Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BTP - User added to sensitive privileged role collection

BTP - User added to sensitive privileged role collection

Back
Id5acbe4cb-a379-4acc-9ad3-28dc48ad33d3
RulenameBTP - User added to sensitive privileged role collection
DescriptionIdentifies identity management actions whereby a user is added to a set of monitored privileged role collections.
SeverityLow
TacticsLateralMovement
PrivilegeEscalation
TechniquesT0859
T1078
Required data connectorsSAPBTPAuditEvents
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - User added to sensitive privileged role collection.yaml
Version3.0.5
Arm template5acbe4cb-a379-4acc-9ad3-28dc48ad33d3.json
Deploy To Azure
let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
SAPBTPAuditLog_CL
| where Message.object has "xs_rolecollection2user"
| extend ObjectId = parse_json((Message.object).id)
| where ObjectId.crudType == "CREATE"
| extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
| where RoleCollection in (monitored_rolecollections)
| project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

name: BTP - User added to sensitive privileged role collection
id: 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3
description: Identifies identity management actions whereby a user is added to a set of monitored privileged role collections.
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
version: 3.0.5
triggerOperator: gt
query: |
  let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
  SAPBTPAuditLog_CL
  | where Message.object has "xs_rolecollection2user"
  | extend ObjectId = parse_json((Message.object).id)
  | where ObjectId.crudType == "CREATE"
  | extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
  | where RoleCollection in (monitored_rolecollections)
  | project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
tactics:
- LateralMovement
- PrivilegeEscalation
kind: Scheduled
queryFrequency: 15m
severity: Low
queryPeriod: 15m
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - User added to sensitive privileged role collection.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T0859
- T1078