diff --git a/Solutions/SAP/Analytics/Alerts/Scheduled.json b/Solutions/SAP/Analytics/Alerts/Scheduled.json
new file mode 100644
index 0000000000..f28f4af566
--- /dev/null
+++ b/Solutions/SAP/Analytics/Alerts/Scheduled.json
@@ -0,0 +1,1653 @@ +[ + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Security Audit Log Configuration Change", + "Description": "Idenitifes changes for configuration in Securiy Audit Log\n\nSource Action: change any Security Audit Log Configuration using SM19/RSAU_CONFIG. (Filters/Status/Recording mode etc..)\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053781813)/", + "Query": "// Audit Log Classes - Audit Log Configuration Events\r\nlet AuditClasses = dynamic(['AUE','AUF','AUI','AUJ','FU0','E05']); // Relevent messeges\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project \r\n// Details\r\nTimeGenerated, SystemID_s, User_s, MessageText_s,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "QueryPeriod": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Persistence", + "Exfiltration", + "DefenseEvasion" + ], + "Name": "2bdaa8f6-f654-496a-9d6f-a532b45da3c1", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0002f2-0000-0d00-0000-60900f160000\"", + "Kind": "Scheduled" + }, + { + 
"AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Deactivation of Security Audit Log", + "Description": "Identifies deactivation of Security Audit Log\n\nSource Action: Disable secruity Audit Log using SM19/RSAU_CONFIG.\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620055029659)/", + "Query": "// Audit Log Classes - Audit Log Active Status Events\r\nlet AuditClasses = dynamic(['AUJ']);\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where Variable1_s == '0' // Audit Active Status = 0\r\n| project \r\n// Details\r\nTimeGenerated, SystemID_s, User_s, MessageText_s, AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Exfiltration", + "DefenseEvasion", + "Persistence" + ], + "Name": "d09b09b2-e6cf-4ef7-9d0b-dfcaa046999e", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0077f8-0000-0d00-0000-609013f50000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Transaction is 
unlocked", + "Description": "Identifies unlocking of a transaction. \n\nSource Action: Unlock a transaction code using SM01/SM01_DEV/SM01_CUS.\n\n*Data Sources: SAPcon - Audit Log*\n", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053741896)/", + "Query": "// Audit Log Classes - Transaction UnLock Events\r\n// AUP - Transaction Locked\r\nlet AuditClasses = dynamic(['AUQ']); // AUQ - Transaction Unlocked\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project-rename TransactionCode = Variable1_s\r\n| parse TransactionCode with \"( TR ) \" _TCODE \" - \" ClientTR // Parse to _TCODE and ClientTR\r\n// Specific Client Action (SM01_CUS) / Cross Client (SM01_DEV)\r\n| extend TransactionCode = iif(_TCODE != \"\",_TCODE, TransactionCode) // Check if _TCODE is not empty\r\n| extend ClientTR = iif(ClientTR != \"\",ClientTR, \"CrossClient\") // Check if ClientTR is not empty\r\n| project \r\n// Details\r\nTimeGenerated, SystemID_s, User_s, MessageText_s,TransactionCode, ClientTR,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n\r\n", + "QueryFrequency": { + "Ticks": 864000000000, + "Days": 1, + "Hours": 0, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 1, + "TotalHours": 24, + "TotalMilliseconds": 86400000, + "TotalMinutes": 1440, + "TotalSeconds": 86400 + }, + "QueryPeriod": { + "Ticks": 864000000000, + "Days": 1, + "Hours": 0, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 1, + "TotalHours": 24, + "TotalMilliseconds": 86400000, + "TotalMinutes": 1440, + "TotalSeconds": 86400 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + 
"Persistence", + "Execution" + ], + "Name": "15dbce1e-ea18-4934-b25c-ebb6416564ab", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a00e8f1-0000-0d00-0000-60900eee0000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Assignment of a sensitive profile", + "Description": "Identifies new assignments of a sensitive profile to a user.\n\nSource Action: Assign a profile to a User using SU01.\n\nSensitive profiles should be maintained in watchlist \"SAP - Sensitive Profiles\"\n\n*Data Sources: SAPcon - Change Documents Log*\n", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053647942)/", + "Query": "// Define Variables\r\n// Audit Log Classes - Authorizations for user changed\r\nlet Identity = 'IDENTITY';\r\nlet ProfileChangeDoc = 'SUSR_UST04';\r\nlet Insert = \"I\";\r\nlet logsThreshold = 3; // 3 seconds\r\nlet AuditClasses = dynamic(['AUB']); // Authorizations for user &A changed.\r\n// Maintain these if WatchList is not available\r\nlet SensitiveProfiles = _GetWatchlist('SAP - Sensitive Profiles');\r\nlet fixedProfile = datatable(Profile:string)['SAP_ALL','SAP_NEW'];\r\n// Maintain these if System doesn't have CR's\r\nlet fixedChangeDocs = datatable(User_s : string, ObjectClass_s : string, TableName_s : string, TypeofChange_Item_s : string , ChangedTableKey_s : string, ObjectID_s : string, TimeGenerated : datetime, ValueNew_s : string, SystemID_s : string)[];\r\nlet ChangeDocs = \r\nunion isfuzzy=true table(\"ABAPChangeDocsLog_CL\"), fixedChangeDocs;\r\nlet IdentityChangeDocuments =\r\n// Identity Change documents which represents profiles assignment\r\n ChangeDocs \r\n | where ObjectClass_s == Identity // Identity\r\n and TableName_s == ProfileChangeDoc // Profile Change Doc\r\n and TypeofChange_Item_s == Insert // Insert \r\n | extend Profile = ChangedTableKey_s\r\n | extend UserAssigned = ObjectID_s;\r\nlet UnitedProfiles =\r\ntoscalar(union fixedProfile, SensitiveProfiles\r\n| 
summarize Profiles = make_list(Profile));\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| summarize by TimeGenerated, TerminalIPv6_s, User_s, Host_s, Email_s\r\n| lookup kind = leftouter (IdentityChangeDocuments) on User_s\r\n| where Profile in (UnitedProfiles)\r\n| project-rename TimeGenAudit = TimeGenerated1 \r\n| where abs(datetime_diff('second',TimeGenerated,TimeGenAudit)) <= logsThreshold\r\nor isnull(TimeGenAudit)\r\n| project \r\n// Details\r\nTimeGenerated, SystemID_s, ClientID_s, Profile, User_s, UserAssigned,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 432000000000, + "Days": 0, + "Hours": 12, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.5, + "TotalHours": 12, + "TotalMilliseconds": 43200000, + "TotalMinutes": 720, + "TotalSeconds": 43200 + }, + "QueryPeriod": { + "Ticks": 432000000000, + "Days": 0, + "Hours": 12, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.5, + "TotalHours": 12, + "TotalMilliseconds": 43200000, + "TotalMinutes": 720, + "TotalSeconds": 43200 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation" + ], + "Name": "be58792d-c701-451f-9bfe-f070970ec46a", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0098f1-0000-0d00-0000-60900e900000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Sensitive privileged user logged in", + "Description": "Identifies Dialog logon of a sensitive privileged user. 
\n\nSource Action: Logon to the backend system using SAP* or anoter privileged user.\n\nPriveleged users should be maintained in \"SAP - Privileged Users\" Watchlist\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620054993548)/", + "Query": "// Define Variables\r\n// Audit Log Classes - Dialog Logon Succesful\r\nlet AuditClassesSuccess = dynamic(['AU1']);\r\nlet AuditClassesFail = dynamic(['BU1']);\r\nlet AuditRFCSuccess = dynamic(['AU5']);\r\nlet AuditRFCFail = dynamic(['AU6']);\r\nlet LogonTypes = dynamic(['A','H', 'R', 'S']); // Dialog / HTTP\r\n// Get Relevant User from WatchList\r\nlet PrivelegedUsers = _GetWatchlist('SAP - Privileged Users');\r\nlet fixedUsers = datatable(User:string)\r\n// Maintain these if WatchList is not available \r\n [\"SAP*\",\"DDIC\"]\r\n;\r\nlet UnitedPrivileged = union PrivelegedUsers, fixedUsers\r\n| summarize by User;\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where (MessageID_s in (AuditClassesSuccess) and Variable1_s in (LogonTypes)) or // Success login\r\nMessageID_s in (AuditClassesFail) or // Failed login\r\n(MessageID_s in (AuditRFCSuccess) and Variable1_s in (LogonTypes)) or // Success RFC login\r\nMessageID_s in (AuditRFCFail) // Failed RFC login\r\n| where User_s in (UnitedPrivileged)\r\n| project-rename LogonType = Variable1_s\r\n| project TimeGenerated, SystemID_s, ClientID_s, LogonType, User_s, MessageText_s, \r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + 
"TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "InitialAccess", + "CredentialAccess" + ], + "Name": "564e5827-3432-4fbd-aaa5-2f3bdcf91443", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0060f8-0000-0d00-0000-609013d20000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Assignment of a sensitive role", + "Description": "Identifies new assignments for a sensitive role to a user.\n\nSource Action: Assign a role to a User using SU01 / PFCG.\n\nSensitive roles should be maintained in watchlist \"SAP - Sensitive Roles\"\n\n*Data Sources: SAPcon - Change Documents Log, Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053607152)/", + "Query": "// Define Variables\r\nlet Roles = 'PFCG';\r\nlet UsersRoles = 'AGR_USERS';\r\nlet Insert = \"I\";\r\nlet logsThreshold = 3; // 3 seconds\r\n// Audit Log Classes - Authorizations for user changed\r\nlet AuditClasses = dynamic(['AUB']); // Authorizations for user &A changed.\r\n// Maintain these if WatchList is not available\r\nlet SensitiveRoles = _GetWatchlist('SAP - Sensitive Roles');\r\nlet fixedRoles = datatable(Role: string)['SAP_BC_BASIS_ADMIN', 'SAP_BC_AUTH_PROFILE_ADMIN'];\r\n// Maintain these if System doesn't have CR's\r\nlet fixedChangeDocs = datatable(User_s : string, ObjectClass_s : string, TableName_s : string, TypeofChange_Item_s : string ,\r\nChangedTableKey_s : string, ObjectID_s : string, TimeGenerated : datetime, ValueNew_s : string, SystemID_s : string)[];\r\nlet ChangeDocs = \r\nunion isfuzzy=true table(\"ABAPChangeDocsLog_CL\"), 
fixedChangeDocs;\r\nlet ChangeCheck =\r\nChangeDocs \r\n| where ObjectClass_s == Roles // Roles\r\n and TableName_s == UsersRoles // Users Roles\r\n and TypeofChange_Item_s == Insert // Insert \r\n| extend UserAssigned = extract(@\"^.{1,33}\\s*?(.{1,12})\\s*?\\d{16}\", 1, ChangedTableKey_s)\r\n| extend Role = ObjectID_s;\r\nlet UnitedRoles =\r\ntoscalar(union fixedRoles, SensitiveRoles\r\n| summarize Roles = make_list(Role));\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| summarize by TimeGenerated, TerminalIPv6_s, User_s, Host_s, Email_s\r\n| lookup kind = leftouter (ChangeCheck) on User_s\r\n| where Role in (UnitedRoles)\r\n| project-rename TimeGenAudit = TimeGenerated1\r\n| where abs(datetime_diff('second', TimeGenerated, TimeGenAudit)) <= logsThreshold\r\nor isnull(TimeGenAudit)\r\n| project \r\n // Details\r\n TimeGenerated, SystemID_s, ClientID_s, Role, User_s, UserAssigned,\r\n AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 432000000000, + "Days": 0, + "Hours": 12, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.5, + "TotalHours": 12, + "TotalMilliseconds": 43200000, + "TotalMinutes": 720, + "TotalSeconds": 43200 + }, + "QueryPeriod": { + "Ticks": 432000000000, + "Days": 0, + "Hours": 12, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.5, + "TotalHours": 12, + "TotalMilliseconds": 43200000, + "TotalMinutes": 720, + "TotalSeconds": 43200 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation" + ], + "Name": "d8361c08-5035-412c-bed2-5ed0fd6e56ec", + 
"Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0068f1-0000-0d00-0000-60900e670000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Execution of a Sensitive ABAP Program", + "Description": "Identifies direct execution of a sensitive ABAP program. \n\nSource Action: Execute a program directly using SE38/SA38/SE80.\n\n**Recommended for Production only**\n\nABAP Programs should be maintained in watchlist \"SAP - Sensitive ABAP Programs\"\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620054936119)/", + "Query": "// Define Variables\r\nlet Role = \"Production\";\r\nlet AuditClasses = dynamic(['AUW']); // Audit Log Classes - Report Started\r\nlet allSystemRoles = dynamic(['Sandbox','Developement','QualityAssurance','Training','Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP','CRM','BW','Solman','Gateway','Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems');\r\nlet fixedSID = datatable(SystemID:string, SystemRole:string, SystemUsage:string)\r\n// Maintain these if WatchList is not available \r\n [\"S4H\",\"Production\",\"ERP\",\r\n \"XXX\",\"Sandbox\",\"BW\"]\r\n; \r\n// Get Relevant ABAP Programs\r\nlet SensitiveABAPReports = _GetWatchlist('SAP - Sensitive ABAP Programs');\r\nlet fixedABAPReports = datatable(ABAPProgram:string)\r\n// Maintain these if WatchList is not available \r\n [\"RSPFLDOC\"]\r\n; \r\nlet UnionAbap = \r\n union SensitiveABAPReports, fixedABAPReports\r\n | summarize by ABAPProgram;\r\nlet UnitedSystem =\r\nunion systemID, fixedSID\r\n| summarize by SystemID, SystemRole, SystemUsage\r\n| where SystemRole == Role; // Reccommended is Production only\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where 
ABAPProgramName_s in (UnionAbap)\r\n| project-rename SystemID = SystemID_s\r\n| lookup kind = inner (UnitedSystem) on SystemID\r\n| order by TimeGenerated asc\r\n| project TimeGenerated, SystemID, ClientID_s, User_s, ABAPProgramName_s, MessageText_s, TransactionCode_s, MessageID_s, AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Exfiltration", + "LateralMovement", + "Execution" + ], + "Name": "1a792d10-3890-4c0c-b310-c2ccbd44ecf6", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0039f8-0000-0d00-0000-609013980000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Execution of a Sensitive Transaction Code", + "Description": "Identifies execution of a sensitive Transaction Code.\n\nSource Action: Execute a sensitive Transaction Code.\n\n**Recommended for Production only**\n\nTransaction Codes should be maintained in watchlist \"\"SAP - Sensitive Transaction Codes\"\"\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": 
"/Date(1620054897297)/", + "Query": "// Define Variables\r\nlet Role = 'Production';\r\nlet AuditClasses = dynamic(['AU3']); // Audit Log Classes - Transaction Started\r\nlet allSystemRoles = dynamic(['Sandbox','Developement','QualityAssurance','Training','Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP','CRM','BW','Solman','Gateway','Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems');\r\nlet fixedSID = datatable(SystemID:string, SystemRole:string, SystemUsage:string)\r\n// Maintain these if WatchList is not available \r\n [\"S4H\",\"Production\",\"ERP\",\r\n \"XXX\",\"Sandbox\",\"BW\"]\r\n; \r\n// Get Relevant Transaction Codes\r\nlet SensitiveTcode = _GetWatchlist('SAP - Sensitive Transactions');\r\nlet fixedTcode = datatable(TransactionCode:string)\r\n// Maintain these if WatchList is not available \r\n [\"RSAU_CONFIG\",\"RZ11\",\"SM19\"]\r\n; \r\nlet UnitedCodes = \r\n union SensitiveTcode, fixedTcode\r\n | summarize by TransactionCode;\r\nlet UnitedSystem =\r\nunion systemID, fixedSID\r\n| summarize by SystemID, SystemRole, SystemUsage\r\n| where SystemRole == Role; // Reccommended is Production only\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where TransactionCode_s in (UnitedCodes)\r\n| project-rename SystemID = SystemID_s\r\n| lookup kind = inner (UnitedSystem) on SystemID\r\n| order by TimeGenerated asc\r\n| project TimeGenerated, SystemID, ClientID_s, User_s, TransactionCode_s, MessageText_s, MessageID_s, AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + 
"TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Discovery", + "Execution" + ], + "Name": "25b31645-21c3-4cb5-a598-a539e415a7b3", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0025f8-0000-0d00-0000-609013720000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Low - Sensitive Tables Direct Access By Dialog Logon", + "Description": "Identifies generic table access by dialog logon\n\nSource Action: Open table contents using SE11/SE16/SE16N.\n\n**Recommended for Production only**\n\nTables should be maintained in \"\"SAP - Sensitive Tables\"\" Watchlist.\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620052859383)/", + "Query": "// Define variables\r\nlet Role = \"Production\";\r\nlet AuditClasses = dynamic(['DU9']); // Dialog, Audit Log Classes - Generic Table Access \r\nlet allSystemRoles = dynamic(['Sandbox','Developement','QualityAssurance','Training','Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP','CRM','BW','Solman','Gateway','Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems');\r\nlet fixedSID = datatable(SystemID:string, SystemRole:string, SystemUsage:string)\r\n// Maintain these if WatchList 
is not available \r\n [\"S4H\",\"Production\",\"ERP\",\r\n \"XXX\",\"Sandbox\",\"BW\"]\r\n; \r\n// Get Relevant Tables\r\nlet SensitiveTables = _GetWatchlist('SAP - Sensitive Tables');\r\nlet fixedTables = datatable(Table:string)\r\n// Maintain these if WatchList is not available \r\n [\"USR02\"]\r\n; \r\nlet RelSystemID = union systemID, fixedSID // Create a variable that stores relevent Systems\r\n| where SystemRole == Role // Reccommended is Production only\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\n| summarize by SystemID;\r\nlet SensitiveUnionTables = union SensitiveTables, fixedTables // Create a variable that stores relevent sensitive tables\r\n | summarize by Table;\r\n// Query logic\r\nABAPAuditLog_CL \r\n | project-rename Table = Variable1_s, Activity = Variable2_s\r\n | where MessageID_s in (AuditClasses)\r\n | where SystemID_s in (RelSystemID)\r\n | where Table in (SensitiveUnionTables)\r\n | order by TimeGenerated asc\r\n | project TimeGenerated, SystemID_s, ClientID_s, User_s, TransactionCode_s, ABAPProgramName_s, Table, Activity, MessageText_s, MessageID_s,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 432000000000, + "Days": 0, + "Hours": 12, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.5, + "TotalHours": 12, + "TotalMilliseconds": 43200000, + "TotalMinutes": 720, + "TotalSeconds": 43200 + }, + "QueryPeriod": { + "Ticks": 432000000000, + "Days": 0, + "Hours": 12, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.5, + "TotalHours": 12, + "TotalMilliseconds": 43200000, + "TotalMinutes": 720, + "TotalSeconds": 43200 + }, + "Severity": "Low", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + 
"TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Discovery" + ], + "Name": "3b05930a-1303-475f-bb9d-d834e95499f1", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0029ef-0000-0d00-0000-60900b7b0000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Multiple Logons by User", + "Description": "Identifies logon of the same user from several terminals within scheduled time interval.\n\nSource Action: Logon using the same user thorugh different IP's.\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053556371)/", + "Query": "// Define variables\r\n// Audit Log Classes - Dialog Logon Successful, RFC Logon Successful\r\nlet AuditClasses = dynamic(['AU1','AU5']);\r\n// Dialog / CPIC / RFC Int / RFC Ext / SRFC / User Switch / HTTP / Restore Session / API Call\r\nlet DialogLogonTypes = dynamic(['A', 'C', 'F', 'R', 'S', 'U', 'H', 'u', ' ']);\r\nlet excUsers = _GetWatchlist('SAP - Excluded Users'); // Users that should be removed from query\r\nlet fixedExcUsers = datatable(User:string)\r\n// Maintain these if WatchList is not available \r\n [\"SYSWF\"]\r\n; \r\nlet UnitedExcUsers =\r\ntoscalar(union excUsers, fixedExcUsers\r\n| summarize Users = make_set(User));\r\nlet IPThreshold = 1;\r\n// Query Logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where Variable1_s in (DialogLogonTypes)\r\n| where User_s !in (UnitedExcUsers)\r\n| summarize CountIP = dcount(TerminalIPv6_s), IPs = make_set(TerminalIPv6_s), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SystemID_s, ClientID_s, User_s, Email_s\r\n| where CountIP > IPThreshold // Count of IP logins from the user is higher than threshold\r\n| mv-expand IPs to typeof(string ) // Show for each IP\r\n| project SystemID_s, ClientID_s, User_s, StartTime, EndTime,\r\n AccountCustomEntity = Email_s, 
IPCustomEntity = IPs", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PreAttack", + "CredentialAccess", + "InitialAccess", + "Collection" + ], + "Name": "146454b8-4649-4c4c-a3a3-ab0d4e6d6228", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0002f1-0000-0d00-0000-60900e340000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Multiple Logons by IP", + "Description": "Identifies logon of several users from same IP within scheduled time interval.\n\nSource Action: Logon using several users thorugh the same IP.\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053459170)/", + "Query": "// Define variables\r\nlet AuditClasses = dynamic(['AU1', 'AU5']); // Audit Log Classes - Dialog Logon Successful, RFC Logon Successful\r\nlet DialogLogonTypes = dynamic(['A', 'C', 'F', 'R', 'S', 'U', 'H', 'u', ' ']); // Dialog / CPIC / RFC Int / RFC Ext / SRFC / User Switch / HTTP / Restore Session / API Call\r\nlet excNetworks = _GetWatchlist('SAP - Excluded Networks'); // Networks that should be removed from 
query\r\nlet fixedNetworks =\r\ndatatable(Network:string)\r\n// Maintain these if WatchList is not available \r\n [\"111.68.128.0/1\", \"123.68.128.0/1\"]\r\n; \r\nlet UnitedNetworks =\r\ntoscalar(union excNetworks, fixedNetworks\r\n| summarize Networks = make_set(Network));\r\nlet UsersperIP = 1;\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where Variable1_s in (DialogLogonTypes)\r\n| where TerminalIPv6_s !in (UnitedNetworks)\r\n| extend UserandEmail = pack(\"ID\", User_s, \"Email\", Email_s)\r\n| summarize CountUsers = dcount(strcat(User_s, \"_&_\", Email_s)), Users = make_set(UserandEmail), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \r\n by SystemID_s, ClientID_s, TerminalIPv6_s\r\n| where CountUsers > UsersperIP\r\n| mv-expand Users \r\n| evaluate bag_unpack(Users, \"User_\")\r\n| project SystemID_s, ClientID_s, IPCustomEntity = TerminalIPv6_s, StartTime, EndTime,\r\n column_ifexists(\"User_ID\", \"\"), \r\n AccountCustomEntity = column_ifexists(\"User_Email\", \"\")\r\n", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "InitialAccess" + ], + "Name": 
"c82e5b01-3c60-43f8-b6f4-6ac2b291dbb0", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a00b5f0-0000-0d00-0000-60900dd30000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Login from unexpected network", + "Description": "Identifies logons from an unexpected network.\n\nSource Action: Logon to the backend system from an IP address which is not assigned to one of the netwroks.\n\nNetworks should be maintained in watchlist \"SAP - Networks\"\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620054855631)/", + "Query": "let AuditClasses = dynamic(['AU1','AU5']); // Audit Log Classes - Dialog Logon Successful, RFC Logon Successful\r\n// Dialog / CPIC / RFC Int / RFC Ext / SRFC / User Switch / HTTP / Restore Session / API Call\r\nlet DialogLogonTypes = dynamic(['A', 'C', 'F', 'R', 'S', 'U', 'H', 'u', ' ']);\r\nlet Networks = _GetWatchlist('SAP - Networks'); \r\nlet fixedNetworks = datatable(Network: string)['111.68.128.0/17']; // Maintain these if watchlist is not available\r\nlet allNetworks = union Networks, fixedNetworks\r\n | summarize by Network;\r\nABAPAuditLog_CL\r\n// Add audit classes\r\n| where MessageID_s in (AuditClasses)\r\n| where Variable1_s in (DialogLogonTypes) // Is a dialog logon type from the list\r\n| where isnotempty(TerminalIPv6_s) // There is a Ipv6 address\r\n| evaluate ipv4_lookup(allNetworks, TerminalIPv6_s, Network, return_unmatched = true)\r\n// Similar to regular lookup, by ipv4 address, unmatched is like left join\r\n| where isempty(Network) // Network is not familiar\r\n// Details\r\n| project TimeGenerated, SystemID_s, ClientID_s, User_s, TransactionCode_s, MessageText_s, AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + 
"TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "InitialAccess" + ], + "Name": "e6724904-d428-4e9a-be68-58a7b5b8b5fd", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0013f8-0000-0d00-0000-609013480000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - RFC Execution of a Sensitive Function Module", + "Description": "Identifies execution of a sensitive function module using RFC.\n\nSource Action: Execute a function module using RFC.\n\n**Recommended for Production only**\n\nFunction Modules should be maintained in watchlist \"SAP - Sensitive Function Modules\"\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620054771060)/", + "Query": "let Role = \"Production\";\r\nlet AuditClasses = dynamic(['AUK']); // Audit Log Classes - Successful RFC call &C (function group = &A)\r\nlet allSystemRoles = dynamic(['Sandbox', 'Developement', 'QualityAssurance', 'Training', 'Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP', 'CRM', 'BW', 'Solman', 'Gateway', 'Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems');\r\nlet fixedSID = datatable(SystemID: string, 
SystemRole: string, SystemUsage: string)\r\n // Maintain these if WatchList is not available \r\n [\"S4H\", \"Production\", \"ERP\",\r\n \"XXX\", \"Sandbox\", \"BW\"]\r\n; \r\n// Get Relevant Function Modules\r\nlet SensitiveFM = _GetWatchlist('SAP - Sensitive Function Modules');\r\nlet fixedFM = datatable(FunctionModule: string)\r\n // Maintain these if WatchList is not available \r\n [\"RSAU_CLEAR_AUDIT_LOG\"]\r\n; \r\nlet UnitedSystems = union systemID, fixedSID\r\n| where SystemRole == Role // Reccommended is Production only\r\n| summarize by SystemID;\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\nlet UnitedSensitive = union SensitiveFM, fixedFM\r\n| summarize by FunctionModule;\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project-rename FunctionModule = Variable3_s, FunctionGroup = Variable1_s\r\n| where SystemID_s in (UnitedSystems) // The systemID is in this list\r\n| where FunctionModule in (UnitedSensitive) // Function module is sensitive\r\n| order by TimeGenerated asc\r\n| project TimeGenerated, User_s, SystemID_s, ClientID_s, MessageText_s, FunctionGroup, FunctionModule, MessageID_s,\r\n AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s",
+ "QueryFrequency": {
+ "Ticks": 72000000000,
+ "Days": 0,
+ "Hours": 2,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.08333333333333333,
+ "TotalHours": 2,
+ "TotalMilliseconds": 7200000,
+ "TotalMinutes": 120,
+ "TotalSeconds": 7200
+ },
+ "QueryPeriod": {
+ "Ticks": 72000000000,
+ "Days": 0,
+ "Hours": 2,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.08333333333333333,
+ "TotalHours": 2,
+ "TotalMilliseconds": 7200000,
+ "TotalMinutes": 120,
+ "TotalSeconds": 7200
+ },
+ "Severity": "High",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Execution", + "LateralMovement", + "Discovery" + ], + "Name": "43cd34e4-1168-476c-87cf-4cd7961be96d", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a00d4f7-0000-0d00-0000-609012f30000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Function Module tested", + "Description": "Identifies testing of a function module.\n\nSource Action: Test a function module using SE37 / SE80.\n\n**Recommended for Production only**\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620054727004)/", + "Query": "let Role = 'Production';\r\nlet ProgramName = 'RS_TESTFRAME_CALL';\r\nlet AuditClasses = dynamic(['AUW']); // Audit Log Classes - Report Started\r\nlet allSystemRoles = dynamic(['Sandbox', 'Developement', 'QualityAssurance', 'Training', 'Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP', 'CRM', 'BW', 'Solman', 'Gateway', 'Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems');\r\nlet fixedSID = datatable(SystemID: string, SystemRole: string, SystemUsage: string)\r\n // Maintain these if WatchList is not available \r\n [\"S4H\", \"Production\", \"ERP\",\r\n \"XXX\", \"Sandbox\", \"BW\"]\r\n; \r\nlet UnitedSystem = \r\nunion systemID, fixedSID\r\n| summarize by SystemID, SystemRole, SystemUsage\r\n| where SystemRole == Role; // Reccommended is Production only\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where ABAPProgramName_s == ProgramName\r\n| project-rename SystemID = SystemID_s\r\n| lookup kind = inner (UnitedSystem) on SystemID\r\n| order by TimeGenerated asc\r\n| project 
TimeGenerated, User_s, SystemID, ClientID_s, MessageText_s, MessageID_s,\r\n AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s ",
+ "QueryFrequency": {
+ "Ticks": 216000000000,
+ "Days": 0,
+ "Hours": 6,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.25,
+ "TotalHours": 6,
+ "TotalMilliseconds": 21600000,
+ "TotalMinutes": 360,
+ "TotalSeconds": 21600
+ },
+ "QueryPeriod": {
+ "Ticks": 216000000000,
+ "Days": 0,
+ "Hours": 6,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.25,
+ "TotalHours": 6,
+ "TotalMilliseconds": 21600000,
+ "TotalMinutes": 360,
+ "TotalSeconds": 21600
+ },
+ "Severity": "High",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
+ "Tactics": [
+ "Collection",
+ "DefenseEvasion",
+ "LateralMovement"
+ ],
+ "Name": "a6c5dc96-5674-413b-b6fd-7cdd38e6bdd2",
+ "Type": "Microsoft.SecurityInsights/alertRules",
+ "Etag": "\"3a00b2f7-0000-0d00-0000-609012c70000\"",
+ "Kind": "Scheduled"
+ },
+ {
+ "AlertRuleTemplateName": null,
+ "DisplayName": "(Preview) SAP - High - Change in Sensitive privileged user",
+ "Description": "Identifies changes of sensitive privileged users. 
\n\nSource Action: Change user details / authorizations using SU01.\n\nPriveleged users should be maintained in \"SAP - Privileged Users\" Watchlist\n\n*Data Sources: SAPcon - Audit Log*",
+ "Enabled": true,
+ "LastModifiedUtc": "/Date(1620054175092)/",
+ "Query": "// Audit Log Classes - User Master Changes\r\nlet AuditClasses = dynamic(['AU7', 'BUV', 'BUW', 'AU8', 'AU9', 'AUA', 'AUB', 'AUD', 'DUH', 'BU2']);\r\n// Get Relevant User from WatchList\r\nlet PrivelegedUsers = _GetWatchlist('SAP - Privileged Users');\r\nlet fixedUsers = datatable(User: string)\r\n // Maintain these if WatchList is not available \r\n [\"SAP*\", \"DDIC\"]\r\n;\r\nlet UnitedPrivleged = union PrivelegedUsers, fixedUsers\r\n| summarize by User;\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where Variable1_s in (UnitedPrivleged) // The user that we are making change in is a sensitive privileged user\r\n| project TimeGenerated, SystemID_s, ClientID_s, User_s, MessageText_s, MessageID_s,\r\n AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n",
+ "QueryFrequency": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "QueryPeriod": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "Severity": "High",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
"Tactics": [ + "PrivilegeEscalation", + "CredentialAccess" + ], + "Name": "622281fc-37cb-46d8-b46d-9ef7817c3a9c", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a001df6-0000-0d00-0000-609010a00000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Brute force attacks", + "Description": "Identifies brute force attacks on SAP system according to failed logon attempts for the backend system.\n\nSource Action: Attempt to login from the same IP to several systems/clients within the scheduled time interval.\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053286881)/", + "Query": "// Define variables\r\n// Audit Log Classes - Failed Logons / Password Check\r\nlet AuditClasses = dynamic(['AUO', 'AU2', 'AU6', 'BU1']);\r\nlet perIPLimit = 6;\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| extend DetailsBy = pack(\"User\", User_s, \"Email\", Email_s, \"SystemID\", SystemID_s, \"ClientID\", ClientID_s)\r\n| summarize LoginbyIPAttempts = count(), Details = make_set(DetailsBy), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \r\n by TerminalIPv6_s\r\n// Check if number of login attempts per IP is higher than limit\r\n| where LoginbyIPAttempts > perIPLimit \r\n| mv-expand Details\r\n| evaluate bag_unpack(Details, \"Details_\")\r\n| project \r\n StartTime, EndTime, IPCustomEntity = TerminalIPv6_s,\r\n AccountCustomEntity = column_ifexists(\"Details_Email\", \"\"), column_ifexists(\"Details_User\", \"\"),\r\n column_ifexists(\"Details_SystemID\", \"\"),\r\n column_ifexists(\"Details_ClientID\", \"\")", + "QueryFrequency": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "QueryPeriod": { + "Ticks": 216000000000, + "Days": 0, + 
"Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "CredentialAccess" + ], + "Name": "9dd49f70-9d72-483b-8e03-051e37011ca1", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a004df0-0000-0d00-0000-60900d270000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Low - Multiple Password Changes by User", + "Description": "Identifies multiple password changes by user.\n\nSource Action: Change user password\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620052813352)/", + "Query": "// Define variables\r\nlet systemsPerUser = 3; // Systems Clients per User\r\nlet AuditClasses = dynamic(['BU2']); // Audit Log Claases - Password Changed\r\n// Query logic\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project-rename UserReset = Variable2_s\r\n| extend DetailsBy = pack(\"SystemID\", SystemID_s, \"ClientID\", ClientID_s)\r\n| summarize CountSysClient = dcount(strcat(SystemID_s, ClientID_s)), Details = make_set(DetailsBy), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) \r\n by UserReset, User_s, Email_s, TerminalIPv6_s\r\n| where CountSysClient > systemsPerUser // Number of passwords changed by user\r\n| mv-expand Details\r\n| evaluate bag_unpack(Details, \"Details_\") // Unpack the detatils to a couple of fields\r\n| project \r\n StartTime, EndTime, UserReset, User_s, AccountCustomEntity = Email_s, IPCustomEntity = 
TerminalIPv6_s,\r\n column_ifexists(\"Details_SystemID\", \"\"),\r\n column_ifexists(\"Details_ClientID\", \"\")",
+ "QueryFrequency": {
+ "Ticks": 108000000000,
+ "Days": 0,
+ "Hours": 3,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.125,
+ "TotalHours": 3,
+ "TotalMilliseconds": 10800000,
+ "TotalMinutes": 180,
+ "TotalSeconds": 10800
+ },
+ "QueryPeriod": {
+ "Ticks": 108000000000,
+ "Days": 0,
+ "Hours": 3,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.125,
+ "TotalHours": 3,
+ "TotalMilliseconds": 10800000,
+ "TotalMinutes": 180,
+ "TotalSeconds": 10800
+ },
+ "Severity": "Low",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
+ "Tactics": [
+ "CredentialAccess"
+ ],
+ "Name": "d1c3d55d-a2ab-45b4-ba3a-e2e66d77fbf3",
+ "Type": "Microsoft.SecurityInsights/alertRules",
+ "Etag": "\"3a000def-0000-0d00-0000-60900b4d0000\"",
+ "Kind": "Scheduled"
+ },
+ {
+ "AlertRuleTemplateName": null,
+ "DisplayName": "(Preview) SAP - High - HANA DB - Assign Admin Authorizations",
+ "Description": "Identifies admin privileges/roles assignment.\n\nSource Action: Assign a user with any Admin role / privileges.\n\n*Data Sources: Linux Agent - Syslog*",
+ "Enabled": true,
+ "LastModifiedUtc": "/Date(1620024576628)/",
+ "Query": "Syslog \r\n| where ProcessName startswith \"HDB\"\r\n| where SyslogMessage contains \"ADMIN\" and (SyslogMessage contains \"GRANT PRIVILEGE\" or SyslogMessage contains \"GRANT ROLE\")",
+ "QueryFrequency": {
+ "Ticks": 108000000000,
+ "Days": 0,
+ "Hours": 3,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.125,
+ "TotalHours": 3,
+ "TotalMilliseconds": 10800000,
+ "TotalMinutes": 180,
"TotalSeconds": 10800 + }, + "QueryPeriod": { + "Ticks": 108000000000, + "Days": 0, + "Hours": 3, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.125, + "TotalHours": 3, + "TotalMilliseconds": 10800000, + "TotalMinutes": 180, + "TotalSeconds": 10800 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation" + ], + "Name": "1b729014-51e1-4951-8bbf-87788385d4cf", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0014a4-0000-0d00-0000-608f9d020000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - HANA DB - User Admin actions", + "Description": "Identifies user administration actions.\n\nSouirce Action: Create/Update/Delete a DB User.\n\n*Data Sources: Linux Agent - Syslog*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620024602562)/", + "Query": "Syslog \r\n| where ProcessName startswith \"HDB\"\r\n| where SyslogMessage contains \"CREATE USER\" or \r\n SyslogMessage contains 'ALTER USER' or \r\n SyslogMessage contains 'DROP USER' or \r\n SyslogMessage contains 'DROP SCHEMA'", + "QueryFrequency": { + "Ticks": 108000000000, + "Days": 0, + "Hours": 3, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.125, + "TotalHours": 3, + "TotalMilliseconds": 10800000, + "TotalMinutes": 180, + "TotalSeconds": 10800 + }, + "QueryPeriod": { + "Ticks": 108000000000, + "Days": 0, + "Hours": 3, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.125, + "TotalHours": 3, + "TotalMilliseconds": 10800000, + "TotalMinutes": 180, + "TotalSeconds": 10800 + }, + "Severity": "High", + "SuppressionDuration": { + 
"Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation" + ], + "Name": "ee2ab407-37ba-4dfb-9586-288edd9eabfa", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a001ea4-0000-0d00-0000-608f9d1b0000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - HANA DB - Audit Trail Policy Changes", + "Description": "Identifies changes for HANA DB audit trail policies.\n\nSource Action: Create / update existing audit policy in security definitions.\n\n*Data Sources: Linux Agent - Syslog*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620024624064)/", + "Query": "Syslog \r\n| where ProcessName startswith \"HDB\"\r\n| where SyslogMessage contains \"AUDIT POLICY\" ", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "LateralMovement", + "DefenseEvasion", + 
"Persistence" + ], + "Name": "97d896da-eee8-4df2-8ef6-41bfa2fa4490", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a0024a4-0000-0d00-0000-608f9d310000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - HANA DB - Deactivation of Audit Trail", + "Description": "Identifies deactivation of HANA DB audit log.\n\nSource Action: Deactivate Audit Log in HANA DB security defnitions.\n\n*Data Sources: Linux Agent - Syslog*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620024742785)/", + "Query": "Syslog \r\n| where ProcessName startswith \"HDB\"\r\n| where SyslogMessage contains \"AUDIT CONFIGURATION\" and \r\n SyslogMessage contains 'global_auditing_state' and \r\n SyslogMessage contains 'False'", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "Persistence", + "LateralMovement", + "DefenseEvasion" + ], + "Name": "3df3b8ce-5fe4-44d3-b339-28de2feec8ae", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a005ea4-0000-0d00-0000-608f9da70000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) 
SAP - Medium - Debugging Activities",
+ "Description": "Identifies all debugging related activities.\n\nSource Action: Activate Debug (\"/h\") in system, debug an active process, add breakpoint to source code etc.\n\n**Recommended for Production only**\n\n*Data Sources: SAPcon - Audit Log*",
+ "Enabled": true,
+ "LastModifiedUtc": "/Date(1620053159704)/",
+ "Query": "let Role = 'Production';\r\nlet DebuggerProgram = 'RSTPDAMAIN';\r\nlet AuditClasses = dynamic(['CUK','CUL','CUM','CUN','CUO','CUP']); // Audit Log Classes - Debug Activities\r\nlet allSystemRoles = dynamic(['Sandbox','Developement','QualityAssurance','Training','Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP','CRM','BW','Solman','Gateway','Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems')\r\n| where SystemRole == Role; // Reccommended is Production only\r\nlet fixedSID = datatable(SystemID:string, SystemRole:string, SystemUsage:string)\r\n// Maintain these if WatchList is not available \r\n [\"S4H\",\"Production\",\"ERP\",\r\n \"XXX\",\"Sandbox\",\"BW\"]\r\n | where SystemRole == Role // Reccommended is Production only\r\n; \r\nlet SystemUnited = union systemID, fixedSID\r\n| summarize by SystemID, SystemRole, SystemUsage;\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\nABAPAuditLog_CL \r\n | where MessageID_s in (AuditClasses) or ABAPProgramName_s == DebuggerProgram // Get logs by messege ID or program name\r\n | project-rename SystemID = SystemID_s\r\n | lookup kind=inner (SystemUnited) on SystemID\r\n | order by TimeGenerated asc\r\n | project TimeGenerated, User_s, MessageText_s, ABAPProgramName_s, TransactionCode_s, SystemID, SystemRole, SystemUsage,MessageID_s, AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s",
+ "QueryFrequency": {
+ "Ticks": 108000000000,
+ "Days": 0,
+ "Hours": 3,
+ "Milliseconds": 
0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.125,
+ "TotalHours": 3,
+ "TotalMilliseconds": 10800000,
+ "TotalMinutes": 180,
+ "TotalSeconds": 10800
+ },
+ "QueryPeriod": {
+ "Ticks": 108000000000,
+ "Days": 0,
+ "Hours": 3,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.125,
+ "TotalHours": 3,
+ "TotalMilliseconds": 10800000,
+ "TotalMinutes": 180,
+ "TotalSeconds": 10800
+ },
+ "Severity": "Medium",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
+ "Tactics": [
+ "Discovery"
+ ],
+ "Name": "906e409e-2c3e-445f-bdcc-bf1aa7f566a4",
+ "Type": "Microsoft.SecurityInsights/alertRules",
+ "Etag": "\"3a00f2ef-0000-0d00-0000-60900ca80000\"",
+ "Kind": "Scheduled"
+ },
+ {
+ "AlertRuleTemplateName": null,
+ "DisplayName": "(Preview) SAP - High - Data has Changed during Debugging Activity",
+ "Description": "Identifies changes for runtime data during a debugging activity.\nSource Action: Activate Debug (\"/h\"), Select a field for change and update it's value.\n\n**Recommended for Production only**\n\n*Data Sources: SAPcon - Audit Log*",
+ "Enabled": true,
+ "LastModifiedUtc": "/Date(1620053968033)/",
+ "Query": "let Role = 'Production';\r\nlet AuditClasses = dynamic(['CUL']); // Audit Log Classes - Debug Change\r\nlet allSystemRoles = dynamic(['Sandbox','Developement','QualityAssurance','Training','Production']); // Available System Roles\r\nlet allSystemUsage = dynamic (['ERP','CRM','BW','Solman','Gateway','Enterprise Portal']); // Available System Usages\r\n// Get Relevant Systems from WatchList\r\nlet systemID = _GetWatchlist('SAP - Systems');\r\nlet fixedSID = datatable(SystemID:string, SystemRole:string, SystemUsage:string)\r\n// Maintain these 
if WatchList is not available \r\n [\"S4H\",\"Production\",\"ERP\",\r\n \"XXX\",\"Sandbox\",\"BW\"]\r\n;\r\nlet UnitedSystem = \r\nunion systemID, fixedSID\r\n| summarize by SystemID, SystemRole, SystemUsage\r\n| where SystemRole == Role; // Reccommended is Production only\r\n//| where SystemRole in (allSystemRoles); // Use this for all system roles\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project-rename SystemID = SystemID_s\r\n| lookup kind = inner (UnitedSystem) on SystemID\r\n| project TimeGenerated, User_s, MessageText_s, ABAPProgramName_s, TransactionCode_s, SystemID, SystemRole, SystemUsage,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n",
+ "QueryFrequency": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "QueryPeriod": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "Severity": "High",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
+ "Tactics": [
+ "Execution",
+ "LateralMovement"
+ ],
+ "Name": "d4316d15-8ae0-4b8a-abad-c1d921e07bc3",
+ "Type": "Microsoft.SecurityInsights/alertRules",
+ "Etag": "\"3a0085f2-0000-0d00-0000-60900fd00000\"",
+ "Kind": "Scheduled"
+ },
+ {
+ "AlertRuleTemplateName": null,
+ "DisplayName": "(Preview) SAP - High - System Configuration Change",
+ "Description": "Identifies 
changes for system configuration. \n\nSource Action: Adapt system change options or software components modifcation using SE06 transaction code.\n\n*Data Sources: SAPcon - Audit Log*",
+ "Enabled": true,
+ "LastModifiedUtc": "/Date(1620053932658)/",
+ "Query": "// Audit Log Classes - System Change Configuration\r\nlet AuditClasses = dynamic(['EU1']); // Relevent message\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project \r\n// Details\r\nTimeGenerated, SystemID_s, User_s, TransactionCode_s, SoftwareComponent = Variable1_s, NewModifiabilityStatus = Variable2_s, MessageText_s,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n",
+ "QueryFrequency": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "QueryPeriod": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "Severity": "High",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
+ "Tactics": [
+ "Exfiltration",
+ "DefenseEvasion",
+ "Persistence"
+ ],
+ "Name": "aa1ba33d-0791-4a1a-84cc-e2e707c41e32",
+ "Type": "Microsoft.SecurityInsights/alertRules",
+ "Etag": "\"3a006ef2-0000-0d00-0000-60900fac0000\"",
+ "Kind": "Scheduled"
+ },
+ {
+ "AlertRuleTemplateName": null,
+ "DisplayName": "(Preview) SAP - High - Client Configuration Change",
+ "Description": "Identifies 
changes for client configuration such as: Client role, Changes recording mode. \n\nSource Action: Perofrm client configurations changes using SCC4 transaction code. \n\n*Data Sources: SAPcon - Audit Log*",
+ "Enabled": true,
+ "LastModifiedUtc": "/Date(1620053886970)/",
+ "Query": "// Audit Log Classes - Client Change Configuration\r\nlet AuditClasses = dynamic(['EU2']); // Relevent message\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| project-rename ClientID = Variable1_s \r\n| parse Variable2_s with Currency \"|\" ClientRole \"|\" RecordingChanges \"|\" CrossClientObjectChanges \"|\" ClientCopyProtectionLevel \"|\" ProtectionSAPUpgrade \"|\" CATTeCATT \"|\" LockedforCopy // Parse every object before the | char \r\n| project TimeGenerated, SystemID_s, User_s, ClientID, \r\nCurrency,ClientRole,RecordingChanges,CrossClientObjectChanges,ClientCopyProtectionLevel,CATTeCATT,LockedforCopy,ProtectionSAPUpgrade,\r\nMessageText_s,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n",
+ "QueryFrequency": {
+ "Ticks": 180000000000,
+ "Days": 0,
+ "Hours": 5,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.20833333333333331,
+ "TotalHours": 5,
+ "TotalMilliseconds": 18000000,
+ "TotalMinutes": 300,
+ "TotalSeconds": 18000
+ },
+ "QueryPeriod": {
+ "Ticks": 180000000000,
+ "Days": 0,
+ "Hours": 5,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.20833333333333331,
+ "TotalHours": 5,
+ "TotalMilliseconds": 18000000,
+ "TotalMinutes": 300,
+ "TotalSeconds": 18000
+ },
+ "Severity": "High",
+ "SuppressionDuration": {
+ "Ticks": 36000000000,
+ "Days": 0,
+ "Hours": 1,
+ "Milliseconds": 0,
+ "Minutes": 0,
+ "Seconds": 0,
+ "TotalDays": 0.041666666666666664,
+ "TotalHours": 1,
+ "TotalMilliseconds": 3600000,
+ "TotalMinutes": 60,
+ "TotalSeconds": 3600
+ },
+ "SuppressionEnabled": false,
+ "TriggerOperator": 0,
+ "TriggerThreshold": 0,
+ "Tactics": [
+ "DefenseEvasion",
"Exfiltration", + "Persistence" + ], + "Name": "3af5fd8d-493d-4474-abf2-a901f487c3fd", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a004cf2-0000-0d00-0000-60900f7f0000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - High - Sensitive privileged user makes a change in other user", + "Description": "Identifies changes of sensitive privileged users in other users.\n\nSource Action: Change user details / authorizations using SU01.\n\nPriveleged users should be maintained in \"SAP - Privileged Users\" Watchlist\n\n*Data Sources: SAPcon - Audit Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053825331)/", + "Query": "// Audit Log Classes - User Master Changes\r\nlet AuditClasses = dynamic(['AU7', 'BUV', 'BUW', 'AU8', 'AU9', 'AUA', 'AUB', 'AUD', 'DUH', 'BU2']);\r\n// Get Relevant User from WatchList\r\nlet PrivelegedUsers = _GetWatchlist('SAP - Privileged Users');\r\nlet fixedUsers = datatable(User: string)\r\n // Maintain these if WatchList is not available \r\n [\"SAP*\", \"DDIC\"]\r\n;\r\nlet UnitedPrivleged = union PrivelegedUsers, fixedUsers\r\n| summarize by User;\r\nABAPAuditLog_CL \r\n| where MessageID_s in (AuditClasses)\r\n| where User_s in (UnitedPrivleged) // The user that makes a change is a sensitive privileged user\r\n| project TimeGenerated, SystemID_s, ClientID_s, User_s, MessageText_s, MessageID_s,\r\n AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s\r\n", + "QueryFrequency": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "QueryPeriod": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + 
"TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "Severity": "High", + "SuppressionDuration": { + "Ticks": 180000000000, + "Days": 0, + "Hours": 5, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.20833333333333331, + "TotalHours": 5, + "TotalMilliseconds": 18000000, + "TotalMinutes": 300, + "TotalSeconds": 18000 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation", + "CredentialAccess" + ], + "Name": "c3cea8b5-236c-4c8a-b85b-00ae203e0160", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a002cf2-0000-0d00-0000-60900f410000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Critical authorizations assignment - New User Assignment", + "Description": "Identifies assignment of a critical authorization object value to a new user.\n\nSource Action: Assign a new user to a role which holds critical authorization values using SU01/PFCG.\n\nCritical authorization objects should be maintained in watchlist \"\"SAP - Critical Authorization Objects\"\"\n\n*Data Sources: SAPcon - Change Documents Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053061671)/", + "Query": "// New Assigned Users\r\nlet ObjectClassRoles = 'PFCG';\r\nlet TableName = 'CD1251';\r\nlet UsersRoles = 'AGR_USERS';\r\nlet Insert = \"I\";\r\nlet NotInUse = 'NOT_IN_USE';\r\nlet logsThreshold = 3; // 3 seconds\r\n// Audit Log Classes - Authorizations for user changed\r\nlet AuditClasses = dynamic(['AUB','AUD']); // Authorizations for user &A changed. 
User Master Record Changed\r\n// Roles Change Documents - Extract Auth Object and Obj Field\r\nlet allHistory = ago(0d);\r\nlet alertSched = ago(6h); // Please maintain according to schedule\r\n// Maintain these if System doesn't have CR's\r\nlet fixedChangeDocs = datatable(User_s : string, ObjectClass_s : string, TableName_s : string, TypeofChange_Item_s : string , ChangedTableKey_s : string, ObjectID_s : string, TimeGenerated : datetime, ValueNew_s : string, SystemID_s : string)[];\r\nlet ChangeDocs = \r\nunion isfuzzy=true table(\"ABAPChangeDocsLog_CL\"), fixedChangeDocs;\r\nlet RolesAuthObject = ChangeDocs \r\n | where TimeGenerated <= allHistory\r\n | where ObjectClass_s == ObjectClassRoles and TableName_s == TableName // Role-Obj-Profile-ObjField\r\n | where TypeofChange_Item_s in ('J', 'I', 'U') // Insert\r\n | extend RoleObjProfileObjFieldVer = ChangedTableKey_s, Role = ObjectID_s\r\n | extend ObjFieldValue = ValueNew_s \r\n | extend ObjField = trim(@\"\\s*?\", extract(@\"(^.{1,30})\\s*?(.{1,10})\\s*?(.{1,12})\\s*?(.{1,10})\\s*?\\d{6}\", 4, RoleObjProfileObjFieldVer, typeof(string)))\r\n | extend AuthObject = trim(@\"\\s*?\", extract(@\"(^.{1,30})\\s*?(.{1,10})\\s*?(.{1,12})\\s*?(.{1,10})\\s*?\\d{6}\", 2, RoleObjProfileObjFieldVer, typeof(string)))\r\n | summarize by SystemID_s, Role, AuthObject, ObjField, ObjFieldValue;\r\nlet ComplexAuth = _GetWatchlist('SAP - Critical Authorizations');\r\nlet SimpleAuth = _GetWatchlist('SAP - Critical Authorizations');\r\nlet fixedComplexAuth = datatable(AuthorizationObject: string, AuthorizationField: string, AuthorizationValue: string, ActivityField: string, Activity: string)\r\n ['S_DEVELOP', 'OBJTYPE', 'DEBUG', 'ACTVT', '*',\r\n 'S_DEVELOP', 'OBJTYPE', 'DEBUG', 'ACTVT', '02']; // Maintain these if WatchList is not available\r\nlet fixedSimpleAuth = datatable(AuthorizationObject: string, AuthorizationField: string, AuthorizationValue: string, ActivityField: string, Activity: string)\r\n ['S_TCODE', 'TCD', '*', 
'NOT_IN_USE', '',\r\n 'S_TZONE', 'ACTVT', '*', 'NOT_IN_USE', '']; // Maintain these if WatchList is not available\r\nlet usersinRole = \r\n ChangeDocs \r\n | where TimeGenerated >= alertSched\r\n | where ObjectClass_s == ObjectClassRoles // Roles\r\n and TableName_s == UsersRoles // Users Roles\r\n and TypeofChange_Item_s == Insert // Insert \r\n | extend UserAssigned = extract(@\"^.{1,33}\\s*?(.{1,12})\\s*?\\d{16}\", 1, ChangedTableKey_s)\r\n | extend Role = ObjectID_s\r\n | extend TimeGenUserinRole = TimeGenerated;\r\n //| summarize by TimeGenerated, SystemID_s, ClientID_s, Role, UserAssigned, User_s\r\nlet RolesAuthObjectCheck = \r\n RolesAuthObject \r\n | extend ObjFieldVal = ObjFieldValue\r\n | lookup kind = leftouter \r\n (RolesAuthObject \r\n | extend ActivityVal = ObjFieldValue)\r\n on Role, AuthObject;\r\nlet complexScenario = \r\n union ComplexAuth, fixedComplexAuth\r\n | where ActivityField != NotInUse\r\n | summarize by AuthorizationObject, AuthorizationField, AuthorizationValue, ActivityField, Activity\r\n | lookup kind = inner (RolesAuthObjectCheck)\r\n on $left.AuthorizationObject == $right.AuthObject \r\n and $left.AuthorizationField == $right.ObjField \r\n and $left.AuthorizationValue == $right.ObjFieldValue\r\n and $left.ActivityField == $right.ObjField1\r\n and $left.Activity == $right.ActivityVal;\r\nlet simpleScenario = \r\n union SimpleAuth, fixedSimpleAuth\r\n | where ActivityField == NotInUse\r\n | summarize by AuthorizationObject, AuthorizationField, AuthorizationValue, ActivityField, Activity \r\n | lookup kind = inner (RolesAuthObject)\r\n on $left.AuthorizationObject == $right.AuthObject \r\n and $left.AuthorizationField == $right.ObjField \r\n and $left.AuthorizationValue == $right.ObjFieldValue;\r\nlet GetEntites = \r\n ABAPAuditLog_CL \r\n | where TimeGenerated >= alertSched\r\n | where MessageID_s in (AuditClasses)\r\n | summarize by TimeGenerated, TerminalIPv6_s, ClientID_s, User_s, Host_s, Email_s\r\n | extend TimeGenAudit = 
TimeGenerated; \r\nunion complexScenario, simpleScenario\r\n| lookup kind = inner (usersinRole) on SystemID_s, Role\r\n| lookup kind = leftouter (GetEntites) on User_s\r\n| where abs(datetime_diff('second', TimeGenUserinRole, TimeGenAudit)) <= logsThreshold or\r\nisnull(TimeGenAudit)\r\n| project \r\n // Details\r\nTimeGenUserinRole, SystemID_s, ClientID_s, Role, User_s, UserAssigned, AuthorizationObject, AuthorizationField, AuthorizationValue, ActivityField, Activity,\r\nAccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "QueryPeriod": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation" + ], + "Name": "24914031-b93a-48d4-a5fd-38341e362f34", + "Type": "Microsoft.SecurityInsights/alertRules", + "Etag": "\"3a00a7ef-0000-0d00-0000-60900c460000\"", + "Kind": "Scheduled" + }, + { + "AlertRuleTemplateName": null, + "DisplayName": "(Preview) SAP - Medium - Critical authorizations assignment - New Authorization Value", + "Description": "Identifies assignment of a critical authorization object value to a new user.\n\nSource Action: Assign a new authorization object / update existing one in a role using 
PFCG.\n\nCritical authorization objects should be maintained in watchlist \"\"SAP - Critical Authorization Objects\"\"\n\n*Data Sources: SAPcon - Change Documents Log*", + "Enabled": true, + "LastModifiedUtc": "/Date(1620053001187)/", + "Query": "// New Assigned Objects\r\nlet ObjectClassRoles = 'PFCG';\r\nlet TableName = 'CD1251';\r\nlet UsersRoles = 'AGR_USERS';\r\nlet Insert = \"I\";\r\nlet NotInUse = 'NOT_IN_USE';\r\nlet logsThreshold = 3; // 3 seconds\r\n// Audit Log Classes - Authorizations for user changed\r\nlet AuditClasses = dynamic(['AUR','AUT']); // Authorization/Authorization Profile &B created / changed.\r\n// Roles Change Documents - Extract Auth Object and Obj Field\r\nlet allHistory = ago(0d);\r\nlet alertSched = ago(6h); // Please maintain according to schedule\r\n// Maintain these if System doesn't have CR's\r\nlet fixedChangeDocs = datatable(User_s : string, ObjectClass_s : string, TableName_s : string, TypeofChange_Item_s : string , ChangedTableKey_s : string, ObjectID_s : string, TimeGenerated : datetime, ValueNew_s : string, SystemID_s : string)[];\r\nlet ChangeDocs = \r\nunion isfuzzy=true table(\"ABAPChangeDocsLog_CL\"), fixedChangeDocs;\r\nlet RolesAuthObject = ChangeDocs \r\n | where TimeGenerated >= alertSched\r\n | where ObjectClass_s == ObjectClassRoles and TableName_s == TableName // Role-Obj-Profile-ObjField\r\n | where TypeofChange_Item_s in ('J', 'I', 'U') // Insert\r\n | extend RoleObjProfileObjFieldVer = ChangedTableKey_s, Role = ObjectID_s\r\n | extend ObjFieldValue = ValueNew_s \r\n | extend ObjField = trim(@\"\\s*?\", extract(@\"(^.{1,30})\\s*?(.{1,10})\\s*?(.{1,12})\\s*?(.{1,10})\\s*?\\d{6}\", 4, RoleObjProfileObjFieldVer, typeof(string)))\r\n | extend AuthObject = trim(@\"\\s*?\", extract(@\"(^.{1,30})\\s*?(.{1,10})\\s*?(.{1,12})\\s*?(.{1,10})\\s*?\\d{6}\", 2, RoleObjProfileObjFieldVer, typeof(string)))\r\n | extend TimeGenRoleAuth = TimeGenerated;\r\nlet ComplexAuth = _GetWatchlist('SAP - Critical Authorizations');\r\nlet 
SimpleAuth = _GetWatchlist('SAP - Critical Authorizations');\r\nlet fixedComplexAuth = datatable(AuthorizationObject: string, AuthorizationField: string, AuthorizationValue: string, ActivityField: string, Activity: string)\r\n ['S_DEVELOP', 'OBJTYPE', 'DEBUG', 'ACTVT', '*',\r\n 'S_DEVELOP', 'OBJTYPE', 'DEBUG', 'ACTVT', '02']; // Maintain these if WatchList is not available\r\nlet fixedSimpleAuth = datatable(AuthorizationObject: string, AuthorizationField: string, AuthorizationValue: string, ActivityField: string, Activity: string)\r\n ['S_TCODE', 'TCD', '*', 'NOT_IN_USE', '',\r\n 'S_TZONE', 'ACTVT', '*', 'NOT_IN_USE', '']; // Maintain these if WatchList is not available\r\nlet usersinRole = \r\n ChangeDocs \r\n | where TimeGenerated <= allHistory\r\n | where ObjectClass_s == ObjectClassRoles // Roles\r\n and TableName_s == UsersRoles // Users Roles\r\n and TypeofChange_Item_s == Insert // Insert \r\n | extend UserAssigned = extract(@\"^.{1,33}\\s*?(.{1,12})\\s*?\\d{16}\", 1, ChangedTableKey_s)\r\n | extend Role = ObjectID_s\r\n | summarize by SystemID_s, Role, UserAssigned;\r\nlet RolesAuthObjectCheck = \r\n RolesAuthObject \r\n | extend ObjFieldVal = ObjFieldValue\r\n | lookup kind = leftouter \r\n (RolesAuthObject \r\n | extend ActivityVal = ObjFieldValue)\r\n on Role, AuthObject;\r\nlet complexScenario = union ComplexAuth, fixedComplexAuth\r\n | where ActivityField != NotInUse\r\n | summarize by AuthorizationObject, AuthorizationField, AuthorizationValue, ActivityField, Activity\r\n | lookup kind = inner (RolesAuthObjectCheck)\r\n on $left.AuthorizationObject == $right.AuthObject \r\n and $left.AuthorizationField == $right.ObjField \r\n and $left.AuthorizationValue == $right.ObjFieldValue\r\n and $left.ActivityField == $right.ObjField1\r\n and $left.Activity == $right.ActivityVal;\r\nlet simpleScenario = \r\n union SimpleAuth, fixedSimpleAuth\r\n | where ActivityField == NotInUse\r\n | summarize by AuthorizationObject, AuthorizationField, AuthorizationValue, 
ActivityField, Activity \r\n | lookup kind = inner (RolesAuthObject)\r\n on $left.AuthorizationObject == $right.AuthObject \r\n and $left.AuthorizationField == $right.ObjField \r\n and $left.AuthorizationValue == $right.ObjFieldValue;\r\nlet GetEntities =\r\n ABAPAuditLog_CL \r\n | where MessageID_s in (AuditClasses)\r\n | summarize by TimeGenerated, ClientID_s, TerminalIPv6_s, User_s, Host_s, Email_s\r\n | extend TimeGenAudit = TimeGenerated;\r\nunion complexScenario, simpleScenario\r\n| lookup kind = inner (usersinRole) on SystemID_s, Role\r\n| lookup kind = leftouter (GetEntities) on User_s\r\n| where abs(datetime_diff('second', TimeGenRoleAuth, TimeGenAudit)) <= logsThreshold or\r\nisnull(TimeGenAudit)\r\n| project \r\n // Details\r\nTimeGenRoleAuth, SystemID_s, ClientID_s, Role, User_s, UserAssigned, AuthorizationObject, AuthorizationField, AuthorizationValue, ActivityField, Activity,AccountCustomEntity = Email_s, IPCustomEntity = TerminalIPv6_s, HostCustomEntity = Host_s", + "QueryFrequency": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "QueryPeriod": { + "Ticks": 216000000000, + "Days": 0, + "Hours": 6, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.25, + "TotalHours": 6, + "TotalMilliseconds": 21600000, + "TotalMinutes": 360, + "TotalSeconds": 21600 + }, + "Severity": "Medium", + "SuppressionDuration": { + "Ticks": 36000000000, + "Days": 0, + "Hours": 1, + "Milliseconds": 0, + "Minutes": 0, + "Seconds": 0, + "TotalDays": 0.041666666666666664, + "TotalHours": 1, + "TotalMilliseconds": 3600000, + "TotalMinutes": 60, + "TotalSeconds": 3600 + }, + "SuppressionEnabled": false, + "TriggerOperator": 0, + "TriggerThreshold": 0, + "Tactics": [ + "PrivilegeEscalation" + ], + "Name": "5911c32c-0aff-498b-8733-a245f0eb0dc8", + "Type": 
"Microsoft.SecurityInsights/alertRules",
+ "Etag": "\"3a0085ef-0000-0d00-0000-60900c0a0000\"",
+ "Kind": "Scheduled"
+ }
+]
\ No newline at end of file
diff --git a/Solutions/SAP/Analytics/Sentinel SAPCon Logs and Analytics.docx b/Solutions/SAP/Analytics/Sentinel SAPCon Logs and Analytics.docx
new file mode 100644
index 0000000000..e892083588
Binary files /dev/null and b/Solutions/SAP/Analytics/Sentinel SAPCon Logs and Analytics.docx differ
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Critical Authorizations.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Critical Authorizations.csv
new file mode 100644
index 0000000000..8c071f0e8f
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Critical Authorizations.csv
@@ -0,0 +1,9 @@
+AuthorizationObject,AuthorizationField,AuthorizationValue,ActivityField,Activity,Description
+S_DEVELOP,OBJTYPE,DEBUG,ACTVT,02,Debug Change Authorizations
+S_DEVELOP,OBJTYPE,*,ACTVT,02,All development activities - include debug
+S_DEVELOP,OBJTYPE,DEBUG,ACTVT,*,Debug All Activites (Including Change)
+S_DEVELOP,OBJTYPE,*,ACTVT,*,All development activities - include debug
+S_RFC,RFCNAME,*,ACTVT,16,Execution of all RFC Services
+S_RFC,RFCNAME,*,ACTVT,*,Execution of all RFC Services
+S_TCODE,TCD,*,NOT_IN_USE,,All Transaction Codes - Example without Activity
+S_TZONE,ACTVT,*,NOT_IN_USE,,Maintain System Time Zone - Example only with Activity
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Excluded Networks.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Excluded Networks.csv
new file mode 100644
index 0000000000..5bc359f21d
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Excluded Networks.csv
@@ -0,0 +1,3 @@
+Network,Description
+111.68.128.0/1,My Terminal Server
+123.68.128.0/1,My Citrix
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Excluded Users.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Excluded Users.csv
new file mode 100644
index 0000000000..a3e33c1ae7
--- /dev/null
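Review bot: The watchlist is created under the name `SAP - Critical Authorizations`, which is what the two critical-authorization rules read through `_GetWatchlist('SAP - Critical Authorizations')`, yet both rule descriptions tell the operator to maintain a watchlist called "SAP - Critical Authorization Objects". An operator who follows the description creates a watchlist the query never reads, and because the queries union the watchlist with the hard-coded `fixedComplexAuth` / `fixedSimpleAuth` rows, the rules keep running on just those sample pairs with no visible error. Align the descriptions with this file name (or rename the file to match), and while there drop the doubled escapes in `\"\"SAP - Critical Authorization Objects\"\"`, which render as two quote characters on each side.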
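Review bot: Both exclusion entries use a /1 prefix, `111.68.128.0/1` and `123.68.128.0/1`, which each denote half of the IPv4 space rather than a site range; a rule that exempts source addresses matched by this watchlist would suppress everything from roughly 0.0.0.0 to 127.255.255.255. The sibling `SAP - Networks.csv` lists the same first range as `111.68.128.0/17`, so /1 looks like a truncated /17. Even as sample data the rows should be narrow, e.g. `111.68.128.0/17,My Terminal Server` and `123.68.128.0/17,My Citrix`, and the header comment or README should say that this list removes traffic from detection and must be kept tight.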
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Excluded Users.csv
@@ -0,0 +1,2 @@
+User,Description
+SYSWF,WF
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Networks.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Networks.csv
new file mode 100644
index 0000000000..84294bbf64
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Networks.csv
@@ -0,0 +1,4 @@
+Network,Description
+111.68.128.0/17,Our internal Network
+5.8.0.0/19,SAP Support Network
+223.255.254.0/24,Our Support Network
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Privileged Users.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Privileged Users.csv
new file mode 100644
index 0000000000..49aa38adf0
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Privileged Users.csv
@@ -0,0 +1,7 @@
+User,Description
+SAP*,SAP*
+DDIC,"Dictionary, Internal"
+ALEREMOTE,BW User
+BWREMOTE,BW User
+SAPSYS,"SAP System, Internal"
+WF-BATCH,Workflow Batch
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive ABAP Programs.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive ABAP Programs.csv
new file mode 100644
index 0000000000..aeb76063bb
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive ABAP Programs.csv
@@ -0,0 +1,9 @@
+ABAPProgram,Description
+RSPFLDOC,Profile Parameter Maintenance
+/1BCDWB/DBUSR02,Data Browser - USR02
+/1BCDWB/DBUSH02,Data Browser - USH02
+/1BCDWB/DBUSRPWDHISTORY,Data Browser - USRPWDHISTORY
+RDDGENBB,DD: Dispatcher for Converter and Distributor
+RSBDCOS0,Execute OS Command (Logged in SYSLOG and Trace Files)
+RSCDOK99,Delete Change Documents
+RSTBPDEL,Table Log Database Management: Delete Logs
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Function Modules.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Function Modules.csv
new file mode 100644
index 0000000000..764a675ef7
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Function Modules.csv
@@ -0,0 +1,23 @@
+FunctionModule,Description
+RSAU_CLEAR_AUDIT_LOG,Delete Audit Log
+BAPI_USER_CREATE,Create User
+BAPI_USER_CREATE1,Create User
+BAPI_USER_DELETE,Delete user
+BAPI_USER_GET_DETAIL,Read User Details
+BAPI_USER_PROFILES_ASSIGN,Change User-Profile Assignments
+EPS_GET_DIRECTORY_LISTING,
+PFL_CHECK_OS_FILE_EXISTENCE,
+PRGN_INTERFACE_USER,
+RFC_ABAP_INSTALL_AND_RUN,
+RFC_GET_TABLE_ENTRIES,Read table entries
+RFC_READ_TABLE,External access to R/3 tables via RFC
+RS_FUNCTIONMODULE_INSERT,
+RZL_READ_DIR_LOCAL,
+SUSR_RFC_USER_INTERFACE,
+SXPG_CALL_SYSTEM,Execute an External Command
+SXPG_COMMAND_EXECUTE,Execute an External Command
+SXPG_COMMAND_EXECUTE_LONG,Execute an External Command
+TABLE_ENTRIES_GET_VIA_RFC,
+TH_REMOTE_TRANSACTION,Start Remote Transaction
+TH_SAPREL,
+TMS_CI_START_SERVICE,
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Profiles.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Profiles.csv
new file mode 100644
index 0000000000..c89556fe93
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Profiles.csv
@@ -0,0 +1,3 @@
+Profile,Description
+SAP_ALL,All SAP Systems Authorizations
+SAP_NEW,New Authorizations Checks
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Roles.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Roles.csv
new file mode 100644
index 0000000000..4ef403a84a
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Roles.csv
@@ -0,0 +1,5 @@
+Role,Description
+Z_FIGL_POSTING_ADMIN,Custom example role
+SAP_BC_AUTH_DATA_ADMIN,Authorization Data Administrator
+SAP_BC_AUTH_PROFILE_ADMIN,Authorization Profile Administrator
+SAP_BC_BASIS_ADMIN,System Administrator
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Tables.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Tables.csv
new file mode 100644
index 0000000000..6e90682bbc
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Tables.csv
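Review bot: Ten of the 22 entries have an empty Description cell (`EPS_GET_DIRECTORY_LISTING,`, `PFL_CHECK_OS_FILE_EXISTENCE,`, `PRGN_INTERFACE_USER,`, `RFC_ABAP_INSTALL_AND_RUN,`, `RS_FUNCTIONMODULE_INSERT,`, `RZL_READ_DIR_LOCAL,`, `SUSR_RFC_USER_INTERFACE,`, `TABLE_ENTRIES_GET_VIA_RFC,`, `TH_SAPREL,`, `TMS_CI_START_SERVICE,`), while every other watchlist in this commit describes each row. If a rule projects Description into the alert, the analyst gets a blank field for exactly these entries. Give each a one-line purpose in the same style as `SXPG_CALL_SYSTEM,Execute an External Command` before the watchlist ships as a template.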
@@ -0,0 +1,5 @@
+Table,Description
+USR02,Logon Data
+PA0008,Basic Pay Infotype
+USH02,Change history for logon data
+USRPWDHISTORY,Change History for Logon Data: Last Entries from Archive
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Transactions.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Transactions.csv
new file mode 100644
index 0000000000..4a59a09956
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Sensitive Transactions.csv
@@ -0,0 +1,3 @@
+TransactionCode,Description
+RSAU_CONFIG,Audit Log Configuration
+RZ11,Profile Parameter Maintenance
diff --git a/Solutions/SAP/Analytics/Watchlists/SAP - Systems.csv b/Solutions/SAP/Analytics/Watchlists/SAP - Systems.csv
new file mode 100644
index 0000000000..745e98dbe1
--- /dev/null
+++ b/Solutions/SAP/Analytics/Watchlists/SAP - Systems.csv
@@ -0,0 +1,31 @@
+SystemID,SystemRole,SystemUsage
+S4X,Sandbox,ERP
+S4D,Development,ERP
+S4Q,QualityAssurance,ERP
+S4T,Training,ERP
+S4P,Production,ERP
+S4H,Production,ERP
+B4X,Sandbox,BW
+B4D,Development,BW
+B4Q,QualityAssurance,BW
+B4T,Training,BW
+B4P,Production,BW
+SMX,Sandbox,Solman
+SMD,QualityAssurance,Solman
+SMQ,Training,Solman
+SMP,Production,Solman
+C4X,Sandbox,CRM
+C4D,Development,CRM
+C4Q,QualityAssurance,CRM
+C4T,Training,CRM
+C4P,Production,CRM
+GWX,Sandbox,Gateway
+GWD,Development,Gateway
+GWQ,QualityAssurance,Gateway
+GWT,Training,Gateway
+GWP,Production,Gateway
+EPS,Sandbox,Enterpirse Portal
+EPD,Development,Enterpirse Portal
+EPQ,QualityAssurance,Enterpirse Portal
+EPT,Training,Enterpirse Portal
+EPP,Production,Enterpirse Portal
diff --git a/Solutions/SAP/CR/K900114.NPL b/Solutions/SAP/CR/K900114.NPL
new file mode 100644
index 0000000000..2e0f18ef0d
--- /dev/null
+++ b/Solutions/SAP/CR/K900114.NPL
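Review bot: The Solman rows break the suffix-to-role pattern every other family in this file follows: `SMD,QualityAssurance,Solman` and `SMQ,Training,Solman` look shifted by one, and no Solman Development system is listed, whereas D/Q/T map to Development/QualityAssurance/Training for ERP, BW, CRM, Gateway and the portal. The five portal rows also spell the usage `Enterpirse Portal`, so any rule filtering on SystemUsage would have to reproduce the typo to match. Suggested rows are `SMD,Development,Solman` and `SMQ,QualityAssurance,Solman` (with a Training entry only if such a system exists in the sample landscape), and `Enterprise Portal` for EPS through EPP.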
@@ -0,0 +1,7 @@ +SENTINEL T NPL 1 0 0 0 0 1 0 0 0 1 752 . 0 0 0 0 0 001 +#A +#/1/ A G D C R 7 T - Z RELE EX. _ _ _ _ _ CLI +NPL f 0000 20210422091205 vhcalnplci npladm +NPL e 0000 20210422091207 vhcalnplci npladm +NPL.000 < 0000 20210422091209 vhcalnplci npladm +NPL.001 E 0000 20210422091209 vhcalnplci npladm diff --git a/Solutions/SAP/CR/K900131.NPL b/Solutions/SAP/CR/K900131.NPL new file mode 100644 index 0000000000..cd99c506bc --- /dev/null +++ b/Solutions/SAP/CR/K900131.NPL @@ -0,0 +1,7 @@ +SENTINEL T NPL 1 10 19 0 0 0 0 0 0 20 752 . 0 0 0 0 0 001 +#A +#/1/ A G D C R 7 T - Z RELE EX. _ _ _ _ _ CLI +NPL f 0000 20210427112123 vhcalnplci npladm +NPL e 0000 20210427112126 vhcalnplci npladm +NPL.000 < 0000 20210427112132 vhcalnplci npladm +NPL.001 E 0000 20210427112132 vhcalnplci npladm diff --git a/Solutions/SAP/CR/K900132.NPL b/Solutions/SAP/CR/K900132.NPL new file mode 100644 index 0000000000..85f97d299a --- /dev/null +++ b/Solutions/SAP/CR/K900132.NPL @@ -0,0 +1,7 @@ +SENTINEL T NPL 1 11 20 0 0 0 0 0 0 21 752 . 0 0 0 0 0 001 +#A +#/1/ A G D C R 7 T - Z RELE EX. _ _ _ _ _ CLI +NPL f 0000 20210427112246 vhcalnplci npladm +NPL e 0000 20210427112248 vhcalnplci npladm +NPL.000 < 0000 20210427112253 vhcalnplci npladm +NPL.001 E 0000 20210427112253 vhcalnplci npladm diff --git a/Solutions/SAP/CR/R900114.NPL b/Solutions/SAP/CR/R900114.NPL new file mode 100644 index 0000000000..021d9fac60 Binary files /dev/null and b/Solutions/SAP/CR/R900114.NPL differ diff --git a/Solutions/SAP/CR/R900131.NPL b/Solutions/SAP/CR/R900131.NPL new file mode 100644 index 0000000000..f406b02fcf Binary files /dev/null and b/Solutions/SAP/CR/R900131.NPL differ diff --git a/Solutions/SAP/CR/R900132.NPL b/Solutions/SAP/CR/R900132.NPL new file mode 100644 index 0000000000..61c4159a0b Binary files /dev/null and b/Solutions/SAP/CR/R900132.NPL differ diff --git a/Solutions/SAP/CR/README.MD b/Solutions/SAP/CR/README.MD new file mode 100644 index 0000000000..a35d4e08a8 --- /dev/null 
+++ b/Solutions/SAP/CR/README.MD @@ -0,0 +1,27 @@ +# Required SAP Log change requests + +The following table lists the SAP Log change requests that you must configure in order to support ingesting specific SAP logs into Azure Sentinel. + + For a typical installation on SAP Basis 7.5+ install NPLK900131 + + For a typical installation on SAP Basis 7.4 install NPLK900132 + + For the role creation (any version) install NPLK900114 + +SAP notes required for version below SAP Basis 7.5 SP13: + +[SAP Note 2641084](https://launchpad.support.sap.com/#/notes/2641084) (*Standardized read access for the Security Audit log data*) + +[SAP Note 2173545](https://launchpad.support.sap.com/#/notes/2173545) (*CD: CHANGEDOCUMENT_READ_ALL*) + +[SAP Note 2502336](https://launchpad.support.sap.com/#/notes/2502336) (*CD: RSSCD100 - read only from archive, not from database*) + +**Note**: The required SAP log change requests expose custom RFC FMs that are required for the connector, and do not change any standard or custom objects. + + +| Log | Change Request | Latest Update in Version | +| --- | -------------- | -------------------------- | +| **All Logs** | NPLK900131 | 0.0.21

Use the complete package

Basis>=7.5 | +| **All Logs** | NPLK900132 | 0.0.21

Use the complete package

Basis<7.5 | +| **Sample Authorizations Role** | NPLK900114 | 0.0.14 | + diff --git a/Solutions/SAP/template/loggingconfig_DEV.yaml b/Solutions/SAP/template/loggingconfig_DEV.yaml new file mode 100644 index 0000000000..923aab3809 --- /dev/null +++ b/Solutions/SAP/template/loggingconfig_DEV.yaml 
@@ -0,0 +1,156 @@ +version: 1 +disable_existing_loggers: False +formatters: + brief: + format: '%(levelname)-8s - %(message)s' + detailed: + format: '%(asctime)s.%(msecs)03d %(levelname)-8s %(name)-15s %(message)s' + datefmt: '%Y-%m-%d %H:%M:%S' +handlers: + console: + class : logging.StreamHandler + formatter: detailed + level : DEBUG + stream : ext://sys.stdout + file_API: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/API.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_RFC: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/RFC.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_LogsDeltaMananger: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/LogsDeltaManager.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_PersistenceMananger: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/PersistenceManager.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_SysAdmin: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : INFO + filename: ./sapcon/logs/SystemAdmin.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPAuditLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPAuditLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPJobLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPJobLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPSpoolLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPSpoolLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + 
file_ABAPSpoolOutputLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPSpoolOutputLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPChangeDocsLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPChangeDocsLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPAppLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPAppLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPWorkflowLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPWorkflowLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPCRLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPCRLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + file_ABAPTableDataLog: + class : logging.handlers.RotatingFileHandler + formatter: detailed + level : DEBUG + filename: ./sapcon/logs/ABAPTableDataLog.log + maxBytes: 10485760 #10MB 10*1024*1024 + backupCount: 15 + +loggers: + API: + level : DEBUG + handlers: [console, file_API] + RFC: + level : DEBUG + handlers: [console, file_RFC] + DeltaManager: + level : DEBUG + handlers: [console, file_LogsDeltaMananger] + Persistence: + level : DEBUG + handlers: [console, file_PersistenceMananger] + SysAdmin: + level : INFO + handlers: [console, file_SysAdmin] + ABAPAuditLog: + level : DEBUG + handlers: [console, file_ABAPAuditLog] + ABAPJobLog: + level : DEBUG + handlers: [console, file_ABAPJobLog] + ABAPSpoolLog: + level : DEBUG + handlers: [console, file_ABAPSpoolLog] + ABAPSpoolOutputLog: + level : DEBUG + handlers: [console, file_ABAPSpoolOutputLog] + ABAPChangeDocsLog: + level : DEBUG + handlers: [console, file_ABAPChangeDocsLog] + 
ABAPAppLog: + level : DEBUG + handlers: [console, file_ABAPAppLog] + ABAPWorkflowLog: + level : DEBUG + handlers: [console, file_ABAPWorkflowLog] + ABAPCRLog: + level : DEBUG + handlers: [console, file_ABAPCRLog] + ABAPTableDataLog: + level : DEBUG + handlers: [console, file_ABAPTableDataLog] \ No newline at end of file diff --git a/Solutions/SAP/template/loggingconfig_PRD.yaml b/Solutions/SAP/template/loggingconfig_PRD.yaml new file mode 100644 index 0000000000..6b1248e9fc --- /dev/null +++ b/Solutions/SAP/template/loggingconfig_PRD.yaml 
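Review bot: Two handler keys are misspelled, `file_LogsDeltaMananger` and `file_PersistenceMananger`, in both the handlers section and the logger entries that reference them; the config still loads because both sides share the typo, but the files they write are spelled `LogsDeltaManager.log` and `PersistenceManager.log`, and the same keys recur in the loggingconfig_PRD.yaml hunk that follows. Rename them to `file_LogsDeltaManager` / `file_PersistenceManager` on both sides, and either attach the `brief` formatter to a handler or remove it, since nothing references it. Separately, this template logs the RFC and API components at DEBUG to ./sapcon/logs with 15 rotated 10 MB files retained; the hunk does not show what those modules emit at DEBUG, so confirm they do not write connection parameters or credentials before the DEV template is used outside a lab host.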
@@ -0,0 +1,156 @@
+version: 1
+disable_existing_loggers: False
+formatters:
+ brief:
+ format: '%(levelname)-8s - %(message)s'
+ detailed:
+ format: '%(asctime)s.%(msecs)03d %(levelname)-8s %(name)-15s %(message)s'
+ datefmt: '%Y-%m-%d %H:%M:%S'
+handlers:
+ console:
+ class : logging.StreamHandler
+ formatter: detailed
+ level : INFO
+ stream : ext://sys.stdout
+ file_API:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/API.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_RFC:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : WARNING
+ filename: ./sapcon/logs/RFC.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_LogsDeltaMananger:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : WARNING
+ filename: ./sapcon/logs/LogsDeltaManager.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_PersistenceMananger:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : WARNING
+ filename: ./sapcon/logs/PersistenceManager.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_SysAdmin:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/SystemAdmin.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPAuditLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPAuditLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPJobLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPJobLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPSpoolLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPSpoolLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPSpoolOutputLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPSpoolOutputLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPChangeDocsLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPChangeDocsLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPAppLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPAppLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPWorkflowLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPWorkflowLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPCRLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : INFO
+ filename: ./sapcon/logs/ABAPCRLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+ file_ABAPTableDataLog:
+ class : logging.handlers.RotatingFileHandler
+ formatter: detailed
+ level : WARNING
+ filename: ./sapcon/logs/ABAPTableDataLog.log
+ maxBytes: 10485760 #10MB 10*1024*1024
+ backupCount: 15
+
+loggers:
+ API:
+ level : INFO
+ handlers: [console, file_API]
+ RFC:
+ level : WARNING
+ handlers: [console, file_RFC]
+ DeltaManager:
+ level : WARNING
+ handlers: [console, file_LogsDeltaMananger]
+ Persistence:
+ level : WARNING
+ handlers: [console, file_PersistenceMananger]
+ SysAdmin:
+ level : INFO
+ handlers: [console, file_SysAdmin]
+ ABAPAuditLog:
+ level : INFO
+ handlers: [console, file_ABAPAuditLog]
+ ABAPJobLog:
+ level : INFO
+ handlers: [console, file_ABAPJobLog]
+ ABAPSpoolLog:
+ level : INFO
+ handlers: [console, file_ABAPSpoolLog]
+ ABAPSpoolOutputLog:
+ level : INFO
+ handlers: [console, file_ABAPSpoolOutputLog]
+ ABAPChangeDocsLog:
+ level : INFO
+ handlers: [console, file_ABAPChangeDocsLog]
+ ABAPAppLog:
+ level : INFO
+ handlers: [console, file_ABAPAppLog]
+ ABAPWorkflowLog:
+ level : INFO
+ handlers: [console, file_ABAPWorkflowLog]
+ ABAPCRLog:
+ level : INFO
+ handlers: [console, file_ABAPCRLog]
+ ABAPTableDataLog:
+ level : WARNING
+ handlers: [console, file_ABAPTableDataLog]
\ No newline at end of file
diff --git a/Solutions/SAP/template/systemconfig-kickstart.ini b/Solutions/SAP/template/systemconfig-kickstart.ini
new file mode 100644
index 0000000000..dc195a0ca6
--- /dev/null
+++ b/Solutions/SAP/template/systemconfig-kickstart.ini
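Review bot: The handler keys `file_LogsDeltaMananger` and `file_PersistenceMananger` under `handlers:` are misspelled while the files they write are `LogsDeltaManager.log` and `PersistenceManager.log`; the `DeltaManager` and `Persistence` loggers reference the misspelled keys, so the profile loads, but correcting the spelling in both the handler definition and the `handlers:` list keeps key, logger and file name aligned (the same keys appear in the preceding loggingconfig hunk). Every `filename:` is relative (`./sapcon/logs/...`), so the log directory is resolved against the working directory of the collector process; a short comment above `handlers:` such as `# Log paths are relative to the collector's working directory; use absolute paths if the service is started from elsewhere` would prevent audit extraction logs silently landing in an unexpected location. A one-line header describing this as the production profile (console and per-component files at INFO/WARNING, versus the DEBUG companion profile) would also help operators pick the right file.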
@@ -0,0 +1,59 @@
+[Secrets Source]
+secrets = AZURE_KEY_VAULT
+keyvault =
+intprefix =
+
+[ABAP Central Instance]
+##############################################################
+# Please fill required value according to server configuration
+ashost =
+#mshost = - #In case different then App
+##############################################################
+#group =
+#msserv = - # is needed only, if the service of the message server is not defined as sapms in /etc/services
+sysnr =
+#user =
+##############################################################
+# Please fill Password OR SNC Parameters for X509
+#passwd =
+#snc_partnername =
+#snc_lib =
+#x509cert =
+##############################################################
+sysid =
+client =
+
+[Azure Credentials]
+
+
+[File Extraction ABAP]
+
+
+[File Extraction JAVA]
+
+[Logs Activation Status]
+# ABAP RFC Logs - Retrieved by using RFC interface
+ABAPAuditLog = True
+ABAPJobLog = True
+ABAPSpoolLog = True
+ABAPSpoolOutputLog = True
+ABAPChangeDocsLog = True
+ABAPAppLog = True
+ABAPWorkflowLog = True
+ABAPCRLog = True
+ABAPTableDataLog = False
+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+ABAPFilesLogs = False
+SysLog = False
+ICM = False
+WP = False
+GW = False
+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+JAVAFilesLogs = False
+
+[Connector Configuration]
+extractuseremail = True
+apiretry = True
+auditlogforcexal = False
+auditlogforcelegacyfiles = False
+timechunk = 60
diff --git a/Solutions/SAP/template/systemconfig.ini b/Solutions/SAP/template/systemconfig.ini
new file mode 100644
index 0000000000..768bf2b0ce
--- /dev/null
+++ b/Solutions/SAP/template/systemconfig.ini
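Review bot: The `[ABAP Central Instance]` section still says `# Please fill Password OR SNC Parameters for X509` although `passwd`, `user` and the SNC keys are all commented out and `secrets = AZURE_KEY_VAULT` is set, so the template does not tell the reader which values must be entered here and which are expected to be resolved from the vault. A comment beside `secrets = AZURE_KEY_VAULT` naming the fields taken from Key Vault (presumably the commented-out credential keys and the empty `[Azure Credentials]` section; confirm against the loader) and a one-line description of the expected values for `keyvault =` and `intprefix =` would make the kickstart file self-explanatory. The comment typos `Conntrol` and `different then App` recur in systemconfig.ini.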
@@ -0,0 +1,73 @@
+[Secrets Source]
+secrets =
+keyvault =
+intprefix =
+
+[ABAP Central Instance]
+##############################################################
+# Please fill required value according to server configuration
+ashost =
+mshost = - #In case different then App
+##############################################################
+group =
+msserv = - # is needed only, if the service of the message server is not defined as sapms in /etc/services
+sysnr =
+user =
+##############################################################
+# Please fill Password OR SNC Parameters for X509
+passwd =
+#snc_partnername =
+#snc_lib =
+#x509cert =
+##############################################################
+sysid =
+client =
+
+[Azure Credentials]
+loganalyticswsid =
+publickey =
+
+[File Extraction ABAP]
+osuser =
+ospasswd =
+appserver =
+instance =
+x509pkicert =
+abapseverity =
+abaptz =
+
+[File Extraction JAVA]
+javaosuser =
+javaospasswd =
+javaappserver =
+javainstance =
+javax509pkicert =
+javaseverity =
+javatz =
+
+[Logs Activation Status]
+# ABAP RFC Logs - Retrieved by using RFC interface
+ABAPAuditLog = True
+ABAPJobLog = True
+ABAPSpoolLog = True
+ABAPSpoolOutputLog = True
+ABAPChangeDocsLog = True
+ABAPAppLog = True
+ABAPWorkflowLog = True
+ABAPCRLog = True
+ABAPTableDataLog = False
+# ABAP SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+ABAPFilesLogs = False
+SysLog = False
+ICM = False
+WP = False
+GW = False
+# Java SAP Control Logs - Retrieved by using SAP Conntrol interface and OS Login
+JAVAFilesLogs = False
+
+[Connector Configuration]
+extractuseremail = True
+apiretry = True
+auditlogforcexal = False
+auditlogforcelegacyfiles = False
+timechunk = 60
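Review bot: `mshost = - #In case different then App` and `msserv = - # is needed only, ...` are active keys whose value is a dash followed by an inline comment; Python's configparser keeps inline text unless `inline_comment_prefixes` is configured, so depending on how the connector reads this file `mshost` may come back as the literal string `- #In case different then App` instead of an empty value. Either comment the keys out as systemconfig-kickstart.ini does (`#mshost =`) or move the explanation to its own `#` line above the key. Separately, this template collects `passwd`, `ospasswd`, `javaospasswd` and `publickey` as plain-text values in a flat file; a header comment pointing to the `secrets = AZURE_KEY_VAULT` option used in systemconfig-kickstart.ini, and stating that when secrets are kept here the file must be readable only by the collector's service account, gives operators the safer default.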