Pathlock CAC: Threat Detection & Response Microsoft Sentinel Integration

Solution: Pathlock_TDnR

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Solutions Index

Attribute	Value
Publisher	Pathlock Inc.
Support Tier	Partner
Support Link	https://pathlock.com/support/
Categories	Security - Network,Finance
Version	3.0.1
Author	Pathlock Inc. - support@pathlock.com
First Published	2022-02-17
Solution Folder	Pathlock_TDnR
Marketplace	Azure Marketplace · Popularity: 🟡 Low (40%)

The Pathlock TD&R integration enables organizations to seamlessly forward Pathlock Threat Detection and Response (TD&R) events from both on-premise and cloud-based SAP systems into Microsoft Sentinel Solution for SAP for unified security visibility and incident correlation across the enterprise.

Built on Pathlock’s Cybersecurity Application Controls (CAC) platform, this connector utilizes the Common Connector Platform (CCP) framework to securely transmit log and event data while maintaining data integrity and governance. The Custom Logs solution is automatically deployed during installation, ensuring a quick and reliable setup without manual configuration steps.

With this integration, SOC and SAP security teams can:

Consolidate SAP-specific threat intelligence and correlate it with enterprise events in Microsoft Sentinel.
Leverage 4,000+ Pathlock detection signatures and 80+ SAP log sources for comprehensive SAP monitoring.
Automate alerting and response workflows in Microsoft Sentinel for faster mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).
Maintain audit readiness by demonstrating end-to-end visibility of SAP threat activity.

This out-of-the-box connector simplifies secure event forwarding from SAP to Microsoft Sentinel—enabling centralized analysis, compliance reporting, and proactive response within your existing security ecosystem.

Data Connectors
Tables Used
Content Items
Additional Documentation

Data Connectors

This solution provides 1 data connector(s):

Pathlock Inc.: Threat Detection and Response for SAP

Tables Used

This solution uses 2 table(s):

Table	Used By Connectors	Used By Content
`ABAPAuditLog`	Pathlock Inc.: Threat Detection and Response for SAP	-
`Pathlock_TDnR_CL`	Pathlock Inc.: Threat Detection and Response for SAP, Pathlock Threat Detection and Response Integration	Analytics

Content Items

This solution includes 77 content item(s):

Content Type	Count
Analytic Rules	77

Analytic Rules

Name	Severity	Tactics	Tables Used
Pathlock TDnR - ABAP Runtime Dumps	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - ABAP Source Code Changes	High	Persistence, DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - Authorization Check Value Changes (SU24)	High	DefenseEvasion, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Authorization Profile Changes	High	PrivilegeEscalation, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - Authorization Role Changes	High	PrivilegeEscalation, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - Bank Master Data Changes	High	Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - Business Partner Bank Data Changes	High	Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - CUA Settings Changes	Medium	Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - Credit Card Data Changes	High	Collection, Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - Critical File Integrity Changes	High	DefenseEvasion, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - DDIC Table Utility Changes (SE14)	High	DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - Database Cockpit Audit Events	Medium	Discovery, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Debitor Change Documents	Medium	Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - Dynamic Access Control Events	High	PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Emergency User (AdminTrack) Activity	High	Persistence, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Function Module Tested in Production	High	Execution	`Pathlock_TDnR_CL`
Pathlock TDnR - G/L Account Changes	Medium	Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - GRC Access Control Change Documents	Medium	PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Generic SAP Change Documents	Medium	Impact, DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - Generic Table Content Changes	High	DefenseEvasion, Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - Global System Change Setting Events	High	DefenseEvasion, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - HANA Standalone DB Connection Events	Medium	LateralMovement	`Pathlock_TDnR_CL`
Pathlock TDnR - HR User Master Change Requests	Medium	Impact, Collection	`Pathlock_TDnR_CL`
Pathlock TDnR - IBAN Change Documents	High	Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - ICF Web Service Changes	High	Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - ICM Security Events	Medium	DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - J2EE Security Audit Events	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - J2EE Security Events	Medium	InitialAccess, Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - Kerberos Keytab Changes	High	CredentialAccess, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - LDAP Synchronization Application Log Events	Medium	CredentialAccess	`Pathlock_TDnR_CL`
Pathlock TDnR - Logical OS Command Changes	High	Execution, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - Missing SAP Security Notes	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - Multiple Login Sessions Detected	Medium	InitialAccess, Discovery, CredentialAccess	`Pathlock_TDnR_CL`
Pathlock TDnR - OData Application Log Events	Medium	Collection, Exfiltration	`Pathlock_TDnR_CL`
Pathlock TDnR - Outbound SAP SMTP Email	Medium	Exfiltration	`Pathlock_TDnR_CL`
Pathlock TDnR - Outgoing Spool Print Job Events	Medium	Exfiltration	`Pathlock_TDnR_CL`
Pathlock TDnR - Pathlock Security Radar Internal Events	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - Payment Request Changes	Medium	Impact	`Pathlock_TDnR_CL`
Pathlock TDnR - RFC Connection Changes	High	LateralMovement, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - RiskTrack Audit Results	High	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Authorization Changes	High	PrivilegeEscalation, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP BTP Cloud Foundry Events	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Batch Job Events	Medium	Execution, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Client Configuration Changes	High	DefenseEvasion, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Cloud Account Administration Events	Medium	InitialAccess, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Cloud Connector Events	Medium	LateralMovement	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Download Observer Events	Medium	Exfiltration	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP HANA Database Audit Trail	Medium	Discovery, CredentialAccess, InitialAccess	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP HANA Parameter Changes	Medium	DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP HTTP Webserver Events	Medium	InitialAccess, CommandAndControl	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Instance Profile Changes	High	DefenseEvasion, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Public Cloud Security Audit Events	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP RFC Gateway Events	Medium	LateralMovement, CommandAndControl	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Read Access Logging Audit	Medium	Collection	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Read Access Logging Data	Medium	Collection, Exfiltration	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Router Log Events	Medium	LateralMovement, CommandAndControl	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Security Audit Log Events	High	Discovery, DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP System Job Monitoring Events	Medium	Execution	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP System Log Events	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - SAP Web Dispatcher HTTP Events	Medium	InitialAccess, CommandAndControl	`Pathlock_TDnR_CL`
Pathlock TDnR - SE16N Direct Table Change Documents	High	DefenseEvasion, Exfiltration	`Pathlock_TDnR_CL`
Pathlock TDnR - STRUST PSE Certificate Changes	High	CredentialAccess, DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - SU24 Table USOBT_C Changes	Medium	DefenseEvasion, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - SU24 Table USOBX_C Changes	Medium	DefenseEvasion, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Spool Job Changes	Medium	Collection	`Pathlock_TDnR_CL`
Pathlock TDnR - Switchable Authorization Design Changes	High	DefenseEvasion, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - Switchable Authorization Runtime Changes	High	DefenseEvasion, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - System Security Policy Changes	High	DefenseEvasion, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - TMS Transport and Import Events	High	Persistence, Execution	`Pathlock_TDnR_CL`
Pathlock TDnR - Table Parameter Setting Changes	High	DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - Transaction and Report Statistics	Medium	Discovery	`Pathlock_TDnR_CL`
Pathlock TDnR - User Access Management Password Resets	Medium	CredentialAccess, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - User Authorization Buffer Manipulation	High	PrivilegeEscalation, DefenseEvasion	`Pathlock_TDnR_CL`
Pathlock TDnR - User Master Data Changes	High	Persistence, PrivilegeEscalation	`Pathlock_TDnR_CL`
Pathlock TDnR - User-Profile Assignment Changes	High	PrivilegeEscalation, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - User-Role Assignment Changes	High	PrivilegeEscalation, Persistence	`Pathlock_TDnR_CL`
Pathlock TDnR - Vendor Change Documents	Medium	Impact	`Pathlock_TDnR_CL`

Additional Documentation

📄 Source: Pathlock_TDnR/README.md

This project provides an ARM template to deploy the "Pathlock Threat Detection & Response (TD&R)" connector in Microsoft Sentinel Solution for SAP. The deployment includes the following components:

Connector
Workbook
Parser Function

Deployment via Content Hub

To deploy using the Content Hub:

Log in to the Azure Portal.
Navigate to Microsoft Sentinel and select your workspace.
Go to Content Hub.
Search for Pathlock Threat Detection & Response (TD&R).
Click Install, then Create.
Follow the prompts to complete the installation.

Deployment via ARM Template

If the connector is not yet available in the Content Hub, you can deploy it manually using the provided ARM template.

Prerequisites

Access to the Microsoft Sentinel environment.
Workspace name and location (found in Sentinel > Settings > Workspace Settings > Properties > Location).
Microsoft Sentinel Agent installed on the relevant system.
Path for log file generation.
Cron job configured to append new logs to an existing file.
Logs must be received in a custom table named Pathlock_TDnR_CL.

Installation Steps

Click the Deploy to Azure button below.
Select the Resource Group where Microsoft Sentinel is deployed.
Enter the Microsoft Sentinel Workspace name.
Leave other settings as default.
Click Review + create.
Wait for validation, then click Create.

This solution is provided by Pathlock as a temporary deployment method until the official connector is available in the Content Hub.

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.1	04-06-2026	Added 77 Analytic Rules; updated Data Connector description and dataTypes; fixed MITRE tactic/technique mapping mismatches and replaced non-ASCII characters in Analytic Rules
3.0.0	05-11-2025	Initial Solution Release