Microsoft Sentinel Analytic Rules

SAP ETD - Synch alerts

Id: 7a830484-e349-4527-85f6-7850c468c238
Rulename: SAP ETD - Synch alerts
Description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
Severity: Medium
Required data connectors: SAPETDAlerts
Kind: Scheduled
Query frequency: 1h
Query period: 2d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
Version: 1.0.4
Arm template: 7a830484-e349-4527-85f6-7850c468c238.json
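// Minimum ETD Threshold and Score an alert must reach before it is forwarded to Sentinel.
let minThreshold= 1;
let minScore= 50;
// NOTE(review): the original also declared `let lookBack= 7d;` but never applied it
// (no TimeGenerated filter). It was removed as dead code; the scheduled rule's
// queryPeriod (2d) is what actually bounds the data this query sees.
// SystemIdActor is parsed as "<sid>/<client>": regex_sid captures the three [A-Z0-9]
// characters before the first '/', regex_client the three characters after the last '/'.
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @'\/(.{3})$';
SAPETDAlerts_CL
| mv-expand NormalizedTriggeringEvents
// Keep the row with the latest TimeGenerated per AlertId. Because this runs after the
// mv-expand above, only one triggering event per AlertId survives — presumably intended
// for a one-way sync of each ETD alert; confirm with the rule owner.
| summarize arg_max(TimeGenerated, *) by AlertId
| where Threshold >= minThreshold and Score >= minScore
// Columns consumed by the rule's entity mappings. "ClienId" keeps its original spelling
// because the CloudApplication mapping references that exact column name.
| extend
  SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
  ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
  Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
  Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
  User= NormalizedTriggeringEvents.UserAccountActing,
  IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator
// One output row per entry in Users; UserAccountName and UserEmail feed the Account and
// Mailbox entity mappings. Only the first address in EmailAddresses is used.
| mv-expand Users
| extend
  UserAccountName = tostring(Users.UserAccountName),
  UserEmail = tostring(Users.EmailAddresses[0]);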
# Scheduled analytic rule: forwards SAP Enterprise Threat Detection (ETD) alerts into
# Sentinel. Rows are produced by the KQL under `query`; each row becomes its own alert
# (see eventGroupingSettings).
severity: Medium
triggerOperator: gt
relevantTechniques: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
id: 7a830484-e349-4527-85f6-7850c468c238
# Extra fields surfaced on each alert; the values are column names from the query.
customDetails:
  SAP_UserEmail: UserEmail
  SAP_User: User
  ETD_AlertNumber: AlertId
# Every columnName below must exist in the query's output (created by its `extend` steps).
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: UserAccountName
  entityType: Account
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: UserEmail
  entityType: Mailbox
- fieldMappings:
  - identifier: Name
    columnName: SystemId
  # The query spells this column "ClienId"; the mapping has to match that spelling exactly.
  - identifier: AppId
    columnName: ClienId
  - identifier: InstanceName
    columnName: Instance
  entityType: CloudApplication
- fieldMappings:
  - identifier: FullName
    columnName: Host
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IP
  entityType: IP
kind: Scheduled
status: Available
tactics: []
queryFrequency: 1h
# AlertPerResult: every returned row is a separate alert. Because the query mv-expands
# Users, an ETD alert that lists several users yields one Sentinel alert per user.
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: SAPETDAlerts
  dataTypes:
  - SAPETDAlerts_CL
# Effective data window per run. NOTE(review): the query also declares `lookBack= 7d`
# but never applies it, so 2d is what actually bounds the data.
queryPeriod: 2d
version: 1.0.4
description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
# Alert title and description are templated from the PatternName / PatternDescription
# columns of each row; those columns are not created by the query, so they are presumably
# part of SAPETDAlerts_CL — confirm against the table schema.
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
  alertDescriptionFormat: '{{PatternDescription}}'
# Threshold 0 with operator gt: any returned row raises an alert.
triggerThreshold: 0
# Literal block scalar: everything indented under `query:` is part of the KQL text, so
# YAML comments cannot be placed inside it. Threshold/score gates and the SID/client
# parsing of SystemIdActor live in the query itself.
query: |
  let minThreshold= 1;
  let minScore= 50;
  let lookBack= 7d;
  let regex_sid = @"^([A-Z0-9]{3})/";
  let regex_client = @'\/(.{3})$';
  SAPETDAlerts_CL
  | mv-expand NormalizedTriggeringEvents
  | summarize arg_max(TimeGenerated, *) by AlertId
  | where Threshold >= minThreshold and Score >= minScore
  | extend
    SystemId= extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
    ClienId= extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
    Host= NormalizedTriggeringEvents.NetworkHostnameInitiator,
    Instance= NormalizedTriggeringEvents.NetworkHostnameActor,
    User= NormalizedTriggeringEvents.UserAccountActing,
    IP= NormalizedTriggeringEvents.NetworkIPAddressInitiator
  | mv-expand Users
  | extend
    UserAccountName = tostring(Users.UserAccountName),
    UserEmail = tostring(Users.EmailAddresses[0]);  
name: SAP ETD - Synch alerts