Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BTP - User added to sensitive privileged role collection

BTP - User added to sensitive privileged role collection

Back
Id5acbe4cb-a379-4acc-9ad3-28dc48ad33d3
RulenameBTP - User added to sensitive privileged role collection
DescriptionIdentifies identity management actions whereby a user is added to a set of monitored privileged role collections.
SeverityLow
TacticsLateralMovement
PrivilegeEscalation
TechniquesT0859
T1078
Required data connectorsSAPBTPAuditEvents
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - User added to sensitive privileged role collection.yaml
Version3.0.5
Arm template5acbe4cb-a379-4acc-9ad3-28dc48ad33d3.json
Deploy To Azure
let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
SAPBTPAuditLog_CL
| where Message.object has "xs_rolecollection2user"
| extend ObjectId = parse_json((Message.object).id)
| where ObjectId.crudType == "CREATE"
| extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
| where RoleCollection in (monitored_rolecollections)
| project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

queryPeriod: 15m
query: |
  let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
  SAPBTPAuditLog_CL
  | where Message.object has "xs_rolecollection2user"
  | extend ObjectId = parse_json((Message.object).id)
  | where ObjectId.crudType == "CREATE"
  | extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
  | where RoleCollection in (monitored_rolecollections)
  | project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
version: 3.0.5
name: BTP - User added to sensitive privileged role collection
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - User added to sensitive privileged role collection.yaml
description: Identifies identity management actions whereby a user is added to a set of monitored privileged role collections.
kind: Scheduled
status: Available
severity: Low
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
triggerOperator: gt
triggerThreshold: 0
tactics:
- LateralMovement
- PrivilegeEscalation
id: 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3
relevantTechniques:
- T0859
- T1078