|
203 | 203 | "aggregationKind": "AlertPerResult" |
204 | 204 | }, |
205 | 205 | "customDetails": { |
206 | | - "SAP_User": "User", |
| 206 | + "SAP_UserEmail": "UserEmail", |
207 | 207 | "ETD_AlertNumber": "AlertId", |
208 | | - "SAP_UserEmail": "UserEmail" |
| 208 | + "SAP_User": "User" |
209 | 209 | }, |
210 | 210 | "alertDetailsOverride": { |
211 | 211 | "alertDescriptionFormat": "{{PatternDescription}}", |
|
471 | 471 | "aggregationKind": "AlertPerResult" |
472 | 472 | }, |
473 | 473 | "customDetails": { |
474 | | - "SAP_User": "extracted_sap_user", |
| 474 | + "SAP_UserEmail": "UserEmail", |
475 | 475 | "ETD_AlertNumber": "AlertId", |
476 | | - "SAP_UserEmail": "UserEmail" |
| 476 | + "SAP_User": "extracted_sap_user" |
477 | 477 | }, |
478 | 478 | "alertDetailsOverride": { |
479 | 479 | "alertDescriptionFormat": "{{PatternDescription}}\n", |
|
622 | 622 | "aggregationKind": "SingleAlert" |
623 | 623 | }, |
624 | 624 | "customDetails": { |
625 | | - "SAP_User": "extracted_sap_user", |
| 625 | + "SAP_UserEmail": "UserEmail", |
626 | 626 | "ETD_AlertNumber": "AlertId", |
627 | | - "SAP_UserEmail": "UserEmail" |
| 627 | + "SAP_User": "extracted_sap_user" |
628 | 628 | }, |
629 | 629 | "alertDetailsOverride": { |
630 | 630 | "alertDescriptionFormat": "{{PatternDescription}}\n\nSource: SAP ETD\n", |
|
731 | 731 | }, |
732 | 732 | "customDetails": { |
733 | 733 | "LastIngestion": "LastIngestionTime", |
734 | | - "LookbackPeriod": "LookbackPeriod", |
735 | | - "TimeSinceLastIngestion": "TimeSinceLastIngestion" |
| 734 | + "LastIngestionGap": "TimeSinceLastIngestion", |
| 735 | + "LookbackPeriod": "LookbackPeriod" |
736 | 736 | }, |
737 | 737 | "alertDetailsOverride": { |
738 | 738 | "alertDescriptionFormat": "{{Reason}}\n\nA complete gap in the SAP ETD feed may indicate that an adversary is tampering with the security telemetry pipeline (for example by stopping the SAP ETD collector, disabling the data connector, or blocking network egress to Microsoft Sentinel) in order to hide malicious activity in the SAP landscape. Treat the silence as suspicious until proven otherwise: validate the integrity and runtime state of the SAP ETD data connector, the SAP ETD service, and the network path between them, and review recent change / admin activity on those components before concluding the cause is a benign outage.\n", |
|
866 | 866 | "aggregationKind": "AlertPerResult" |
867 | 867 | }, |
868 | 868 | "customDetails": { |
869 | | - "LookbackPeriod": "LookbackPeriod", |
870 | 869 | "LastIngestion": "LastIngestionTime", |
871 | | - "SAP_Client": "ClientId", |
| 870 | + "LastIngestionGap": "TimeSinceLastIngestion", |
872 | 871 | "SAP_SID": "SystemId", |
873 | | - "LastIngestionGap": "TimeSinceLastIngestion" |
| 872 | + "LookbackPeriod": "LookbackPeriod", |
| 873 | + "SAP_Client": "ClientId" |
874 | 874 | }, |
875 | 875 | "alertDetailsOverride": { |
876 | 876 | "alertDescriptionFormat": "{{Reason}}\n\nA selective silence of a single SAP SID may indicate that an adversary is tampering with the security telemetry pipeline for this specific system (for example by stopping the SAP ETD collector for that SID, disabling the relevant data connector path, or blocking network egress from that host) in order to hide malicious activity while leaving the rest of the SAP ETD feed intact. Treat the silence as suspicious until proven otherwise: validate the integrity and runtime state of the SAP system, the SAP ETD collector configuration for this SID, and the data connector between SAP ETD and Microsoft Sentinel, and review recent change / admin activity on those components before concluding the cause is a benign outage.\n", |
|