Azure · v-atulyadav · Jun 26, 2025 · Jun 24, 2025 · Jun 24, 2025
@@ -4,6 +4,11 @@
     "templateName": "SAPETD-LoginFromUnexpectedNetwork.yaml",
     "validationFailReason": "The name 'Network' does not refer to any known column, table, variable or function. The name 'geo_info_from_ip_address' does not refer to any known function."
   },
+  {
+    "id": "c6111e06-11e2-45eb-86ef-28313a06db35",
+    "templateName": "SAPETD-ExecutionofSensitiveFunctionModule.yaml",
+    "validationFailReason": "The name 'FunctionModule' does not refer to any known column, table, variable or function."
+  },
   {
     "id": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
     "templateName": "AuthenticationAttemptfromNewCountry.yaml",

@@ -0,0 +1,72 @@
+id: c6111e06-11e2-45eb-86ef-28313a06db35
+kind: Scheduled
+name: SAP ETD - Execution of Sensitive Function Module
+description: |
+  Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP
+
+  Source Action: Execute a sensitive function module directly using SE37.
+
+  *Data Sources: SAP Enterprise Thread Detection Solution -  Alerts*
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPETDAlerts
+    dataTypes:
+      - SAPETDAlerts_CL
+queryFrequency: 5m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics: 
+  - Discovery
+relevantTechniques: []
+query: |
+  let AuditTimeAgo = 60m;
+  let minThreshold= 1;
+  let minScore= 50;
+  let SenseModules = _GetWatchlist('SAP - Sensitive Function Modules')
+  | project trimmedFunctionModule = trim(@"\s+", FunctionModule);
+  SAPETDAlerts_CL
+  | where TimeGenerated > ago(AuditTimeAgo)
+  | where Threshold >= minThreshold and Score >= minScore
+  | where PatternName == "Critical Function module call in Test framework calls"
+  | mv-expand NormalizedTriggeringEvents
+  | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents.OriginalEvent)
+  | extend Id_ = NormalizedTriggeringEvents.Id
+  | extend extracted_user_ip = tostring(NormalizedTriggeringEvents.NetworkIPAddressInitiator)
+  | extend extracted_sap_user = tostring(NormalizedTriggeringEvents.UserAccountActing)
+  | extend extracted_sid = tostring(NormalizedTriggeringEvents.SystemIdActor)
+  | extend extracted_instance_name = tostring(NormalizedTriggeringEvents.NetworkHostnameActor)
+  | extend extracted_instance_host = tostring(NormalizedTriggeringEvents.ServiceInstanceName)
+  | extend extracted_function_module = trim(@"\s+", tostring(NormalizedTriggeringEvents.ServiceFunctionName))
+  | extend extracted_system_role = tostring(NormalizedTriggeringEvents.SystemRoleReporter)
+  | where extracted_function_module in (SenseModules)
+  | extend AlertName = strcat("SAP ETD - Sensitive Function Module ", extracted_function_module," was executed by user ", extracted_sap_user, 
+  " in a ", tolower(extracted_system_role), " system"), Dummy = " "
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: AppId
+        columnName: extracted_sid
+      - identifier: InstanceName
+        columnName: extracted_instance_name
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: extracted_instance_host
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: extracted_user_ip
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP ETD - {{PatternName}} '
+  alertDescriptionFormat: |
+    {{PatternDescription}}
+
+    Source: SAP ETD
+customDetails:
+  SAP_User: extracted_sap_user
+  ETD_AlertNumber: AlertId
+version: 1.0.0
@@ -17,13 +17,16 @@ queryFrequency: 5m
 queryPeriod: 30m
 triggerOperator: gt
 triggerThreshold: 0
-tactics: []
+tactics: 
+  - Discovery
 relevantTechniques: []
 query: |
+  let AuditTimeAgo = 60m;
   let regex_sid = @"^([A-Z0-9]{3})/"; 
   let regex_client = @"/(\d{3})$";
   let SAPNetworks = _GetWatchlist('SAP - Networks');
   SAPETDAlerts_CL
+  | where TimeGenerated > ago(AuditTimeAgo)
   | where PatternName in ("Logon from external with SAP standard users","Access via unallowed IP Address")
   | mv-expand NormalizedTriggeringEvents
   | extend sapOriginalEvent = tostring(NormalizedTriggeringEvents)
@@ -63,4 +66,4 @@ alertDetailsOverride:
 customDetails:
   SAP_User: extracted_sap_user
   ETD_AlertNumber: AlertId
-version: 1.0.2
+version: 1.0.3
@@ -71,7 +71,7 @@
         },
         "instructionSteps": [
           {
-            "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+            "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount.\n\n>**TIP:** Use the [shared blog series](https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/sap-enterprise-threat-detection-cloud-edition-joins-forces-with-microsoft/ba-p/13942075) for additional info."
           },
           {
             "description": "Connect using OAuth client credentials",

@@ -71,7 +71,7 @@
         },
         "instructionSteps": [
           {
-            "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount."
+            "description": "**Step 1 - Configuration steps for the SAP ETD Audit Retrieval API**\n\nFollow the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-for-global-accounts-in-cloud-foundry-environment/). Take a note of the **url** (Audit Retrieval API URL), **uaa.url** (User Account and Authentication Server url) and the associated **uaa.clientid**.\n\n>**NOTE:** You can onboard one or more ETD subaccounts by following the steps provided by SAP [see ETD docs](https://help.sap.com/docs/ETD/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment/). Add a connection for each subaccount.\n\n>**TIP:** Use the [shared blog series](https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/sap-enterprise-threat-detection-cloud-edition-joins-forces-with-microsoft/ba-p/13942075) for additional info."
           },
           {
             "description": "Connect using OAuth client credentials",

@@ -27,7 +27,7 @@
       },
       "request": {
         "apiEndpoint": "[[concat(parameters('etdHost'), '/alerts/v1/Alerts')]",
-        "queryWindowInMin": 10,
+        "queryWindowInMin": 1,
         "httpMethod": "Get",
         "retryCount": 3,
         "timeoutInSeconds": 60,

@@ -1,7 +1,7 @@
 {
     "SolutionName":"SAP ETD Cloud",
     "SolutionAuthor": "SAP",
-    "SolutionVersion":"3.0.1",
+    "SolutionVersion":"3.0.2",
     "PackageId": "azuresentinel.azure-sentinel-solution-SAPLogServPushV1",
     "TemplateName": "SAPETDPushV1",
     "ConnectorDefinitionTemplateVersion": "1.0.0",

@@ -7,7 +7,8 @@
     "Workbooks": [],
     "Analytic Rules": [
         "Analytic Rules/SAPETD-SynchAlerts.yaml",
-        "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml"
+        "Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml",
+        "Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml"
     ],
     "Playbooks": [],
     "PlaybookDescription": [],
@@ -20,7 +21,7 @@
     "Watchlists": [],
     "WatchlistDescription": [],
     "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SAP ETD Cloud",
-    "Version": "3.0.1",
+    "Version": "3.0.2",
     "Metadata": "SolutionMetadata.json",
     "TemplateSpec": true,
     "Is1PConnector": false

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20ETD%20Cloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection alerts into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.\n\n**Data Connectors:** 1, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/SAPBTP.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP%20ETD%20Cloud/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel Solution for SAP ETD integrates SAP Enterprise Threat Detection alerts into Microsoft Sentinel, allowing SOC teams to ingest, monitor, and hunt across SAP data. This integration enhances security by enabling faster detection, investigation, and mitigation of risks within SAP environments.\n\n**Data Connectors:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -128,6 +128,20 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic3",
+            "type": "Microsoft.Common.Section",
+            "label": "SAP ETD - Execution of Sensitive Function Module",
+            "elements": [
+              {
+                "name": "analytic3-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies execution of a sensitive ABAP Function Module using the watchlists provided by the Microsoft Sentinel Solution for SAP\n\nSource Action: Execute a sensitive function module directly using SE37.\n\n*Data Sources: SAP Enterprise Thread Detection Solution -  Alerts*"
+                }
+              }
+            ]
           }
         ]
       }