SAP ETD - Synch alerts

Back


Id	7a830484-e349-4527-85f6-7850c468c238
Rulename	SAP ETD - Synch alerts
Description	Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
Severity	Medium
Required data connectors	SAPETDAlerts
Kind	Scheduled
Query frequency	1h
Query period	2d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
Version	1.0.0
Arm template	7a830484-e349-4527-85f6-7850c468c238.json

KQL

let minThreshold= 1;
let minScore= 50;
let lookBack= 70d;
SAPETDAlerts_CL
| mv-expand TriggeringEvents
| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
| where PatternName <> "Logon from external with SAP standard users"
| summarize arg_max(TimeGenerated, *) by AlertId
| where Threshold >= minThreshold and Score >= minScore
| extend NewEvent= split(sapOriginalEvent, "\n")
| mv-expand NewEvent to typeof(string)
| parse NewEvent with Key: string ":" Value: string
| extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
| extend KV= bag_pack(Key, Value)
| summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId
| extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip

YAML

status: Available
triggerOperator: gt
triggerThreshold: 0
name: SAP ETD - Synch alerts
alertDetailsOverride:
  alertDescriptionFormat: Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
queryPeriod: 2d
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - columnName: SystemId
    identifier: Name
  - columnName: ClienId
    identifier: AppId
  - columnName: Instance
    identifier: InstanceName
- entityType: Host
  fieldMappings:
  - columnName: Host
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IP
    identifier: Address
queryFrequency: 1h
relevantTechniques: []
requiredDataConnectors:
- dataTypes:
  - SAPETDAlerts_CL
  connectorId: SAPETDAlerts
customDetails:
  SAP_User: User
  ETD_AlertID: AlertId
description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
tactics: []
query: |
  let minThreshold= 1;
  let minScore= 50;
  let lookBack= 70d;
  SAPETDAlerts_CL
  | mv-expand TriggeringEvents
  | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
  | where PatternName <> "Logon from external with SAP standard users"
  | summarize arg_max(TimeGenerated, *) by AlertId
  | where Threshold >= minThreshold and Score >= minScore
  | extend NewEvent= split(sapOriginalEvent, "\n")
  | mv-expand NewEvent to typeof(string)
  | parse NewEvent with Key: string ":" Value: string
  | extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
  | extend KV= bag_pack(Key, Value)
  | summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId
  | extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip  
id: 7a830484-e349-4527-85f6-7850c468c238
version: 1.0.0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/7a830484-e349-4527-85f6-7850c468c238')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/7a830484-e349-4527-85f6-7850c468c238')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}",
          "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
        },
        "alertRuleTemplateName": "7a830484-e349-4527-85f6-7850c468c238",
        "customDetails": {
          "ETD_AlertID": "AlertId",
          "SAP_User": "User"
        },
        "description": "Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)",
        "displayName": "SAP ETD - Synch alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SystemId",
                "identifier": "Name"
              },
              {
                "columnName": "ClienId",
                "identifier": "AppId"
              },
              {
                "columnName": "Instance",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Host",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml",
        "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 70d;\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n| where PatternName <> \"Logon from external with SAP standard users\"\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend NewEvent= split(sapOriginalEvent, \"\\n\")\n| mv-expand NewEvent to typeof(string)\n| parse NewEvent with Key: string \":\" Value: string\n| extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)\n| extend KV= bag_pack(Key, Value)\n| summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId\n| extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P2D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}