Microsoft Sentinel Analytic Rules

SAP ETD - Execution of Sensitive Function Module

Idc6111e06-11e2-45eb-86ef-28313a06db35
RulenameSAP ETD - Execution of Sensitive Function Module
DescriptionIdentifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP



Source Action: Execute a sensitive function module directly using SE37.



*Data Sources: SAP Enterprise Threat Detection Solution - Alerts*
SeverityMedium
TacticsDiscovery
Required data connectorsSAPETDAlerts
KindScheduled
Query frequency5m
Query period60m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml
Version1.0.0
Arm templatec6111e06-11e2-45eb-86ef-28313a06db35.json
// Flags execution of a sensitive ABAP function module, using SAP Enterprise
// Threat Detection (ETD) alerts and the "SAP - Sensitive Function Modules"
// watchlist shipped with the Microsoft Sentinel solution for SAP.
//
// NOTE(review): the rule runs every 5m but looks back 60m, so a single ETD
// alert can be returned by up to 12 consecutive runs; confirm that overlap is
// intended (e.g. to absorb late-arriving ETD alerts) or align the two windows.
let lookback = 60m;       // must match the rule's queryPeriod
let minThreshold = 1;     // floor on the ETD alert Threshold column
let minScore = 50;        // floor on the ETD alert Score column
// Watchlist values are whitespace-trimmed so they compare cleanly against the
// function name carried in the triggering event.
let sensitiveModules = _GetWatchlist('SAP - Sensitive Function Modules')
| project trimmedFunctionModule = trim(@"\s+", FunctionModule);
SAPETDAlerts_CL
| where TimeGenerated > ago(lookback)
// Only the ETD pattern that covers function-module calls through the test
// framework, and only alerts that clear both floors.
| where Threshold >= minThreshold
    and Score >= minScore
    and PatternName == "Critical Function module call in Test framework calls"
// One row per triggering event; every field below is read from that event.
| mv-expand NormalizedTriggeringEvents
| extend
    sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent),
    Id_ = NormalizedTriggeringEvents.Id,
    extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator),
    extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing),
    extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor),
    extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor),
    extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName),
    // trimmed the same way as the watchlist column it is compared against
    extracted_function_module = trim(@"\s+", tostring(NormalizedTriggeringEvents.ServiceFunctionName)),
    extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)
// Keep only events whose function module is on the watchlist. `in` is an
// exact, case-sensitive match; watchlist entries must use the same casing as
// the ETD event (ABAP function-module names are conventionally upper case).
| where extracted_function_module in (sensitiveModules)
// AlertName feeds the alert title. Dummy is carried over from the original
// query; nothing on this page (entity mappings, custom details) references it.
| extend
    AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module,
        " was executed by user ", extracted_sap_user,
        " in a ", tolower(extracted_system_role), " system"),
    Dummy = " "
name: SAP ETD - Execution of Sensitive Function Module
severity: Medium
triggerOperator: gt
relevantTechniques: []
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: extracted_sid
    identifier: AppId
  - columnName: extracted_instance_name
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: extracted_instance_host
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: extracted_user_ip
    identifier: Address
  entityType: IP
queryPeriod: 60m
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SAPETDAlerts_CL
  connectorId: SAPETDAlerts
tactics:
- Discovery
alertDetailsOverride:
  alertDescriptionFormat: |
    {{PatternDescription}}

    Source: SAP ETD    
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml
status: Available
query: |
  let AuditTimeAgo = 60m;
  let minThreshold= 1;
  let minScore= 50;
  let SenseModules = _GetWatchlist('SAP - Sensitive Function Modules')
  | project trimmedFunctionModule = trim(@"\s+", FunctionModule);
  SAPETDAlerts_CL
  | where TimeGenerated > ago(AuditTimeAgo)
  | where Threshold >= minThreshold and Score >= minScore
  | where PatternName == "Critical Function module call in Test framework calls"
  | mv-expand NormalizedTriggeringEvents
  | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)
  | extend Id_ = NormalizedTriggeringEvents.Id
  | extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
  | extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing)
  | extend extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor)
  | extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
  | extend extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName)
  | extend extracted_function_module = trim(@"\s+", tostring(NormalizedTriggeringEvents.ServiceFunctionName))
  | extend extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)
  | where extracted_function_module in (SenseModules)
  | extend AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module," was executed by user ", extracted_sap_user, 
  " in a ", tolower(extracted_system_role), " system"), Dummy = " "  
queryFrequency: 5m
id: c6111e06-11e2-45eb-86ef-28313a06db35
customDetails:
  SAP_User: extracted_sap_user
  ETD_AlertNumber: AlertId
eventGroupingSettings:
  aggregationKind: SingleAlert
description: |
  Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP

  Source Action: Execute a sensitive function module directly using SE37.

  *Data Sources: SAP Enterprise Threat Detection Solution -  Alerts*  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c6111e06-11e2-45eb-86ef-28313a06db35')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c6111e06-11e2-45eb-86ef-28313a06db35')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{PatternDescription}}\n\nSource: SAP ETD\n",
          "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
        },
        "alertRuleTemplateName": "c6111e06-11e2-45eb-86ef-28313a06db35",
        "customDetails": {
          "ETD_AlertNumber": "AlertId",
          "SAP_User": "extracted_sap_user"
        },
        "description": "Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP\n\nSource Action: Execute a sensitive function module directly using SE37.\n\n*Data Sources: SAP Enterprise Threat Detection Solution -  Alerts*\n",
        "displayName": "SAP ETD - Execution of Sensitive Function Module",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "extracted_sid",
                "identifier": "AppId"
              },
              {
                "columnName": "extracted_instance_name",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "extracted_instance_host",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "extracted_user_ip",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml",
        "query": "let AuditTimeAgo = 60m;\nlet minThreshold= 1;\nlet minScore= 50;\nlet SenseModules = _GetWatchlist('SAP - Sensitive Function Modules')\n| project trimmedFunctionModule = trim(@\"\\s+\", FunctionModule);\nSAPETDAlerts_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where Threshold >= minThreshold and Score >= minScore\n| where PatternName == \"Critical Function module call in Test framework calls\"\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)\n| extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing)\n| extend extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor)\n| extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)\n| extend extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName)\n| extend extracted_function_module = trim(@\"\\s+\", tostring(NormalizedTriggeringEvents.ServiceFunctionName))\n| extend extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)\n| where extracted_function_module in (SenseModules)\n| extend AlertName = strcat(\"SAP ETD - Sensitive Function Module \", extracted_function_module,\" was executed by user \", extracted_sap_user, \n\" in a \", tolower(extracted_system_role), \" system\"), Dummy = \" \"\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT60M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}