What Changed

Major content update to the Pathlock Threat Detection & Response solution, adding 77 new Analytic Rules for comprehensive SAP security monitoring. Each rule queries the Pathlock_TDnR_CL table and carries MITRE ATT&CK mappings and entity extraction.

Detection Logic

The new rules cover critical SAP security domains:

ABAP & Development Security:

  • Source code changes, runtime dumps, function module testing
  • Transport logs, table utilities, missing OSS security notes

Identity & Access Management:

  • User master changes, role modifications, authorization changes
  • Login monitoring, profile changes, authentication buffers
  • User roles and privilege escalations

Financial & Business Process Security:

  • Change documents for banking data (IBAN, credit cards, vendor masters)
  • Payment requests, business partner financial data
  • HR personnel data changes

System & Infrastructure Security:

  • Client changes, system configuration modifications
  • Gateway logs, HTTP security logs, ICF changes
  • Database parameter changes, file checksum monitoring

Audit & Compliance:

  • Security audit logs (on-premise and cloud)
  • SACF authorization framework changes
  • System jobs and batch processing monitoring

MITRE Mapping

Rules carry MITRE ATT&CK mappings covering, among others, T1078 (Valid Accounts), T1098 (Account Manipulation), T1505 (Server Software Component), T1562 (Impair Defenses), T1134 (Access Token Manipulation), and T1190 (Exploit Public-Facing Application).

Technical Details

  • Entity mapping: Account (SAP username), Host (SAP system), IP address extraction
  • Data source: All rules query Pathlock_TDnR_CL custom table
  • Field normalization: Updated from UPPER_SNAKE_CASE to camelCase schema
  • Connector updates: Fixed dataTypes declaration and updated detection counts (1,500 → 4,000+)
  • Incident configuration: 5-hour grouping with single alert aggregation
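The conventions listed above (every rule reads Pathlock_TDnR_CL, entity columns use the camelCase schema, relevantTechniques hold MITRE technique ids, incidents group over five hours with single-alert aggregation) are the kind of thing a reviewer wants checked across all 77 files rather than by eye. The following Python is an added example, not code from this PR or from the Sentinel repository's own validation scripts. It assumes the CustomTables JSON shape is a "Name" plus a "Properties" list, and the column names, rule contents and connector id it uses are constructed placeholders, not the connector's real schema.

```python
import json
import re

# Constructed sample of the custom-table schema; the "Name" + "Properties"
# shape is assumed and the column names are placeholders, not the real schema.
TABLE_SCHEMA = json.loads("""
{
  "Name": "Pathlock_TDnR_CL",
  "Properties": [
    {"Name": "TimeGenerated", "Type": "DateTime"},
    {"Name": "sapUser",       "Type": "String"},
    {"Name": "sapSystem",     "Type": "String"},
    {"Name": "sourceIp",      "Type": "String"},
    {"Name": "logType",       "Type": "String"}
  ]
}
""")

CONNECTOR_ID = "Pathlock_TDnR"  # assumed placeholder; the real id is in ValidConnectorIds.json
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")          # MITRE technique / sub-technique id
UPPER_SNAKE_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")         # pre-normalization column style
KQL_UPPER_SNAKE_RE = re.compile(r"\b[A-Z][A-Z0-9]*_[A-Z0-9_]+\b")

# Constructed rules in the shape yaml.safe_load would return for a Sentinel
# analytic-rule YAML (PyYAML is avoided so the block runs stand-alone).
GOOD_RULE = {
    "name": "Pathlock TDnR - User master changes (constructed)",
    "requiredDataConnectors": [{"connectorId": CONNECTOR_ID, "dataTypes": ["Pathlock_TDnR_CL"]}],
    "relevantTechniques": ["T1098"],
    "query": "Pathlock_TDnR_CL\n| where logType == 'USER_MASTER_CHANGES'",
    "entityMappings": [
        {"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "sapUser"}]},
        {"entityType": "Host", "fieldMappings": [{"identifier": "HostName", "columnName": "sapSystem"}]},
        {"entityType": "IP", "fieldMappings": [{"identifier": "Address", "columnName": "sourceIp"}]},
    ],
    "eventGroupingSettings": {"aggregationKind": "SingleAlert"},
    "incidentConfiguration": {"createIncident": True, "groupingConfiguration": {
        "enabled": True, "lookbackDuration": "PT5H", "matchingMethod": "AllEntities"}},
}

# A rule that still carries the old UPPER_SNAKE_CASE columns and wrong grouping.
BAD_RULE = {
    "name": "Pathlock TDnR - Stale rule (constructed)",
    "requiredDataConnectors": [{"connectorId": CONNECTOR_ID, "dataTypes": ["Pathlock_TDnR_CL"]}],
    "relevantTechniques": ["T1098", "Account Manipulation"],
    "query": "Pathlock_TDnR_CL\n| where LOG_TYPE == 'USER_MASTER_CHANGES'",
    "entityMappings": [
        {"entityType": "Account", "fieldMappings": [{"identifier": "Name", "columnName": "SAP_USER"}]},
    ],
    "eventGroupingSettings": {"aggregationKind": "AlertPerResult"},
    "incidentConfiguration": {"createIncident": True, "groupingConfiguration": {
        "enabled": True, "lookbackDuration": "PT1H", "matchingMethod": "AllEntities"}},
}


def referenced_columns(rule):
    """Column names the rule's entity mappings point at."""
    return [fm["columnName"] for em in rule.get("entityMappings", [])
            for fm in em.get("fieldMappings", [])]


def validate_rule(rule, schema=TABLE_SCHEMA):
    """Return a list of findings; an empty list means the rule passes every check."""
    findings = []
    table = schema["Name"]
    cols = {p["Name"] for p in schema["Properties"]}
    if table not in rule["query"]:
        findings.append(f"query does not reference {table}")
    for dc in rule.get("requiredDataConnectors", []):
        if table not in dc.get("dataTypes", []):
            findings.append(f"connector {dc.get('connectorId')} does not declare dataType {table}")
    for col in referenced_columns(rule):
        if col not in cols:
            findings.append(f"entity column {col} is not in {table}")
        if UPPER_SNAKE_RE.match(col):
            findings.append(f"entity column {col} still uses UPPER_SNAKE_CASE")
    # Leftover UPPER_SNAKE_CASE identifiers in the KQL itself; string literals are
    # blanked first so that values such as 'USER_MASTER_CHANGES' are not flagged.
    bare_kql = re.sub(r"'[^']*'", "''", rule["query"])
    for tok in sorted(set(KQL_UPPER_SNAKE_RE.findall(bare_kql))):
        findings.append(f"query references UPPER_SNAKE_CASE identifier {tok}")
    for t in rule.get("relevantTechniques", []):
        if not TECHNIQUE_RE.match(t):
            findings.append(f"relevantTechniques entry {t!r} is not a MITRE technique id")
    if rule.get("eventGroupingSettings", {}).get("aggregationKind") != "SingleAlert":
        findings.append("eventGroupingSettings.aggregationKind is not SingleAlert")
    grp = rule.get("incidentConfiguration", {}).get("groupingConfiguration", {})
    if not grp.get("enabled") or grp.get("lookbackDuration") != "PT5H":
        findings.append("incident grouping is not enabled with a PT5H lookback")
    return findings


def validate_rules(rules, schema=TABLE_SCHEMA):
    """Map each rule name to its findings, for a whole Analytic Rules folder."""
    return {r["name"]: validate_rule(r, schema) for r in rules}


if __name__ == "__main__":
    for name, findings in validate_rules([GOOD_RULE, BAD_RULE]).items():
        print(name, "-> OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

In practice the schema would be loaded from the CustomTables JSON and each rule from its YAML file, and the script would be run over the whole Analytic Rules folder so that a column rename in the DCR cannot silently orphan an entity mapping.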

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/Pathlock_TDnR_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ABAP_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ABAP_DUMPS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_AUTH_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_BATCH_JOBS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_BANK.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_BUPA_BANK.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_CCARD.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_DEBI.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_GENERIC.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_GRAC.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_IBAN.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KERBEROS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_KRED.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_PAYRQ.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_SACH.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_SECURITY_P.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_USER_CUA.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_USOBT_C.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CHANGEDOC_USOBX_C.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CLIENT_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CLOUD_ACCOUNT_LOGS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_CLOUD_FOUNDRY_LOGS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_DBACOCKPIT.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_FILE_CHECKSUM.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_FUNCTION_MODULE_TEST.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_GATEWAY_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_AUDIT_TRAIL.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_DBCON_CONNECT.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HANA_PARAM_CHANGED.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HR_PA_CHANGELOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_HTTP_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ICF_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ICM_SECURITY_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_INTERNAL.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_J2EE_SECURITY_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_J2EE_SEC_AUD_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_MISSING_OSS_NOTES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_OS_CMD_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_OUTBOUND_SMTP_MAIL.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_PATHLOCK_DAC.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_PROFILE_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_PSE_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_AUDIT.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RAL_DATA.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_RFC_DESTINATIONS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_ROLE_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SACF_CHANGES_DESIGN.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SACF_CHANGES_RUNTIME.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAPROUTER.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_AT.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_DO.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_RT.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SAST_UAM_PWR.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SCC_LOGS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SE16N_CHANGEDOCS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SECURITY_AUDIT_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SEC_AUDIT_LOG_CLOUD.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SLG1_LDAPSYNC.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SLG1_ODATA.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SPOOL_OUTPUT_REQUEST.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SPOOL_REQUEST.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SU24_CHANGELOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSLOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSPROFILE_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSTEM_CHANGELOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_SYSTEM_JOBS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_SETTINGS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TABLE_UTILITY.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TCODE_STATISTIC.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_TRANSPORT_LOG.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_AUTH_BUFFER.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_LOGINS.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_MASTER_CHANGES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_PROFILES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_USER_ROLES.yaml
Solutions/Pathlock_TDnR/Analytic Rules/Pathlock_TDnR_WD_HTTP_LOG.yaml
Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_CL.json
Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_DCR.json
Solutions/Pathlock_TDnR/Data Connectors/Pathlock_TDnR_PUSH_CCP/Pathlock_TDnR_connectorDefinition.json
(packaging artefacts: 3.0.1.zip, ReleaseNotes.md, Solution_Pathlock_TDnR.json, createUiDefinition.json, mainTemplate.json)