What Changed

The SAP ETD Cloud solution adds a new Investigations data connector that ingests investigation data from the SAP Enterprise Threat Detection (ETD) cloud edition alongside the existing alerts data. With investigations in the workspace, SOC teams can track an investigation from creation to completion, correlate it with the alerts it groups, and use investigation history in threat hunting.

Data Source

The new connector ingests investigation records from SAP ETD's /investigations/v1/Investigations API endpoint, including investigation status, severity, actions taken, the users and systems involved, and the alerts assigned to each investigation. This extends visibility beyond individual alerts to the complete investigation workflow.

Ingestion Mechanism

The connector is built on the Codeless Connector Framework (CCF) and authenticates to SAP ETD with the OAuth2 client credentials grant. Data lands in the SAPETDInvestigations_CL table through a consolidated Data Collection Rule (DCR) that declares both the alerts and the investigations streams. Because the client secret is a long-lived credential, the OAuth2 client registered in SAP ETD for this connector should be limited to read access on the alerts and investigations APIs.

Detection Surface Unlocked

Investigation completion tracking becomes visible: SOC teams can monitor investigation lifecycles, identify recurring investigation patterns, and correlate completed investigations with ongoing threats. High-severity completed investigations can now be surfaced automatically for review with a scheduled query over SAPETDInvestigations_CL.
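The following is an added example, not code from the SAP ETD Cloud solution or from the CCF connector itself. It emulates the two steps described under Ingestion Mechanism and Detection Surface Unlocked: obtaining a token with the OAuth2 client credentials grant, paging through /investigations/v1/Investigations with that token, and then triaging the result for high-severity completed investigations. The host name, token endpoint path, the $top/$skip paging parameters, the JSON field names (Id, Status, Severity, Users, Systems, Alerts), the severity ordering and the sample responses are all assumptions made for the example; the HTTP transport is injected so the example runs offline against constructed data.

```python
"""Emulation of the investigations fetch: OAuth2 client-credentials token,
paged GET of /investigations/v1/Investigations, then triage of high-severity
completed investigations. Added example, not code from the SAP ETD Cloud solution.
Endpoint URLs, field names, paging parameters and the sample data are assumptions."""
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical host and token endpoint (assumptions; the page gives only the API path).
BASE_URL = "https://etd.example.com"
TOKEN_URL = BASE_URL + "/oauth/token"
INVESTIGATIONS_PATH = "/investigations/v1/Investigations"

# A transport is (method, url, headers, body) -> (http_status, response_body).
# Injecting it keeps the example offline; a real run would wrap urllib or requests.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]

# Assumed ordering of the Severity field.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}


def get_client_credentials_token(transport: Transport, client_id: str, client_secret: str) -> str:
    """RFC 6749 section 4.4: POST grant_type=client_credentials, client authenticated via HTTP Basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = urlencode({"grant_type": "client_credentials"}).encode()
    status, body = transport("POST", TOKEN_URL, headers, form)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type; a bearer token is expected")
    return token["access_token"]


def fetch_investigations(transport: Transport, token: str, page_size: int = 2) -> List[Dict]:
    """Page through the endpoint with $top/$skip (OData-style paging is an assumption)."""
    items: List[Dict] = []
    skip = 0
    while True:
        url = f"{BASE_URL}{INVESTIGATIONS_PATH}?{urlencode({'$top': page_size, '$skip': skip})}"
        headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
        status, body = transport("GET", url, headers, None)
        if status == 401:
            raise PermissionError("bearer token rejected; repeat the token request")
        if status != 200:
            raise RuntimeError(f"investigations request failed with HTTP {status}")
        page = json.loads(body).get("value", [])
        items.extend(page)
        if len(page) < page_size:  # a short page is the last page
            return items
        skip += page_size


def high_severity_completed(investigations: List[Dict], min_severity: str = "High") -> List[str]:
    """Triage the new table enables: completed investigations at or above min_severity,
    highest severity first, then by Id. Returns the investigation Ids."""
    threshold = SEVERITY_RANK[min_severity]
    hits = [inv for inv in investigations
            if inv.get("Status") == "Completed"
            and SEVERITY_RANK.get(inv.get("Severity", ""), 0) >= threshold]
    hits.sort(key=lambda inv: (-SEVERITY_RANK[inv["Severity"]], inv["Id"]))
    return [inv["Id"] for inv in hits]


def run_pipeline(transport: Transport, client_id: str, client_secret: str) -> List[str]:
    """Token request, paged fetch, triage: the end-to-end flow the connector automates."""
    token = get_client_credentials_token(transport, client_id, client_secret)
    return high_severity_completed(fetch_investigations(transport, token))


# Constructed sample data and an in-memory transport (not real SAP ETD output).
SAMPLE_INVESTIGATIONS = [
    {"Id": "INV-1001", "Status": "Completed", "Severity": "High", "Users": ["DDIC"], "Systems": ["PRD"], "Alerts": 3},
    {"Id": "INV-1002", "Status": "Completed", "Severity": "Low", "Users": ["JDOE"], "Systems": ["DEV"], "Alerts": 1},
    {"Id": "INV-1003", "Status": "Completed", "Severity": "Very High", "Users": ["SAP*"], "Systems": ["PRD"], "Alerts": 7},
    {"Id": "INV-1004", "Status": "In Process", "Severity": "Very High", "Users": ["ADMIN"], "Systems": ["PRD"], "Alerts": 2},
    {"Id": "INV-1005", "Status": "Completed", "Severity": "High", "Users": ["BATCH"], "Systems": ["QAS"], "Alerts": 4},
]
VALID_BASIC = "Basic " + base64.b64encode(b"sentinel-ccf:s3cr3t").decode()


def constructed_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Answers the two requests the connector makes; rejects bad client credentials and bad tokens."""
    if method == "POST" and url == TOKEN_URL:
        if headers.get("Authorization") != VALID_BASIC or b"grant_type=client_credentials" not in (body or b""):
            return 401, b'{"error": "invalid_client"}'
        return 200, json.dumps({"access_token": "tok-123", "token_type": "Bearer", "expires_in": 3600}).encode()
    parsed = urlparse(url)
    if method == "GET" and parsed.path == INVESTIGATIONS_PATH:
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, b""
        qs = parse_qs(parsed.query)
        top, skip = int(qs["$top"][0]), int(qs["$skip"][0])
        return 200, json.dumps({"value": SAMPLE_INVESTIGATIONS[skip:skip + top]}).encode()
    return 404, b""


if __name__ == "__main__":
    print(run_pipeline(constructed_transport, "sentinel-ccf", "s3cr3t"))
```

Running the block prints the three completed investigations at High or above, highest severity first; INV-1004 is excluded because it is still in process despite its Very High severity. The same filter, expressed as a scheduled query over SAPETDInvestigations_CL, is the review rule the new table makes possible.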

Affected Files

Solutions/SAP ETD Cloud/Data Connectors/SAPETD_INVESTIGATIONS_CCP/ (new investigations connector), Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json (consolidated DCR); (packaging artefacts updated: mainTemplate.json, createUiDefinition.json, etc.)