SAP ETD - Synch investigations

Back


Id	5096db53-fad3-4844-a264-246f7b7e6e06
Rulename	SAP ETD - Synch investigations
Description	Synch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
Severity	High
Required data connectors	SAPETDAlerts
Kind	Scheduled
Query frequency	1h
Query period	2d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml
Version	1.0.0
Arm template	5096db53-fad3-4844-a264-246f7b7e6e06.json

KQL

let AuditTimeAgo = 2d;
let _severity= dynamic(["HIGH","VERY HIGH"]);
SAPETDInvestigations_CL
| where TimeGenerated > ago(AuditTimeAgo)
| where Severity in (_severity)

YAML

triggerOperator: gt
description: Synch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDescriptionFormat: 'Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.'
  alertDisplayNameFormat: 'SAP ETD - {{Description}} '
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SAPETDInvestigations_CL
  connectorId: SAPETDAlerts
tactics: []
relevantTechniques: []
query: |
  let AuditTimeAgo = 2d;
  let _severity= dynamic(["HIGH","VERY HIGH"]);
  SAPETDInvestigations_CL
  | where TimeGenerated > ago(AuditTimeAgo)
  | where Severity in (_severity)  
id: 5096db53-fad3-4844-a264-246f7b7e6e06
status: Available
customDetails:
  ETD_InvestNumber: InvestigationId
severity: High
name: SAP ETD - Synch investigations
queryFrequency: 1h
queryPeriod: 2d
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5096db53-fad3-4844-a264-246f7b7e6e06')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5096db53-fad3-4844-a264-246f7b7e6e06')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.",
          "alertDisplayNameFormat": "SAP ETD - {{Description}} "
        },
        "alertRuleTemplateName": "5096db53-fad3-4844-a264-246f7b7e6e06",
        "customDetails": {
          "ETD_InvestNumber": "InvestigationId"
        },
        "description": "Synch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)",
        "displayName": "SAP ETD - Synch investigations",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml",
        "query": "let AuditTimeAgo = 2d;\nlet _severity= dynamic([\"HIGH\",\"VERY HIGH\"]);\nSAPETDInvestigations_CL\n| where TimeGenerated > ago(AuditTimeAgo)\n| where Severity in (_severity)\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}