SAP ETD - Synch alerts

Back


Id	7a830484-e349-4527-85f6-7850c468c238
Rulename	SAP ETD - Synch alerts
Description	Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
Severity	Medium
Required data connectors	SAPETDAlerts
Kind	Scheduled
Query frequency	1h
Query period	2d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
Version	1.0.3
Arm template	7a830484-e349-4527-85f6-7850c468c238.json

KQL

let minThreshold= 1;
let minScore= 50;
let lookBack= 7d;
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @'\/(.{3})$';
SAPETDAlerts_CL
| mv-expand NormalizedTriggeringEvents
| summarize arg_max(TimeGenerated, *) by AlertId
| where Threshold >= minThreshold and Score >= minScore
| extend
  SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
  ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
  Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
  Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
  User= NormalizedTriggeringEvents.UserAccountActing,
  IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
query: |
  let minThreshold= 1;
  let minScore= 50;
  let lookBack= 7d;
  let regex_sid = @"^([A-Z0-9]{3})/";
  let regex_client = @'\/(.{3})$';
  SAPETDAlerts_CL
  | mv-expand NormalizedTriggeringEvents
  | summarize arg_max(TimeGenerated, *) by AlertId
  | where Threshold >= minThreshold and Score >= minScore
  | extend
    SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
    ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
    Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
    Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
    User= NormalizedTriggeringEvents.UserAccountActing,
    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator;  
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryPeriod: 2d
severity: Medium
requiredDataConnectors:
- dataTypes:
  - SAPETDAlerts_CL
  connectorId: SAPETDAlerts
triggerOperator: gt
tactics: []
name: SAP ETD - Synch alerts
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
  alertDescriptionFormat: '{{PatternDescription}}'
relevantTechniques: []
id: 7a830484-e349-4527-85f6-7850c468c238
entityMappings:
- fieldMappings:
  - columnName: SystemId
    identifier: Name
  - columnName: ClienId
    identifier: AppId
  - columnName: Instance
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: Host
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: IP
    identifier: Address
  entityType: IP
queryFrequency: 1h
version: 1.0.3
status: Available
description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
customDetails:
  SAP_User: User
  ETD_AlertNumber: AlertId
kind: Scheduled

ARM