BTP - Trust and authorization Identity Provider monitor
| Id | 62357c23-ecdc-4edc-9349-8338063af1ef |
| Rulename | BTP - Trust and authorization Identity Provider monitor |
| Description | Identifies CRUD operations on Identity Provider settings within a sub account. |
| Severity | Medium |
| Tactics | CredentialAccess PrivilegeEscalation |
| Techniques | T1606 T1556 T1134 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Trust and authorization Identity Provider monitor.yaml |
| Version | 3.0.5 |
| Arm template | 62357c23-ecdc-4edc-9349-8338063af1ef.json |
// Detection query for SAP BTP Identity Provider (trust configuration) changes.
// Reads the BTP audit log, keeps only IdentityProvider objects, derives the
// CRUD verb and the provider name, and emits one row per changed attribute.
SAPBTPAuditLog_CL
// Only audit events that carry an object payload can describe a configuration change.
| where isnotnull(Message.object)
| extend Object = Message.object, Attributes = Message.attributes
// Restrict to trust-configuration objects; other object types are out of scope here.
| where Object.type == "IdentityProvider"
// The CRUD verb is carried inside a JSON-encoded object id, hence the nested parse.
| extend CrudType = tostring(parse_json(tostring(Object.id)).crudType)
// Fan out to one row per changed attribute. A single audit event can therefore
// produce several rows; the rule groups them into a single alert per run.
| mv-expand Attributes
// Human-readable summary used by the alert title/description; the final branch
// catches any verb other than CREATE/UPDATE/DELETE so the row is not dropped silently.
| extend MessageText = case(
CrudType == "CREATE",
"An identity provider was created",
CrudType == "UPDATE",
"An identity provider was updated",
CrudType == "DELETE",
"An identity provider was deleted",
"Unclassified CRUD operation encountered"
)
// Carriage returns are stripped before parsing; presumably the raw attribute
// payload contains "\r" that would otherwise break parse_json — confirm against sample data.
| extend NewAttributes = parse_json(replace_regex(tostring(Attributes.new), "\\r", ""))
| extend OldAttributes = parse_json(replace_regex(tostring(Attributes.old), "\\r", ""))
// On create/update the name lives in the new value; on delete only the old value is present.
| extend IdentityProviderName = case(
CrudType == "CREATE" or CrudType == "UPDATE",
NewAttributes.name,
CrudType == "DELETE",
OldAttributes.name,
"Unknown"
)
| project
UpdatedOn,
UserName,
MessageText,
IdentityProviderName,
Tenant,
SpaceId,
CloudApp = "SAP BTP"
// Account entity fields. When UserName contains no "@" (e.g. a non-UPN user id),
// index [1] is out of range and UPNSuffix is empty, so only AccountName is populated.
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
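# Microsoft Sentinel scheduled analytics rule.
# Alerts on create/update/delete events against SAP BTP Identity Provider
# (trust configuration) settings, sourced from the SAPBTPAuditLog_CL table.
# Indentation restored: the embedded query must be indented under "query: |"
# or the block scalar (and the nested mappings below) do not parse.
alertDetailsOverride:
  alertDescriptionFormat: '{{MessageText}} by {{UserName}}. Identity provider name: {{IdentityProviderName}}'
  alertDisplayNameFormat: 'SAP BTP: {{MessageText}}'
description: Identifies CRUD operations on Identity Provider settings within a sub account.
kind: Scheduled
tactics:
  - CredentialAccess
  - PrivilegeEscalation
requiredDataConnectors:
  - connectorId: SAPBTPAuditEvents
    dataTypes:
      - SAPBTPAuditLog_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Trust and authorization Identity Provider monitor.yaml
severity: Medium
name: BTP - Trust and authorization Identity Provider monitor
# Threshold 0 with operator "gt": any returned row raises an alert.
triggerThreshold: 0
# queryPeriod equals queryFrequency, so consecutive windows abut without overlap;
# events ingested with a delay longer than 15m may fall outside every window — confirm
# against observed ingestion latency before relying on this for completeness.
queryPeriod: 15m
query: |
  SAPBTPAuditLog_CL
  | where isnotnull(Message.object)
  | extend Object = Message.object, Attributes = Message.attributes
  | where Object.type == "IdentityProvider"
  | extend CrudType = tostring(parse_json(tostring(Object.id)).crudType)
  | mv-expand Attributes
  | extend MessageText = case(
      CrudType == "CREATE",
      "An identity provider was created",
      CrudType == "UPDATE",
      "An identity provider was updated",
      CrudType == "DELETE",
      "An identity provider was deleted",
      "Unclassified CRUD operation encountered"
    )
  | extend NewAttributes = parse_json(replace_regex(tostring(Attributes.new), "\\r", ""))
  | extend OldAttributes = parse_json(replace_regex(tostring(Attributes.old), "\\r", ""))
  | extend IdentityProviderName = case(
      CrudType == "CREATE" or CrudType == "UPDATE",
      NewAttributes.name,
      CrudType == "DELETE",
      OldAttributes.name,
      "Unknown"
    )
  | project
      UpdatedOn,
      UserName,
      MessageText,
      IdentityProviderName,
      Tenant,
      SpaceId,
      CloudApp = "SAP BTP"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
relevantTechniques:
  - T1606
  - T1556
  - T1134
id: 62357c23-ecdc-4edc-9349-8338063af1ef
queryFrequency: 15m
status: Available
version: 3.0.5
triggerOperator: gt
# The query's mv-expand yields one row per changed attribute, so one audit event
# can return several rows; SingleAlert collapses them into one alert per run.
eventGroupingSettings:
  aggregationKind: SingleAlert
# Account entity is built from the UserName split on "@"; UPNSuffix is empty for
# user ids without an "@", in which case only the Name identifier is populated.
entityMappings:
  - entityType: Account
    fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix
  - entityType: CloudApplication
    fieldMappings:
      - columnName: CloudApp
        identifier: Name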