SAP LogServ - HANA DB - Audit Trail Policy Changes

Back


Id	e8394afb-82a7-4718-8d31-cc57ad352fa8
Rulename	SAP LogServ - HANA DB - Audit Trail Policy Changes
Description	Identifies changes for HANA DB audit trail policies. Source Action: Create / update existing audit policy in security definitions. Data Sources: SAP LogServ - HANA DB (Syslog)
Severity	High
Tactics	Persistence LateralMovement DefenseEvasion
Required data connectors	SAPLogServ
Kind	Scheduled
Query frequency	10m
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AuditTrailPolicyChanges.yaml
Version	1.0.0
Arm template	e8394afb-82a7-4718-8d31-cc57ad352fa8.json

KQL

let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"
| extend raw_split = split(Raw, ";")
| extend
  event_timestamp__col_0 = tostring(raw_split[0]), 
  service_name__col_1 = tostring(raw_split[1]), 
  hostname__col_2 = tostring(raw_split[2]), 
  sid__col_3 = tostring(raw_split[3]), 
  instance_number__col_4 = tostring(raw_split[4]), 
  port_number__col_5 = tostring(raw_split[5]), 
  database_name__col_6 = tostring(raw_split[6]), 
  client_ip_address__col_7 = tostring(raw_split[7]), 
  client_name__col_8 = tostring(raw_split[8]), 
  client_process_id__col_9 = tostring(raw_split[9]), 
  client_port_number__col_10 = tostring(raw_split[10]), 
  policy_name__col_11 = tostring(raw_split[11]), 
  audit_level__col_12 = tostring(raw_split[12]), 
  audit_action__col_13 = tostring(raw_split[13]), 
  session_user__col_14 = tostring(raw_split[14]), 
  target_schema__col_15 = tostring(raw_split[15]), 
  target_object__col_16 = tostring(raw_split[16]), 
  privilege_name__col_17 = tostring(raw_split[17]), 
  grantable__col_18 = tostring(raw_split[18]), 
  role_name__col_19 = tostring(raw_split[19]), 
  target_principal__col_20 = tostring(raw_split[20]), 
  action_status__col_21 = tostring(raw_split[21]), 
  component__col_22 = tostring(raw_split[22]), 
  section__col_23 = tostring(raw_split[23]), 
  parameter__col_24 = tostring(raw_split[24]), 
  old_value__col_25 = tostring(raw_split[25]), 
  new_value__col_26 = tostring(raw_split[26]), 
  comment__col_27 = tostring(raw_split[27]), 
  executed_statement__col_28 = tostring(raw_split[28]), 
  session_id__col_29 = tostring(raw_split[29]), 
  application_user_name__col_30 = tostring(raw_split[30]), 
  role_schema_name__col_31 = tostring(raw_split[31]), 
  grantee_schema_name__col_32 = tostring(raw_split[32]), 
  origin_database_name__col_33 = tostring(raw_split[33]), 
  origin_user_name__col_34 = tostring(raw_split[34]), 
  xs_application_user_name__col_35 = tostring(raw_split[35]), 
  application_name__col_36 = tostring(raw_split[36]), 
  statement_user_name__col_37 = tostring(raw_split[37]), 
  create_time__col_38 = tostring(raw_split[38]), 
  xsa_message_ip__col_39 = tostring(raw_split[39]), 
  xsa_tenant__col_40 = tostring(raw_split[40]), 
  xsa_uuid__col_41 = tostring(raw_split[41]), 
  xsa_channel__col_42 = tostring(raw_split[42]), 
  xsa_attachment_id__col_43 = tostring(raw_split[43]), 
  xsa_attachment_name__col_44 = tostring(raw_split[44]), 
  xsa_organization_id__col_45 = tostring(raw_split[45]), 
  xsa_space_id__col_46 = tostring(raw_split[46]), 
  xsa_instance_id__col_47 = tostring(raw_split[47]), 
  xsa_binding_id__col_48 = tostring(raw_split[48]), 
  xsa_object__col_49 = tostring(raw_split[49]), 
  xsa_data_subject__col_50 = tostring(raw_split[50])
| where audit_action__col_13 contains 'AUDIT POLICY' 
| extend AlertRuleUniqueName = 'hanadb-audittrailpolicychanges-logserv'

YAML

queryPeriod: 1h
query: |
  let AuditTimeAgo = 60m;
  SAPLogServ_CL
  | where TimeGenerated >= ago(AuditTimeAgo)
  | where clz_subdir == "hanaaudit"
  | extend raw_split = split(Raw, ";")
  | extend
    event_timestamp__col_0 = tostring(raw_split[0]), 
    service_name__col_1 = tostring(raw_split[1]), 
    hostname__col_2 = tostring(raw_split[2]), 
    sid__col_3 = tostring(raw_split[3]), 
    instance_number__col_4 = tostring(raw_split[4]), 
    port_number__col_5 = tostring(raw_split[5]), 
    database_name__col_6 = tostring(raw_split[6]), 
    client_ip_address__col_7 = tostring(raw_split[7]), 
    client_name__col_8 = tostring(raw_split[8]), 
    client_process_id__col_9 = tostring(raw_split[9]), 
    client_port_number__col_10 = tostring(raw_split[10]), 
    policy_name__col_11 = tostring(raw_split[11]), 
    audit_level__col_12 = tostring(raw_split[12]), 
    audit_action__col_13 = tostring(raw_split[13]), 
    session_user__col_14 = tostring(raw_split[14]), 
    target_schema__col_15 = tostring(raw_split[15]), 
    target_object__col_16 = tostring(raw_split[16]), 
    privilege_name__col_17 = tostring(raw_split[17]), 
    grantable__col_18 = tostring(raw_split[18]), 
    role_name__col_19 = tostring(raw_split[19]), 
    target_principal__col_20 = tostring(raw_split[20]), 
    action_status__col_21 = tostring(raw_split[21]), 
    component__col_22 = tostring(raw_split[22]), 
    section__col_23 = tostring(raw_split[23]), 
    parameter__col_24 = tostring(raw_split[24]), 
    old_value__col_25 = tostring(raw_split[25]), 
    new_value__col_26 = tostring(raw_split[26]), 
    comment__col_27 = tostring(raw_split[27]), 
    executed_statement__col_28 = tostring(raw_split[28]), 
    session_id__col_29 = tostring(raw_split[29]), 
    application_user_name__col_30 = tostring(raw_split[30]), 
    role_schema_name__col_31 = tostring(raw_split[31]), 
    grantee_schema_name__col_32 = tostring(raw_split[32]), 
    origin_database_name__col_33 = tostring(raw_split[33]), 
    origin_user_name__col_34 = tostring(raw_split[34]), 
    xs_application_user_name__col_35 = tostring(raw_split[35]), 
    application_name__col_36 = tostring(raw_split[36]), 
    statement_user_name__col_37 = tostring(raw_split[37]), 
    create_time__col_38 = tostring(raw_split[38]), 
    xsa_message_ip__col_39 = tostring(raw_split[39]), 
    xsa_tenant__col_40 = tostring(raw_split[40]), 
    xsa_uuid__col_41 = tostring(raw_split[41]), 
    xsa_channel__col_42 = tostring(raw_split[42]), 
    xsa_attachment_id__col_43 = tostring(raw_split[43]), 
    xsa_attachment_name__col_44 = tostring(raw_split[44]), 
    xsa_organization_id__col_45 = tostring(raw_split[45]), 
    xsa_space_id__col_46 = tostring(raw_split[46]), 
    xsa_instance_id__col_47 = tostring(raw_split[47]), 
    xsa_binding_id__col_48 = tostring(raw_split[48]), 
    xsa_object__col_49 = tostring(raw_split[49]), 
    xsa_data_subject__col_50 = tostring(raw_split[50])
  | where audit_action__col_13 contains 'AUDIT POLICY' 
  | extend AlertRuleUniqueName = 'hanadb-audittrailpolicychanges-logserv'  
version: 1.0.0
name: SAP LogServ - HANA DB - Audit Trail Policy Changes
entityMappings:
- fieldMappings:
  - columnName: sid__col_3
    identifier: AppId
  - columnName: database_name__col_6
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: hostname__col_2
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: client_ip_address__col_7
    identifier: Address
  entityType: IP
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AuditTrailPolicyChanges.yaml
alertDetailsOverride:
  alertDisplayNameFormat: SAP LogServ - HANA DB - Audit Trail Policy Change
  alertDescriptionFormat: |
        {{comment__col_27}}
description: |
  Identifies changes for HANA DB audit trail policies.

  Source Action: Create / update existing audit policy in security definitions.

  *Data Sources: SAP LogServ - HANA DB (Syslog)*  
kind: Scheduled
status: Available
severity: High
requiredDataConnectors:
- connectorId: SAPLogServ
  dataTypes:
  - SAPLogServ_CL
triggerOperator: gt
triggerThreshold: 0
customDetails:
  SAP_User: session_user__col_14
tactics:
- Persistence
- LateralMovement
- DefenseEvasion
id: e8394afb-82a7-4718-8d31-cc57ad352fa8
relevantTechniques: []

ARM