Microsoft Sentinel Analytic Rules

BTP - Cloud Identity Service application configuration monitor

Id: 3f8a2c5e-7b9d-4e1a-8f6c-2d4b9a1e3c7f
Rulename: BTP - Cloud Identity Service application configuration monitor
Description: Identifies CRUD operations on Application (SSO Domain/Service Provider) configurations within SAP Cloud Identity Service. This includes both SAML 2.0 and OpenID Connect applications. Unauthorized application creation could indicate an attacker establishing persistent access through a rogue federated application.
Severity: Medium
Tactics: CredentialAccess, PrivilegeEscalation
Techniques: T1606, T1556, T1134
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Identity Service application configuration monitor.yaml
Version: 1.0.0
Arm template: 3f8a2c5e-7b9d-4e1a-8f6c-2d4b9a1e3c7f.json
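// Detection: successful create/update/delete of application (SSO Domain / Service Provider)
// configurations in SAP Cloud Identity Service.
// The audit details arrive in Message.data as one string of key="value" pairs, so each
// field is pulled out with a regex rather than parsed as structured JSON.
SAPBTPAuditLog_CL
| extend data_s = tostring(Message.data)
| extend
    action = extract(@"action=""([^""]+)""", 1, data_s),
    state = extract(@"state=""([^""]+)""", 1, data_s),
    objectType = extract(@"objectType=""([^""]+)""", 1, data_s),
    serviceProviderName = extract(@"serviceProviderName=""([^""]+)""", 1, data_s),
    ipAddress = extract(@"ipAddress=""([^""]+)""", 1, data_s),
    // Nested payload object; its "type" attribute carries the federation type
    // (presumably SAML / OpenID Connect per the rule description - confirm against live data)
    payloadJson = extract(@"\{""payload"":\{([^}]+)\}\}", 1, data_s)
| extend federationType = extract(@"""type"":""([^""]+)""", 1, payloadJson)
// Only completed operations on application objects are in scope; failed attempts are
// filtered out here and do not raise this alert.
| where objectType == "ssoDomain"
| where state == "successful"
| where action in ("create", "update", "delete")
// federationType is omitted for deletes: the payload is not present on a delete record.
// The final branch is defensive only - the action filter above makes it unreachable.
| extend MessageText = case(
    action == "create", strcat("Application '", serviceProviderName, "' (", federationType, ") was created"),
    action == "update", strcat("Application '", serviceProviderName, "' (", federationType, ") was updated"),
    action == "delete", strcat("Application '", serviceProviderName, "' was deleted"),
    "Unclassified operation on application"
)
| project
    UpdatedOn,
    UserName,
    MessageText,
    ServiceProviderName = serviceProviderName,
    FederationType = federationType,
    Action = action,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Identity Service"
// split() returns a dynamic array; cast the parts to string so the Account entity
// mapping (Name / UPNSuffix) receives plain string columns. A UserName without "@"
// yields an empty UPNSuffix rather than a dynamic null.
| extend
    AccountName = tostring(split(UserName, "@")[0]),
    UPNSuffix = tostring(split(UserName, "@")[1])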
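# Scheduled analytic rule: runs every 15m over the preceding 15m of SAPBTPAuditLog_CL.
kind: Scheduled
queryFrequency: 15m
description: |
  Identifies CRUD operations on Application (SSO Domain/Service Provider) configurations
  within SAP Cloud Identity Service. This includes both SAML 2.0 and OpenID Connect applications.
  Unauthorized application creation could indicate an attacker establishing persistent access
  through a rogue federated application.
version: 1.0.0
# All rows returned by one run are grouped into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
# The audit details arrive in Message.data as one string of key="value" pairs, so the
# query extracts each field with a regex rather than parsing structured JSON.
query: |
  SAPBTPAuditLog_CL
  | extend data_s = tostring(Message.data)
  | extend
      action = extract(@"action=""([^""]+)""", 1, data_s),
      state = extract(@"state=""([^""]+)""", 1, data_s),
      objectType = extract(@"objectType=""([^""]+)""", 1, data_s),
      serviceProviderName = extract(@"serviceProviderName=""([^""]+)""", 1, data_s),
      ipAddress = extract(@"ipAddress=""([^""]+)""", 1, data_s),
      // Nested payload object; its "type" attribute carries the federation type
      payloadJson = extract(@"\{""payload"":\{([^}]+)\}\}", 1, data_s)
  | extend federationType = extract(@"""type"":""([^""]+)""", 1, payloadJson)
  // Only completed operations on application objects are in scope; failed attempts
  // are filtered out here and do not raise this alert.
  | where objectType == "ssoDomain"
  | where state == "successful"
  | where action in ("create", "update", "delete")
  // The final case() branch is defensive only - the action filter above makes it unreachable.
  | extend MessageText = case(
      action == "create", strcat("Application '", serviceProviderName, "' (", federationType, ") was created"),
      action == "update", strcat("Application '", serviceProviderName, "' (", federationType, ") was updated"),
      action == "delete", strcat("Application '", serviceProviderName, "' was deleted"),
      "Unclassified operation on application"
  )
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ServiceProviderName = serviceProviderName,
      FederationType = federationType,
      Action = action,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Identity Service"
  // split() returns a dynamic array; cast to string so the Account entity mapping
  // (Name / UPNSuffix) receives plain string columns.
  | extend
      AccountName = tostring(split(UserName, "@")[0]),
      UPNSuffix = tostring(split(UserName, "@")[1])
# Values are column names produced by the query above.
customDetails:
  ServiceProviderName: ServiceProviderName
  SourceIP: ipAddress
  Action: Action
  FederationType: FederationType
# alertDescriptionFormat stays double-quoted on purpose: the value contains \n escapes and a
# whitespace-only line that a block scalar would not reproduce byte-for-byte.
alertDetailsOverride:
  alertDescriptionFormat: "{{MessageText}} by {{UserName}}. Identity provider name: {{ServiceProviderName}}\n    \nThis could indicate:\n- Legitimate administrative change to federated applications\n- Unauthorized application registration for persistent access\n- Rogue SAML/OIDC application added by attacker\n"
  alertDisplayNameFormat: 'SAP Cloud Identity Service: {{MessageText}}'
severity: Medium
# AccountName, UPNSuffix, ipAddress and CloudApp are emitted by the query's final project/extend.
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ipAddress
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
# Together with triggerOperator: gt, the rule fires whenever the query returns at least one row.
triggerThreshold: 0
id: 3f8a2c5e-7b9d-4e1a-8f6c-2d4b9a1e3c7f
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Identity Service application configuration monitor.yaml
name: BTP - Cloud Identity Service application configuration monitor
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
relevantTechniques:
- T1606
- T1556
- T1134
triggerOperator: gt
tactics:
- CredentialAccess
- PrivilegeEscalation
# NOTE(review): queryPeriod equals queryFrequency, so the lookback windows tile exactly; a record
# that lands in the workspace with ingestion delay may fall outside every window. Consider a
# lookback wider than the frequency if the connector shows latency - confirm against ingestion data.
queryPeriod: 15m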