Merge pull request #11722 from MartinPankraz/add-sapetd

Initial SAP etd release

Author: v-atulyadav

.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json

@@ -0,0 +1,57 @@
+{
+    "Name": "SAPETDAlerts_CL",
+    "Properties": [
+      {
+        "name": "TimeGenerated",
+        "type": "datetime"
+      },
+      {
+        "name": "Version",
+        "type": "string"
+      },
+      {
+        "name": "AlertId",
+        "type": "int"
+      },
+      {
+        "name": "PatternName",
+        "type": "string"
+      },
+      {
+        "name": "PatternDescription",
+        "type": "string"
+      },
+      {
+        "name": "Status",
+        "type": "string"
+      },
+      {
+        "name": "CreationTimestamp",
+        "type": "datetime"
+      },
+      {
+        "name": "MinTimestamp",
+        "type": "datetime"
+      },
+      {
+        "name": "MaxTimestamp",
+        "type": "datetime"
+      },
+      {
+        "name": "Score",
+        "type": "int"
+      },
+      {
+        "name": "Threshold",
+        "type": "int"
+      },
+      {
+        "name": "Measure",
+        "type": "int"
+      },
+      {
+        "name": "TriggeringEvents",
+        "type": "dynamic"
+      }
+    ]
+}

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -1,4 +1,9 @@
 [
+  {
+    "id": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
+    "templateName": "SAPETD-LoginFromUnexpectedNetwork.yaml",
+    "validationFailReason": "The name 'Network' does not refer to any known column, table, variable or function. The name 'geo_info_from_ip_address' does not refer to any known function."
+  },
   {
     "id": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
     "templateName": "AuthenticationAttemptfromNewCountry.yaml",

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -154,6 +154,7 @@
   "SalesforceServiceCloud",
   "SAP",
   "SAPBTPAuditEvents",
+  "SAPETDAlerts",
   "SecurityEvents",
   "SemperisDSP",
   "SenservaPro",

Logos/SAPETD_cloud.svg

@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                             |
 |-------------|--------------------------------|------------------------------------------------|
-| 3.0.0       | 05-12-2024                     | Initial Solution Release                       |
-| 3.1.0       | 29-01-2025                     | Threat Intelligence Ingestion                  |
+| 3.1.0       | 18-02-2025                     | Added new **Playbooks** Custom Connector endpoint.<br/> Added new **Playbook** GT Threat List.<br/> Fixed bug in GT Enrich Incident **Playbook**.                |
+| 3.0.0       | 05-12-2024                     | Initial Solution Release.                       |

Solutions/Google Threat Intelligence/ReleaseNotes.md

@@ -0,0 +1,68 @@
+id: 5dd72ebe-03ac-43ac-851b-68cfe5106e4f
+kind: Scheduled
+name: SAP ETD - Login from unexpected network
+description: |
+  Identifies logons from an unexpected network.
+  Source Action: Logon to the backend system from an IP address which is not assigned to one of the networks.
+  networks can be maintained in the "SAP - Networks" watchlist of the Microsoft Sentinel Solution for SAP package.
+  
+  *Data Sources: SAP Enterprise Thread Detection Solution -  Alerts*
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPETDAlerts
+    dataTypes:
+      - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 2d
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  let regex_ip = @"user_ip:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";
+  let regex_user = @"user_name:(\w+)";
+  let regex_sid = @"sid:(\w{3})";
+  let regex_client = @"client:(\d{3})";
+  let regex_instance_name = @"instance_name:(\w+)";
+  let regex_instance_host = @"instance_host:([\w-]+)";
+  let SAPNetworks = _GetWatchlist('SAP - Networks');
+  SAPETDAlerts_CL
+  | mv-expand TriggeringEvents
+  | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
+  | extend Id_ = TriggeringEvents.Id
+  | extend extracted_user_ip = extract(regex_ip, 1, sapOriginalEvent)
+  | extend extracted_sap_user = extract(regex_user, 1, sapOriginalEvent)
+  | extend extracted_sid = extract(regex_sid, 1, sapOriginalEvent)
+  | extend extracted_client = extract(regex_client, 1, sapOriginalEvent)
+  | extend extracted_instance_name = extract(regex_instance_name, 1, sapOriginalEvent)
+  | extend extracted_instance_host = extract(regex_instance_host, 1, sapOriginalEvent)
+  | evaluate ipv4_lookup(SAPNetworks, extracted_user_ip, Network, return_unmatched = true)
+  | where isempty(Network)
+  | project TimeGenerated, extracted_user_ip, extracted_sap_user, extracted_sid, extracted_client, extracted_instance_name, extracted_instance_host, AlertId, PatternName, PatternDescription, Status
+  | extend GeoLocation= iff(ipv4_is_private( extracted_user_ip), dynamic({"IsPrivate": true}), geo_info_from_ip_address(extracted_user_ip))
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: AppId
+        columnName: extracted_sid
+      - identifier: InstanceName
+        columnName: extracted_instance_name
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: extracted_instance_host
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: extracted_user_ip
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
+  alertDescriptionFormat: |
+    {{PatternDescription}}
+customDetails:
+  SAP_User: extracted_sap_user
+  ETD_AlertID: AlertId
+version: 1.0.0

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml

@@ -0,0 +1,59 @@
+id: 7a830484-e349-4527-85f6-7850c468c238
+kind: Scheduled
+name: SAP ETD - Synch alerts
+description: Synch alerts coming in from SAP Enterprise Threat Detection into Microsoft Sentinel (one way)
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPETDAlerts
+    dataTypes:
+      - SAPETDAlerts_CL
+queryFrequency: 1h
+queryPeriod: 2d
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  let minThreshold= 1;
+  let minScore= 50;
+  let lookBack= 70d;
+  SAPETDAlerts_CL
+  | mv-expand TriggeringEvents
+  | extend sapOriginalEvent = tostring(TriggeringEvents.OriginalEvent)
+  | where PatternName <> "Logon from external with SAP standard users"
+  | summarize arg_max(TimeGenerated, *) by AlertId
+  | where Threshold >= minThreshold and Score >= minScore
+  | extend NewEvent= split(sapOriginalEvent, "\n")
+  | mv-expand NewEvent to typeof(string)
+  | parse NewEvent with Key: string ":" Value: string
+  | extend Value= iff(isempty(Key) and isnotempty(NewEvent), NewEvent, Value), Key= iff(isempty(Key) and isnotempty(NewEvent), TriggeringEvents.EventLogType, Key)
+  | extend KV= bag_pack(Key, Value)
+  | summarize KeyValues= make_bag(KV), take_any(CreationTimestamp, MinTimestamp, MaxTimestamp, TriggeringEvents.EventLogType, Measure, PatternDescription, PatternName, Status, Threshold, TriggeringEvents.OriginalEvent) by AlertId
+  | extend SystemId= KeyValues.sid, ClienId= KeyValues.client, Host= KeyValues.instance_host, Instance= KeyValues.instance_name, User= KeyValues.user_name, IP= KeyValues.user_ip
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: SystemId
+      - identifier: AppId
+        columnName: ClienId
+      - identifier: InstanceName
+        columnName: Instance
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: Host
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IP
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
+  alertDescriptionFormat: 'Alert synched from SAP Enterprise Threat Detection, cloud edition into Microsoft Sentinel (one way). {{PatternDescription}}'
+customDetails:
+  SAP_User: User
+  ETD_AlertID: AlertId
+version: 1.0.0

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml

@@ -0,0 +1,176 @@
+{
+    "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
+    "apiVersion": "2022-09-01-preview",
+    "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+    "location": "[parameters('workspace-location')]",
+    "kind": "Customizable",
+    "properties": {
+      "connectorUiConfig": {
+        "title": "SAP Enterprise Threat Detection, cloud edition",
+        "logo": "SapLogo.svg",
+        "id": "SAPETDAlerts",
+        "publisher": "SAP",
+        "descriptionMarkdown": "The SAP Enterprise Threat Detection, cloud edition (ETD) data connector enables ingestion of security alerts from ETD into Microsoft Sentinel, supporting cross-correlation, alerting, and threat hunting.",
+        "graphQueriesTableName": "SAPETDAlerts_CL",
+        "graphQueries": [
+          {
+            "metricName": "Total events received",
+            "legend": "ETD Events",
+            "baseQuery": "{{graphQueriesTableName}}"
+          }
+        ],
+        "sampleQueries": [
+          {
+            "description": "Get Sample of ETD Events",
+            "query": "{{graphQueriesTableName}}\n | take 10"
+          }
+        ],
+        "dataTypes": [
+          {
+            "name": "{{graphQueriesTableName}}",
+            "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+          }
+        ],
+        "connectivityCriteria": [
+          {
+            "type": "HasDataConnectors"
+          }
+        ],
+        "availability": {
+          "isPreview": true
+        },
+        "permissions": {
+          "resourceProvider": [
+            {
+              "provider": "Microsoft.OperationalInsights/workspaces",
+              "permissionsDisplayText": "Read and Write permissions are required.",
+              "providerDisplayName": "Workspace",
+              "scope": "Workspace",
+              "requiredPermissions": {
+                "write": true,
+                "read": true,
+                "delete": true
+              }
+            },
+            {
+              "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+              "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)",
+              "providerDisplayName": "Keys",
+              "scope": "Workspace",
+              "requiredPermissions": {
+                "action": true
+              }
+            }
+          ],
+          "customs": [
+            {
+              "name": "Client Id and Client Secret for ETD Retrieval API",
+              "description": "Enable API access in ETD."
+            }
+          ]
+        },
+        "instructionSteps": [
+          {
+            "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+          },
+          {
+            "description": "Connect using OAuth client credentials",
+            "title": "Connect events from SAP ETD to Microsoft Sentinel",
+            "instructions": [
+              {
+                "type": "ContextPane",
+                "parameters": {
+                  "contextPaneType": "DataConnectorsContextPane",
+                  "label": "Add account",
+                  "isPrimary": true,
+                  "title": "ETD connection",
+                  "instructionSteps": [
+                    {
+                      "title": "Account Details",
+                      "instructions": [
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "SAP ETD Client ID",
+                            "placeholder": "Client ID",
+                            "type": "text",
+                            "name": "clientId"
+                          }
+                        },
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "SAP ETD Client Secret",
+                            "placeholder": "Client Secret",
+                            "type": "password",
+                            "name": "clientSecret"
+                          }
+                        },
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "Authorization server URL (UAA server)",
+                            "placeholder": "https://your-tenant.authentication.region.hana.ondemand.com/oauth/token",
+                            "type": "text",
+                            "name": "authServerUrl"
+                          }
+                        },
+                        {
+                          "type": "Textbox",
+                          "parameters": {
+                            "label": "SAP ETD data retrieval API URL",
+                            "placeholder": "https://your-etd-cloud-data-retrieval-service.cfapps.region.hana.ondemand.com",
+                            "type": "text",
+                            "name": "etdHost"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                }
+              }
+            ]
+          },
+          {
+            "title": "ETD accounts",
+            "description": "Each row represents a connected ETD account",
+            "instructions": [
+              {
+                "type": "DataConnectorsGrid",
+                "parameters": {
+                  "mapping": [
+                    {
+                      "columnName": "Data retrieval endpoint",
+                      "columnValue": "properties.request.apiEndpoint"
+                    }
+                  ],
+                  "menuItems": [
+                    "DeleteConnector"
+                  ]
+                }
+              }
+            ]
+          }
+        ],
+        "metadata": {
+            "id": "SAPSAPETD",
+            "version": "3.1.0",
+            "kind": "dataConnector",
+            "source": {
+                "kind": "solution",
+                "name": "SAP ETD Cloud for Microsoft Sentinel"
+            },
+            "author": {
+                "name": "Michael Schmitt",
+                "email": "m.schmitt@sap.com"
+            },
+            "support": {
+                "tier": "Partner",
+                "name": "SAP SE",
+                "email": "support@sap.com",
+                "link": "https://me.sap.com/"
+            }
+        }
+      }
+    }
+}