Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SAP ETD - Synch investigations

SAP ETD - Synch investigations

Back
Id5096db53-fad3-4844-a264-246f7b7e6e06
RulenameSAP ETD - Synch investigations
DescriptionSynch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
SeverityHigh
Required data connectorsSAPETDAlerts
KindScheduled
Query frequency1h
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml
Version1.0.1
Arm template5096db53-fad3-4844-a264-246f7b7e6e06.json
Deploy To Azure
let AuditTimeAgo = 2d;
let _severity= dynamic(["HIGH","VERY HIGH"]);
SAPETDInvestigations_CL
| where TimeGenerated > ago(AuditTimeAgo)
| where Severity in (_severity)
| mv-expand Users
| extend
  UserAccountName = tostring(Users.UserAccountName),
  UserEmail = tostring(Users.EmailAddresses[0])

status: Available
queryFrequency: 1h
queryPeriod: 2d
triggerOperator: gt
alertDetailsOverride:
  alertDescriptionFormat: 'Description: {{Description}}. Processed by {{Processor}}. Severity: {{Severity}}.'
  alertDisplayNameFormat: 'SAP ETD - {{Description}} '
query: |
  let AuditTimeAgo = 2d;
  let _severity= dynamic(["HIGH","VERY HIGH"]);
  SAPETDInvestigations_CL
  | where TimeGenerated > ago(AuditTimeAgo)
  | where Severity in (_severity)
  | mv-expand Users
  | extend
    UserAccountName = tostring(Users.UserAccountName),
    UserEmail = tostring(Users.EmailAddresses[0])  
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml
tactics: []
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserAccountName
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: UserEmail
requiredDataConnectors:
- connectorId: SAPETDAlerts
  dataTypes:
  - SAPETDInvestigations_CL
kind: Scheduled
relevantTechniques: []
customDetails:
  SAP_UserEmail: UserEmail
  ETD_InvestNumber: InvestigationId
  SAP_UserAccount: UserAccountName
description: Synch investigations coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
name: SAP ETD - Synch investigations
version: 1.0.1
id: 5096db53-fad3-4844-a264-246f7b7e6e06
severity: High