Merge pull request #14089 from MartinPankraz/feature/sap-etd-users-entity

Feature/sap etd users entity

Author: v-atulyadav

.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json

@@ -52,6 +52,10 @@
       {
         "name": "NormalizedTriggeringEvents",
         "type": "dynamic"
+      },
+      {
+        "name": "Users",
+        "type": "dynamic"
       }
     ]
 }

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml

@@ -43,9 +43,21 @@ query: |
   | where extracted_function_module in (SenseModules)
   | extend AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module," was executed by user ", extracted_sap_user, 
   " in a ", tolower(extracted_system_role), " system"), Dummy = " "
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0])
 eventGroupingSettings:
   aggregationKind: SingleAlert
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
   - entityType: CloudApplication
     fieldMappings:
       - identifier: AppId
@@ -68,5 +80,6 @@ alertDetailsOverride:
     Source: SAP ETD
 customDetails:
   SAP_User: extracted_sap_user
+  SAP_UserEmail: UserEmail
   ETD_AlertNumber: AlertId
-version: 1.0.0
+version: 1.0.1

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml

@@ -22,11 +22,14 @@ tactics:
 relevantTechniques: []
 query: |
   let AuditTimeAgo = 60m;
+  let minThreshold= 1;
+  let minScore= 50;
   let regex_sid = @"^([A-Z0-9]{3})/"; 
   let regex_client = @"/(\d{3})$";
   let SAPNetworks = _GetWatchlist('SAP - Networks');
   SAPETDAlerts_CL
   | where TimeGenerated > ago(AuditTimeAgo)
+  | where Threshold >= minThreshold and Score >= minScore
   | where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
   | mv-expand NormalizedTriggeringEvents
   | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)
@@ -40,11 +43,23 @@ query: |
   | extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator
   | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
   | where isempty(Network)
-  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents
+  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents, Users
   | extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0])
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
   - entityType: CloudApplication
     fieldMappings:
       - identifier: AppId
@@ -65,5 +80,6 @@ alertDetailsOverride:
     {{PatternDescription}}
 customDetails:
   SAP_User: extracted_sap_user
+  SAP_UserEmail: UserEmail
   ETD_AlertNumber: AlertId
-version: 1.0.3
+version: 1.0.4

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml

@@ -30,10 +30,22 @@ query: |
     Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
     Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
     User= NormalizedTriggeringEvents.UserAccountActing,
-    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;
+    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0]);
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
   - entityType: CloudApplication
     fieldMappings:
       - identifier: Name
@@ -55,5 +67,6 @@ alertDetailsOverride:
   alertDescriptionFormat: '{{PatternDescription}}'
 customDetails:
   SAP_User: User
+  SAP_UserEmail: UserEmail
   ETD_AlertNumber: AlertId
-version: 1.0.3
+version: 1.0.4

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml

@@ -20,11 +20,26 @@ query: |
   SAPETDInvestigations_CL
   | where TimeGenerated > ago(AuditTimeAgo)
   | where Severity in (_severity)
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0])
 eventGroupingSettings:
   aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
 alertDetailsOverride:
   alertDisplayNameFormat: 'SAP ETD - {{Description}} '
   alertDescriptionFormat: 'Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.'
 customDetails:
   ETD_InvestNumber: InvestigationId
-version: 1.0.0
+  SAP_UserAccount: UserAccountName
+  SAP_UserEmail: UserEmail
+version: 1.0.1

Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json

@@ -55,10 +55,14 @@
             {
               "name": "NormalizedTriggeringEvents",
               "type": "dynamic"
+            },
+            {
+              "name": "Users",
+              "type": "dynamic"
             }
           ]
         },
-        "Custom-SAPETDInvestigations_CL": {
+        "Custom-SAPETDInvestigations_CL":{
           "columns": [
             {
               "name": "Version",

Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json

@@ -33,7 +33,7 @@
         "timeoutInSeconds": 60,
         "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
         "queryParameters": {
-          "$expand": "NormalizedTriggeringEvents",
+          "$expand": "NormalizedTriggeringEvents,Users",
           "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}"
         },
         "headers": {

Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json

@@ -58,6 +58,10 @@
           {
             "name": "NormalizedTriggeringEvents",
             "type": "dynamic"
+          },
+          {
+            "name": "Users",
+            "type": "dynamic"
           }
         ]
       }

Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json

@@ -1,29 +1,29 @@
 {
-    "Name": "SAP ETD Cloud",
-    "Author": "SAP",
-    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">",
-    "Description": "The Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.",
-    "WorkbookDescription": [],
-    "Workbooks": [],
-    "Analytic Rules": [
-        "Analytic Rules/SAPETD-SynchAlerts.yaml",
-        "Analytic Rules/SAPETD-SynchInvestigations.yaml",
-        "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
-        "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml"
-    ],
-    "Playbooks": [],
-    "PlaybookDescription": [],
-    "Parsers": [],
-    "SavedSearches": [],
-    "Hunting Queries": [],
-    "Data Connectors": [
-        "/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json"
-    ],
-    "Watchlists": [],
-    "WatchlistDescription": [],
-    "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
-    "Version": "3.0.3",
-    "Metadata": "SolutionMetadata.json",
-    "TemplateSpec": true,
-    "Is1PConnector": false
-}
+  "Name": "SAP ETD Cloud",
+  "Author": "SAP",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.",
+  "WorkbookDescription": [],
+  "Workbooks": [],
+  "Analytic Rules": [
+    "Analytic Rules/SAPETD-SynchAlerts.yaml",
+    "Analytic Rules/SAPETD-SynchInvestigations.yaml",
+    "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
+    "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml"
+  ],
+  "Playbooks": [],
+  "PlaybookDescription": [],
+  "Parsers": [],
+  "SavedSearches": [],
+  "Hunting Queries": [],
+  "Data Connectors": [
+    "/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json"
+  ],
+  "Watchlists": [],
+  "WatchlistDescription": [],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
+  "Version": "3.0.4",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": false
+}