What Changed

Added two new analytic rules to detect telemetry tampering scenarios where attackers manipulate SAP ETD data flow to hide malicious activity.

Detection Logic

SAPETD-NoNewDataReceived: The primary data source is SAPETDAlerts_CL with a 1-hour silence threshold. The core logic detects a complete feed blackout by counting the records in the lookback window and raising an alert when that count is zero.
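The following query is an added illustration of the feed-blackout logic described above; it is not the query shipped in SAPETD-NoNewDataReceived.yaml. It assumes only what the description states: the SAPETDAlerts_CL table and a 1-hour threshold.

```kql
// Added example, not the PR's own rule query.
// Detect a complete SAP ETD feed blackout: zero rows ingested into
// SAPETDAlerts_CL during the silence threshold window (1 h per the rule).
let silence_threshold = 1h;
SAPETDAlerts_CL
| where TimeGenerated > ago(silence_threshold)
// `count` returns exactly one row even when its input is empty, so an
// empty window yields Count == 0 rather than no result at all; that is
// what lets the scheduled rule fire on "nothing arrived".
| count
| where Count == 0
// Carry the feed name and the check time so the alert has something to
// map to the CloudApplication entity and to show in the incident.
| extend FeedTable = "SAPETDAlerts_CL", CheckedAt = now()
```

For this to behave as a blackout detector the scheduled rule has to run at least as often as the threshold (every hour or more often) with a query period of at least one hour; a longer schedule than the threshold leaves gaps in which a silence can go unnoticed, and ingestion latency on the custom log table should be allowed for when choosing the threshold, or a healthy connector will trip the rule during normal delays.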

SAPETD-SystemStoppedReporting: Uses a 7-day baseline to establish the expected set of SAP systems (SIDs), then detects per-system silence exceeding a 2-hour grace period. The SystemId is extracted from NormalizedTriggeringEvents.SystemIdActor by regex pattern matching.
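As an added example of the baseline-versus-recent comparison described above (not the query in SAPETD-SystemStoppedReporting.yaml), the query below assumes that NormalizedTriggeringEvents is a dynamic column whose SystemIdActor field starts with a three-character SAP SID; the regex used here is a placeholder for the pattern the real rule applies.

```kql
// Added example, not the PR's own rule query.
// Per-system silence: a SID seen in the 7-day baseline that has produced
// no alert rows for longer than the 2-hour grace period.
let baseline_window = 7d;
let grace_period = 2h;
// ASSUMED pattern: leading three-character SID. Replace with the pattern
// that matches the SystemIdActor format in your tenant.
let sid_pattern = @"^([A-Z0-9]{3})";
let with_sid = SAPETDAlerts_CL
    | extend SystemId = extract(sid_pattern, 1,
                                tostring(NormalizedTriggeringEvents.SystemIdActor))
    | where isnotempty(SystemId);
// Expected systems: anything that reported during the baseline but before
// the grace period began, so a SID first seen in the last 2 h is not
// treated as "expected" and cannot produce a spurious silence alert.
let expected_systems = with_sid
    | where TimeGenerated between (ago(baseline_window) .. ago(grace_period))
    | summarize LastSeenInBaseline = max(TimeGenerated) by SystemId;
// Recent systems: anything that reported at least once inside the grace period.
let recent_systems = with_sid
    | where TimeGenerated > ago(grace_period)
    | distinct SystemId;
// leftanti keeps baseline SIDs with no matching recent row: the silent ones.
expected_systems
| join kind=leftanti recent_systems on SystemId
| extend SilentFor = now() - LastSeenInBaseline
| project SystemId, LastSeenInBaseline, SilentFor
```

The SystemId column is what the rule would map to the Host entity for the affected system. Two triage points follow from the query shape: a result listing every baseline SID at once points to a connector or network-path failure rather than targeted silencing, and a system that was legitimately decommissioned will keep appearing until it ages out of the 7-day baseline unless it is explicitly excluded.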

Entity types mapped: CloudApplication (for feed/SID identification) and Host (for affected systems in the per-SID rule).

MITRE Mapping

Defense Evasion (T1562, T1562.006) techniques targeting Indicator Removal on Host, reflecting adversary attempts to disable security telemetry and blind SOC visibility.

Security Impact (Visibility & Fidelity)

Addresses a critical blind spot where attackers compromise SAP ETD collectors, data connectors, or network paths to hide SAP landscape activity. The dual-rule approach distinguishes between full-feed outages and targeted system silencing, enabling rapid triage of connector failures versus selective evasion attempts.

Affected Files

Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-NoNewDataReceived.yaml
Solutions/SAP ETD Cloud/Analytic Rules/SAPETD-SystemStoppedReporting.yaml
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, Solution_SAPETD.json, createUiDefinition.json, mainTemplate.json)