Detection rules › Kusto
SAP LogServ - HANA DB - Audit Trail Policy Changes
Identifies changes for HANA DB audit trail policies. Source Action: Create / update existing audit policy in security definitions. Data Sources: SAP LogServ - HANA DB (Syslog)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | No specific technique |
| Stealth | No specific technique |
| Lateral Movement | No specific technique |
Rule body kusto
id: e8394afb-82a7-4718-8d31-cc57ad352fa8
kind: Scheduled
name: SAP LogServ - HANA DB - Audit Trail Policy Changes
description: |
Identifies changes for HANA DB audit trail policies.
Source Action: Create / update existing audit policy in security definitions.
*Data Sources: SAP LogServ - HANA DB (Syslog)*
severity: High
status: Available
requiredDataConnectors:
- connectorId: SAPLogServ
dataTypes:
- SAPLogServ_CL
queryFrequency: 10m
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- LateralMovement
- DefenseEvasion
relevantTechniques: []
query: |
let AuditTimeAgo = 60m;
SAPLogServ_CL
| where TimeGenerated >= ago(AuditTimeAgo)
| where clz_subdir == "hanaaudit"
| extend raw_split = split(Raw, ";")
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
| where audit_action__col_13 contains 'AUDIT POLICY'
| extend AlertRuleUniqueName = 'hanadb-audittrailpolicychanges-logserv'
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: sid__col_3
- identifier: InstanceName
columnName: database_name__col_6
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: hostname__col_2
- entityType: IP
fieldMappings:
- identifier: Address
columnName: client_ip_address__col_7
alertDetailsOverride:
alertDisplayNameFormat: 'SAP LogServ - HANA DB - Audit Trail Policy Change'
alertDescriptionFormat: |
{{comment__col_27}}
customDetails:
SAP_User: session_user__col_14
version: 1.0.0
Stages and Predicates
Parameters
let AuditTimeAgo = 60m;
Stage 1: source
SAPLogServ_CL
Stage 2: where
| where TimeGenerated >= ago(AuditTimeAgo)
Stage 3: where
| where clz_subdir == "hanaaudit"
Stage 4: extend
| extend raw_split = split(Raw, ";")
Stage 5: extend
| extend
event_timestamp__col_0 = tostring(raw_split[0]),
service_name__col_1 = tostring(raw_split[1]),
hostname__col_2 = tostring(raw_split[2]),
sid__col_3 = tostring(raw_split[3]),
instance_number__col_4 = tostring(raw_split[4]),
port_number__col_5 = tostring(raw_split[5]),
database_name__col_6 = tostring(raw_split[6]),
client_ip_address__col_7 = tostring(raw_split[7]),
client_name__col_8 = tostring(raw_split[8]),
client_process_id__col_9 = tostring(raw_split[9]),
client_port_number__col_10 = tostring(raw_split[10]),
policy_name__col_11 = tostring(raw_split[11]),
audit_level__col_12 = tostring(raw_split[12]),
audit_action__col_13 = tostring(raw_split[13]),
session_user__col_14 = tostring(raw_split[14]),
target_schema__col_15 = tostring(raw_split[15]),
target_object__col_16 = tostring(raw_split[16]),
privilege_name__col_17 = tostring(raw_split[17]),
grantable__col_18 = tostring(raw_split[18]),
role_name__col_19 = tostring(raw_split[19]),
target_principal__col_20 = tostring(raw_split[20]),
action_status__col_21 = tostring(raw_split[21]),
component__col_22 = tostring(raw_split[22]),
section__col_23 = tostring(raw_split[23]),
parameter__col_24 = tostring(raw_split[24]),
old_value__col_25 = tostring(raw_split[25]),
new_value__col_26 = tostring(raw_split[26]),
comment__col_27 = tostring(raw_split[27]),
executed_statement__col_28 = tostring(raw_split[28]),
session_id__col_29 = tostring(raw_split[29]),
application_user_name__col_30 = tostring(raw_split[30]),
role_schema_name__col_31 = tostring(raw_split[31]),
grantee_schema_name__col_32 = tostring(raw_split[32]),
origin_database_name__col_33 = tostring(raw_split[33]),
origin_user_name__col_34 = tostring(raw_split[34]),
xs_application_user_name__col_35 = tostring(raw_split[35]),
application_name__col_36 = tostring(raw_split[36]),
statement_user_name__col_37 = tostring(raw_split[37]),
create_time__col_38 = tostring(raw_split[38]),
xsa_message_ip__col_39 = tostring(raw_split[39]),
xsa_tenant__col_40 = tostring(raw_split[40]),
xsa_uuid__col_41 = tostring(raw_split[41]),
xsa_channel__col_42 = tostring(raw_split[42]),
xsa_attachment_id__col_43 = tostring(raw_split[43]),
xsa_attachment_name__col_44 = tostring(raw_split[44]),
xsa_organization_id__col_45 = tostring(raw_split[45]),
xsa_space_id__col_46 = tostring(raw_split[46]),
xsa_instance_id__col_47 = tostring(raw_split[47]),
xsa_binding_id__col_48 = tostring(raw_split[48]),
xsa_object__col_49 = tostring(raw_split[49]),
xsa_data_subject__col_50 = tostring(raw_split[50])
Stage 6: where
| where audit_action__col_13 contains 'AUDIT POLICY'
Stage 7: extend
| extend AlertRuleUniqueName = 'hanadb-audittrailpolicychanges-logserv'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
audit_action__col_13 | contains |
|
clz_subdir | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
raw_split | extend |
action_status__col_21 | extend |
application_name__col_36 | extend |
application_user_name__col_30 | extend |
audit_action__col_13 | extend |
audit_level__col_12 | extend |
client_ip_address__col_7 | extend |
client_name__col_8 | extend |
client_port_number__col_10 | extend |
client_process_id__col_9 | extend |
comment__col_27 | extend |
component__col_22 | extend |
create_time__col_38 | extend |
database_name__col_6 | extend |
event_timestamp__col_0 | extend |
executed_statement__col_28 | extend |
grantable__col_18 | extend |
grantee_schema_name__col_32 | extend |
hostname__col_2 | extend |
instance_number__col_4 | extend |
new_value__col_26 | extend |
old_value__col_25 | extend |
origin_database_name__col_33 | extend |
origin_user_name__col_34 | extend |
parameter__col_24 | extend |
policy_name__col_11 | extend |
port_number__col_5 | extend |
privilege_name__col_17 | extend |
role_name__col_19 | extend |
role_schema_name__col_31 | extend |
section__col_23 | extend |
service_name__col_1 | extend |
session_id__col_29 | extend |
session_user__col_14 | extend |
sid__col_3 | extend |
statement_user_name__col_37 | extend |
target_object__col_16 | extend |
target_principal__col_20 | extend |
target_schema__col_15 | extend |
xs_application_user_name__col_35 | extend |
xsa_attachment_id__col_43 | extend |
xsa_attachment_name__col_44 | extend |
xsa_binding_id__col_48 | extend |
xsa_channel__col_42 | extend |
xsa_data_subject__col_50 | extend |
xsa_instance_id__col_47 | extend |
xsa_message_ip__col_39 | extend |
xsa_object__col_49 | extend |
xsa_organization_id__col_45 | extend |
xsa_space_id__col_46 | extend |
xsa_tenant__col_40 | extend |
xsa_uuid__col_41 | extend |
AlertRuleUniqueName | extend |