identifier: AppId
  - columnName: extracted_instance_name
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: extracted_instance_host
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: extracted_user_ip
    identifier: Address
  entityType: IP
# SingleAlert: all rows returned by one run are grouped into one alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml
# Alert title/description come from the PatternName / PatternDescription
# columns; the AlertName column the query computes is not referenced here.
# NOTE(review): PatternDescription is not extended by the query — presumably a
# column of SAPETDAlerts_CL; verify against the table schema.
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
  alertDescriptionFormat: |
    {{PatternDescription}}

    Source: SAP ETD    
description: |
  Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP

  Source Action: Execute a sensitive function module directly using SE37.

  *Data Sources: SAP Enterprise Thread Detection Solution -  Alerts*  
kind: Scheduled
status: Available
severity: Medium
# The rule only produces results once the SAPETDAlerts connector feeds SAPETDAlerts_CL.
requiredDataConnectors:
- connectorId: SAPETDAlerts
  dataTypes:
  - SAPETDAlerts_CL
# gt 0: any returned row raises the alert.
triggerOperator: gt
triggerThreshold: 0
# ETD_AlertNumber reads AlertId, which the query does not extend — presumably a
# column of SAPETDAlerts_CL; verify. SAP_User carries the acting SAP user.
customDetails:
  ETD_AlertNumber: AlertId
  SAP_User: extracted_sap_user
tactics:
- Discovery
id: c6111e06-11e2-45eb-86ef-28313a06db35
# No ATT&CK technique IDs are attached to this rule.
relevantTechniques: []