Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SAP ETD - Synch alerts

Back
Id7a830484-e349-4527-85f6-7850c468c238
RulenameSAP ETD - Synch alerts
DescriptionSynch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
SeverityMedium
Required data connectorsSAPETDAlerts
KindScheduled
Query frequency1h
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
Version1.0.2
Arm template7a830484-e349-4527-85f6-7850c468c238.json
Deploy To Azure
let minThreshold= 1;
let minScore= 50;
let lookBack= 7d;
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @'\/(.{3})$';
SAPETDAlerts_CL
| mv-expand NormalizedTriggeringEvents
| summarize arg_max(TimeGenerated, *) by AlertId
| where Threshold >= minThreshold and Score >= minScore
| extend
  SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
  ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
  Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
  Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
  User= NormalizedTriggeringEvents.UserAccountActing,
  IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;
triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
  alertDescriptionFormat: Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}
requiredDataConnectors:
- connectorId: SAPETDAlerts
  dataTypes:
  - SAPETDAlerts_CL
severity: Medium
queryFrequency: 1h
id: 7a830484-e349-4527-85f6-7850c468c238
relevantTechniques: []
queryPeriod: 2d
name: SAP ETD - Synch alerts
status: Available
kind: Scheduled
tactics: []
triggerOperator: gt
version: 1.0.2
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - columnName: SystemId
    identifier: Name
  - columnName: ClienId
    identifier: AppId
  - columnName: Instance
    identifier: InstanceName
- entityType: Host
  fieldMappings:
  - columnName: Host
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IP
    identifier: Address
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  SAP_User: User
  ETD_AlertNumber: AlertId
description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
query: |
  let minThreshold= 1;
  let minScore= 50;
  let lookBack= 7d;
  let regex_sid = @"^([A-Z0-9]{3})/";
  let regex_client = @'\/(.{3})$';
  SAPETDAlerts_CL
  | mv-expand NormalizedTriggeringEvents
  | summarize arg_max(TimeGenerated, *) by AlertId
  | where Threshold >= minThreshold and Score >= minScore
  | extend
    SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
    ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
    Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
    Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
    User= NormalizedTriggeringEvents.UserAccountActing,
    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a830484-e349-4527-85f6-7850c468c238')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a830484-e349-4527-85f6-7850c468c238')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}",
          "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
        },
        "alertRuleTemplateName": "7a830484-e349-4527-85f6-7850c468c238",
        "customDetails": {
          "ETD_AlertNumber": "AlertId",
          "SAP_User": "User"
        },
        "description": "Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)",
        "displayName": "SAP ETD - Synch alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SystemId",
                "identifier": "Name"
              },
              {
                "columnName": "ClienId",
                "identifier": "AppId"
              },
              {
                "columnName": "Instance",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Host",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml",
        "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 7d;\nlet regex_sid = @\"^([A-Z0-9]{3})/\";\nlet regex_client = @'\\/(.{3})$';\nSAPETDAlerts_CL\n| mv-expand NormalizedTriggeringEvents\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend\n  SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),\n  ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),\n  Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,\n  Instance= NormalizedTriggeringEvents.NetworkHostnameActor,\n  User= NormalizedTriggeringEvents.UserAccountActing,\n  IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}