From 3b733f6f2f56815d510b60bb49616122ff869151 Mon Sep 17 00:00:00 2001 From: MartinPankraz Date: Wed, 9 Apr 2025 12:15:36 +0200 Subject: [PATCH 1/3] add etd rules --- .../SAPETD-LoginFromUnexpectedNetwork.yaml | 38 +++++++++---------- .../Analytic Rules/SAPETD-SynchAlerts.yaml | 24 ++++++------ .../SAPETD_PUSH_CCP/SAPETD_DCR.json | 2 +- .../SAPETD_PUSH_CCP/SAPETD_dataConnector.json | 2 +- .../SAPETD_PUSH_CCP/SAPETD_table.json | 2 +- .../SAP ETD Cloud/Data/Solution_SAPETD.json | 2 +- .../SAP ETD Cloud/Package/mainTemplate.json | 10 ++--- Solutions/SAP ETD Cloud/ReleaseNotes.md | 3 +- 8 files changed, 41 insertions(+), 42 deletions(-) diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml index de0d0de75f0..3c5a5a94c30 100644 --- a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml +++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml 
@@ -13,34 +13,32 @@ requiredDataConnectors: - connectorId: SAPETDAlerts dataTypes: - SAPETDAlerts_CL -queryFrequency: 1h -queryPeriod: 2d +queryFrequency: 5m +queryPeriod: 30m triggerOperator: gt triggerThreshold: 0 tactics: [] relevantTechniques: [] query: | - let regex_ip = @"user_ip:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"; - let regex_user = @"user_name:(\w+)"; - let regex_sid = @"sid:(\w{3})"; - let regex_client = @"client:(\d{3})"; - let regex_instance_name = @"instance_name:(\w+)"; - let regex_instance_host = @"instance_host:([\w-]+)"; + let regex_sid = @"^([A-Z0-9]{3})/"; + let regex_client = @"/(\d{3})$"; let SAPNetworks = _GetWatchlist('SAP - Networks'); SAPETDAlerts_CL - | mv-expand TriggeringEvents - | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent) - | extend Id_ = TriggeringEvents.Id - | extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent) - | extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent) - | extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent) - | extend extracted_client = extract(regex_client, 1, sapOriginalEvent) - | extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent) - | extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent) + | where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address") + | mv-expand NormalizedTriggeringEvents + | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents) + | extend Id_ = NormalizedTriggeringEvents.Id + | extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator) + | where isnotempty(extracted_user_ip) + | extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted + | extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)) + | extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)) + | extend extracted_instance_name 
= NormalizedTriggeringEvents.NetworkHostnameActor + | extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true) | where isempty(Network) - | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status - | extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip)) + | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents + | extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip)) eventGroupingSettings: aggregationKind: AlertPerResult entityMappings: @@ -65,4 +63,4 @@ alertDetailsOverride: customDetails: SAP_User: extracted_sap_user ETD_AlertNumber: AlertId -version: 1.0.1 \ No newline at end of file +version: 1.0.2 \ No newline at end of file diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml index d771496c352..cebfdb8ae99 100644 --- a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml +++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml 
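Review bot: `extracted_sap_user` is assigned the raw dynamic value `NormalizedTriggeringEvents.UserAccountTargeted`, while the sibling Synch-alerts rule takes its user from `UserAccountActing`; the `SAP_User` custom detail and the entity mapping below this hunk will receive a JSON-typed value rather than a string, so wrap it as `| extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountTargeted)` and decide deliberately which of the two account fields a logon alert should surface. The SID/client extraction assumes `SystemIdActor` is formatted `SID/client`; if it is not, `extracted_sid` and `extracted_client` come back empty with no signal, so a comment such as `# SystemIdActor is expected as "<SID>/<client>", e.g. ABC/100` above the regexes would help, and the client regex should agree with the other rule (`\d{3}` here versus `.{3}` there). Shrinking `queryPeriod` from 2d to 30m on a 5m schedule is only safe if `TimeGenerated` is the ingestion time; if the DCR derives it from the ETD `CreationTimestamp` instead, a late poll leaves events outside the window and they are never evaluated — confirm which it is. The rule's entity mappings and `version` continue outside this hunk.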
@@ -17,20 +17,20 @@ relevantTechniques: [] query: | let minThreshold= 1; let minScore= 50; - let lookBack= 70d; + let lookBack= 7d; + let regex_sid = @"^([A-Z0-9]{3})/"; + let regex_client = @'\/(.{3})$'; SAPETDAlerts_CL - | mv-expand TriggeringEvents - | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent) - | where PatternName <> "Logon from external with SAP standard users" + | mv-expand NormalizedTriggeringEvents | summarize arg_max(TimeGenerated, *) by AlertId | where Threshold >= minThreshold and Score >= minScore - | extend NewEvent= split(sapOriginalEvent, "\n") - | mv-expand NewEvent to typeof(string) - | parse NewEvent with Key: string ":" Value: string - | extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key) - | extend KV= bag_pack(Key, Value) - | summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId - | extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip + | extend + SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)) + ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)), + Host= NormalizedTriggeringEvents.NetworkHostnameInitiator, + Instance= NormalizedTriggeringEvents.NetworkHostnameActor, + User= NormalizedTriggeringEvents.UserAccountActing, + IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator; eventGroupingSettings: aggregationKind: AlertPerResult entityMappings: @@ -56,4 +56,4 @@ alertDetailsOverride: customDetails: SAP_User: User ETD_AlertNumber: AlertId -version: 1.0.1 +version: 1.0.2 
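Review bot: The multi-line `extend` is missing the comma after `SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))`, so the query is a KQL syntax error and the rule will not validate or deploy; add the comma, and drop the trailing `;` after the final `IP= ...` line, which is not needed at the end of a query. Removing the `| where PatternName <> "Logon from external with SAP standard users"` exclusion means that pattern is now raised both here and by the login-from-unexpected-network rule, which selects it explicitly, so one ETD alert can become two Sentinel incidents — either restore the exclusion or state the intended duplication in the rule description. Note also that `mv-expand` followed by `summarize arg_max(TimeGenerated, *) by AlertId` keeps an arbitrary one of the expanded rows when an alert has several triggering events (they share `TimeGenerated`), so `Host`, `User` and `IP` may not belong to the event an analyst expects, and `lookBack` is declared but never referenced.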
diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json index 8c73ff63f61..fd7bc1ff86f 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json @@ -53,7 +53,7 @@ "type": "int" }, { - "name": "TriggeringEvents", + "name": "NormalizedTriggeringEvents", "type": "dynamic" } ] diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_dataConnector.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_dataConnector.json index b0bd2cccf12..bbcd39d7f5b 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_dataConnector.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_dataConnector.json @@ -33,7 +33,7 @@ "timeoutInSeconds": 60, "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", "queryParameters": { - "$expand": "TriggeringEvents", + "$expand": "NormalizedTriggeringEvents", "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}" }, "headers": { diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json index 3352ab19bec..4d3d837863b 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json @@ -56,7 +56,7 @@ "type": "int" }, { - "name": "TriggeringEvents", + "name": "NormalizedTriggeringEvents", "type": "dynamic" } ] diff --git a/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json b/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json index 432f3462847..3fb49e35572 100644 --- a/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json +++ b/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json 
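Review bot: Renaming the stream and table column from `TriggeringEvents` to `NormalizedTriggeringEvents` changes the ingestion schema but does not migrate the existing `SAPETDAlerts_CL` table in workspaces that installed 3.0.0: rows ingested before the upgrade keep their payload in the old column, the new column is empty for them, and the analytics rules in this PR read only `NormalizedTriggeringEvents`, so historic alerts silently drop out of the rules' view. A sentence in the connector description or ReleaseNotes that the DCR must be redeployed and that pre-3.0.1 rows are not migrated would save a support ticket; if the ETD OData service still exposes the old `TriggeringEvents` entity, keeping both columns in the table definition for one release would keep old data queryable.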
@@ -20,7 +20,7 @@ "Watchlists": [], "WatchlistDescription": [], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/SAP ETD Cloud/Package/mainTemplate.json b/Solutions/SAP ETD Cloud/Package/mainTemplate.json index db748251509..d67543b8790 100644 --- a/Solutions/SAP ETD Cloud/Package/mainTemplate.json +++ b/Solutions/SAP ETD Cloud/Package/mainTemplate.json 
@@ -99,7 +99,7 @@ "description": "Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)", "displayName": "SAP ETD - Synch alerts", "enabled": false, - "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 70d;\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n| where PatternName <> \"Logon from external with SAP standard users\"\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend NewEvent= split(sapOriginalEvent, \"\\n\")\n| mv-expand NewEvent to typeof(string)\n| parse NewEvent with Key: string \":\" Value: string\n| extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)\n| extend KV= bag_pack(Key, Value)\n| summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId\n| extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip\n", + "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 70d;\nSAPETDAlerts_CL\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)\n| where PatternName <> \"Logon from external with SAP standard users\"\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend NewEvent= split(sapOriginalEvent, \"\\n\")\n| mv-expand NewEvent to typeof(string)\n| parse NewEvent with Key: string \":\" Value: string\n| extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), 
NormalizedTriggeringEvents.EventLogType, Key)\n| extend KV= bag_pack(Key, Value)\n| summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, NormalizedTriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, NormalizedTriggeringEvents.OriginalEvent) by AlertId\n| extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip\n", "queryFrequency": "PT1H", "queryPeriod": "P2D", "severity": "Medium", 
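Review bot: The packaged Synch-alerts query was only search-and-replaced (`TriggeringEvents` → `NormalizedTriggeringEvents`) and still parses `NormalizedTriggeringEvents.OriginalEvent` with `split`/`parse`/`make_bag`, keeps `lookBack= 70d`, the `PatternName <>` exclusion and `PT1H`/`P2D` scheduling, none of which matches the YAML source changed in this same PR (`SystemIdActor`, `NetworkHostnameInitiator`, `7d`). If the normalized entity does not carry `OriginalEvent`, the packaged rule yields empty `SystemId`, `User` and `IP` for everyone installing from the content hub, which is the deployment path that matters. Regenerate `mainTemplate.json` from the YAML with the solution packaging tool instead of hand-editing it, and rebuild the package zip afterwards.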
@@ -232,7 +232,7 @@ "description": "Identifies logons from an unexpected network.\nSource Action: Logon to the backend system from an IP address which is not assigned to one of the networks.\nnetworks can be maintained in the \"SAP - Networks\" watchlist of the Microsoft Sentinel Solution for SAP package.\n\n*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*", "displayName": "SAP ETD - Login from unexpected network", "enabled": false, - "query": "let regex_ip = @\"user_ip:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\";\nlet regex_user = @\"user_name:(\\w+)\";\nlet regex_sid = @\"sid:(\\w{3})\";\nlet regex_client = @\"client:(\\d{3})\";\nlet regex_instance_name = @\"instance_name:(\\w+)\";\nlet regex_instance_host = @\"instance_host:([\\w-]+)\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n| extend Id_ = TriggeringEvents.Id\n| extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)\n| extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)\n| extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)\n| extend extracted_client = extract(regex_client, 1, sapOriginalEvent)\n| extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)\n| extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status\n| extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({\"IsPrivate\": true}), geo_info_from_ip_address(extracted_user_ip))\n", + "query": "let regex_ip = @\"user_ip:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\";\nlet regex_user = 
@\"user_name:(\\w+)\";\nlet regex_sid = @\"sid:(\\w{3})\";\nlet regex_client = @\"client:(\\d{3})\";\nlet regex_instance_name = @\"instance_name:(\\w+)\";\nlet regex_instance_host = @\"instance_host:([\\w-]+)\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)\n| extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)\n| extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)\n| extend extracted_client = extract(regex_client, 1, sapOriginalEvent)\n| extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)\n| extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status\n| extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({\"IsPrivate\": true}), geo_info_from_ip_address(extracted_user_ip))\n", "queryFrequency": "PT1H", "queryPeriod": "P2D", "severity": "Medium", @@ -599,7 +599,7 @@ "type": "int" }, { - "name": "TriggeringEvents", + "name": "NormalizedTriggeringEvents", "type": "dynamic" } ] @@ -686,7 +686,7 @@ "type": "int" }, { - "name": "TriggeringEvents", + "name": "NormalizedTriggeringEvents", "type": "dynamic" } ] @@ -1018,7 +1018,7 @@ "timeoutInSeconds": 60, "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", "queryParameters": { - "$expand": "TriggeringEvents", + "$expand": "NormalizedTriggeringEvents", "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}" }, "headers": { 
diff --git a/Solutions/SAP ETD Cloud/ReleaseNotes.md b/Solutions/SAP ETD Cloud/ReleaseNotes.md index 59fa1bd25b6..067000aef23 100644 --- a/Solutions/SAP ETD Cloud/ReleaseNotes.md +++ b/Solutions/SAP ETD Cloud/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 17-02-2025 | Initial Solution Release | \ No newline at end of file +| 3.0.1 | 31-03-2025 | SAP OData entity change from TriggeringEvents to new NormalizedTriggeringEvents | +| 3.0.0 | 17-02-2025 | Initial Solution Release | From 56eb2135f1c67dae275aa4bec6a09289834a7d23 Mon Sep 17 00:00:00 2001 From: MartinPankraz Date: Thu, 10 Apr 2025 13:26:29 +0200 Subject: [PATCH 2/3] logserv retention fix, etd odata update --- .../SAPETD_PUSH_CCP/solutionMetadata.json | 2 +- Solutions/SAP ETD Cloud/Package/3.0.1.zip | Bin 0 -> 9764 bytes .../SAPLogServ_PUSH_CCP/solutionMetadata.json | 2 +- .../SAPLogServ_PUSH_CCP/table.json | 3 +-- .../SAP LogServ/Data/Solution_SAPLogServ.json | 2 +- Solutions/SAP LogServ/ReleaseNotes.md | 1 + 6 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 Solutions/SAP ETD Cloud/Package/3.0.1.zip diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/solutionMetadata.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/solutionMetadata.json index 90c6080dcef..4ff9cbb8b10 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/solutionMetadata.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/solutionMetadata.json @@ -1,7 +1,7 @@ { "SolutionName":"SAP ETD Cloud", "SolutionAuthor": "SAP", - "SolutionVersion":"3.0.0", + "SolutionVersion":"3.0.1", "PackageId": "azuresentinel.azure-sentinel-solution-SAPLogServPushV1", "TemplateName": "SAPETDPushV1", "ConnectorDefinitionTemplateVersion": "1.0.0", 
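Review bot: The `PackageId` in the SAP ETD Cloud connector metadata is `azuresentinel.azure-sentinel-solution-SAPLogServPushV1`, identical to the one in the SAP LogServ metadata touched later in this PR, while `TemplateName` here is `SAPETDPushV1`. If the package id is what identifies a solution in the content hub, the two solutions will collide on install or upgrade; this looks like a copy-paste leftover that the version bump is a good moment to fix, e.g. `"PackageId": "azuresentinel.azure-sentinel-solution-SAPETDPushV1"` — confirm against the SolutionMetadata.json the packaging tool actually reads.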
diff --git a/Solutions/SAP ETD Cloud/Package/3.0.1.zip b/Solutions/SAP ETD Cloud/Package/3.0.1.zip new file mode 100644 index 0000000000000000000000000000000000000000..9abd8e203678dbff783832655fafa11b9685b2ac GIT binary patch literal 9764 zcmZ{~V{j#0@a`Mi$z;d2ZQGpKc6OW{+qNdQZQJ%_;)!idlJox0mwWHIb$WGG*Xru( zufJ96c~s;fp|HTfz~I27J)(6z+fmUfVZp%ialya<|8>n=EKJ-iG;Aa+ENvWZ+-!i3 zOt!8-$64(QM|^JVul|8P$inR~N>RK`m}u;=vM^iNZ7?Of5!;Y33#b*O(tX?TU&#dY zj$9)7r3q`)XP!KOS;VR!#mSmWTX15QjTs?r9D2U9b3vrZ#M ziT+)jOqdJ!H!U|AoV)Jz=B9}g7J)K5xns%3tWw;blJEC{LQQG1lI@S48BFQ`nUHVo z+Apq5kPfSsDjCwGH?4SatzozEwHG%}>InCcHVfH7dV>r9VR-pa5FFNxHGE8=rd{VI zv$5>&^?PbZGKM-Y)6tS09cTLCF`IrIcznF9PPKbsi!PJ3(E0RMPo!OF{Idh!G(8iN z#iWP{?w#a=n@5ZowJ38KE78f#&K+z1?q5c}y&Z6uvzENZ{J5PsvBKXBJ~8v!6N;DT zH_REfm1Bp%R!r(c)@~W7_F&vb>~P*$eTEHP>Zl#rRulThH7Sz7f%!7+#n>*zpcexgh+$D5k(L`4_kw>Mi7mi2GXP&!#;aK$Ipx^Yl z7R8H`0Z2_Tn1bi3`y)PWu4){(*;7{L&C>6o=E@NHU( z{u=k*j2*I{4k@*&?N!B5E)XehfCRJzI^EgK>+dCAkIeX-+?hI5Sx{dFwD>#)`_A?T zP6`o_$e)eYj?~2O_J=u>$q3`4Q`IcNa_X~b3z7&L;9>Z<3p-ferKBY9J8jh(ENwqf zCLV=am@oACswufkcRUlRnNv%9jIH<`+PDro)^s#w^S$i7#)SrIM@>tgo=Ht9=y1KK zIE`&!6^AZ9$3M!ZF$nJsJxN7fhfcSVtDxDUL+2a6lhFs8OxaBM2f2n=&o+Lau2@w| z0KujqWWY?1qSHMT(<=OB=(VCM?!N@9v;gmMi(YGsyAj6^?HGfF6*W95+_)OT)5Jdx z{VXaA7a3R)++!}o<4zvdTWJ+*|2Q1WKCi0{^JV6^<;g;2v-8>HFY)QfG@0(H59w0< zB&L0R*$d)N%7xkt?Rc5<(|8Z`q9(DSfHOgF1r^Up_BCL>RL9k?S!TkuI^Q)MjqKBq zAWEkUFS^Hsp$n54bPFYpWS>9m<($NDv8f&zTvCb&?XlX!P(w{xyDUV8kHaiz38XAH z^@BWoLB2eK|4h9>ZeU>_j-K}mjMqe7LFIgsbf|N&b8{-)x-0NTQK1tbi;0xlQSK1< zQKw70sE2VZAUJ4r3aOuZo@}z(VlQl&GeT01_Q0Ug%)eGb2^nBhjt1wW>27{A>rlYF)8ij_j1}s(E52 zI-sZC`9}CsA-Igxf$qxWLMEeu!9pY4I(?MIuf;457ZJaDfj8Wpu@!~ngwaZ-yM5~7 z#4YE>dmDN_j`4fcsA3Hf!iUt2_Eu=Vgf-jd zmYo#=IydFBWWVe@vOWj=7!Ob==_2rwyEoU3ZB#!gcjQNQy>NS9y^u@{2bw=#iXA$T zWUZz5-PPj&v*#6+qi?7?zu|Eon=(iFVQpbGf7nbh0X1+k>JbRvKMv}oxBb(64sXa+ zA4vbUm^RvAH~Gqehr!*E??vQkUwi49h?}#v9kv(GQF_*OHamUZz4-r=z0Re2SR(Gk z0J85Uu~QPX5(n_0#eZ9gfPy^1sn;=ZG0cROu(*oZFS6s>%co6MvV4T|5;MRe@59_i 
zhigT?THCFwmb2$$5XXw))FJaQOyO4w5oqF)rc8hS+>1X9CFt=*&rrh_bkh*_D~`09 zP8}ouH=gCzmPcSmK!HAV|*2@{rd?Vc3aC;Kt)EWp2i87Cu*%`!cg%TIedaSLYwo>9eP|Fb;o0 zT(04Ik?VN(pa&#h4!@-g|2Le#3v(P7zVT%zY0n4#6Xcew^Djdy*l$38{^CN*3>xce zEb3koZkYP~cv*S(cn>Zl$FL~G^B>nDw1FfRqGWxLP|(_6;|Aqt0_G;XjjQwoR&GDc zF>oxkVxFB137i<|Tb7t<8?0#ztgm&n5E*WnjqIF1Z+r#Q-cPZMw%NP1jF6s(~l#?-3Zitq$-@xa~f`xm0 z1MQBzGC8z0zK9Jb}2I(|8Q@lwAr^1$_Ux4{#D2rbrh(U*uMvnEJ~HDHQ^) zH;c(<@@pS`E{g(fhHQa(s}c=Lbk@4O;ew2 zxbq1#1pdfqgCx`Sqlcq04>o?aznEu?l(IQ>FFVQ<-9R{wM-C`27=&`zsGnsrOQ~vB z5GQNXFbk(m^0atw<8`stJwP5+iUhPI{m8uXZBCu>hr;O2XhB0pVGM8QCH@+QN&;q~ z3)97tNUfqVB3ny{PvQ`a=ma}fcY>Dn(Hc$06#OuFAFUrzH;Q{_ewXf!gI-2VmX#St zS+-e(a!?r89xLB27v~PG5|H0d?@-4MsXxodnyCT1_{#Z$o4CSXUz;7@r#c8~cq&Mw zCNJXEs|wh4u5#l^zzFULM`PtOlZ9>f3Sv`XXHyu(J-pmIb&APC5|P}wGo1DI4D4td z)pVK4W6kbO#(}0yrVEG6zD0ZKy3hH@d&T9YUy>dH6WB)^FE!Q-Yf=gn9LzTKqYSh{ z5TSXOBx#;0E>>A#9~KOM)~!s| z9-}M-ua?m{J&3Z*4q3mRE@gq{V9|g_S>TD!`>WXG(C4a-ww13R_Vq3%;>Bzc1meq0 zepu`A:!GbIcr9n)-`CIV?!1U&2lOTNiy3O>a97*h>3Q)1;=!FhL+X3*Epj`L2e zHUZ6Mx~Ue0^7C2P)$d3JW}&yeJu?M@30TaT$k>WtwW*wN&N){t@3Tkexdy#S^FqG{ zj>#4Nt2e4ZEDyUQD|K*gDRa%fFdQSf7r%CPTe>Qp}(6vQe>A*}&eC>n0}G z-R`DABm^}wDid?wc&`DMIwIaOAKVds*b1St+G99Rq7VAoXNqoqW;I)x)PYJy)zIEq zaI7}UruMtGQH}U8xtcO6D%_cq*m*A<;s7lgRSXQ+O6Zu$Gy8Q(|^6?!4OkQ8*BCJ@#*#xwR<#CYgnWH;xC0qh|fkRxLJ4%HKv|2(Go^f7Ng$Y#iIS%^Jjtt|(G zGsxz2<#;u6AgpOQg8%h1Wjm%Ga3C2NtR6Sep2>tIdv)D~f!#GeS7)dA2t?;EEFkO{ zq1XvcKN(VD1-7N%i9^{txn^>EB?O5sRmk|L0klwUKqh?PX`Dgo6aAtMD9G>%FwQ7t zd1k#Ny#d0WhvnsF^X1GFDY>snhh7=NK@DD_dAfJx`AVndCSXb_fWP%8ao>))S9k%t ztp2aBZ;Mx&FFi>%TpsqB{B8Dm`JQ@&_74V_*(Fb<`#W2%FQ{zYY^UX&XS#oTPv#ZI zzjAdUck>hmc+Ztk>J~`ju7a((ApJjcgRMN+er4tBLi$JV-u+dyH!ZQBXPAJ`c=a{k+k48-hu$d z#dq;ZTHtS@Y~R37Tw)%rf zXEl-ArKMm+X{LNOFF3nwk3$I7ja$X4>SS#6>%rhlIKsu=&i$GX5~o+reHoi1SDT^k z;fE#m^c}0Day3yOr^9bH)`u}i(mk->&xp5(uvJ)t#_|)vk+S+T)>Wlz^_1<+Gpg1I zAtxeW-7otqRH7y@^;AuP8CqE0tJxrbTt#k|(&$GVb>V9DgmWJpA0d_MZFfPkHwSLY zgDX&wV(Et~=$TCmS>Zi39HdQ;WxeuAjj3XsiS)s{c9vBUmhywa67E9QDT7hdi~zcj 
z8!`+}iS)^dWHJKj>%*EW+GeCxh*v}P9aZ&ZApNpG`;=vsf9x3UCm1odlp@p)4=a^n zp&TaFL=sr57y2c0BgJp?SSv_y1M&HW)5Q7wgjqDOE?O){;18(%4yMa^=sLs;a_~rG zM_^Q}^_z4jtXI)_X3Ouda*Bg$lNdJfmIZ7@`-9dIv8Fq4x6RU_%`^cNV~63)MlB%n zngbs}?#q$609OpDLcY%DYA>aW^5771F{1h|Vv-A;xu(ePd)ryV0vra?2eeY5g+GG1iV-#B_MUB)sQNBvyk+>l2WF1+{g@~KH8|uYBqZf9Wq3Jce{Xhj@Y=W|fQ4rRpMa@T}e@r}lzYqbD( zPv-FQgQlHW|Mmppv+_sxb>9_^S{}0G&SE>7_)sUkOJ(0N&Qf8+E@Whh0*PxdzF!%l z7q}@FcpfDkVFc1F)F%IDfuf#rB|H4|MZm>ky>-B_@wpDD-{q@Zw(t!wgM&ZVn#}kG^ z6pUaiBEU%Giqt3$WS(4eb;TCKA1+?FJWlI?1SeTck7S_W zc95>q&Lk?5HXf?S#gU?{pZ##&u320L8^`|n4+Qy3u*Z&c(p(Si z49JF@P)&xlQ9?2{YaQdVN%#wH(RHL%+cl!tPynd69N*zjQ8yGPMDQkF!toDpf2>^hSOXXOtT1) zQ4X}xjl}2oEJqWf5?xK;3rQsK5)u`S8!0~WkX!dvfNI5t1Ve##DX8;75s`I5`v>I5 zqys+6;5!zhr}4wR_cAs5`=H2C|G~zMo)eTFO;79?MGf+`=utT*BVKI1*_`$)?V2)f zPM8n07=xk-afWA7?CvCk{&4M@w)HkCCr!>cNoeP%J$sEzyF{0OqP1V`KFt{% zh%sTT@mMXiBwRPZ1awX$AL5l)!sg8L&3)4^mu7O>us37KbHKBN&GJ3FvWK&HUa-e$ zO@}IbYBmTdlXu+Og1SR)8!0WYpd5`L)QWJlhq{k9{|mwy-Z&imATzl<%e3nL+E%!62@vDy^u{G$Yr66*2FKYf z77SKoViv8nUD<1j_A_6^9L|Sq6*N*&@HT-&b1)UmkuNM??(b85%PB8U^|#eLZUE{| zQHw-=?lNLeh}VK8$)V-=eSXO+ulp}*aK_KXojJVY8r7omym}tWl^C@FsJ-k#@(+sR z45LR&BCYqbkg~s&tkj0p>-mn9$Y{-^=Gr}h1c3F!ExdZqP^1huKh~ijrz^E6*7R$+ zCa{LtHM~e7M4S(Vk_n5F zngY?4&43P9vyNiTlJGAzz4*hFPDgF|UzZvyL1Od%2%jB&mS8A0PyxZTN;J~}qpg&c z;ZQx^5-V$T<~}I9Kd(@Rlu~`;`E*^4kz0K*|@e9v; z+;tFG5!rq6mY~fb-uogJXb92(dw6!(3ktsfJ{K0cOgvD&w=%s7?!5g0jCcbuhC`Kv zc{N?Up$^TLfWgu5=-j8~W3%Wl@=SGvz^ z&(SbWG8du(f;eHKWMdOl9(Y9KkRN_cT;G|H?z_k#_1A;>pr=qH1s|f2cyMV?Yz-u~ zp!#zT>~oYnxYL+zZNWu74!lh`6u<7kOvHwQCx24ur*@-nK%}u$c*%!+;JP zV>tZVrA(e3xPbegLj!?V6ZUu@+|Kj>GnJRAXFL$WCE{7B^y_^ao(ixKPt| za})`Y7;mqtMw8A2_cw3I8_t16siKUE!i%|};yLTQVR;9wu?-G>P-cK!Uxpk@2o zFxiVluuCLFSsxNY%^sX-Dlh0RcRq$!H~2_KT9WMO z-7xv!G6uc3z)b_Nc4Mv_F0+>Z?+HLEd1@4FWPS$WyRZx564weB5 z=ny{;Qp>itUtcso-2u_l$RKeMPG?0Vd5hHg_<5nV#VoNuRfnC}BbE9wXWT?wm*G2< z?l($gdzt!#|MvJ%FN-h`XE@JJo~}9X;E`*!AxBNr_~@I81;Z1Mq0M7p<>os19l;eg z!_+RY=#Sz`xNM+t!afn->5TmJGn(>MUqVII3OrA0{W-*Z8(jUO0RXmMp~jyB9de?* 
z;ub>Hrv2eH+wSL&?1nszOwimpoPGJ*#~ghJ`tn;xiOHzP3_}AAz)iwCLKe}{(z7@X zovs-YutQG1(7?#_gY69~p>0XSF+fv(Nl>DqzEA5h(#Z_Ugb|w210r0tL3wMIPp_Oh zA=}&Hi@#krosM}LbXDevfiR^VEwW^mtVa4yMb1b`Msuy#X4;>SOU)j1S+VfHT~yme z$q^SVE9*A0H*Us8CI#2powG^%T9FC$VTxK?AR1`z(M0He`2DoFBksObOe7?1NZ|M8 zF8`tcZ(l@;_{E5dFKoC0Y0IQ<_aoc={KQJ{52?F2Lf#YEzR_Z=BvOfas}Hx!y%)}y z;7sTHf+S@ybt_G$R+ppGV(sUmOw((##0%s-LHWAXn%L|HRMlqFYvBKh@U;RL?&TC`P{K`~G(z z=~*xg_iJ3lCrTFYe?vg;&6TthgkDUS&h6wwEYp9o26}|s>QC5Ug6C z7X|HAwlt;4)-?4bl|}byl=|wlUrP~Ul9id9X?j9WPNU{(L#Tes$ShljCjo5Af<`%i z#ft5(?+|6mI~{2c`H*D>a-{cZ$x-;-A7x3p2Lp0{`#R?aDiq&bo!UN93Kb**XdRSV zJ;}!_3&*KjjZ4?H?67oF&)1Klo^TE6Wpw@= zkDdOx2JjSql^4t2Us>Dfe{3z{uHW9nmQ;@frVFvu_6eI@DD@MmZrd4oYm5PY&KVZQ z`ZXV2JOPJjn6#LCl!`h8dRrL$1dmRSEKVtpPIh%Sy=Gk=lGz?C4qG&JIxTsNT+qIU<7Zfvqc<8W61^^tPXNBDsrHyLCZ=U3hWWW| zRCVq6T8(hV*<~H|&8P6GTDvqIyYwPWT2V&kawf)NCi;9s&6%wn-GSu$(}sYv=X)QfavEk;1y&;OvHsZ!3+p~mZ^^FwBoZ87?&kUs6BPUTpy zQJ~sZ2WX-w>x_E?=pyQRYNbyMc>q?mRMuJclzjD$ zUzvtfm5xvsm;Wq}Et}S$5v^}o(v}RCtP*IfP zl~I&Y!$Y{KVY@^2zXtb=Q4wiKlf55J0y^}SvP8Qpe47gFUEa_P#k2mtPm@=tNv>u5 z**(zuX<8-hD+n!1&DI4{Qa4;H58K@K6_jkFFHhHxz+Ui>j=n+R6we^$t$RpMF?v4XM2&6s$Au&IrCVw-lBUX9 z;M%1*>#DExn&Ow(*0`?qC`vsuV(VQ~9`?9k-?7PYzjp`SVLQiOAOe zp5UKkjA_GBaYM;d?+9H-u@eMRXYJ?s5bDp3Edh(8q4j<;tY{<0v;@OTHx3*yndXTW zTiOMpP*~(UxP$4cFN^c*3MX_0BzoSj#F!&?krcj-v1#6XxFb6v(caDt?3%1dqF|AJ ze9n22FDcG`esQuf?Bw@^w{||*Y1Bk#hL0HI%xOp|@pe@xQK8aF#yyW!KC2h^$VFv{ z)f;bVe)Ja$epbbSS634`MZ1@TVS8aew4iB4OtoJu6GmI|Q>5>?wCArR_X`mjkg^av zuy${-j3Y~#>Km*x(f44!aBg;R(>Xy8$8Yw}0&ri39Q|gwug{*3%LMn-=V{d3eccU& zI3l_a%2cFp0{<*T&z8{+SYO}M%M+R1!KMY4!8P+aGhDMwJLR$n)BtA!GtJz5oN3D= zH*~n&uR)wtA>$-GT7Ul;qx|k3;trPLBmW41P#U-7VT2pv?z_-uwew5U3p+jzE$5j? 
z+OH2&03q(PGs$B0oKPTVKBA`#^zFLOWd}Un3S4xcDM_i!Cb)AL0kDmWbPQMt+ZQVi!GXb}I(Yj-&WQ)lhB=W^2i_7x*EUM6 zXUuz*8=;b+(Dh(OJ+lEV9$9m-245uJB$&@3Zuq#b=4K2VJv4HL6a`HYHJ6E#+%v?y z|JGu>4GO_Am7nd!AOe1o#Q+UGJ8B|DI%B~rN2M58Z-tPk82#}G4tsGz)<`x(r4o5-WNOxGWie%&8(_qlErb}Q{zCL3eHaO^zcg7 zTbM%qZC7JDUllSuEA*)P8YLGG(MtUK%5PAR20= zcms4J*2{#4FZImEQOQj$e{Agi(!Trbjg`8^`TG7=kq3vs0{g#vvHlZm|6lQcac2FW lOa4#E_y5_j^PkP@|0e*e$V0>Y&j`eSC-lD>P5D2!{{@DUy1@Vd literal 0 HcmV?d00001 diff --git a/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/solutionMetadata.json b/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/solutionMetadata.json index a2be36342e1..af9457060ef 100644 --- a/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/solutionMetadata.json +++ b/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/solutionMetadata.json @@ -1,7 +1,7 @@ { "SolutionName":"SAP LogServ for Microsoft Sentinel", "SolutionAuthor": "SAP", - "SolutionVersion":"3.0.0", + "SolutionVersion":"3.0.1", "PackageId": "azuresentinel.azure-sentinel-solution-SAPLogServPushV1", "TemplateName": "SAPLogServPushV1", "ConnectorDefinitionTemplateVersion": "1.0.0", diff --git a/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/table.json b/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/table.json index d701382a123..21960f5b84a 100644 --- a/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/table.json +++ b/Solutions/SAP LogServ/Data Connectors/SAPLogServ_PUSH_CCP/table.json @@ -65,7 +65,6 @@ "type": "real" } ] - }, - "totalRetentionInDays": 30 + } } } \ No newline at end of file diff --git a/Solutions/SAP LogServ/Data/Solution_SAPLogServ.json b/Solutions/SAP LogServ/Data/Solution_SAPLogServ.json index 7e12dedd503..6cce85039f0 100644 --- a/Solutions/SAP LogServ/Data/Solution_SAPLogServ.json +++ b/Solutions/SAP LogServ/Data/Solution_SAPLogServ.json 
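Review bot: Removing `totalRetentionInDays` from the table resource makes fresh installs inherit the workspace retention, but a workspace that installed 3.0.0 already has the table with a 30-day total retention, and whether an ARM redeploy that omits the property resets it to the workspace default or leaves the 30 days in place should be verified — the release note ("default to LogAnalytics ws default") is accurate only in the case that resets. SAP audit data is commonly subject to retention obligations well beyond 30 days, so if an upgrade does not reset the value, the ReleaseNotes should tell operators to set it explicitly on the existing table; the JSON itself has nowhere to carry that caveat.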
@@ -7,7 +7,7 @@ "Data Connectors/SAPLogServ_PUSH_CCP/SAPLogServ_connectorDefinition.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP LogServ", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/SAP LogServ/ReleaseNotes.md b/Solutions/SAP LogServ/ReleaseNotes.md index 59fa1bd25b6..d2f1d09bd1e 100644 --- a/Solutions/SAP LogServ/ReleaseNotes.md +++ b/Solutions/SAP LogServ/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.1 | 09-04-2025 | Retention setting dropped from table to default to LogAnalytics ws default | | 3.0.0 | 17-02-2025 | Initial Solution Release | \ No newline at end of file From b192ffd9d703ed943622902540f8b64bdce8ef04 Mon Sep 17 00:00:00 2001 From: MartinPankraz Date: Thu, 10 Apr 2025 13:45:09 +0200 Subject: [PATCH 3/3] add entity to validation --- .../tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json index a84f34dc7a1..52e72ed8b5f 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json @@ -50,7 +50,7 @@ "type": "int" }, { - "name": "TriggeringEvents", + "name": "NormalizedTriggeringEvents", "type": "dynamic" } ]