What Changed
The SAP ETD Cloud connector expanded data collection to include the Users entity, enabling extraction of UserAccountName and EmailAddresses from SAP alerts and investigations. All four analytic rules were updated with new entity mappings for Account and Mailbox correlation.
Data Fidelity Impact
Prior to this change, SAP ETD alerts in Sentinel contained only SAP-internal user identifiers without corresponding account names or email addresses. This created a correlation blind spot — security analysts could see suspicious SAP activity but could not easily link it to specific user accounts or email addresses for cross-system investigation.
The Users entity expansion now provides:
- UserAccountName extraction from the Users object for Account entity mapping
- EmailAddresses[0] extraction for Mailbox entity mapping
- Enhanced custom details including SAP_UserEmail field
Detection Logic Updates
All four detection rules now include mv-expand Users operations to surface user identity data:
- Execution of Sensitive Function Module: Maps extracted user accounts to Account/Mailbox entities
- Login from Unexpected Network: Adds user correlation alongside existing IP geolocation analysis
- Synch Alerts: Enables account-based grouping of synchronized ETD alerts
- Synch Investigations: Links investigation workflows to specific user identities
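
The expansion and field extraction described above, as an added example rather than the rule text shipped in the solution. The sample rows are constructed, and the AlertId column and the shape of each Users element (an object holding UserAccountName and an EmailAddresses array) are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for SAPETDAlerts_CL.
// AlertId and the layout of each Users element are assumptions,
// not the connector's documented schema.
let SampleAlerts = datatable(TimeGenerated: datetime, AlertId: string, Users: dynamic)
[
    datetime(2025-01-10 08:15:00), "A-1001",
        dynamic([{"UserAccountName": "JDOE", "EmailAddresses": ["jdoe@example.com"]}]),
    datetime(2025-01-10 08:20:00), "A-1002",
        dynamic([{"UserAccountName": "SVC_BATCH", "EmailAddresses": []},
                 {"UserAccountName": "ASMITH",
                  "EmailAddresses": ["asmith@example.com", "a.smith@example.org"]}])
];
SampleAlerts
// One output row per user attached to the alert.
| mv-expand User = Users
// Value for the Account entity mapping.
| extend AccountName = tostring(User.UserAccountName)
// Value for the Mailbox entity mapping: only the first address is used,
// so a.smith@example.org in the sample never reaches an entity.
| extend UserEmail = tostring(User.EmailAddresses[0])
// Users without any address yield an empty string; flag them so the
// gap in Mailbox coverage is visible instead of silent.
| extend HasMailbox = isnotempty(UserEmail)
| project TimeGenerated, AlertId, AccountName, UserEmail, HasMailbox
```

Alert A-1002 expands into two rows, so any rule that counts alerts after the expansion should count distinct alert identifiers rather than rows.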
Technical Implementation
The DCR configuration adds the Users column with the dynamic type, and the polling configuration extends the OData query to expand Users. The change maintains backward compatibility while adding user identity data to the schema for correlation.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/SAPETDAlerts_CL.json
Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-ExecutionofSensitiveFunctionModule.yaml
Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-LoginFromUnexpectedNetwork.yaml
Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchAlerts.yaml
Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SynchInvestigations.yaml
Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_DCR.json
Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_PollerConfig.json
Solutions/SAP ETD Cloud/Data Connectors/SAPETD_PUSH_CCP/SAPETD_table.json
(packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_SAPETD.json, createUiDefinition.json, mainTemplate.json)