diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json
new file mode 100644
index 00000000000..a84f34dc7a1
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json
@@ -0,0 +1,57 @@
+{
+ "Name": "SAPETDAlerts_CL",
+ "Properties": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "AlertId",
+ "type": "int"
+ },
+ {
+ "name": "PatternName",
+ "type": "string"
+ },
+ {
+ "name": "PatternDescription",
+ "type": "string"
+ },
+ {
+ "name": "Status",
+ "type": "string"
+ },
+ {
+ "name": "CreationTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MinTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MaxTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "Score",
+ "type": "int"
+ },
+ {
+ "name": "Threshold",
+ "type": "int"
+ },
+ {
+ "name": "Measure",
+ "type": "int"
+ },
+ {
+ "name": "TriggeringEvents",
+ "type": "dynamic"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
index 7588b1ba65d..9de54e1864c 100644
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -1,4 +1,9 @@
[
+ {
+ "id": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
+ "templateName": "SAPETD-LoginFromUnexpectedNetwork.yaml",
+ "validationFailReason": "The name 'Network' does not refer to any known column, table, variable or function. The name 'geo_info_from_ip_address' does not refer to any known function."
+ },
{
"id": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
"templateName": "AuthenticationAttemptfromNewCountry.yaml",
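Review bot: Skipping `SAPETD-LoginFromUnexpectedNetwork.yaml` entirely turns off KQL validation for the whole query, although only two names are unknown: `Network` is a column of the `SAP - Networks` watchlist the query reads via `_GetWatchlist`, and `geo_info_from_ip_address` is a built-in KQL function the validator evidently lacks. If the test harness supports watchlist or function fixtures, adding those would keep the rest of the query under validation and catch future regressions. Otherwise the `validationFailReason` should state that the watchlist is shipped by a different solution, so the skip is not mistaken for a known-good query.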
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 67d38fd39a8..6416f1fec01 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -154,6 +154,7 @@
"SalesforceServiceCloud",
"SAP",
"SAPBTPAuditEvents",
+ "SAPETDAlerts",
"SecurityEvents",
"SemperisDSP",
"SenservaPro",
diff --git a/Logos/SAPETD_cloud.svg b/Logos/SAPETD_cloud.svg
new file mode 100644
index 00000000000..9908905ba24
--- /dev/null
+++ b/Logos/SAPETD_cloud.svg
@@ -0,0 +1,8 @@
+
+
\ No newline at end of file
diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAP ETD - Synch alerts.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAP ETD - Synch alerts.yaml
new file mode 100644
index 00000000000..2de121389e9
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAP ETD - Synch alerts.yaml
@@ -0,0 +1,73 @@
+id: 7a830484-e349-4527-85f6-7850c468c238
+kind: Scheduled
+name: SAP ETD - Synch alerts
+description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: SAPETDAlerts
+ dataTypes:
+ - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 2d
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+ let minThreshold= 1;
+ let minScore= 50;
+ let lookBack= 70d;
+ SAPETDAlerts_CL
+ | mv-expand TriggeringEvents
+ | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
+ // | where CreationTimestamp > ago(lookBack)
+ | where PatternName <> "Logon from external with SAP standard users"
+ | summarize arg_max(TimeGenerated, *) by AlertId
+ | where Threshold >= minThreshold and Score >= minScore
+ | extend NewEvent= split(sapOriginalEvent, "\n")
+ | mv-expand NewEvent to typeof(string)
+ | parse NewEvent with Key: string ":" Value: string
+ | extend
+ Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value),
+ Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
+ | extend KV= bag_pack(Key, Value)
+ | summarize
+ KeyValues= make_bag(KV),
+ take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent)
+ by AlertId
+ | extend
+ SystemId= KeyValues.sid,
+ ClienId= KeyValues.client,
+ Host= KeyValues.instance_host,
+ Instance= KeyValues.instance_name,
+ User= KeyValues.user_name,
+ IP= KeyValues.user_ip
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: Name
+ columnName: SystemId
+ - identifier: AppId
+ columnName: ClienId
+ - identifier: InstanceName
+ columnName: Instance
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: Host
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IP
+alertDetailsOverride:
+ alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
+ alertDescriptionFormat: |
+ Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way).
+ {{PatternDescription}}
+customDetails:
+ SAP_User: User
+ ETD_AlertID: AlertId
+version: 1.0.0
\ No newline at end of file
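Review bot: The `summarize arg_max(TimeGenerated, *) by AlertId` step runs after `| mv-expand TriggeringEvents`, so an alert with several triggering events is collapsed to one arbitrary event before the key/value extraction, and the later `make_bag`/`take_any` only ever see that one event. If the intent is to de-duplicate re-ingested copies of the same alert, move the `summarize arg_max(...)` before `| mv-expand TriggeringEvents` so the expansion works on the latest copy of every event. `let lookBack= 70d;` is dead since the `where CreationTimestamp > ago(lookBack)` line is commented out, and with `queryPeriod: 2d` it could not look back 70 days anyway; either drop both or document why the filter was disabled. The excluded pattern `"Logon from external with SAP standard users"` is hard-coded without explanation; a one-line `// excluded: <reason to be supplied>` next to it would help the next maintainer. `ClienId` in the `extend` and in the `AppId` entity mapping is presumably a typo for `ClientId`; it is consistent so it works, but worth fixing in both places.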
diff --git a/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
new file mode 100644
index 00000000000..27b4e574ca5
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
@@ -0,0 +1,68 @@
+id: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f
+kind: Scheduled
+name: SAP ETD - Login from unexpected network
+description: |
+ Identifies logons from an unexpected network.
+ Source Action: Logon to the backend system from an IP address which is not assigned to one of the networks.
+ networks can be maintained in the "SAP - Networks" watchlist of the Microsoft Sentinel Solution for SAP package.
+
+ *Data Sources: SAP Enterprise Thread Detection Solution - Alerts*
+severity: Medium
+status: Available
+requiredDataConnectors:
+ - connectorId: SAPETDAlerts
+ dataTypes:
+ - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 2d
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+ let regex_ip = @"user_ip:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";
+ let regex_user = @"user_name:(\w+)";
+ let regex_sid = @"sid:(\w{3})";
+ let regex_client = @"client:(\d{3})";
+ let regex_instance_name = @"instance_name:(\w+)";
+ let regex_instance_host = @"instance_host:([\w-]+)";
+ let SAPNetworks = _GetWatchlist('SAP - Networks');
+ SAPETDAlerts_CL
+ | mv-expand TriggeringEvents
+ | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
+ | extend Id_ = TriggeringEvents.Id
+ | extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)
+ | extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)
+ | extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)
+ | extend extracted_client = extract(regex_client, 1, sapOriginalEvent)
+ | extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)
+ | extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)
+ | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
+ | where isempty(Network)
+ | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status
+ | extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: CloudApplication
+ fieldMappings:
+ - identifier: AppId
+ columnName: extracted_sid
+ - identifier: InstanceName
+ columnName: extracted_instance_name
+ - entityType: Host
+ fieldMappings:
+ - identifier: FullName
+ columnName: extracted_instance_host
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: extracted_user_ip
+alertDetailsOverride:
+ alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
+ alertDescriptionFormat: |
+ {{PatternDescription}}
+customDetails:
+ SAP_User: User
+ ETD_AlertID: AlertId
+version: 1.0.0
\ No newline at end of file
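Review bot: `customDetails: SAP_User: User` references a column this query never produces — the `project` step keeps `extracted_sap_user` and no `User` column is defined anywhere — so the custom detail will be empty; it should read `SAP_User: extracted_sap_user`. When the IP regex does not match, `extract(regex_ip, 1, …)` yields an empty `extracted_user_ip`, which also has no `Network` after `ipv4_lookup`, so such rows pass `where isempty(Network)` and raise an alert with no address; add `| where isnotempty(extracted_user_ip)` before the lookup. The rule depends on `_GetWatchlist('SAP - Networks')`, which the description says lives in the separate SAP solution and which this solution does not ship (`Watchlists: []` in `Solution_SAPETD.json`), so the rule errors until that watchlist exists — state the dependency in the description, since the SkipValidations entry hides it from the KQL tests. In the description, `SAP Enterprise Thread Detection` should be `Threat`.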
diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD.json
new file mode 100644
index 00000000000..23338c1b5af
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD.json
@@ -0,0 +1,157 @@
+{
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "SAP ETD",
+ "logo": "SapLogo.svg",
+ "id": "SAPETDAlerts",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP ETD data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.",
+ "graphQueriesTableName": "SAPETDAlerts_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "ETD Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of ETD Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for ETD Retrieval API",
+ "description": "Enable API access in ETD."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+ },
+ {
+ "description": "Connect using OAuth client credentials",
+ "title": "Connect events from SAP ETD to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "ETD connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client ID",
+ "placeholder": "Client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client Secret",
+ "placeholder": "Client Secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Authorization server URL (UAA server)",
+ "placeholder": "https://your-tenant.authentication.region.hana.ondemand.com/oauth/token",
+ "type": "text",
+ "name": "authServerUrl"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "ETD data retrieval API URL",
+ "placeholder": "https://your-etd-cloud-data-retrieval-service.cfapps.region.hana.ondemand.com",
+ "type": "text",
+ "name": "etdHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "ETD accounts",
+ "description": "Each row represents a connected ETD account",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Data retrieval endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
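Review bot: The `lastDataReceivedQuery` filters on `name_s == "no data test"`, a column that does not exist in `SAPETDAlerts_CL` (see the DCR stream declaration in this commit), so the connector page will always report no data received; `"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"` is what the table supports. The same query appears in `SAPETD_ccp/connectorDefinition.json`, which is otherwise a near-verbatim copy of this file; two copies invite drift, and `Solution_SAPETD.json` lists both as data connectors. The first instruction step links to the SAP BTP audit-log retrieval docs and asks for `uaa.url`/`uaa.clientid`, which looks carried over from a BTP connector, while `dataConnector.json` polls `/alerts/v1/Alerts`; please confirm the text matches the ETD onboarding flow. `"logo": "SapLogo.svg"` while this commit adds `Logos/SAPETD_cloud.svg` — one of the two is presumably unintended.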
diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/DCR.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/DCR.json
new file mode 100644
index 00000000000..4f4f53434f6
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/DCR.json
@@ -0,0 +1,85 @@
+{
+ "name": "SAP-ETD-DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-SAPETDAlerts_CL": {
+ "columns": [
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "AlertId",
+ "type": "int"
+ },
+ {
+ "name": "PatternName",
+ "type": "string"
+ },
+ {
+ "name": "PatternDescription",
+ "type": "string"
+ },
+ {
+ "name": "Status",
+ "type": "string"
+ },
+ {
+ "name": "CreationTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MinTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MaxTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "Score",
+ "type": "int"
+ },
+ {
+ "name": "Threshold",
+ "type": "int"
+ },
+ {
+ "name": "Measure",
+ "type": "int"
+ },
+ {
+ "name": "TriggeringEvents",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "dataSources": "[variables('TemplateEmptyObject')]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-SAPETDAlerts_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source| extend TimeGenerated = now()",
+ "outputStream": "Custom-SAPETDAlerts_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]"
+ }
+}
\ No newline at end of file
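Review bot: `"transformKql": "source| extend TimeGenerated = now()"` stamps every record with poll time rather than the alert's own `CreationTimestamp`, so TimeGenerated-based filtering in the rules reflects when the poller ran, and re-polled copies of the same alert get different TimeGenerated values (which the sync rule then has to de-duplicate with `arg_max`). If event-time semantics are wanted, `source | extend TimeGenerated = CreationTimestamp` is the alternative, with the caveat that the ingestion pipeline may not accept timestamps far in the past — worth confirming against the 10-minute poll window in `dataConnector.json`. Whichever is chosen, a short explanation in the connector documentation would save the next maintainer the same question.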
diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/connectorDefinition.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/connectorDefinition.json
new file mode 100644
index 00000000000..76ee314d527
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/connectorDefinition.json
@@ -0,0 +1,175 @@
+{
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "SAP ETD",
+ "logo": "SapLogo.svg",
+ "id": "SAPETDAlerts",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP ETD data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.",
+ "graphQueriesTableName": "SAPETDAlerts_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "ETD Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of ETD Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for ETD Retrieval API",
+ "description": "Enable API access in ETD."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+ },
+ {
+ "description": "Connect using OAuth client credentials",
+ "title": "Connect events from SAP ETD to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "ETD connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client ID",
+ "placeholder": "Client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client Secret",
+ "placeholder": "Client Secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Authorization server URL (UAA server)",
+ "placeholder": "https://your-tenant.authentication.region.hana.ondemand.com/oauth/token",
+ "type": "text",
+ "name": "authServerUrl"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "ETD data retrieval API URL",
+ "placeholder": "https://your-etd-cloud-data-retrieval-service.cfapps.region.hana.ondemand.com",
+ "type": "text",
+ "name": "etdHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "ETD accounts",
+ "description": "Each row represents a connected ETD account",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Data retrieval endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ },"metadata": {
+ "id": "SAPETDAlerts",
+ "version": "3.1.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "SAP Enterprise Threat Detection, cloud edition integration with Microsoft Sentinel"
+ },
+ "author": {
+ "name": "Michael Schmitt",
+ "email": "m.schmitt@sap.com"
+ },
+ "support": {
+ "tier": "Partner",
+ "name": "SAP SE",
+ "email": "support@sap.com",
+ "link": "https://me.sap.com/"
+ }
+ }
+}
\ No newline at end of file
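Review bot: The content version is inconsistent across this commit: `"version": "3.1.0"` in the `metadata` block here, `SolutionVersion` `3.0.0` in `solutionMetadata.json`, `Version` `3.0.1` in `Solution_SAPETD.json`, and `_solutionVersion` `3.0.0` in `mainTemplate.json`; pick one and align all four. The `},"metadata": {` on a single line breaks the indentation style used in the rest of the file and should be split onto its own line. The `sharedKeys` permission entry (with the agent workspace-key documentation link) looks inherited from an agent-based connector template; a `RestApiPoller` connector writing through a DCR does not read the workspace shared key, so the requirement is presumably unnecessary — please confirm and drop it if so.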
diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/dataConnector.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/dataConnector.json
new file mode 100644
index 00000000000..6e908b3534f
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/dataConnector.json
@@ -0,0 +1,54 @@
+{
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/',variables('connectorName'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SAPETDAlerts",
+ "dcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-SAPETDAlerts_CL"
+ },
+ "dataType": "SAPETDAlerts_CL",
+ "addOnAttributes": {
+ "SubaccountName": "[[parameters('etdHost')]"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "ClientSecret": "[[parameters('ClientSecret')]",
+ "ClientId": "[[parameters('ClientId')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat(replace(parameters('authServerUrl'), '/oauth/token', ''), '/oauth/token?grant_type=client_credentials')]",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ }
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('etdHost'), '/alerts/v1/Alerts')]",
+ "queryWindowInMin": 10,
+ "httpMethod": "Get",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "$expand": "TriggeringEvents",
+ "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}"
+ },
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.value"
+ ]
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+ }
+ }
+}
\ No newline at end of file
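Review bot: The `$filter` in `queryParameters` pulls only alerts whose `CreationTimestamp` falls inside the 10-minute window, so later changes to an alert (for example its `Status`) are never re-fetched and the `Status` column the rules expose is the creation-time value; if status tracking is intended, filter on a modification timestamp where the API offers one, otherwise state the created-once semantics in the connector description. `grant_type=client_credentials` is sent both via `"GrantType"` and as a query string appended to `TokenEndpoint`; one of the two is redundant and the query-string form is unusual for a token POST, so please confirm the UAA endpoint needs it. `"User-Agent": "Scuba"` is opaque; a descriptive product string (e.g. `Microsoft-Sentinel-SAPETD/<version>`, constructed) helps the SAP side attribute traffic. Nothing constrains `authServerUrl`/`etdHost` to `https://`; since the client secret is posted to whatever URL the operator enters, a scheme check in the connector UI would be a cheap safeguard.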
diff --git a/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/solutionMetadata.json b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/solutionMetadata.json
new file mode 100644
index 00000000000..c196c0ca487
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Data Connectors/SAPETD_ccp/solutionMetadata.json
@@ -0,0 +1,11 @@
+{
+ "SolutionName":"SAP Enterprise Threat Detection, cloud edition",
+ "SolutionAuthor": "SAP",
+ "SolutionVersion":"3.0.0",
+ "PackageId": "azuresentinel.azure-sentinel-solution-SAPLogServPushV1",
+ "TemplateName": "SAPETDPushV1",
+ "ConnectorDefinitionTemplateVersion": "1.0.0",
+ "DataConnectorsTemplateVersion": "1.0.0",
+ "PackageIcon":"SAP",
+ "SolutionTier": "Partner"
+}
\ No newline at end of file
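Review bot: `"PackageId": "azuresentinel.azure-sentinel-solution-SAPLogServPushV1"` and `"TemplateName": "SAPETDPushV1"` do not match the rest of this solution — `solutionId` in `mainTemplate.json` is `sapetd.sapetd-alerts`, and the connector is a `RestApiPoller`, not a push connector — so the PackageId in particular looks copied from a SAPLogServ package and should be the id of this solution. `"SolutionVersion": "3.0.0"` also disagrees with `"Version": "3.0.1"` in `Data/Solution_SAPETD.json`.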
diff --git a/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json b/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json
new file mode 100644
index 00000000000..8d701d01d6b
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Data/Solution_SAPETD.json
@@ -0,0 +1,28 @@
+{
+ "Name": "SAP Enterprise Threat Detection, cloud edition",
+ "Author": "SAP",
+ "Logo": "",
+ "Description": "The Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection alerts into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.",
+ "WorkbookDescription": [],
+ "Workbooks": [],
+ "Analytic Rules": [
+ "/Analytic Rules/SAP ETD - Synch alerts.yaml",
+ "/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml"
+ ],
+ "Playbooks": [],
+ "PlaybookDescription": [],
+ "Parsers": [],
+ "SavedSearches": [],
+ "Hunting Queries": [],
+ "Data Connectors": [
+ "Data Connectors/SAPETD_ccp/connectorDefinition.json",
+ "Data Connectors/SAPETD.json"
+ ],
+ "Watchlists": [],
+ "WatchlistDescription": [],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
+ "Version": "3.0.1",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
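Review bot: `"Data Connectors"` lists both `Data Connectors/SAPETD_ccp/connectorDefinition.json` and `Data Connectors/SAPETD.json`, which are near-identical copies of the same `SAPETDAlerts` connector definition; packaging both presumably yields two definitions with the same `id`, so one entry should go. `"Logo": ""` while the commit adds `Logos/SAPETD_cloud.svg`, so the solution icon is likely unset by accident. `"Version": "3.0.1"` disagrees with `3.0.0` in `solutionMetadata.json` and `mainTemplate.json`.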
diff --git a/Solutions/SAP ETD Cloud/Package/3.0.0.zip b/Solutions/SAP ETD Cloud/Package/3.0.0.zip
new file mode 100644
index 00000000000..bf7e1f7f2c6
Binary files /dev/null and b/Solutions/SAP ETD Cloud/Package/3.0.0.zip differ
diff --git a/Solutions/SAP ETD Cloud/Package/createUiDefinition.json b/Solutions/SAP ETD Cloud/Package/createUiDefinition.json
new file mode 100644
index 00000000000..04939d82a00
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Package/createUiDefinition.json
@@ -0,0 +1,127 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20ETD/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection alerts into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.\n\n**Data Connectors:** 1, **Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "subscription": {
+ "resourceProviders": [
+ "Microsoft.OperationsManagement/solutions",
+ "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+ "Microsoft.Insights/workbooks",
+ "Microsoft.Logic/workflows"
+ ]
+ },
+ "location": {
+ "metadata": {
+ "hidden": "Hiding location, we get it from the log analytics workspace"
+ },
+ "visible": false
+ },
+ "resourceGroup": {
+ "allowExisting": true
+ }
+ }
+ },
+ "basics": [
+ {
+ "name": "getLAWorkspace",
+ "type": "Microsoft.Solutions.ArmApiControl",
+ "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+ "condition": "[greater(length(resourceGroup().name),0)]",
+ "request": {
+ "method": "GET",
+ "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+ }
+ },
+ {
+ "name": "workspace",
+ "type": "Microsoft.Common.DropDown",
+ "label": "Workspace",
+ "placeholder": "Select a workspace",
+ "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+ "constraints": {
+ "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+ "required": true
+ },
+ "visible": true
+ }
+ ],
+ "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for SAP ETD. You can get SAP ETD data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
+ {
+ "name": "analytics",
+ "label": "Analytics",
+ "subLabel": {
+ "preValidation": "Configure the analytics",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Analytics",
+ "elements": [
+ {
+ "name": "analytics-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+ }
+ },
+ {
+ "name": "analytics-link",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more",
+ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+ }
+ }
+ },
+ {
+ "name": "analytic1",
+ "type": "Microsoft.Common.Section",
+ "label": "SAP ETD - Synch alerts",
+ "elements": [
+ {
+ "name": "analytic1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "Synch alerts coming in from SAP enterprise threat detection into Microsoft Sentinel (one way)"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+ "location": "[location()]",
+ "workspace": "[basics('workspace')]"
+ }
+ }
+}
\ No newline at end of file
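Review bot: The basics description says `**Analytic Rules:** 1` and the `analytics` step only lists `analytic1` (Synch alerts), but `Data/Solution_SAPETD.json` declares two rules, so the package appears to have been generated before `SAPETD-LoginFromUnexpectedNetwork.yaml` was added and should be regenerated. The Release Notes link points at `Solutions/SAP%20ETD/ReleaseNotes.md` while this solution lives under `Solutions/SAP ETD Cloud`, and no ReleaseNotes.md is part of this commit, so the link is likely dead. The `description` string is split across two lines in this view — presumably an image tag stripped by the renderer rather than a real line break in the JSON, but worth checking the file parses.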
diff --git a/Solutions/SAP ETD Cloud/Package/mainTemplate.json b/Solutions/SAP ETD Cloud/Package/mainTemplate.json
new file mode 100644
index 00000000000..97567db105a
--- /dev/null
+++ b/Solutions/SAP ETD Cloud/Package/mainTemplate.json
@@ -0,0 +1,1112 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "SAP",
+ "comments": "Solution template for SAP ETD"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "SAP ETD",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "sapetd.sapetd-alerts",
+ "_solutionId": "[variables('solutionId')]",
+ "analyticRuleObject1": {
+ "analyticRuleVersion1": "3.0.0",
+ "_analyticRulecontentId1": "7a830484-e349-4527-85f6-7850c468c238",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a830484-e349-4527-85f6-7850c468c238')]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a830484-e349-4527-85f6-7850c468c238')))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a830484-e349-4527-85f6-7850c468c238','-', '3.0.0')))]"
+ },
+ "analyticRuleObject2": {
+ "analyticRuleVersion2": "3.0.0",
+ "_analyticRulecontentId2": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5dd72ebe-03ac-43ac-851b-68cfe5106e4f')]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5dd72ebe-03ac-43ac-851b-68cfe5106e4f')))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5dd72ebe-03ac-43ac-851b-68cfe5106e4f','-', '3.0.0')))]"
+ },
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "1.0.0",
+ "_dataConnectorContentIdConnectorDefinition1": "SAPETDAlerts",
+ "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "_dataConnectorContentIdConnections1": "SAPETDAlertsConnections",
+ "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
+ "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
+ "TemplateEmptyObject": "[json('{}')]",
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SAP ETD - Synch alerts_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Synch alerts coming in from SAP® enterprise threat detection into Microsoft Sentinel (one way)",
+ "displayName": "SAP ETD - Synch alerts",
+ "enabled": false,
+ "query": "let minThreshold= 1;\nlet minScore= 50;\nlet lookBack= 70d;\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n// | where CreationTimestamp > ago(lookBack)\n| where PatternName <> \"Logon from external with SAP standard users\"\n| summarize arg_max(TimeGenerated, *) by AlertId\n| where Threshold >= minThreshold and Score >= minScore\n| extend NewEvent= split(sapOriginalEvent, \"\\n\")\n| mv-expand NewEvent to typeof(string)\n| parse NewEvent with Key: string \":\" Value: string\n| extend\n Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value),\n Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)\n| extend KV= bag_pack(Key, Value)\n| summarize\n KeyValues= make_bag(KV),\n take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent)\n by AlertId\n| extend\n SystemId= KeyValues.sid,\n ClienId= KeyValues.client,\n Host= KeyValues.instance_host,\n Instance= KeyValues.instance_name,\n User= KeyValues.user_name,\n IP= KeyValues.user_ip\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P2D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "SAPETDAlerts_CL"
+ ],
+ "connectorId": "SAPETDAlerts"
+ }
+ ],
+ "entityMappings": [
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "SystemId"
+ },
+ {
+ "identifier": "AppId",
+ "columnName": "ClienId"
+ },
+ {
+ "identifier": "InstanceName",
+ "columnName": "Instance"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "Host"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IP"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "SAP_User": "User",
+ "ETD_AlertID": "AlertId"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "Alert synched from SAP® enterprise threat detection into Microsoft Sentinel (one way).\n{{PatternDescription}}\n",
+ "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "properties": {
+ "description": "SAP ETD Analytics Rule 1",
+ "parentId": "[variables('analyticRuleObject1').analyticRuleId1]",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]",
+ "source": {
+ "kind": "Solution",
+ "name": "SAP ETD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION_CLOUD_EDITION"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "SAP ETD - Synch alerts",
+ "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]",
+ "version": "[variables('analyticRuleObject1').analyticRuleVersion1]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "SAP ETD - Login from unexpected network Analytics Rule with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "apiVersion": "2023-02-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Identifies logons from an unexpected network.\r\nSource Action: Logon to the backend system from an IP address which is not assigned to one of the networks.\r\networks can be maintained in the \"SAP - Networks\" watchlist of the Microsoft Sentinel Solution for SAP package.\r\n*Data Sources: SAP Enterprise Thread Detection Solution - Alerts*",
+ "displayName": "SAP ETD - Login from unexpected network",
+ "enabled": false,
+ "query": "let regex_ip = @\"user_ip:(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\";\nlet regex_user = @\"user_name:(\\w+)\";\nlet regex_sid = @\"sid:(\\w{3})\";\nlet regex_client = @\"client:(\\d{3})\";\nlet regex_instance_name = @\"instance_name:(\\w+)\";\nlet regex_instance_host = @\"instance_host:([\\w-]+)\";\nlet SAPNetworks = _GetWatchlist('SAP - Networks');\nSAPETDAlerts_CL\n| mv-expand TriggeringEvents\n| extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)\n| extend Id_ = TriggeringEvents.Id\n| extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)\n| extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)\n| extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)\n| extend extracted_client = extract(regex_client, 1, sapOriginalEvent)\n| extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)\n| extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)\n| evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)\n| where isempty(Network)\n| project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status\n| extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({\"IsPrivate\": true}), geo_info_from_ip_address(extracted_user_ip))",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "SAPETDAlerts_CL"
+ ],
+ "connectorId": "SAPETDAlerts"
+ }
+ ],
+ "entityMappings": [
+ {
+ "entityType": "CloudApplication",
+ "fieldMappings": [
+ {
+ "identifier": "AppId",
+ "columnName": "extracted_sid"
+ },
+ {
+ "identifier": "InstanceName",
+ "columnName": "extracted_instance_name"
+ }
+ ]
+ },
+ {
+ "entityType": "Host",
+ "fieldMappings": [
+ {
+ "identifier": "FullName",
+ "columnName": "extracted_instance_host"
+ }
+ ]
+ },
+ {
+ "entityType": "IP",
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "extracted_user_ip"
+ }
+ ]
+ }
+ ],
+ "eventGroupingSettings": {
+ "aggregationKind": "AlertPerResult"
+ },
+ "customDetails": {
+ "SAP_User": "User",
+ "ETD_AlertID": "AlertId"
+ },
+ "alertDetailsOverride": {
+ "alertDescriptionFormat": "{{PatternDescription}}\n",
+ "alertDisplayNameFormat": "SAP ETD - {{PatternName}} "
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]",
+ "properties": {
+ "description": "SAP ETD Analytics Rule 2",
+ "parentId": "[variables('analyticRuleObject2').analyticRuleId2]",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]",
+ "source": {
+ "kind": "Solution",
+ "name": "SAP ETD",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION_CLOUD_EDITION"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "SAP ETD - Login from unexpected network",
+ "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]",
+ "version": "[variables('analyticRuleObject2').analyticRuleVersion2]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "displayName": "SAP ETD",
+ "contentKind": "DataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "SAP Enterprise Threat Detection, cloud edition",
+ "logo": "SapLogo.svg",
+ "id": "SAPETDAlerts",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP ETD data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.",
+ "graphQueriesTableName": "SAPETDAlerts_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "ETD Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of ETD Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for ETD Retrieval API",
+ "description": "Enable API access in ETD."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+ },
+ {
+ "description": "Connect using OAuth client credentials",
+ "title": "Connect events from SAP ETD to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "ETD connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client ID",
+ "placeholder": "Client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client Secret",
+ "placeholder": "Client Secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Authorization server URL (UAA server)",
+ "placeholder": "https://your-tenant.authentication.region.hana.ondemand.com/oauth/token",
+ "type": "text",
+ "name": "authServerUrl"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "ETD data retrieval API URL",
+ "placeholder": "https://your-etd-cloud-data-retrieval-service.cfapps.region.hana.ondemand.com",
+ "type": "text",
+ "name": "etdHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "ETD accounts",
+ "description": "Each row represents a connected ETD account",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Data retrieval endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION_CLOUD_EDITION"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "SAP-ETD-DCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "streamDeclarations": {
+ "Custom-SAPETDAlerts_CL": {
+ "columns": [
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "AlertId",
+ "type": "int"
+ },
+ {
+ "name": "PatternName",
+ "type": "string"
+ },
+ {
+ "name": "PatternDescription",
+ "type": "string"
+ },
+ {
+ "name": "Status",
+ "type": "string"
+ },
+ {
+ "name": "CreationTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MinTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MaxTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "Score",
+ "type": "int"
+ },
+ {
+ "name": "Threshold",
+ "type": "int"
+ },
+ {
+ "name": "Measure",
+ "type": "int"
+ },
+ {
+ "name": "TriggeringEvents",
+ "type": "dynamic"
+ }
+ ]
+ }
+ },
+ "dataSources": "[variables('TemplateEmptyObject')]",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-SAPETDAlerts_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "transformKql": "source| extend TimeGenerated = now()",
+ "outputStream": "Custom-SAPETDAlerts_CL"
+ }
+ ],
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]"
+ }
+ },
+ {
+ "name": "SAPETDAlerts_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "schema": {
+ "name": "SAPETDAlerts_CL",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "Version",
+ "type": "string"
+ },
+ {
+ "name": "AlertId",
+ "type": "int"
+ },
+ {
+ "name": "PatternName",
+ "type": "string"
+ },
+ {
+ "name": "PatternDescription",
+ "type": "string"
+ },
+ {
+ "name": "Status",
+ "type": "string"
+ },
+ {
+ "name": "CreationTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MinTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "MaxTimestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "Score",
+ "type": "int"
+ },
+ {
+ "name": "Threshold",
+ "type": "int"
+ },
+ {
+ "name": "Measure",
+ "type": "int"
+ },
+ {
+ "name": "TriggeringEvents",
+ "type": "dynamic"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "SAP Enterprise Threat Detection, cloud edition",
+ "logo": "SapLogo.svg",
+ "id": "SAPETDAlerts",
+ "publisher": "SAP",
+ "descriptionMarkdown": "The SAP ETD data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.",
+ "graphQueriesTableName": "SAPETDAlerts_CL",
+ "graphQueries": [
+ {
+ "metricName": "Total events received",
+ "legend": "ETD Events",
+ "baseQuery": "{{graphQueriesTableName}}"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Get Sample of ETD Events",
+ "query": "{{graphQueriesTableName}}\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "{{graphQueriesTableName}}",
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Client Id and Client Secret for ETD Retrieval API",
+ "description": "Enable API access in ETD."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+ },
+ {
+ "description": "Connect using OAuth client credentials",
+ "title": "Connect events from SAP ETD to Microsoft Sentinel",
+ "instructions": [
+ {
+ "type": "ContextPane",
+ "parameters": {
+ "contextPaneType": "DataConnectorsContextPane",
+ "label": "Add account",
+ "isPrimary": true,
+ "title": "ETD connection",
+ "instructionSteps": [
+ {
+ "title": "Account Details",
+ "instructions": [
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client ID",
+ "placeholder": "Client ID",
+ "type": "text",
+ "name": "clientId"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "SAP ETD Client Secret",
+ "placeholder": "Client Secret",
+ "type": "password",
+ "name": "clientSecret"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Authorization server URL (UAA server)",
+ "placeholder": "https://your-tenant.authentication.region.hana.ondemand.com/oauth/token",
+ "type": "text",
+ "name": "authServerUrl"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "ETD data retrieval API URL",
+ "placeholder": "https://your-etd-cloud-data-retrieval-service.cfapps.region.hana.ondemand.com",
+ "type": "text",
+ "name": "etdHost"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "ETD accounts",
+ "description": "Each row represents a connected ETD account",
+ "instructions": [
+ {
+ "type": "DataConnectorsGrid",
+ "parameters": {
+ "mapping": [
+ {
+ "columnName": "Data retrieval endpoint",
+ "columnValue": "properties.request.apiEndpoint"
+ }
+ ],
+ "menuItems": [
+ "DeleteConnector"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION_CLOUD_EDITION"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "displayName": "SAP ETD",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "connectorDefinitionName": {
+ "defaultValue": "SAP ETD",
+ "type": "string",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "clientId": {
+ "defaultValue": "clientId",
+ "type": "string",
+ "minLength": 1
+ },
+ "clientSecret": {
+ "defaultValue": "clientSecret",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "authServerUrl": {
+ "defaultValue": "authServerUrl",
+ "type": "string",
+ "minLength": 1
+ },
+ "etdHost": {
+ "defaultValue": "etdHost",
+ "type": "string",
+ "minLength": 1
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "string"
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]",
+ "connectorName": "[[concat('ETD_', guid(parameters('etdHost')))]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections1')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "SAP"
+ },
+ "support": {
+ "name": "SAP",
+ "tier": "Partner",
+ "link": "https://help.sap.com/docs/SAP_ENTERPRISE_THREAT_DETECTION_CLOUD_EDITION"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/',variables('connectorName'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "SAPETDAlerts",
+ "dcrConfig": {
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]",
+ "streamName": "Custom-SAPETDAlerts_CL"
+ },
+ "dataType": "SAPETDAlerts_CL",
+ "addOnAttributes": {
+ "SubaccountName": "[[parameters('etdHost')]"
+ },
+ "auth": {
+ "type": "OAuth2",
+ "ClientSecret": "[[parameters('ClientSecret')]",
+ "ClientId": "[[parameters('ClientId')]",
+ "GrantType": "client_credentials",
+ "TokenEndpoint": "[[concat(replace(parameters('authServerUrl'), '/oauth/token', ''), '/oauth/token?grant_type=client_credentials')]",
+ "TokenEndpointHeaders": {
+ "Content-Type": "application/x-www-form-urlencoded"
+ }
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('etdHost'), '/alerts/v1/Alerts')]",
+ "queryWindowInMin": 10,
+ "httpMethod": "Get",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "queryParameters": {
+ "$expand": "TriggeringEvents",
+ "$filter": "CreationTimestamp gt {_QueryWindowStartTime} and CreationTimestamp le {_QueryWindowEndTime}"
+ },
+ "headers": {
+ "Accept": "application/json",
+ "User-Agent": "Scuba"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.value"
+ ]
+ },
+ "paging": {
+ "pagingType": "LinkHeader",
+ "linkHeaderTokenJsonPath": "$.['@odata.nextLink']"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "version": "[variables('dataConnectorCCPVersion')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "SAP ETD",
+ "publisherDisplayName": "SAP SE",
+ "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection alerts into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.
\nData Connectors: 1, Analytic Rules: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "