Azure · MartinPankraz · Jan 27, 2025 · Jan 28, 2025 · Jan 28, 2025 · Jan 28, 2025
@@ -0,0 +1,57 @@
+{
+    "Name": "SAPETDAlerts_CL",
+    "Properties": [
+      {
+        "name": "TimeGenerated",
+        "type": "datetime"
+      },
+      {
+        "name": "Version",
+        "type": "string"
+      },
+      {
+        "name": "AlertId",
+        "type": "int"
+      },
+      {
+        "name": "PatternName",
+        "type": "string"
+      },
+      {
+        "name": "PatternDescription",
+        "type": "string"
+      },
+      {
+        "name": "Status",
+        "type": "string"
+      },
+      {
+        "name": "CreationTimestamp",
+        "type": "datetime"
+      },
+      {
+        "name": "MinTimestamp",
+        "type": "datetime"
+      },
+      {
+        "name": "MaxTimestamp",
+        "type": "datetime"
+      },
+      {
+        "name": "Score",
+        "type": "int"
+      },
+      {
+        "name": "Threshold",
+        "type": "int"
+      },
+      {
+        "name": "Measure",
+        "type": "int"
+      },
+      {
+        "name": "TriggeringEvents",
+        "type": "dynamic"
+      }
+    ]
+}
@@ -154,6 +154,7 @@
   "SalesforceServiceCloud",
   "SAP",
   "SAPBTPAuditEvents",
+  "SAPETDAlerts",
   "SecurityEvents",
   "SemperisDSP",
   "SenservaPro",

@@ -0,0 +1,73 @@
+id: 7a830484-e349-4527-85f6-7850c468c238
+kind: Scheduled
+name: SAP ETD - Synch alerts
+description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPETDAlerts
+    dataTypes:
+      - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 2d
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  let minThreshold= 1;
+  let minScore= 50;
+  let lookBack= 70d;
+  SAPETDAlerts_CL
+  | mv-expand TriggeringEvents
+  | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
+  // | where CreationTimestamp > ago(lookBack)
+  | where PatternName <> "Logon from external with SAP standard users"
+  | summarize arg_max(TimeGenerated, *) by AlertId
+  | where Threshold >= minThreshold and Score >= minScore
+  | extend NewEvent= split(sapOriginalEvent, "\n")
+  | mv-expand NewEvent to typeof(string)
+  | parse NewEvent with Key: string ":" Value: string
+  | extend
+      Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value),
+      Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
+  | extend KV= bag_pack(Key, Value)
+  | summarize
+      KeyValues= make_bag(KV),
+      take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent)
+      by AlertId
+  | extend
+      SystemId= KeyValues.sid,
+      ClienId= KeyValues.client,
+      Host= KeyValues.instance_host,
+      Instance= KeyValues.instance_name,
+      User= KeyValues.user_name,
+      IP= KeyValues.user_ip
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: SystemId
+      - identifier: AppId
+        columnName: ClienId
+      - identifier: InstanceName
+        columnName: Instance
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: Host
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IP
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
+  alertDescriptionFormat: |
+    Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way).
+    {{PatternDescription}}
+customDetails:
+  SAP_User: User
+  ETD_AlertID: AlertId
+version: 1.0.0