
Commit f5957a6

committed
adding sap hana rules
1 parent badc9ba commit f5957a6

1 file changed

+40
-3
lines changed

articles/sentinel/sap/collect-sap-hana-audit-logs.md

Lines changed: 40 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -41,9 +41,46 @@ If you have SAP HANA database audit logs configured with Syslog, you'll also nee
4141
> Because the facilities where HANA database events are saved can change between different distributions, we recommend that you add all facilities. Check them against your Syslog logs, and then remove any that aren't relevant.
4242
>
4343
44-
1. In Microsoft Sentinel, check to confirm that HANA database events are now shown in the ingested logs.
45-
46-
## Next steps
44+
## Verify your configuration
45+
46+
In Microsoft Sentinel, check to confirm that HANA database events are now shown in the ingested logs. For example, run the following query:
47+
48+
```KQL
49+
//generated function structure for custom log Syslog
50+
// generated on 2024-05-07
51+
let D_Syslog = datatable(TimeGenerated:datetime
52+
,EventTime:datetime
53+
,Facility:string
54+
,HostName:string
55+
,SeverityLevel:string
56+
,ProcessID:int
57+
,HostIP:string
58+
,ProcessName:string
59+
,Type:string
60+
)['1000-01-01T00:00:00Z', '1000-01-01T00:00:00Z', 'initialString', 'initialString', 'initialString', 'initialString',1,'initialString', 'initialString', 'initialString'];
61+
let T_Syslog = (Syslog | project
62+
TimeGenerated = column_ifexists('TimeGenerated', '1000-01-01T00:00:00Z')
63+
,EventTime = column_ifexists('EventTime', '1000-01-01T00:00:00Z')
64+
,Facility = column_ifexists('Facility', 'initialString')
65+
,HostName = column_ifexists('HostName', 'initialString')
66+
,SeverityLevel = column_ifexists('SeverityLevel', 'initialString')
67+
,ProcessID = column_ifexists('ProcessID', 1)
68+
,HostIP = column_ifexists('HostIP', 'initialString')
69+
,ProcessName = column_ifexists('ProcessName', 'initialString')
70+
,Type = column_ifexists('Type', 'initialString')
71+
);
72+
T_Syslog | union isfuzzy= true (D_Syslog | where TimeGenerated != '1000-01-01T00:00:00Z')
73+
```
74+
75+
Alternately, use the following built-in analytics rules to show that SAP logs are being ingested:
76+
- **SAP - (PREVIEW) HANA DB -Assign Admin Authorizations**
77+
- **SAP - (PREVIEW) HANA DB -Audit Trail Policy Changes**
78+
- **SAP - (PREVIEW) HANA DB -Deactivation of Audit Trail**
79+
- **SAP - (PREVIEW) HANA DB -User Admin actions**
80+
81+
For more information, see [Microsoft Sentinel solution for SAP® applications: security content reference](sap-solution-security-content.md).
82+
83+
## Related content
4784

4885
Learn more about the Microsoft Sentinel solution for SAP® applications:
4986
