
Commit ae620ce

SAP ETD 3.0.5: address Copilot review feedback on telemetry-tampering rules
- Rewrite descriptions to start with 'Identifies' and trim to <=5 sentences
- Drop '*Data Sources*' line from descriptions per detection schema
- Fix 'Thread' -> 'Threat' typo in product name (Enterprise Threat Detection)
- Remove 'Impact' tactic; T1562 is mapped to DefenseEvasion only
- Add CloudApplication entity mapping (FeedName = 'SAPETD') to SAPETD-NoNewDataReceived to satisfy entityMappings requirement
- Regenerate Package artifacts via createSolutionV3

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 62ef925 commit ae620ce

5 files changed

Lines changed: 127 additions & 132 deletions


Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-NoNewDataReceived.yaml

Lines changed: 7 additions & 8 deletions
@@ -2,13 +2,7 @@ id: a9206c5a-3e72-4c10-807f-313a56075b20
22
kind: Scheduled
33
name: SAP ETD - No new data received
44
description: |
5-
Detects when no SAP Enterprise Threat Detection (ETD) data has been ingested into the SAPETDAlerts_CL table within the configured time window (default 1 hour).
6-
A complete gap in the SAP ETD feed should be treated as a potential tampering / defense-evasion event: an adversary who has compromised the SAP landscape, the SAP ETD service, the data connector, or the network path between them may be intentionally blocking security telemetry from reaching Microsoft Sentinel to hide follow-on activity. Benign causes such as a service outage, connector failure, or maintenance window are also possible and should be ruled out during triage.
7-
This rule is complementary to the per-SAP-system rule "SAP ETD - SAP system stopped reporting data", which can help distinguish a targeted silencing of a single system from a full-feed blackout.
8-
9-
To change the freshness threshold, update the `LookbackPeriod` variable in the query and align `queryFrequency` / `queryPeriod` accordingly.
10-
11-
*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*
5+
Identifies a complete gap in the SAP Enterprise Threat Detection (ETD) feed when no records have been ingested into the SAPETDAlerts_CL table within the configured time window (default 1 hour). A full-feed blackout may indicate that an adversary is tampering with the security telemetry pipeline (for example by stopping the SAP ETD collector, disabling the data connector, or blocking network egress to Microsoft Sentinel) to hide follow-on activity in the SAP landscape. Benign causes such as a service outage, connector failure, or maintenance window are also possible and should be ruled out during triage. This rule is complementary to the per-SAP-system rule "SAP ETD - SAP system stopped reporting data", which can help distinguish a targeted silencing of a single system from a full-feed blackout. To change the freshness threshold, update the `LookbackPeriod` variable in the query and align `queryFrequency` / `queryPeriod` accordingly.
126
severity: High
137
status: Available
148
requiredDataConnectors:
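Review bot: the new description names three benign causes (service outage, connector failure, maintenance window) but gives the analyst no first check to rule them out; the rule's own `Reason` column already carries the last ingestion timestamp, so a short clause such as "compare the reported last ingestion time with connector health and any scheduled maintenance before escalating" would make the triage sentence actionable without adding a sixth sentence. The rest of the rewrite is sound: the five-sentence cap is met exactly, the "Thread" typo is gone with the dropped *Data Sources* line, and the three tampering examples (stopping the collector, disabling the connector, blocking egress) cover the same attack surface the old "network path between them" wording did.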
@@ -21,7 +15,6 @@ triggerOperator: gt
2115
triggerThreshold: 0
2216
tactics:
2317
- DefenseEvasion
24-
- Impact
2518
relevantTechniques:
2619
- T1562
2720
- T1562.006
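Review bot: listing both T1562 and its sub-technique T1562.006 under relevantTechniques is redundant, since the sub-technique implies the parent; if the solution validator insists on the parent, keep both, otherwise keep only T1562.006 (Indicator Blocking), which is the precise fit for suppressed security telemetry. The removal of Impact itself is correct: T1562 (Impair Defenses) sits under Defense Evasion only in ATT&CK, so the old dual mapping was a misclassification rather than a second valid tactic.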
@@ -37,11 +30,17 @@ query: |
3730
| extend
3831
LookbackPeriod = LookbackPeriod,
3932
TimeSinceLastIngestion = now() - coalesce(LastIngestionTime, datetime(null)),
33+
FeedName = "SAPETD",
4034
Reason = iff(isnull(LastIngestionTime),
4135
"No SAPETDAlerts_CL records have ever been ingested.",
4236
strcat("No SAPETDAlerts_CL records ingested in the last ", tostring(LookbackPeriod), " (last ingestion: ", tostring(LastIngestionTime), ")."))
4337
eventGroupingSettings:
4438
aggregationKind: SingleAlert
39+
entityMappings:
40+
- entityType: CloudApplication
41+
fieldMappings:
42+
- identifier: Name
43+
columnName: FeedName
4544
alertDetailsOverride:
4645
alertDisplayNameFormat: 'SAP ETD - No new data received in the last {{LookbackPeriod}}'
4746
alertDescriptionFormat: |
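Review bot: the CloudApplication mapping is driven by a constant (`FeedName = "SAPETD"`), so every alert this rule raises carries the identical entity; that satisfies the entityMappings requirement but adds nothing an analyst can pivot on, and if incident grouping by matching entities is enabled for the rule it will fold every firing into the same incident. Consider surfacing `LastIngestionTime` and `LookbackPeriod` through customDetails so the gap is visible on the alert without re-running the query. On the unchanged context line above, `coalesce(LastIngestionTime, datetime(null))` is a no-op: `now() - LastIngestionTime` already yields null when the column is null, so the coalesce can be dropped.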

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SystemStoppedReporting.yaml

Lines changed: 1 addition & 14 deletions
@@ -2,19 +2,7 @@ id: b1413b43-9410-46f4-94d9-da507105d834
22
kind: Scheduled
33
name: SAP ETD - SAP system stopped reporting data
44
description: |
5-
Detects when an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table within the configured per-system grace period (default 2 hours).
6-
A targeted silence of a single SID should be treated as a potential tampering / defense-evasion event: an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector may be selectively blocking security telemetry for that system in order to hide follow-on activity, while leaving the rest of the SAP ETD feed intact to avoid drawing attention. Benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage.
7-
8-
The set of "expected" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on.
9-
10-
Tunable parameters (top of query):
11-
* `LookbackPeriod` - silence threshold per SID. Defaults to 2h to allow some grace and avoid noise from short transient gaps.
12-
* `BaselineLookback` - how far back to look to discover known SIDs (default 7d).
13-
When changing `LookbackPeriod` align `queryFrequency` accordingly, and when changing `BaselineLookback` align `queryPeriod` accordingly.
14-
15-
This rule is complementary to the overall-feed rule "SAP ETD - No new data received".
16-
17-
*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*
5+
Identifies a per-system silence when an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table within the configured per-system grace period (default 2 hours). A targeted silence of a single SID may indicate that an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector is selectively blocking security telemetry to hide follow-on activity while leaving the rest of the SAP ETD feed intact; benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage. The set of "expected" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on. Tunable parameters at the top of the query: `LookbackPeriod` (silence threshold per SID; align with `queryFrequency`) and `BaselineLookback` (how far back to look to discover known SIDs; align with `queryPeriod`). This rule is complementary to the overall-feed rule "SAP ETD - No new data received".
186
severity: High
197
status: Available
208
requiredDataConnectors:
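Review bot: this rule receives no entityMappings in this commit while its sibling does; the same schema requirement applies here, and the SID is the obvious entity for a per-system silence, so confirm a mapping on the SID column already exists further down the file, outside this hunk. In the description itself, the second sentence joins the adversary scenario and the benign-cause list with a semicolon to stay inside the five-sentence cap; it now runs to roughly eighty words and would read better split, with the two tuning notes at the end merged into one sentence to keep the count.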
@@ -27,7 +15,6 @@ triggerOperator: gt
2715
triggerThreshold: 0
2816
tactics:
2917
- DefenseEvasion
30-
- Impact
3118
relevantTechniques:
3219
- T1562
3320
- T1562.006
-260 Bytes
Binary file not shown.

Solutions/SAP ETD Cloud/Package/createUiDefinition.json

Lines changed: 2 additions & 2 deletions
@@ -166,7 +166,7 @@
166166
"name": "analytic5-text",
167167
"type": "Microsoft.Common.TextBlock",
168168
"options": {
169-
"text": "Detects when no SAP Enterprise Threat Detection (ETD) data has been ingested into the SAPETDAlerts_CL table within the configured time window (default 1 hour).\nA complete gap in the SAP ETD feed should be treated as a potential tampering / defense-evasion event: an adversary who has compromised the SAP landscape, the SAP ETD service, the data connector, or the network path between them may be intentionally blocking security telemetry from reaching Microsoft Sentinel to hide follow-on activity. Benign causes such as a service outage, connector failure, or maintenance window are also possible and should be ruled out during triage.\nThis rule is complementary to the per-SAP-system rule \"SAP ETD - SAP system stopped reporting data\", which can help distinguish a targeted silencing of a single system from a full-feed blackout.\n\nTo change the freshness threshold, update the `LookbackPeriod` variable in the query and align `queryFrequency` / `queryPeriod` accordingly.\n\n*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*"
169+
"text": "Identifies a complete gap in the SAP Enterprise Threat Detection (ETD) feed when no records have been ingested into the SAPETDAlerts_CL table within the configured time window (default 1 hour). A full-feed blackout may indicate that an adversary is tampering with the security telemetry pipeline (for example by stopping the SAP ETD collector, disabling the data connector, or blocking network egress to Microsoft Sentinel) to hide follow-on activity in the SAP landscape. Benign causes such as a service outage, connector failure, or maintenance window are also possible and should be ruled out during triage. This rule is complementary to the per-SAP-system rule \"SAP ETD - SAP system stopped reporting data\", which can help distinguish a targeted silencing of a single system from a full-feed blackout. To change the freshness threshold, update the `LookbackPeriod` variable in the query and align `queryFrequency` / `queryPeriod` accordingly."
170170
}
171171
}
172172
]
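Review bot: the regenerated UI text drops the `\n` paragraph breaks, so the create-UI TextBlock now shows five sentences as one dense paragraph; the trimming was a detection-schema request for the YAML description, and if createSolutionV3 allows it the UI copy could keep its breaks. The backticks around `LookbackPeriod`, `queryFrequency` and `queryPeriod` will also render literally if Microsoft.Common.TextBlock treats the string as plain text rather than markdown, so plain quotes may be the safer choice in this generated copy.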
@@ -180,7 +180,7 @@
180180
"name": "analytic6-text",
181181
"type": "Microsoft.Common.TextBlock",
182182
"options": {
183-
"text": "Detects when an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table within the configured per-system grace period (default 2 hours).\nA targeted silence of a single SID should be treated as a potential tampering / defense-evasion event: an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector may be selectively blocking security telemetry for that system in order to hide follow-on activity, while leaving the rest of the SAP ETD feed intact to avoid drawing attention. Benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage.\n\nThe set of \"expected\" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on.\n\nTunable parameters (top of query):\n * `LookbackPeriod` - silence threshold per SID. Defaults to 2h to allow some grace and avoid noise from short transient gaps.\n * `BaselineLookback` - how far back to look to discover known SIDs (default 7d).\nWhen changing `LookbackPeriod` align `queryFrequency` accordingly, and when changing `BaselineLookback` align `queryPeriod` accordingly.\n\nThis rule is complementary to the overall-feed rule \"SAP ETD - No new data received\".\n\n*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*"
183+
"text": "Identifies a per-system silence when an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table within the configured per-system grace period (default 2 hours). A targeted silence of a single SID may indicate that an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector is selectively blocking security telemetry to hide follow-on activity while leaving the rest of the SAP ETD feed intact; benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage. The set of \"expected\" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on. Tunable parameters at the top of the query: `LookbackPeriod` (silence threshold per SID; align with `queryFrequency`) and `BaselineLookback` (how far back to look to discover known SIDs; align with `queryPeriod`). This rule is complementary to the overall-feed rule \"SAP ETD - No new data received\"."
184184
}
185185
}
186186
]
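Review bot: the rewrite drops the rationale for the 2-hour default that the old text carried ("to allow some grace and avoid noise from short transient gaps"); the number survives in the first sentence but the tuning reasoning does not, so an operator lowering `LookbackPeriod` no longer sees the noise trade-off. A short parenthetical on the `LookbackPeriod` tunable, for example "(default 2h; lower values alert on short transient gaps)", would restore it within the sentence budget, and the same change would then flow into this generated UI text on the next createSolutionV3 run.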
