Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BTP - Malware detected in BAS dev space

BTP - Malware detected in BAS dev space

Back
Id31997e9a-7447-47f3-8208-4f5d7efe497c
RulenameBTP - Malware detected in BAS dev space
DescriptionIdentifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
SeverityMedium
TacticsResourceDevelopment
Execution
Persistence
TechniquesT1584
T1072
T0873
Required data connectorsSAPBTPAuditEvents
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml
Version3.0.7
Arm template31997e9a-7447-47f3-8208-4f5d7efe497c.json
Deploy To Azure
SAPBTPAuditLog_CL
| where Message has "malware"
| extend MessageData = parse_json(tostring(Message.data))
| extend
    ClusterID = tostring(MessageData.clusterID),
    WorkspaceID = tostring(MessageData.wsID),
    Message = tostring(MessageData.message)
| parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
| extend
    AccountName = tostring(split(User, '@')[0]),
    UPNSuffix = tostring(split(User, '@')[1])
| project
    UpdatedOn,
    ClusterID,
    WorkspaceID,
    Message,
    User,
    Malware,
    Tenant,
    SpaceId,
    Category,
    CloudApp = "SAP BTP",
    AccountName,
    UPNSuffix

id: 31997e9a-7447-47f3-8208-4f5d7efe497c
severity: Medium
queryFrequency: 15m
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: SingleAlert
description: Identifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
version: 3.0.7
query: |
  SAPBTPAuditLog_CL
  | where Message has "malware"
  | extend MessageData = parse_json(tostring(Message.data))
  | extend
      ClusterID = tostring(MessageData.clusterID),
      WorkspaceID = tostring(MessageData.wsID),
      Message = tostring(MessageData.message)
  | parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
  | extend
      AccountName = tostring(split(User, '@')[0]),
      UPNSuffix = tostring(split(User, '@')[1])
  | project
      UpdatedOn,
      ClusterID,
      WorkspaceID,
      Message,
      User,
      Malware,
      Tenant,
      SpaceId,
      Category,
      CloudApp = "SAP BTP",
      AccountName,
      UPNSuffix  
name: BTP - Malware detected in BAS dev space
queryPeriod: 15m
triggerOperator: gt
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
status: Available
tactics:
- ResourceDevelopment
- Execution
- Persistence
relevantTechniques:
- T1584
- T1072
- T0873
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: BTP - Malware detected in Business Apps Studio dev space
  alertDescriptionFormat: 'Malware was found in the following subaccount: {{Tenant}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudApp
    identifier: Name
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: Malware
  fieldMappings:
  - columnName: Malware
    identifier: Name