Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SAP ETD - Synch alerts

Back
Id7a830484-e349-4527-85f6-7850c468c238
RulenameSAP ETD - Synch alerts
DescriptionSynch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
SeverityMedium
Required data connectorsSAPETDAlerts
KindScheduled
Query frequency1h
Query period2d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
Version1.0.1
Arm template7a830484-e349-4527-85f6-7850c468c238.json
Deploy To Azure
let minThreshold= 1;
let minScore= 50;
let lookBack= 70d;
SAPETDAlerts_CL
| mv-expand TriggeringEvents
| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
| where PatternName <> "Logon from external with SAP standard users"
| summarize arg_max(TimeGenerated, *) by AlertId
| where Threshold >= minThreshold and Score >= minScore
| extend NewEvent= split(sapOriginalEvent, "\n")
| mv-expand NewEvent to typeof(string)
| parse NewEvent with Key: string ":" Value: string
| extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
| extend KV= bag_pack(Key, Value)
| summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId
| extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip
customDetails:
  ETD_AlertNumber: AlertId
  SAP_User: User
status: Available
id: 7a830484-e349-4527-85f6-7850c468c238
alertDetailsOverride:
  alertDescriptionFormat: Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
query: |
  let minThreshold= 1;
  let minScore= 50;
  let lookBack= 70d;
  SAPETDAlerts_CL
  | mv-expand TriggeringEvents
  | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
  | where PatternName <> "Logon from external with SAP standard users"
  | summarize arg_max(TimeGenerated, *) by AlertId
  | where Threshold >= minThreshold and Score >= minScore
  | extend NewEvent= split(sapOriginalEvent, "\n")
  | mv-expand NewEvent to typeof(string)
  | parse NewEvent with Key: string ":" Value: string
  | extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
  | extend KV= bag_pack(Key, Value)
  | summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId
  | extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
name: SAP ETD - Synch alerts
relevantTechniques: []
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: SystemId
  - identifier: AppId
    columnName: ClienId
  - identifier: InstanceName
    columnName: Instance
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Host
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - SAPETDAlerts_CL
  connectorId: SAPETDAlerts
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
queryPeriod: 2d
version: 1.0.1
kind: Scheduled
tactics: []
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a830484-e349-4527-85f6-7850c468c238')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a830484-e349-4527-85f6-7850c468c238')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}",
          "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
        },
        "alertRuleTemplateName": "7a830484-e349-4527-85f6-7850c468c238",
        "customDetails": {
          "ETD_AlertNumber": "AlertId",
          "SAP_User": "User"
        },
        "description": "Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)",
        "displayName": "SAP ETD - Synch alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SystemId",
                "identifier": "Name"
              },
              {
                "columnName": "ClienId",
                "identifier": "AppId"
              },
              {
                "columnName": "Instance",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Host",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml",
        "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 70d;\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n| where PatternName <> \"Logon from external with SAP standard users\"\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend NewEvent= split(sapOriginalEvent, \"\\n\")\n| mv-expand NewEvent to typeof(string)\n| parse NewEvent with Key: string \":\" Value: string\n| extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)\n| extend KV= bag_pack(Key, Value)\n| summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId\n| extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}