Merge pull request #14429 from MartinPankraz/feature/sapetd-data-freshness-alert

SAP ETD Cloud 3.0.5: telemetry-tampering analytic rules

Author: v-atulyadav

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-NoNewDataReceived.yaml

@@ -0,0 +1,54 @@
+id: a9206c5a-3e72-4c10-807f-313a56075b20
+kind: Scheduled
+name: SAP ETD - No new data received
+description: |
+  Identifies a complete gap in the SAP Enterprise Threat Detection (ETD) feed when no records have been ingested into the SAPETDAlerts_CL table within the configured time window (default 1 hour). A full-feed blackout may indicate that an adversary is tampering with the security telemetry pipeline (for example by stopping the SAP ETD collector, disabling the data connector, or blocking network egress to Microsoft Sentinel) to hide follow-on activity in the SAP landscape. Benign causes such as a service outage, connector failure, or maintenance window are also possible and should be ruled out during triage. This rule is complementary to the per-SAP-system rule "SAP ETD - SAP system stopped reporting data", which can help distinguish a targeted silencing of a single system from a full-feed blackout. To change the freshness threshold, update the `LookbackPeriod` variable in the query and align `queryFrequency` / `queryPeriod` accordingly.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPETDAlerts
+    dataTypes:
+      - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
+  - T1562.006
+query: |
+  // Configurable freshness threshold for the entire SAP ETD data feed.
+  // When changing this value also update queryFrequency and queryPeriod accordingly.
+  let LookbackPeriod = 1h;
+  SAPETDAlerts_CL
+  | summarize
+      LastIngestionTime = max(TimeGenerated),
+      RecordsInWindow   = countif(TimeGenerated > ago(LookbackPeriod))
+  | where RecordsInWindow == 0 or isnull(LastIngestionTime)
+  | extend
+      LookbackPeriod = LookbackPeriod,
+      TimeSinceLastIngestion = now() - coalesce(LastIngestionTime, datetime(null)),
+      FeedName = "SAPETD",
+      Reason = iff(isnull(LastIngestionTime),
+          "No SAPETDAlerts_CL records have ever been ingested.",
+          strcat("No SAPETDAlerts_CL records ingested in the last ", tostring(LookbackPeriod), " (last ingestion: ", tostring(LastIngestionTime), ")."))
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: FeedName
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP ETD - No new data received in the last {{LookbackPeriod}}'
+  alertDescriptionFormat: |
+    {{Reason}}
+
+    A complete gap in the SAP ETD feed may indicate that an adversary is tampering with the security telemetry pipeline (for example by stopping the SAP ETD collector, disabling the data connector, or blocking network egress to Microsoft Sentinel) in order to hide malicious activity in the SAP landscape. Treat the silence as suspicious until proven otherwise: validate the integrity and runtime state of the SAP ETD data connector, the SAP ETD service, and the network path between them, and review recent change / admin activity on those components before concluding the cause is a benign outage.
+customDetails:
+  LookbackPeriod: LookbackPeriod
+  LastIngestion: LastIngestionTime
+  LastIngestionGap: TimeSinceLastIngestion
+version: 1.0.0

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SystemStoppedReporting.yaml

@@ -0,0 +1,75 @@
+id: b1413b43-9410-46f4-94d9-da507105d834
+kind: Scheduled
+name: SAP ETD - SAP system stopped reporting data
+description: |
+  Identifies a per-system silence when an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table within the configured per-system grace period (default 2 hours). A targeted silence of a single SID may indicate that an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector is selectively blocking security telemetry to hide follow-on activity while leaving the rest of the SAP ETD feed intact; benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage. The set of "expected" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on. Tunable parameters at the top of the query: `LookbackPeriod` (silence threshold per SID; align with `queryFrequency`) and `BaselineLookback` (how far back to look to discover known SIDs; align with `queryPeriod`). This rule is complementary to the overall-feed rule "SAP ETD - No new data received".
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPETDAlerts
+    dataTypes:
+      - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 7d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+relevantTechniques:
+  - T1562
+  - T1562.006
+query: |
+  // ---- Configurable thresholds ----
+  let LookbackPeriod = 2h;
+  let BaselineLookback = 7d;
+  // ---------------------------------
+  let regex_sid = @"^([A-Z0-9]{3})/";
+  let regex_client = @'\/(.{3})$';
+  SAPETDAlerts_CL
+  | where TimeGenerated > ago(BaselineLookback)
+  | mv-expand NormalizedTriggeringEvents
+  | extend
+      SystemId = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
+      ClientId = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
+      Host     = tostring(NormalizedTriggeringEvents.NetworkHostnameInitiator),
+      Instance = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
+  | where isnotempty(SystemId)
+  | summarize
+      LastIngestionTime = max(TimeGenerated),
+      Host     = take_any(Host),
+      Instance = take_any(Instance),
+      ClientId = take_any(ClientId)
+      by SystemId
+  | extend TimeSinceLastIngestion = now() - LastIngestionTime
+  | where TimeSinceLastIngestion > LookbackPeriod
+  | extend
+      LookbackPeriod = LookbackPeriod,
+      Reason = strcat("SAP system ", SystemId, " has not reported any data to SAP ETD in the last ", tostring(LookbackPeriod), " (last seen: ", tostring(LastIngestionTime), ").")
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: SystemId
+      - identifier: AppId
+        columnName: ClientId
+      - identifier: InstanceName
+        columnName: Instance
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: Host
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP ETD - SAP system {{SystemId}} stopped reporting data'
+  alertDescriptionFormat: |
+    {{Reason}}
+
+    A selective silence of a single SAP SID may indicate that an adversary is tampering with the security telemetry pipeline for this specific system (for example by stopping the SAP ETD collector for that SID, disabling the relevant data connector path, or blocking network egress from that host) in order to hide malicious activity while leaving the rest of the SAP ETD feed intact. Treat the silence as suspicious until proven otherwise: validate the integrity and runtime state of the SAP system, the SAP ETD collector configuration for this SID, and the data connector between SAP ETD and Microsoft Sentinel, and review recent change / admin activity on those components before concluding the cause is a benign outage.
+customDetails:
+  SAP_SID: SystemId
+  SAP_Client: ClientId
+  LookbackPeriod: LookbackPeriod
+  LastIngestion: LastIngestionTime
+  LastIngestionGap: TimeSinceLastIngestion
+version: 1.0.0

Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json

@@ -9,7 +9,9 @@
     "Analytic Rules/SAPETD-SynchAlerts.yaml",
     "Analytic Rules/SAPETD-SynchInvestigations.yaml",
     "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
-    "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml"
+    "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml",
+    "Analytic Rules/SAPETD-NoNewDataReceived.yaml",
+    "Analytic Rules/SAPETD-SystemStoppedReporting.yaml"
   ],
   "Playbooks": [],
   "PlaybookDescription": [],
@@ -22,7 +24,7 @@
   "Watchlists": [],
   "WatchlistDescription": [],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
-  "Version": "3.0.4",
+  "Version": "3.0.5",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": false

Solutions/SAP ETD Cloud/Package/3.0.5.zip

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20ETD%20Cloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.\n\n**Data Connectors:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20ETD%20Cloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.\n\n**Data Connectors:** 1, **Analytic Rules:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -156,6 +156,34 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic5",
+            "type": "Microsoft.Common.Section",
+            "label": "SAP ETD - No new data received",
+            "elements": [
+              {
+                "name": "analytic5-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies a complete gap in the SAP Enterprise Threat Detection (ETD) feed when no records have been ingested into the SAPETDAlerts_CL table within the configured time window (default 1 hour). A full-feed blackout may indicate that an adversary is tampering with the security telemetry pipeline (for example by stopping the SAP ETD collector, disabling the data connector, or blocking network egress to Microsoft Sentinel) to hide follow-on activity in the SAP landscape. Benign causes such as a service outage, connector failure, or maintenance window are also possible and should be ruled out during triage. This rule is complementary to the per-SAP-system rule \"SAP ETD - SAP system stopped reporting data\", which can help distinguish a targeted silencing of a single system from a full-feed blackout. To change the freshness threshold, update the `LookbackPeriod` variable in the query and align `queryFrequency` / `queryPeriod` accordingly."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic6",
+            "type": "Microsoft.Common.Section",
+            "label": "SAP ETD - SAP system stopped reporting data",
+            "elements": [
+              {
+                "name": "analytic6-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies a per-system silence when an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table within the configured per-system grace period (default 2 hours). A targeted silence of a single SID may indicate that an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector is selectively blocking security telemetry to hide follow-on activity while leaving the rest of the SAP ETD feed intact; benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage. The set of \"expected\" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on. Tunable parameters at the top of the query: `LookbackPeriod` (silence threshold per SID; align with `queryFrequency`) and `BaselineLookback` (how far back to look to discover known SIDs; align with `queryPeriod`). This rule is complementary to the overall-feed rule \"SAP ETD - No new data received\"."
+                }
+              }
+            ]
           }
         ]
       }