Azure · v-atulyadav · Apr 21, 2026 · Apr 16, 2026 · Apr 17, 2026 · Apr 17, 2026
@@ -52,6 +52,10 @@
       {
         "name": "NormalizedTriggeringEvents",
         "type": "dynamic"
+      },
+      {
+        "name": "Users",
+        "type": "dynamic"
       }
     ]
 }
@@ -43,9 +43,21 @@ query: |
   | where extracted_function_module in (SenseModules)
   | extend AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module," was executed by user ", extracted_sap_user, 
   " in a ", tolower(extracted_system_role), " system"), Dummy = " "
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0])
 eventGroupingSettings:
   aggregationKind: SingleAlert
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
   - entityType: CloudApplication
     fieldMappings:
       - identifier: AppId
@@ -68,5 +80,6 @@ alertDetailsOverride:
     Source: SAP ETD
 customDetails:
   SAP_User: extracted_sap_user
+  SAP_UserEmail: UserEmail
   ETD_AlertNumber: AlertId
-version: 1.0.0
+version: 1.0.1
@@ -22,11 +22,14 @@ tactics:
 relevantTechniques: []
 query: |
   let AuditTimeAgo = 60m;
+  let minThreshold= 1;
+  let minScore= 50;
   let regex_sid = @"^([A-Z0-9]{3})/"; 
   let regex_client = @"/(\d{3})$";
   let SAPNetworks = _GetWatchlist('SAP - Networks');
   SAPETDAlerts_CL
   | where TimeGenerated > ago(AuditTimeAgo)
+  | where Threshold >= minThreshold and Score >= minScore
   | where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
   | mv-expand NormalizedTriggeringEvents
   | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)
@@ -40,11 +43,23 @@ query: |
   | extend extracted_instance_host = NormalizedTriggeringEvents.NetworkHostnameInitiator
   | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
   | where isempty(Network)
-  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents
+  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status, NormalizedTriggeringEvents, Users
   | extend GeoLocation= iff(ipv4_is_private(extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0])
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
   - entityType: CloudApplication
     fieldMappings:
       - identifier: AppId
@@ -65,5 +80,6 @@ alertDetailsOverride:
     {{PatternDescription}}
 customDetails:
   SAP_User: extracted_sap_user
+  SAP_UserEmail: UserEmail
   ETD_AlertNumber: AlertId
-version: 1.0.3
+version: 1.0.4
@@ -30,10 +30,22 @@ query: |
     Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
     Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
     User= NormalizedTriggeringEvents.UserAccountActing,
-    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;
+    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0]);
 eventGroupingSettings:
   aggregationKind: AlertPerResult
 entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
   - entityType: CloudApplication
     fieldMappings:
       - identifier: Name
@@ -55,5 +67,6 @@ alertDetailsOverride:
   alertDescriptionFormat: '{{PatternDescription}}'
 customDetails:
   SAP_User: User
+  SAP_UserEmail: UserEmail
   ETD_AlertNumber: AlertId
-version: 1.0.3
+version: 1.0.4
@@ -20,11 +20,26 @@ query: |
   SAPETDInvestigations_CL
   | where TimeGenerated > ago(AuditTimeAgo)
   | where Severity in (_severity)
+  | mv-expand Users
+  | extend
+    UserAccountName = tostring(Users.UserAccountName),
+    UserEmail = tostring(Users.EmailAddresses[0])
 eventGroupingSettings:
   aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserAccountName
+  - entityType: Mailbox
+    fieldMappings:
+      - identifier: MailboxPrimaryAddress
+        columnName: UserEmail
 alertDetailsOverride:
   alertDisplayNameFormat: 'SAP ETD - {{Description}} '
   alertDescriptionFormat: 'Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.'
 customDetails:
   ETD_InvestNumber: InvestigationId
-version: 1.0.0
+  SAP_UserAccount: UserAccountName
+  SAP_UserEmail: UserEmail
+version: 1.0.1
@@ -55,10 +55,14 @@
             {
               "name": "NormalizedTriggeringEvents",
               "type": "dynamic"
+            },
+            {
+              "name": "Users",
+              "type": "dynamic"
             }
           ]
         },
-        "Custom-SAPETDInvestigations_CL": {
+        "Custom-SAPETDInvestigations_CL":{
           "columns": [
             {
               "name": "Version",

@@ -33,7 +33,7 @@
         "timeoutInSeconds": 60,
         "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
         "queryParameters": {
-          "$expand": "NormalizedTriggeringEvents",
+          "$expand": "NormalizedTriggeringEvents,Users",
           "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}"
         },
         "headers": {

@@ -58,6 +58,10 @@
           {
             "name": "NormalizedTriggeringEvents",
             "type": "dynamic"
+          },
+          {
+            "name": "Users",
+            "type": "dynamic"
           }
         ]
       }

@@ -1,29 +1,29 @@
 {
-    "Name": "SAP ETD Cloud",
-    "Author": "SAP",
-    "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">",
-    "Description": "The Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.",
-    "WorkbookDescription": [],
-    "Workbooks": [],
-    "Analytic Rules": [
-        "Analytic Rules/SAPETD-SynchAlerts.yaml",
-        "Analytic Rules/SAPETD-SynchInvestigations.yaml",
-        "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
-        "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml"
-    ],
-    "Playbooks": [],
-    "PlaybookDescription": [],
-    "Parsers": [],
-    "SavedSearches": [],
-    "Hunting Queries": [],
-    "Data Connectors": [
-        "/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json"
-    ],
-    "Watchlists": [],
-    "WatchlistDescription": [],
-    "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
-    "Version": "3.0.3",
-    "Metadata": "SolutionMetadata.json",
-    "TemplateSpec": true,
-    "Is1PConnector": false
-}
+  "Name": "SAP ETD Cloud",
+  "Author": "SAP",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection entities into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.",
+  "WorkbookDescription": [],
+  "Workbooks": [],
+  "Analytic Rules": [
+    "Analytic Rules/SAPETD-SynchAlerts.yaml",
+    "Analytic Rules/SAPETD-SynchInvestigations.yaml",
+    "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
+    "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml"
+  ],
+  "Playbooks": [],
+  "PlaybookDescription": [],
+  "Parsers": [],
+  "SavedSearches": [],
+  "Hunting Queries": [],
+  "Data Connectors": [
+    "/Data Connectors/SAPETD_PUSH_CCP/SAPETD_connectorDefinition.json"
+  ],
+  "Watchlists": [],
+  "WatchlistDescription": [],
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
+  "Version": "3.0.4",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": false
+}
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This Solution installs the data connector for SAP ETD Cloud. You can get SAP ETD Cloud data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+              "text": "This Solution installs the data connector for SAP Enterprise Threat Detection, cloud edition. You can get SAP Enterprise Threat Detection, cloud edition data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
           {