Microsoft Sentinel Analytic Rules

BTP - Malware detected in BAS dev space

Id: 31997e9a-7447-47f3-8208-4f5d7efe497c
Rulename: BTP - Malware detected in BAS dev space
Description: Identifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
Severity: Medium
Tactics: ResourceDevelopment, Execution, Persistence
Techniques: T1584, T1072, T0873
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml
Version: 3.0.7
Arm template: 31997e9a-7447-47f3-8208-4f5d7efe497c.json
// Select SAP BTP audit events whose message mentions malware, lift the nested
// payload fields the rule needs, and extract the reporting user and the
// detected item from the free-text message for entity mapping.
SAPBTPAuditLog_CL
| where Message has "malware"
// Payload is nested under Message.data; parse it once and pick fields from it.
| extend MessageData = parse_json(tostring(Message.data))
| extend ClusterID = tostring(MessageData.clusterID)
| extend WorkspaceID = tostring(MessageData.wsID)
// From here on Message is the inner text, not the original dynamic envelope.
| extend Message = tostring(MessageData.message)
// Pattern-based extraction: User and Malware are left empty when the message
// text does not follow this exact layout, so downstream entities may be blank.
| parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
// Split the UPN once; both Account identifiers derive from the same parts.
| extend UserParts = split(User, '@')
| extend AccountName = tostring(UserParts[0]), UPNSuffix = tostring(UserParts[1])
// CloudApp is a constant column used by the CloudApplication entity mapping.
| project UpdatedOn, ClusterID, WorkspaceID, Message, User, Malware, Tenant, SpaceId, Category, CloudApp = "SAP BTP", AccountName, UPNSuffix
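---
# Sentinel scheduled analytic rule: the SAP BTP audit log reports a malware
# finding from the platform's internal malware agent; the query extracts the
# affected user and the detected item so they can be mapped to entities.
tactics:
- ResourceDevelopment
- Execution
- Persistence
entityMappings:
# CloudApp is a constant column emitted by the query ("SAP BTP").
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
# AccountName and UPNSuffix are derived from the `parse` step in the query;
# when the message text does not match the parsed pattern both columns are
# empty and no usable Account entity is produced.
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
# Malware comes from the same `parse` step and is empty on a pattern mismatch.
- fieldMappings:
  - identifier: Name
    columnName: Malware
  entityType: Malware
alertDetailsOverride:
  alertDisplayNameFormat: BTP - Malware detected in Business Apps Studio dev space
  # {{Tenant}} is substituted from the projected Tenant column at alert time.
  alertDescriptionFormat: 'Malware was found in the following subaccount: {{Tenant}}'
# Query text is kept as-is; only the trailing spaces after the final
# `UPNSuffix` line were removed, because a `|` block scalar keeps trailing
# whitespace as part of the value and the deployed template has none.
query: |
  SAPBTPAuditLog_CL
  | where Message has "malware"
  | extend MessageData = parse_json(tostring(Message.data))
  | extend
      ClusterID = tostring(MessageData.clusterID),
      WorkspaceID = tostring(MessageData.wsID),
      Message = tostring(MessageData.message)
  | parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
  | extend
      AccountName = tostring(split(User, '@')[0]),
      UPNSuffix = tostring(split(User, '@')[1])
  | project
      UpdatedOn,
      ClusterID,
      WorkspaceID,
      Message,
      User,
      Malware,
      Tenant,
      SpaceId,
      Category,
      CloudApp = "SAP BTP",
      AccountName,
      UPNSuffix
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
version: 3.0.7
# NOTE(review): the generated ARM template for this rule lists only T1072 and
# T1584; T0873 does not appear to be carried over into the deployed rule.
relevantTechniques:
- T1584
- T1072
- T0873
# Frequency equals period, so consecutive runs cover adjacent, non-overlapping
# 15-minute windows.
queryFrequency: 15m
queryPeriod: 15m
description: Identifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
id: 31997e9a-7447-47f3-8208-4f5d7efe497c
# Any matching row raises the alert (threshold 0 with the gt operator).
triggerThreshold: 0
severity: Medium
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml
name: BTP - Malware detected in BAS dev space
status: Available
triggerOperator: gt
# All rows from one run are grouped into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert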
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/31997e9a-7447-47f3-8208-4f5d7efe497c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/31997e9a-7447-47f3-8208-4f5d7efe497c')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Malware was found in the following subaccount: {{Tenant}}",
          "alertDisplayNameFormat": "BTP - Malware detected in Business Apps Studio dev space"
        },
        "alertRuleTemplateName": "31997e9a-7447-47f3-8208-4f5d7efe497c",
        "customDetails": null,
        "description": "Identifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.",
        "displayName": "BTP - Malware detected in BAS dev space",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudApp",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "Malware",
                "identifier": "Name"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml",
        "query": "SAPBTPAuditLog_CL\n| where Message has \"malware\"\n| extend MessageData = parse_json(tostring(Message.data))\n| extend\n    ClusterID = tostring(MessageData.clusterID),\n    WorkspaceID = tostring(MessageData.wsID),\n    Message = tostring(MessageData.message)\n| parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *\n| extend\n    AccountName = tostring(split(User, '@')[0]),\n    UPNSuffix = tostring(split(User, '@')[1])\n| project\n    UpdatedOn,\n    ClusterID,\n    WorkspaceID,\n    Message,\n    User,\n    Malware,\n    Tenant,\n    SpaceId,\n    Category,\n    CloudApp = \"SAP BTP\",\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Persistence",
          "ResourceDevelopment"
        ],
        "techniques": [
          "T1072",
          "T1584"
        ],
        "templateVersion": "3.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}