diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json index 52e72ed8b5f..d06f9634ebf 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json @@ -52,6 +52,10 @@ { "name": "NormalizedTriggeringEvents", "type": "dynamic" + }, + { + "name": "Users", + "type": "dynamic" } ] } \ No newline at end of file diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml index a3eb64cc66c..120977ac7b7 100644 --- a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml +++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml @@ -43,9 +43,21 @@ query: | | where extracted_function_module in (SenseModules) | extend AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module," was executed by user ", extracted_sap_user, " in a ", tolower(extracted_system_role), " system"), Dummy = " " + | mv-expand Users + | extend + UserAccountName = tostring(Users.UserAccountName), + UserEmail = tostring(Users.EmailAddresses[0]) eventGroupingSettings: aggregationKind: SingleAlert entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserAccountName + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: UserEmail - entityType: CloudApplication fieldMappings: - identifier: AppId @@ -68,5 +80,6 @@ alertDetailsOverride: Source: SAP ETD customDetails: SAP_User: extracted_sap_user + SAP_UserEmail: UserEmail ETD_AlertNumber: AlertId -version: 1.0.0 \ No newline at end of file +version: 1.0.1 \ No newline at end of file 
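Review bot: The new Account mapping identifies the user by `Name` alone (`UserAccountName`), which Sentinel treats as a weakly identified entity, so the email correlation this version is meant to add will not merge with the Entra ID or Office account of the same person; since `UserEmail` is already extracted, mapping its local part and domain to `Name`/`UPNSuffix` in a second Account mapping gives a strongly identified account. The diff does not show what the ETD `Users` navigation property holds — if it lists analysts assigned to the alert rather than the acting user, mapping it as an Account entity would point investigators at the wrong person, so confirm it against the ETD OData model and say so in the rule description. The query block starts before this hunk.
```yaml
    | mv-expand Users
    | extend
        UserAccountName = tostring(Users.UserAccountName),
        UserEmail = tostring(Users.EmailAddresses[0]),
        UserEmailName = tostring(split(Users.EmailAddresses[0], "@")[0]),
        UserEmailSuffix = tostring(split(Users.EmailAddresses[0], "@")[1])
# … unchanged: eventGroupingSettings …
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserAccountName
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserEmailName
      - identifier: UPNSuffix
        columnName: UserEmailSuffix
# … unchanged: Mailbox and CloudApplication mappings …
```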
diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml index 46b74d2cee2..858c5a443d6 100644 --- a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml +++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml @@ -22,11 +22,14 @@ tactics: relevantTechniques: [] query: | let AuditTimeAgo = 60m; + let minThreshold= 1; + let minScore= 50; let regex_sid = @"^([A-Z0-9]{3})/"; let regex_client = @"/(\d{3})$"; let SAPNetworks = _GetWatchlist('SAP - Networks'); SAPETDAlerts_CL | where TimeGenerated > ago(AuditTimeAgo) + | where Threshold >= minThreshold and Score >= minScore | where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address") | mv-expand NormalizedTriggeringEvents | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents) 
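Review bot: The added `| where Threshold >= minThreshold and Score >= minScore` changes what this rule fires on — ETD alerts scoring below 50 are now dropped — yet neither the rule description nor the 3.0.4 release-notes entry ("Added Users entity expansion") mentions it, so operators upgrading will lose alerts without warning. Document it where the rule is described, e.g. `Only ETD alerts with Score >= 50 and Threshold >= 1 are evaluated; tune minScore/minThreshold in the query.`, and make sure the same filter is carried into the packaged template. The comparison is also false when `Score` or `Threshold` is null, so records that arrive without a score are silently excluded — acceptable only if ETD always populates both, which this diff does not show.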
@@ -40,11 +43,23 @@ query: | | extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true) | where isempty(Network) - | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents + | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents, Users | extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip)) + | mv-expand Users + | extend + UserAccountName = tostring(Users.UserAccountName), + UserEmail = tostring(Users.EmailAddresses[0]) eventGroupingSettings: aggregationKind: AlertPerResult entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserAccountName + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: UserEmail - entityType: CloudApplication fieldMappings: - identifier: AppId @@ -65,5 +80,6 @@ alertDetailsOverride: {{PatternDescription}} customDetails: SAP_User: extracted_sap_user + SAP_UserEmail: UserEmail ETD_AlertNumber: AlertId -version: 1.0.3 \ No newline at end of file +version: 1.0.4 \ No newline at end of file diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml index d3640164348..45aa535da59 100644 --- a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml +++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml 
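Review bot: With `aggregationKind: AlertPerResult`, the new `| mv-expand Users` multiplies output: an ETD alert with m unmatched triggering events and k linked users now produces m×k Sentinel alerts that differ only in the user columns and all carry the same `AlertId`. If the intent is one alert per logon event enriched with its user, take the first entry instead of expanding — `UserAccountName = tostring(Users[0].UserAccountName), UserEmail = tostring(Users[0].EmailAddresses[0])` — which mirrors the existing `EmailAddresses[0]` choice and also keeps rows whose `Users` array is empty, since an empty array expands to zero rows under mv-expand. This assumes `Users` arrives as an array, which the `$expand` change and the `Users.UserAccountName` access suggest but the diff does not prove.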
@@ -30,10 +30,22 @@ query: | Host= NormalizedTriggeringEvents.NetworkHostnameInitiator, Instance= NormalizedTriggeringEvents.NetworkHostnameActor, User= NormalizedTriggeringEvents.UserAccountActing, - IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator; + IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator + | mv-expand Users + | extend + UserAccountName = tostring(Users.UserAccountName), + UserEmail = tostring(Users.EmailAddresses[0]); eventGroupingSettings: aggregationKind: AlertPerResult entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserAccountName + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: UserEmail - entityType: CloudApplication fieldMappings: - identifier: Name @@ -55,5 +67,6 @@ alertDetailsOverride: alertDescriptionFormat: '{{PatternDescription}}' customDetails: SAP_User: User + SAP_UserEmail: UserEmail ETD_AlertNumber: AlertId -version: 1.0.3 \ No newline at end of file +version: 1.0.4 \ No newline at end of file diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml index ee3bad8542a..e5492ec0668 100644 --- a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml +++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml 
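Review bot: `| mv-expand Users` on an alert whose `Users` array is empty yields no rows, so an ETD alert with no linked user silently disappears from a rule whose purpose is to mirror every alert above the score threshold — that is a detection gap, not an enrichment. Guard it before the expansion with `| extend Users = iff(array_length(Users) > 0, Users, dynamic([null]))`, which keeps one row with empty `UserAccountName`/`UserEmail` (the Account and Mailbox entities are then simply not created). Because the expansion sits after `summarize arg_max(TimeGenerated, *) by AlertId`, each alert now also fans out per user under `AlertPerResult`; if that is intended for email correlation it should be stated in the rule description. The query statement continues from before this hunk.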
@@ -20,11 +20,26 @@ query: | SAPETDInvestigations_CL | where TimeGenerated > ago(AuditTimeAgo) | where Severity in (_severity) + | mv-expand Users + | extend + UserAccountName = tostring(Users.UserAccountName), + UserEmail = tostring(Users.EmailAddresses[0]) eventGroupingSettings: aggregationKind: AlertPerResult +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: UserAccountName + - entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: UserEmail alertDetailsOverride: alertDisplayNameFormat: 'SAP ETD - {{Description}} ' alertDescriptionFormat: 'Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.' customDetails: ETD_InvestNumber: InvestigationId -version: 1.0.0 \ No newline at end of file + SAP_UserAccount: UserAccountName + SAP_UserEmail: UserEmail +version: 1.0.1 \ No newline at end of file diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json index 60321301f0a..f051dbd4500 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json @@ -55,10 +55,14 @@ { "name": "NormalizedTriggeringEvents", "type": "dynamic" + }, + { + "name": "Users", + "type": "dynamic" } ] }, - "Custom-SAPETDInvestigations_CL": { + "Custom-SAPETDInvestigations_CL":{ "columns": [ { "name": "Version", diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json index 5e0a2a2375c..ce285487a4a 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json 
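Review bot: This rule now references a `Users` column on `SAPETDInvestigations_CL`, but every schema change in this commit — the DCR stream, `SAPETD_table.json`, the KQL-validation custom table and the poller `$expand` — touches only `SAPETDAlerts_CL`; unless the investigations table and its poller already expose `Users` outside this diff, the query fails with an unknown column both at run time and in the KQL validation tests. Either add `Users` to the investigations stream and table definitions and to that poller's `$expand`, or drop the expansion from this rule. As in the alert rules, an investigation whose `Users` array is empty would also be dropped by the expansion, which contradicts the rule's "synch" purpose.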
@@ -33,7 +33,7 @@ "timeoutInSeconds": 60, "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", "queryParameters": { - "$expand": "NormalizedTriggeringEvents", + "$expand": "NormalizedTriggeringEvents,Users", "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}" }, "headers": { diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json index b8ccdbfa46a..995480b4b45 100644 --- a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json +++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json @@ -58,6 +58,10 @@ { "name": "NormalizedTriggeringEvents", "type": "dynamic" + }, + { + "name": "Users", + "type": "dynamic" } ] } diff --git a/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json b/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json index 3fbec10e41e..02f7050c271 100644 --- a/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json +++ b/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json 
@@ -1,29 +1,29 @@ { - "Name": "SAP ETD Cloud", - "Author": "SAP", - "Logo": "", - "Description": "The Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.", - "WorkbookDescription": [], - "Workbooks": [], - "Analytic Rules": [ - "Analytic Rules/SAPETD-SynchAlerts.yaml", - "Analytic Rules/SAPETD-SynchInvestigations.yaml", - "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml", - "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml" - ], - "Playbooks": [], - "PlaybookDescription": [], - "Parsers": [], - "SavedSearches": [], - "Hunting Queries": [], - "Data Connectors": [ - "/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json" - ], - "Watchlists": [], - "WatchlistDescription": [], - "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud", - "Version": "3.0.3", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1PConnector": false -} \ No newline at end of file + "Name": "SAP ETD Cloud", + "Author": "SAP", + "Logo": "", + "Description": "The Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. 
This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.", + "WorkbookDescription": [], + "Workbooks": [], + "Analytic Rules": [ + "Analytic Rules/SAPETD-SynchAlerts.yaml", + "Analytic Rules/SAPETD-SynchInvestigations.yaml", + "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml", + "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml" + ], + "Playbooks": [], + "PlaybookDescription": [], + "Parsers": [], + "SavedSearches": [], + "Hunting Queries": [], + "Data Connectors": [ + "/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json" + ], + "Watchlists": [], + "WatchlistDescription": [], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud", + "Version": "3.0.4", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false +} diff --git a/Solutions/SAP ETD Cloud/Package/3.0.4.zip b/Solutions/SAP ETD Cloud/Package/3.0.4.zip new file mode 100644 index 00000000000..e47b19656d7 Binary files /dev/null and b/Solutions/SAP ETD Cloud/Package/3.0.4.zip differ diff --git a/Solutions/SAP ETD Cloud/Package/createUiDefinition.json b/Solutions/SAP ETD Cloud/Package/createUiDefinition.json index 7679d10712f..5251b1ebc47 100644 --- a/Solutions/SAP ETD Cloud/Package/createUiDefinition.json +++ b/Solutions/SAP ETD Cloud/Package/createUiDefinition.json 
@@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for SAP ETD Cloud. You can get SAP ETD Cloud data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for SAP Enterprise Threat Detection, cloud edition. You can get SAP Enterprise Threat Detection, cloud edition data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/SAP ETD Cloud/Package/mainTemplate.json b/Solutions/SAP ETD Cloud/Package/mainTemplate.json index 29982f2961e..87513a0701d 100644 --- a/Solutions/SAP ETD Cloud/Package/mainTemplate.json +++ b/Solutions/SAP ETD Cloud/Package/mainTemplate.json 
@@ -45,39 +45,39 @@ }, "variables": { "_solutionName": "SAP ETD Cloud", - "_solutionVersion": "3.0.3", + "_solutionVersion": "3.0.4", "solutionId": "sap_jasondau.azure-sentinel-solution-sapetd", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.3", + "analyticRuleVersion1": "1.0.4", "_analyticRulecontentId1": "7a830484-e349-4527-85f6-7850c468c238", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a830484-e349-4527-85f6-7850c468c238')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a830484-e349-4527-85f6-7850c468c238')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a830484-e349-4527-85f6-7850c468c238','-', '1.0.3')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a830484-e349-4527-85f6-7850c468c238','-', '1.0.4')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.0", + "analyticRuleVersion2": "1.0.1", "_analyticRulecontentId2": "5096db53-fad3-4844-a264-246f7b7e6e06", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5096db53-fad3-4844-a264-246f7b7e6e06')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5096db53-fad3-4844-a264-246f7b7e6e06')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5096db53-fad3-4844-a264-246f7b7e6e06','-', '1.0.0')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5096db53-fad3-4844-a264-246f7b7e6e06','-', '1.0.1')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.3", + "analyticRuleVersion3": "1.0.4", "_analyticRulecontentId3": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5dd72ebe-03ac-43ac-851b-68cfe5106e4f')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5dd72ebe-03ac-43ac-851b-68cfe5106e4f')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5dd72ebe-03ac-43ac-851b-68cfe5106e4f','-', '1.0.3')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5dd72ebe-03ac-43ac-851b-68cfe5106e4f','-', '1.0.4')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.0", + "analyticRuleVersion4": "1.0.1", "_analyticRulecontentId4": "c6111e06-11e2-45eb-86ef-28313a06db35", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c6111e06-11e2-45eb-86ef-28313a06db35')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c6111e06-11e2-45eb-86ef-28313a06db35')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c6111e06-11e2-45eb-86ef-28313a06db35','-', '1.0.0')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c6111e06-11e2-45eb-86ef-28313a06db35','-', '1.0.1')))]" }, "workspaceResourceId": 
"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "dataConnectorCCPVersion": "1.0.0", + "dataConnectorCCPVersion": "3.0.4", "_dataConnectorContentIdConnectorDefinition1": "SAPETDAlerts", "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", "_dataConnectorContentIdConnections1": "SAPETDAlertsConnections", @@ -96,7 +96,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SAPETD-SynchAlerts_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "SAPETD-SynchAlerts_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -113,7 +113,7 @@ "description": "Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)", "displayName": "SAP ETD - Synch alerts", "enabled": false, - "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 7d;\nlet regex_sid = @\"^([A-Z0-9]{3})/\";\nlet regex_client = @'\\/(.{3})$';\nSAPETDAlerts_CL\n| mv-expand NormalizedTriggeringEvents\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend\n SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),\n ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),\n Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,\n Instance= NormalizedTriggeringEvents.NetworkHostnameActor,\n User= NormalizedTriggeringEvents.UserAccountActing,\n IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;\n", + "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 7d;\nlet regex_sid = @\"^([A-Z0-9]{3})/\";\nlet regex_client = @'\\/(.{3})$';\nSAPETDAlerts_CL\n| mv-expand NormalizedTriggeringEvents\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend\n SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),\n ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),\n Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,\n Instance= NormalizedTriggeringEvents.NetworkHostnameActor,\n User= NormalizedTriggeringEvents.UserAccountActing,\n IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator\n| mv-expand Users\n| extend\n UserAccountName = tostring(Users.UserAccountName),\n UserEmail = tostring(Users.EmailAddresses[0]);\n", "queryFrequency": "PT1H", "queryPeriod": "P2D", "severity": "Medium", 
@@ -131,6 +131,24 @@ } ], "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserAccountName" + } + ] + }, + { + "entityType": "Mailbox", + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "UserEmail" + } + ] + }, { "entityType": "CloudApplication", "fieldMappings": [ @@ -171,8 +189,9 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { + "ETD_AlertNumber": "AlertId", "SAP_User": "User", - "ETD_AlertNumber": "AlertId" + "SAP_UserEmail": "UserEmail" }, "alertDetailsOverride": { "alertDescriptionFormat": "{{PatternDescription}}", @@ -229,7 +248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SAPETD-SynchInvestigations_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "SAPETD-SynchInvestigations_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -246,7 +265,7 @@ "description": "Synch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)", "displayName": "SAP ETD - Synch investigations", "enabled": false, - "query": "let AuditTimeAgo = 2d;\nlet _severity= dynamic([\"HIGH\",\"VERY HIGH\"]);\nSAPETDInvestigations_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where Severity in (_severity)\n", + "query": "let AuditTimeAgo = 2d;\nlet _severity= dynamic([\"HIGH\",\"VERY HIGH\"]);\nSAPETDInvestigations_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where Severity in (_severity)\n| mv-expand Users\n| extend\n UserAccountName = tostring(Users.UserAccountName),\n UserEmail = tostring(Users.EmailAddresses[0])\n", "queryFrequency": "PT1H", "queryPeriod": "P2D", "severity": "High", @@ -263,11 +282,33 @@ "connectorId": "SAPETDAlerts" } ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserAccountName" + } + ] + }, + { + "entityType": "Mailbox", + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "UserEmail" + } + ] + } + ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "ETD_InvestNumber": "InvestigationId" + "SAP_UserEmail": "UserEmail", + "ETD_InvestNumber": "InvestigationId", + "SAP_UserAccount": "UserAccountName" }, "alertDetailsOverride": { "alertDescriptionFormat": "Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.", 
@@ -324,7 +365,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SAPETD-LoginFromUnexpectedNetwork_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "SAPETD-LoginFromUnexpectedNetwork_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -341,7 +382,7 @@ "description": "Identifies logons from an unexpected network.\nSource Action: Logon to the backend system from an IP address which is not assigned to one of the networks.\nnetworks can be maintained in the \"SAP - Networks\" watchlist of the Microsoft Sentinel Solution for SAP package.\n\n*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*", "displayName": "SAP ETD - Login from unexpected network", "enabled": false, - "query": "let AuditTimeAgo = 60m;\nlet regex_sid = @\"^([A-Z0-9]{3})/\"; \nlet regex_client = @\"/(\\d{3})$\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where PatternName in (\"Logon from external with SAP standard users\",\"Access via unallowed IP Address\")\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)\n| where isnotempty(extracted_user_ip)\n| extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted\n| extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))\n| extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))\n| extend extracted_instance_name = NormalizedTriggeringEvents.NetworkHostnameActor\n| extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents\n| extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({\"IsPrivate\": true}), 
geo_info_from_ip_address(extracted_user_ip))\n", + "query": "let AuditTimeAgo = 60m;\nlet regex_sid = @\"^([A-Z0-9]{3})/\"; \nlet regex_client = @\"/(\\d{3})$\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where PatternName in (\"Logon from external with SAP standard users\",\"Access via unallowed IP Address\")\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)\n| where isnotempty(extracted_user_ip)\n| extend extracted_sap_user = NormalizedTriggeringEvents.UserAccountTargeted\n| extend extracted_sid = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))\n| extend extracted_client = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor))\n| extend extracted_instance_name = NormalizedTriggeringEvents.NetworkHostnameActor\n| extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents, Users\n| extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({\"IsPrivate\": true}), geo_info_from_ip_address(extracted_user_ip))\n| mv-expand Users\n| extend\n UserAccountName = tostring(Users.UserAccountName),\n UserEmail = tostring(Users.EmailAddresses[0])\n", "queryFrequency": "PT5M", "queryPeriod": "PT30M", "severity": "Medium", 
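Review bot: The packaged query here is not the one in `SAPETD-LoginFromUnexpectedNetwork.yaml` from the same commit: the YAML adds `let minThreshold= 1;`, `let minScore= 50;` and `| where Threshold >= minThreshold and Score >= minScore`, none of which appear in this `query` string, so `3.0.4.zip` ships a rule that behaves differently from its source while both claim version 1.0.4. Regenerate the package from the final YAML (or remove the filter from the YAML) so template and source agree before release; the solution's packaging script normally does this, which suggests the YAML was edited after the package was built.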
@@ -362,6 +403,24 @@ "Discovery" ], "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserAccountName" + } + ] + }, + { + "entityType": "Mailbox", + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "UserEmail" + } + ] + }, { "entityType": "CloudApplication", "fieldMappings": [ @@ -398,8 +457,9 @@ "aggregationKind": "AlertPerResult" }, "customDetails": { + "ETD_AlertNumber": "AlertId", "SAP_User": "extracted_sap_user", - "ETD_AlertNumber": "AlertId" + "SAP_UserEmail": "UserEmail" }, "alertDetailsOverride": { "alertDescriptionFormat": "{{PatternDescription}}\n", @@ -456,7 +516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SAPETD-ExecutionofSensitiveFunctionModule_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "SAPETD-ExecutionofSensitiveFunctionModule_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -473,7 +533,7 @@ "description": "Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP\n\nSource Action: Execute a sensitive function module directly using SE37.\n\n*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*", "displayName": "SAP ETD - Execution of Sensitive Function Module", "enabled": false, - "query": "let AuditTimeAgo = 60m;\nlet minThreshold= 1;\nlet minScore= 50;\nlet SenseModules = _GetWatchlist('SAP - Sensitive Function Modules')\n| project trimmedFunctionModule = trim(@\"\\s+\", FunctionModule);\nSAPETDAlerts_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where Threshold >= minThreshold and Score >= minScore\n| where PatternName == \"Critical Function module call in Test framework calls\"\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)\n| extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing)\n| extend extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor)\n| extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)\n| extend extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName)\n| extend extracted_function_module = trim(@\"\\s+\", tostring(NormalizedTriggeringEvents.ServiceFunctionName))\n| extend extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)\n| where extracted_function_module in (SenseModules)\n| extend AlertName = strcat(\"SAP ETD - Sensitive Function Module \", extracted_function_module,\" was executed by user \", extracted_sap_user, \n\" in a \", tolower(extracted_system_role), \" system\"), Dummy = \" \"\n", + "query": "let AuditTimeAgo = 60m;\nlet minThreshold= 1;\nlet minScore= 50;\nlet SenseModules = 
_GetWatchlist('SAP - Sensitive Function Modules')\n| project trimmedFunctionModule = trim(@\"\\s+\", FunctionModule);\nSAPETDAlerts_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where Threshold >= minThreshold and Score >= minScore\n| where PatternName == \"Critical Function module call in Test framework calls\"\n| mv-expand NormalizedTriggeringEvents\n| extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)\n| extend Id_ = NormalizedTriggeringEvents.Id\n| extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)\n| extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing)\n| extend extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor)\n| extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)\n| extend extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName)\n| extend extracted_function_module = trim(@\"\\s+\", tostring(NormalizedTriggeringEvents.ServiceFunctionName))\n| extend extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)\n| where extracted_function_module in (SenseModules)\n| extend AlertName = strcat(\"SAP ETD - Sensitive Function Module \", extracted_function_module,\" was executed by user \", extracted_sap_user, \n\" in a \", tolower(extracted_system_role), \" system\"), Dummy = \" \"\n| mv-expand Users\n| extend\n UserAccountName = tostring(Users.UserAccountName),\n UserEmail = tostring(Users.EmailAddresses[0])\n", "queryFrequency": "PT5M", "queryPeriod": "PT60M", "severity": "Medium", @@ -494,6 +554,24 @@ "Discovery" ], "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "UserAccountName" + } + ] + }, + { + "entityType": "Mailbox", + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "UserEmail" + } + ] + }, { "entityType": "CloudApplication", "fieldMappings": [ 
@@ -530,8 +608,9 @@ "aggregationKind": "SingleAlert" }, "customDetails": { + "ETD_AlertNumber": "AlertId", "SAP_User": "extracted_sap_user", - "ETD_AlertNumber": "AlertId" + "SAP_UserEmail": "UserEmail" }, "alertDetailsOverride": { "alertDescriptionFormat": "{{PatternDescription}}\n\nSource: SAP ETD\n", @@ -850,6 +929,10 @@ { "name": "NormalizedTriggeringEvents", "type": "dynamic" + }, + { + "name": "Users", + "type": "dynamic" } ] }, @@ -1011,6 +1094,10 @@ { "name": "NormalizedTriggeringEvents", "type": "dynamic" + }, + { + "name": "Users", + "type": "dynamic" } ] } @@ -1424,7 +1511,7 @@ "timeoutInSeconds": 60, "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", "queryParameters": { - "$expand": "NormalizedTriggeringEvents", + "$expand": "NormalizedTriggeringEvents,Users", "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}" }, "headers": { @@ -1513,7 +1600,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "SAP ETD Cloud", diff --git a/Solutions/SAP ETD Cloud/ReleaseNotes.md b/Solutions/SAP ETD Cloud/ReleaseNotes.md index 48bfa13160a..0d458053bcd 100644 --- a/Solutions/SAP ETD Cloud/ReleaseNotes.md +++ b/Solutions/SAP ETD Cloud/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.0.4 | 16-04-2026 | Added Users entity expansion to Alerts for email correlation | | 3.0.3 | 11-09-2025 | Investigations API Connector added | | 3.0.2 | 24-06-2025 | Data connector polling window reduced | | 3.0.1 | 31-03-2025 | SAP OData entity change from TriggeringEvents to new NormalizedTriggeringEvents |