Merge pull request #12415 from MartinPankraz/enhance-sap-logserv

Enhance SAP LogServ

Author: v-atulyadav

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -1,4 +1,24 @@
 [
+  {
+    "id": "e8394afb-82a7-4718-8d31-cc57ad352fa8",
+    "templateName": "SAPLogServ-AuditTrailPolicyChanges.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "a9e4b02a-5a8c-4c59-9836-a204d1028632",
+    "templateName": "SAPLogServ-UserAdminActions.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "8fb9fb88-693f-4906-8be2-4bb9771418fc",
+    "templateName": "SAPLogServ-DeactivationofAuditTrail.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "4981469b-8618-43a7-b44c-5744594fa494",
+    "templateName": "SAPLogServ-AssignAdminAuthorizations.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
   {
     "id": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
     "templateName": "SAPETD-LoginFromUnexpectedNetwork.yaml",

Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AssignAdminAuthorizations.yaml

@@ -0,0 +1,108 @@
+id: 4981469b-8618-43a7-b44c-5744594fa494
+kind: Scheduled
+name: SAP LogServ - HANA DB - Assign Admin Authorizations
+description: |
+  Identifies admin privileges/roles assignment.
+  
+  Source Action: Assign a user with any Admin role / privileges.
+  
+  *Data Sources: SAP LogServ - HANA DB (Syslog)*
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPLogServ
+    dataTypes:
+      - SAPLogServ_CL
+queryFrequency: 10m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - PrivilegeEscalation
+relevantTechniques: []
+query: |
+  let AuditTimeAgo = 60m;
+  SAPLogServ_CL
+  | where TimeGenerated >= ago(AuditTimeAgo)
+  | where clz_subdir == "hanaaudit"
+  | extend raw_split = split(Raw, ";")
+  | extend
+    event_timestamp__col_0 = tostring(raw_split[0]), 
+    service_name__col_1 = tostring(raw_split[1]), 
+    hostname__col_2 = tostring(raw_split[2]), 
+    sid__col_3 = tostring(raw_split[3]), 
+    instance_number__col_4 = tostring(raw_split[4]), 
+    port_number__col_5 = tostring(raw_split[5]), 
+    database_name__col_6 = tostring(raw_split[6]), 
+    client_ip_address__col_7 = tostring(raw_split[7]), 
+    client_name__col_8 = tostring(raw_split[8]), 
+    client_process_id__col_9 = tostring(raw_split[9]), 
+    client_port_number__col_10 = tostring(raw_split[10]), 
+    policy_name__col_11 = tostring(raw_split[11]), 
+    audit_level__col_12 = tostring(raw_split[12]), 
+    audit_action__col_13 = tostring(raw_split[13]), 
+    session_user__col_14 = tostring(raw_split[14]), 
+    target_schema__col_15 = tostring(raw_split[15]), 
+    target_object__col_16 = tostring(raw_split[16]), 
+    privilege_name__col_17 = tostring(raw_split[17]), 
+    grantable__col_18 = tostring(raw_split[18]), 
+    role_name__col_19 = tostring(raw_split[19]), 
+    target_principal__col_20 = tostring(raw_split[20]), 
+    action_status__col_21 = tostring(raw_split[21]), 
+    component__col_22 = tostring(raw_split[22]), 
+    section__col_23 = tostring(raw_split[23]), 
+    parameter__col_24 = tostring(raw_split[24]), 
+    old_value__col_25 = tostring(raw_split[25]), 
+    new_value__col_26 = tostring(raw_split[26]), 
+    comment__col_27 = tostring(raw_split[27]), 
+    executed_statement__col_28 = tostring(raw_split[28]), 
+    session_id__col_29 = tostring(raw_split[29]), 
+    application_user_name__col_30 = tostring(raw_split[30]), 
+    role_schema_name__col_31 = tostring(raw_split[31]), 
+    grantee_schema_name__col_32 = tostring(raw_split[32]), 
+    origin_database_name__col_33 = tostring(raw_split[33]), 
+    origin_user_name__col_34 = tostring(raw_split[34]), 
+    xs_application_user_name__col_35 = tostring(raw_split[35]), 
+    application_name__col_36 = tostring(raw_split[36]), 
+    statement_user_name__col_37 = tostring(raw_split[37]), 
+    create_time__col_38 = tostring(raw_split[38]), 
+    xsa_message_ip__col_39 = tostring(raw_split[39]), 
+    xsa_tenant__col_40 = tostring(raw_split[40]), 
+    xsa_uuid__col_41 = tostring(raw_split[41]), 
+    xsa_channel__col_42 = tostring(raw_split[42]), 
+    xsa_attachment_id__col_43 = tostring(raw_split[43]), 
+    xsa_attachment_name__col_44 = tostring(raw_split[44]), 
+    xsa_organization_id__col_45 = tostring(raw_split[45]), 
+    xsa_space_id__col_46 = tostring(raw_split[46]), 
+    xsa_instance_id__col_47 = tostring(raw_split[47]), 
+    xsa_binding_id__col_48 = tostring(raw_split[48]), 
+    xsa_object__col_49 = tostring(raw_split[49]), 
+    xsa_data_subject__col_50 = tostring(raw_split[50])
+  | where 
+    audit_action__col_13 =~ "GRANT PRIVILEGE"
+    and privilege_name__col_17 contains "ADMIN"
+  | extend AlertRuleUniqueName = 'hanadb-assignadminauthorizations-logserv'
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: AppId
+        columnName: sid__col_3
+      - identifier: InstanceName
+        columnName: database_name__col_6
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: hostname__col_2
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: client_ip_address__col_7
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP LogServ - HANA DB - Assign Admin Authorizations'
+  alertDescriptionFormat: |
+    {{comment__col_27}}
+customDetails:
+  SAP_User: session_user__col_14
+version: 1.0.0

Solutions/SAP LogServ/Analytic Rules/SAPLogServ-AuditTrailPolicyChanges.yaml

@@ -0,0 +1,108 @@
+id: e8394afb-82a7-4718-8d31-cc57ad352fa8
+kind: Scheduled
+name: SAP LogServ - HANA DB - Audit Trail Policy Changes
+description: |
+  Identifies changes for HANA DB audit trail policies.
+  
+  Source Action: Create / update existing audit policy in security definitions.
+  
+  *Data Sources: SAP LogServ - HANA DB (Syslog)*
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPLogServ
+    dataTypes:
+      - SAPLogServ_CL
+queryFrequency: 10m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+  - LateralMovement
+  - DefenseEvasion
+relevantTechniques: []
+query: |
+  let AuditTimeAgo = 60m;
+  SAPLogServ_CL
+  | where TimeGenerated >= ago(AuditTimeAgo)
+  | where clz_subdir == "hanaaudit"
+  | extend raw_split = split(Raw, ";")
+  | extend
+    event_timestamp__col_0 = tostring(raw_split[0]), 
+    service_name__col_1 = tostring(raw_split[1]), 
+    hostname__col_2 = tostring(raw_split[2]), 
+    sid__col_3 = tostring(raw_split[3]), 
+    instance_number__col_4 = tostring(raw_split[4]), 
+    port_number__col_5 = tostring(raw_split[5]), 
+    database_name__col_6 = tostring(raw_split[6]), 
+    client_ip_address__col_7 = tostring(raw_split[7]), 
+    client_name__col_8 = tostring(raw_split[8]), 
+    client_process_id__col_9 = tostring(raw_split[9]), 
+    client_port_number__col_10 = tostring(raw_split[10]), 
+    policy_name__col_11 = tostring(raw_split[11]), 
+    audit_level__col_12 = tostring(raw_split[12]), 
+    audit_action__col_13 = tostring(raw_split[13]), 
+    session_user__col_14 = tostring(raw_split[14]), 
+    target_schema__col_15 = tostring(raw_split[15]), 
+    target_object__col_16 = tostring(raw_split[16]), 
+    privilege_name__col_17 = tostring(raw_split[17]), 
+    grantable__col_18 = tostring(raw_split[18]), 
+    role_name__col_19 = tostring(raw_split[19]), 
+    target_principal__col_20 = tostring(raw_split[20]), 
+    action_status__col_21 = tostring(raw_split[21]), 
+    component__col_22 = tostring(raw_split[22]), 
+    section__col_23 = tostring(raw_split[23]), 
+    parameter__col_24 = tostring(raw_split[24]), 
+    old_value__col_25 = tostring(raw_split[25]), 
+    new_value__col_26 = tostring(raw_split[26]), 
+    comment__col_27 = tostring(raw_split[27]), 
+    executed_statement__col_28 = tostring(raw_split[28]), 
+    session_id__col_29 = tostring(raw_split[29]), 
+    application_user_name__col_30 = tostring(raw_split[30]), 
+    role_schema_name__col_31 = tostring(raw_split[31]), 
+    grantee_schema_name__col_32 = tostring(raw_split[32]), 
+    origin_database_name__col_33 = tostring(raw_split[33]), 
+    origin_user_name__col_34 = tostring(raw_split[34]), 
+    xs_application_user_name__col_35 = tostring(raw_split[35]), 
+    application_name__col_36 = tostring(raw_split[36]), 
+    statement_user_name__col_37 = tostring(raw_split[37]), 
+    create_time__col_38 = tostring(raw_split[38]), 
+    xsa_message_ip__col_39 = tostring(raw_split[39]), 
+    xsa_tenant__col_40 = tostring(raw_split[40]), 
+    xsa_uuid__col_41 = tostring(raw_split[41]), 
+    xsa_channel__col_42 = tostring(raw_split[42]), 
+    xsa_attachment_id__col_43 = tostring(raw_split[43]), 
+    xsa_attachment_name__col_44 = tostring(raw_split[44]), 
+    xsa_organization_id__col_45 = tostring(raw_split[45]), 
+    xsa_space_id__col_46 = tostring(raw_split[46]), 
+    xsa_instance_id__col_47 = tostring(raw_split[47]), 
+    xsa_binding_id__col_48 = tostring(raw_split[48]), 
+    xsa_object__col_49 = tostring(raw_split[49]), 
+    xsa_data_subject__col_50 = tostring(raw_split[50])
+  | where audit_action__col_13 contains 'AUDIT POLICY' 
+  | extend AlertRuleUniqueName = 'hanadb-audittrailpolicychanges-logserv'
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: AppId
+        columnName: sid__col_3
+      - identifier: InstanceName
+        columnName: database_name__col_6
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: hostname__col_2
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: client_ip_address__col_7
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP LogServ - HANA DB - Audit Trail Policy Change'
+  alertDescriptionFormat: |
+    {{comment__col_27}}
+customDetails:
+  SAP_User: session_user__col_14
+version: 1.0.0

Solutions/SAP LogServ/Analytic Rules/SAPLogServ-DeactivationofAuditTrail.yaml

@@ -0,0 +1,111 @@
+id: 8fb9fb88-693f-4906-8be2-4bb9771418fc
+kind: Scheduled
+name: SAP LogServ - HANA DB - Deactivation of Audit Trail
+description: |
+  Identifies deactivation of HANA DB audit log.
+  
+  Source Action: Deactivate Audit Log in HANA DB security defnitions.
+  
+  *Data Sources: SAP LogServ - HANA DB (Syslog)*
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPLogServ
+    dataTypes:
+      - SAPLogServ_CL
+queryFrequency: 10m
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+  - LateralMovement
+  - DefenseEvasion
+relevantTechniques: []
+query: |
+  let AuditTimeAgo = 60m;
+  SAPLogServ_CL
+  | where TimeGenerated >= ago(AuditTimeAgo)
+  | where clz_subdir == "hanaaudit"
+  | extend raw_split = split(Raw, ";")
+  | extend
+    event_timestamp__col_0 = tostring(raw_split[0]), 
+    service_name__col_1 = tostring(raw_split[1]), 
+    hostname__col_2 = tostring(raw_split[2]), 
+    sid__col_3 = tostring(raw_split[3]), 
+    instance_number__col_4 = tostring(raw_split[4]), 
+    port_number__col_5 = tostring(raw_split[5]), 
+    database_name__col_6 = tostring(raw_split[6]), 
+    client_ip_address__col_7 = tostring(raw_split[7]), 
+    client_name__col_8 = tostring(raw_split[8]), 
+    client_process_id__col_9 = tostring(raw_split[9]), 
+    client_port_number__col_10 = tostring(raw_split[10]), 
+    policy_name__col_11 = tostring(raw_split[11]), 
+    audit_level__col_12 = tostring(raw_split[12]), 
+    audit_action__col_13 = tostring(raw_split[13]), 
+    session_user__col_14 = tostring(raw_split[14]), 
+    target_schema__col_15 = tostring(raw_split[15]), 
+    target_object__col_16 = tostring(raw_split[16]), 
+    privilege_name__col_17 = tostring(raw_split[17]), 
+    grantable__col_18 = tostring(raw_split[18]), 
+    role_name__col_19 = tostring(raw_split[19]), 
+    target_principal__col_20 = tostring(raw_split[20]), 
+    action_status__col_21 = tostring(raw_split[21]), 
+    component__col_22 = tostring(raw_split[22]), 
+    section__col_23 = tostring(raw_split[23]), 
+    parameter__col_24 = tostring(raw_split[24]), 
+    old_value__col_25 = tostring(raw_split[25]), 
+    new_value__col_26 = tostring(raw_split[26]), 
+    comment__col_27 = tostring(raw_split[27]), 
+    executed_statement__col_28 = tostring(raw_split[28]), 
+    session_id__col_29 = tostring(raw_split[29]), 
+    application_user_name__col_30 = tostring(raw_split[30]), 
+    role_schema_name__col_31 = tostring(raw_split[31]), 
+    grantee_schema_name__col_32 = tostring(raw_split[32]), 
+    origin_database_name__col_33 = tostring(raw_split[33]), 
+    origin_user_name__col_34 = tostring(raw_split[34]), 
+    xs_application_user_name__col_35 = tostring(raw_split[35]), 
+    application_name__col_36 = tostring(raw_split[36]), 
+    statement_user_name__col_37 = tostring(raw_split[37]), 
+    create_time__col_38 = tostring(raw_split[38]), 
+    xsa_message_ip__col_39 = tostring(raw_split[39]), 
+    xsa_tenant__col_40 = tostring(raw_split[40]), 
+    xsa_uuid__col_41 = tostring(raw_split[41]), 
+    xsa_channel__col_42 = tostring(raw_split[42]), 
+    xsa_attachment_id__col_43 = tostring(raw_split[43]), 
+    xsa_attachment_name__col_44 = tostring(raw_split[44]), 
+    xsa_organization_id__col_45 = tostring(raw_split[45]), 
+    xsa_space_id__col_46 = tostring(raw_split[46]), 
+    xsa_instance_id__col_47 = tostring(raw_split[47]), 
+    xsa_binding_id__col_48 = tostring(raw_split[48]), 
+    xsa_object__col_49 = tostring(raw_split[49]), 
+    xsa_data_subject__col_50 = tostring(raw_split[50])
+  | where 
+    audit_action__col_13 contains "AUDIT CONFIGURATION" and 
+    parameter__col_24 =~ "global_auditing_state" and
+    new_value__col_26 =~ "false"
+  | extend AlertRuleUniqueName = 'hanadb-deactivationofaudittrail-logserv'
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: AppId
+        columnName: sid__col_3
+      - identifier: InstanceName
+        columnName: database_name__col_6
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: hostname__col_2
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: client_ip_address__col_7
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP LogServ - HANA DB - Deactivation of Audit Trail'
+  alertDescriptionFormat: |
+    {{comment__col_27}}
+customDetails:
+  SAP_User: session_user__col_14
+version: 1.0.0