SAP ETD - SAP system stopped reporting data
| Id | b1413b43-9410-46f4-94d9-da507105d834 |
| Rulename | SAP ETD - SAP system stopped reporting data |
| Description | Identifies a per-system silence: an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table for longer than the configured per-system grace period (default 2 hours). A targeted silence of a single SID may indicate that an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector is selectively blocking security telemetry to hide follow-on activity while leaving the rest of the SAP ETD feed intact; benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage. Note that SAPETDAlerts_CL holds ETD alerts rather than raw SAP logs, so a healthy system that simply raises few alerts can exceed a 2-hour gap; tune `LookbackPeriod` to each environment's typical alert rate to avoid false positives on low-volume systems. The set of "expected" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on. Tunable parameters at the top of the query: `LookbackPeriod` (silence threshold per SID; align with `queryFrequency`) and `BaselineLookback` (how far back to look to discover known SIDs; align with `queryPeriod`). Because the rule runs hourly and alerts per result, a SID that stays silent re-alerts on every run until it reports again or ages out of the baseline. This rule is complementary to the overall-feed rule "SAP ETD - No new data received". |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1562 T1562.006 |
| Required data connectors | SAPETDAlerts |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SystemStoppedReporting.yaml |
| Version | 1.0.0 |
| Arm template | b1413b43-9410-46f4-94d9-da507105d834.json |
// ---- Configurable thresholds ----
let LookbackPeriod = 2h;
let BaselineLookback = 7d;
// ---------------------------------
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @'\/(.{3})$';
SAPETDAlerts_CL
| where TimeGenerated > ago(BaselineLookback)
| mv-expand NormalizedTriggeringEvents
| extend
SystemId = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
ClientId = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
Host = tostring(NormalizedTriggeringEvents.NetworkHostnameInitiator),
Instance = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
| where isnotempty(SystemId)
| summarize
LastIngestionTime = max(TimeGenerated),
Host = take_any(Host),
Instance = take_any(Instance),
ClientId = take_any(ClientId)
by SystemId
| extend TimeSinceLastIngestion = now() - LastIngestionTime
| where TimeSinceLastIngestion > LookbackPeriod
| extend
LookbackPeriod = LookbackPeriod,
Reason = strcat("SAP system ", SystemId, " has not reported any data to SAP ETD in the last ", tostring(LookbackPeriod), " (last seen: ", tostring(LastIngestionTime), ").")
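The per-SID logic of the query above, re-implemented stand-alone in Python over constructed records so the baseline window, the grace period and the SID/client parsing can be exercised offline. This is an added example, not the rule's own code or part of the Sentinel solution: the record shape (TimeGenerated plus a NormalizedTriggeringEvents list carrying SystemIdActor, NetworkHostnameInitiator and NetworkHostnameActor), the "SID/client" form of SystemIdActor, and all sample values are assumptions. Where the KQL uses take_any() for Host, Instance and ClientId, this version keeps the values from the most recent record. The sample set includes a low-volume system that is healthy but has not raised an alert in five hours, which shows why `LookbackPeriod` must be tuned against the table's alert rate rather than treated as a fixed default.

```python
"""Added example: a stand-alone Python model of the per-SID silence check
performed by the KQL rule above. Not the rule's own code; the record shape
and all sample values are assumptions made for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Same patterns as the KQL. SystemIdActor is assumed to look like "SID/client".
REGEX_SID = re.compile(r"^([A-Z0-9]{3})/")
REGEX_CLIENT = re.compile(r"/(.{3})$")

LOOKBACK_PERIOD = timedelta(hours=2)   # silence threshold per SID
BASELINE_LOOKBACK = timedelta(days=7)  # window used to discover known SIDs


def extract_ids(system_id_actor):
    """Return (sid, client); either is None when its pattern does not match."""
    value = system_id_actor or ""
    m_sid = REGEX_SID.search(value)
    m_client = REGEX_CLIENT.search(value)
    return (m_sid.group(1) if m_sid else None,
            m_client.group(1) if m_client else None)


def silent_systems(records, now, lookback=LOOKBACK_PERIOD, baseline=BASELINE_LOOKBACK):
    """Mirror the KQL: keep records inside the baseline window, expand the
    triggering events, drop rows without a SID, take the latest TimeGenerated
    per SID, then report every SID whose gap exceeds the grace period.
    Unlike the KQL's take_any(), Host/Instance/ClientId come from the latest record."""
    last_seen = {}
    for rec in records:
        ts = rec["TimeGenerated"]
        if ts <= now - baseline:                 # where TimeGenerated > ago(BaselineLookback)
            continue
        for ev in rec.get("NormalizedTriggeringEvents", []):   # mv-expand
            sid, client = extract_ids(ev.get("SystemIdActor"))
            if not sid:                          # where isnotempty(SystemId)
                continue
            current = last_seen.get(sid)
            if current is None or ts > current["LastIngestionTime"]:   # max(TimeGenerated) by SystemId
                last_seen[sid] = {
                    "LastIngestionTime": ts,
                    "ClientId": client,
                    "Host": ev.get("NetworkHostnameInitiator"),
                    "Instance": ev.get("NetworkHostnameActor"),
                }

    results = {}
    for sid, info in last_seen.items():
        gap = now - info["LastIngestionTime"]    # TimeSinceLastIngestion
        if gap > lookback:
            results[sid] = dict(
                info,
                TimeSinceLastIngestion=gap,
                Reason=(f"SAP system {sid} has not reported any data to SAP ETD in the "
                        f"last {lookback} (last seen: {info['LastIngestionTime'].isoformat()})."),
            )
    return results


# Constructed sample data (not real telemetry). `now` is fixed so results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _record(hours_ago, actor, host="sap-app-01.example.local", instance="sap-app-01_P01_00"):
    return {
        "TimeGenerated": NOW - timedelta(hours=hours_ago),
        "NormalizedTriggeringEvents": [{
            "SystemIdActor": actor,
            "NetworkHostnameInitiator": host,
            "NetworkHostnameActor": instance,
        }],
    }


SAMPLE_RECORDS = [
    _record(0.5, "P01/100"),     # production SID reported 30 min ago: healthy
    _record(26, "P01/100"),
    _record(3, "Q01/200"),       # last seen 3 h ago: exceeds the 2 h grace period
    _record(30, "Q01/200"),
    _record(5, "D01/300"),       # low-volume dev system that alerts rarely: also fires (tuning caveat)
    _record(50, "D01/300"),
    _record(24 * 9, "X01/400"),  # silent for 9 days: outside the baseline, treated as decommissioned
    _record(1, "not-a-sid"),     # no "SID/" prefix: dropped as isnotempty(SystemId) would
]


def run_example():
    return silent_systems(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for sid, hit in sorted(run_example().items()):
        print(hit["Reason"])
```

Running the block prints one Reason line each for Q01 and D01; P01 is healthy, X01 falls outside the 7-day baseline, and the malformed actor value is discarded before aggregation. The D01 hit is the one to study when tuning: nothing is wrong with that system, it just raises fewer alerts than the grace period assumes.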
entityMappings:
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: SystemId
- identifier: AppId
columnName: ClientId
- identifier: InstanceName
columnName: Instance
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Host
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
- SAPETDAlerts_CL
connectorId: SAPETDAlerts
alertDetailsOverride:
alertDisplayNameFormat: SAP ETD - SAP system {{SystemId}} stopped reporting data
alertDescriptionFormat: |
{{Reason}}
A selective silence of a single SAP SID may indicate that an adversary is tampering with the security telemetry pipeline for this specific system (for example by stopping the SAP ETD collector for that SID, disabling the relevant data connector path, or blocking network egress from that host) in order to hide malicious activity while leaving the rest of the SAP ETD feed intact. Treat the silence as suspicious until proven otherwise: validate the integrity and runtime state of the SAP system, the SAP ETD collector configuration for this SID, and the data connector between SAP ETD and Microsoft Sentinel, and review recent change / admin activity on those components before concluding the cause is a benign outage.
id: b1413b43-9410-46f4-94d9-da507105d834
severity: High
eventGroupingSettings:
aggregationKind: AlertPerResult
status: Available
customDetails:
SAP_SID: SystemId
LastIngestion: LastIngestionTime
LastIngestionGap: TimeSinceLastIngestion
SAP_Client: ClientId
LookbackPeriod: LookbackPeriod
query: |
// ---- Configurable thresholds ----
let LookbackPeriod = 2h;
let BaselineLookback = 7d;
// ---------------------------------
let regex_sid = @"^([A-Z0-9]{3})/";
let regex_client = @'\/(.{3})$';
SAPETDAlerts_CL
| where TimeGenerated > ago(BaselineLookback)
| mv-expand NormalizedTriggeringEvents
| extend
SystemId = extract(regex_sid, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
ClientId = extract(regex_client, 1, tostring(NormalizedTriggeringEvents.SystemIdActor)),
Host = tostring(NormalizedTriggeringEvents.NetworkHostnameInitiator),
Instance = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
| where isnotempty(SystemId)
| summarize
LastIngestionTime = max(TimeGenerated),
Host = take_any(Host),
Instance = take_any(Instance),
ClientId = take_any(ClientId)
by SystemId
| extend TimeSinceLastIngestion = now() - LastIngestionTime
| where TimeSinceLastIngestion > LookbackPeriod
| extend
LookbackPeriod = LookbackPeriod,
Reason = strcat("SAP system ", SystemId, " has not reported any data to SAP ETD in the last ", tostring(LookbackPeriod), " (last seen: ", tostring(LastIngestionTime), ").")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SystemStoppedReporting.yaml
kind: Scheduled
queryPeriod: 7d
version: 1.0.0
name: SAP ETD - SAP system stopped reporting data
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1562
- T1562.006
description: |
Identifies a per-system silence: an individual SAP system (identified by its SID) that has recently been reporting to SAP Enterprise Threat Detection (ETD) stops producing new records in the SAPETDAlerts_CL table for longer than the configured per-system grace period (default 2 hours). A targeted silence of a single SID may indicate that an adversary with access to the SAP system, the SAP ETD collector for that SID, or the data connector is selectively blocking security telemetry to hide follow-on activity while leaving the rest of the SAP ETD feed intact; benign causes such as connectivity issues, collector misconfiguration, or planned maintenance for that SID are also possible and should be ruled out during triage. Note that SAPETDAlerts_CL holds ETD alerts rather than raw SAP logs, so a healthy system that simply raises few alerts can exceed a 2-hour gap; tune `LookbackPeriod` to each environment's typical alert rate to avoid false positives on low-volume systems. The set of "expected" SIDs is derived from any system that has reported within the `BaselineLookback` period (default 7 days); systems silent for longer are considered decommissioned and are not alerted on. Tunable parameters at the top of the query: `LookbackPeriod` (silence threshold per SID; align with `queryFrequency`) and `BaselineLookback` (how far back to look to discover known SIDs; align with `queryPeriod`). Because the rule runs hourly and alerts per result, a SID that stays silent re-alerts on every run until it reports again or ages out of the baseline. This rule is complementary to the overall-feed rule "SAP ETD - No new data received".
triggerOperator: gt