Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BTP - Malware detected in BAS dev space

BTP - Malware detected in BAS dev space

Back
Id31997e9a-7447-47f3-8208-4f5d7efe497c
RulenameBTP - Malware detected in BAS dev space
DescriptionIdentifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
SeverityMedium
TacticsResourceDevelopment
Execution
Persistence
TechniquesT1584
T1072
T0873
Required data connectorsSAPBTPAuditEvents
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml
Version3.0.7
Arm template31997e9a-7447-47f3-8208-4f5d7efe497c.json
Deploy To Azure
SAPBTPAuditLog_CL
| where Message has "malware"
| extend MessageData = parse_json(tostring(Message.data))
| extend
    ClusterID = tostring(MessageData.clusterID),
    WorkspaceID = tostring(MessageData.wsID),
    Message = tostring(MessageData.message)
| parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
| extend
    AccountName = tostring(split(User, '@')[0]),
    UPNSuffix = tostring(split(User, '@')[1])
| project
    UpdatedOn,
    ClusterID,
    WorkspaceID,
    Message,
    User,
    Malware,
    Tenant,
    SpaceId,
    Category,
    CloudApp = "SAP BTP",
    AccountName,
    UPNSuffix

id: 31997e9a-7447-47f3-8208-4f5d7efe497c
eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
name: BTP - Malware detected in BAS dev space
version: 3.0.7
query: |
  SAPBTPAuditLog_CL
  | where Message has "malware"
  | extend MessageData = parse_json(tostring(Message.data))
  | extend
      ClusterID = tostring(MessageData.clusterID),
      WorkspaceID = tostring(MessageData.wsID),
      Message = tostring(MessageData.message)
  | parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
  | extend
      AccountName = tostring(split(User, '@')[0]),
      UPNSuffix = tostring(split(User, '@')[1])
  | project
      UpdatedOn,
      ClusterID,
      WorkspaceID,
      Message,
      User,
      Malware,
      Tenant,
      SpaceId,
      Category,
      CloudApp = "SAP BTP",
      AccountName,
      UPNSuffix  
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: Malware
  entityType: Malware
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: 'Malware was found in the following subaccount: {{Tenant}}'
  alertDisplayNameFormat: BTP - Malware detected in Business Apps Studio dev space
relevantTechniques:
- T1584
- T1072
- T0873
tactics:
- ResourceDevelopment
- Execution
- Persistence
kind: Scheduled
queryPeriod: 15m
queryFrequency: 15m
severity: Medium
triggerOperator: gt
status: Available
description: Identifies instances of malware detected using SAP internal malware agent within Business Application Studio dev spaces.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml