How to change IP address to Host in SAP Analytics rules for Microsoft Sentinel

Ronan Gately 41 Reputation points
2023-01-13T00:08:51.52+00:00

I am setting up Microsoft Sentinel for SAP. When enabling Analytics rules I notice most rule queries are based on IP address, e.g. 'LoginbyIPAttempts', 'TerminalIPv6'.

Is it possible to change this to Host as this is my preference from the SAP Audit log? How is this variable set in the rule query?


Accepted answer
Alistair Ross 7,101 Reputation points Microsoft Employee
2023-01-13T10:49:56.3366667+00:00

Hello @Ronan Gately

I am not too familiar with the SAP audit logs and their output, however in your example, "LoginbyIPAttempts", I am assuming this is referring to the analytic rule "SAP - Brute Force (RFC)" (this is the only one I can see in the solution with "LoginbyIPAttempts"). In this scenario, trying to use host name would defeat the purpose of the analytic rule. Brute force attempts could be attempted by devices external to your network, and therefore a hostname of the attacking device will not be available to you, just the originating IP address.

With analytic rules that have "TerminalIPv6", such as "Multiple password changes by user", if hostname is provided by SAP, then you could use it; however, this still doesn't change the fact that the user could be compromised and the password request is being made from a device outside of your network, which brings me back to the previous paragraph where the hostname of the attacking device will not be available to you.

If you are wanting to add hostnames to IP addresses for clarity / reporting purposes, then consider using the DeviceInfo table from Defender for Endpoint, or the Heartbeat table for servers etc., if the source hostname isn't available in the SAP audit logs, and perform a full join to the original query, ensuring that any unknown IP addresses are left blank.

I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

Kind regards

Alistair
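The enrichment join described in the accepted answer, as an added KQL example that is not part of the original answer or of the Sentinel SAP solution. It assumes an SAP-side result set with the 'TerminalIPv6' column named on the page and uses a constructed inventory datatable standing in for the Heartbeat table's Computer/ComputerIP columns; a leftouter join is used so that every SAP row is kept and the hostname stays blank where the IP matches no inventory record.

```kql
// Added example: enrich SAP audit events (keyed on TerminalIPv6) with a hostname
// from a device inventory, leaving the hostname empty for IPs that are unknown.
// Both inputs are constructed sample data so the query runs in any workspace.
let SapEvents = datatable(TimeGenerated:datetime, User:string, TerminalIPv6:string, MessageText:string)
[
    datetime(2023-01-13T09:00:00Z), "ALICE", "10.1.2.3",     "Password changed",
    datetime(2023-01-13T09:01:00Z), "ALICE", "10.1.2.3",     "Password changed",
    datetime(2023-01-13T09:02:00Z), "BOB",   "203.0.113.77", "Password changed"
];
// Constructed stand-in for the Heartbeat table. In a real workspace replace with:
//   Heartbeat
//   | summarize arg_max(TimeGenerated, Computer) by ComputerIP
//   | project ComputerIP, Computer
let HostInventory = datatable(ComputerIP:string, Computer:string)
[
    "10.1.2.3", "sap-app-01.corp.example"
];
SapEvents
// leftouter keeps every SAP row; Computer is empty where TerminalIPv6 has no match
| join kind=leftouter (HostInventory) on $left.TerminalIPv6 == $right.ComputerIP
| project TimeGenerated, User, TerminalIPv6, SourceHost = Computer, MessageText
// Same per-user aggregation shape as a "multiple password changes" rule,
// now carrying both the IP and (where known) the resolved host
| summarize Changes = count(), SourceIPs = make_set(TerminalIPv6), SourceHosts = make_set(SourceHost) by User
| order by Changes desc
```

In the sample data the row for BOB from 203.0.113.77 comes back with an empty SourceHost, which is the "unknown IP addresses are left blank" behaviour the answer asks for; the IP itself is never dropped, so externally sourced activity is still visible to the rule.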

