BTP - Mass user deletion in a sub account
Id | 6f1e58bd-cd95-4dfb-8883-94207f30929a |
Rulename | BTP - Mass user deletion in a sub account |
Description | Identifies user account deletion activity where the number of deleted users exceeds a predefined threshold. |
Severity | Medium |
Tactics | Impact |
Techniques | T1531 T1485 T1489 T0813 T0826 T0827 |
Required data connectors | SAPBTPAuditEvents |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in a sub account.yaml |
Version | 3.0.5 |
Arm template | 6f1e58bd-cd95-4dfb-8883-94207f30929a.json |
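// BTP - Mass user deletion in a sub account.
// Flags an actor (UserName) that deleted more than bulk_delete_threshold distinct
// SCIM users within one Tenant/SpaceId during the query window.
// NOTE(review): the window is the rule's 1h queryPeriod, so a deletion burst that
// straddles an hour boundary is split across two runs and may stay under the threshold.
let bulk_delete_threshold = 10;
// Upper bound on the user names carried in the alert; keeps the payload bounded.
let max_listed_users = 100;
SAPBTPAuditLog_CL
// Keep only SCIM user DELETE events. `has` is a case-insensitive whole-term match.
| where isnotnull(Message.object)
| where Message.object has "scim user" and Message.object has "DELETE"
// One row per entry of Message.attributes; only the `old` value is used below.
| mv-expand Attributes = Message.attributes
| where isnotempty(Attributes.old)
// `old` is handled as a JSON document serialised into a string: tostring then parse_json.
| extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
| where isnotempty(DeletedUserName)
| summarize
    Start = min(UpdatedOn),
    End = max(UpdatedOn),
    // Deduplicated list of deleted user names, truncated at max_listed_users.
    DeletedUsers = make_set(DeletedUserName, max_listed_users),
    // Exact number of deletion events, not subject to the list cap above, so an
    // analyst can see the true scale when more than max_listed_users were removed.
    DeletionEvents = count()
    by UserName, Tenant, SpaceId
// The trigger still compares the (capped) list length; the cap cannot mask a hit
// as long as bulk_delete_threshold < max_listed_users.
| where array_length(DeletedUsers) > bulk_delete_threshold
| project Start, End, UserName, DeletedUsers, DeletionEvents, Tenant, SpaceId, CloudApp = "SAP BTP"
// Split the actor's UPN for the Account entity mapping; UPNSuffix is null/empty
// when UserName contains no '@'.
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]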
queryPeriod: 1h
id: 6f1e58bd-cd95-4dfb-8883-94207f30929a
relevantTechniques:
- T1531
- T1485
- T1489
- T0813
- T0826
- T0827
triggerOperator: gt
entityMappings:
- fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: CloudApp
identifier: Name
entityType: CloudApplication
query: |
let bulk_delete_threshold = 10;
SAPBTPAuditLog_CL
| where isnotnull(Message.object)
| where Message.object has "scim user" and Message.object has "DELETE"
| mv-expand Attributes = Message.attributes
| where isnotempty(Attributes.old)
| extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
| where isnotempty(DeletedUserName)
| summarize
Start = min(UpdatedOn),
End = max(UpdatedOn),
DeletedUsers = make_set(DeletedUserName, 100)
by UserName, Tenant, SpaceId
| where array_length(DeletedUsers) > bulk_delete_threshold
| project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = "SAP BTP"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in a sub account.yaml
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
- SAPBTPAuditLog_CL
connectorId: SAPBTPAuditEvents
eventGroupingSettings:
aggregationKind: SingleAlert
name: BTP - Mass user deletion in a sub account
version: 3.0.5
description: Identifies user account deletion activity where the number of deleted users exceeds a predefined threshold.
tactics:
- Impact
severity: Medium
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6f1e58bd-cd95-4dfb-8883-94207f30929a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6f1e58bd-cd95-4dfb-8883-94207f30929a')]",
"properties": {
"alertRuleTemplateName": "6f1e58bd-cd95-4dfb-8883-94207f30929a",
"customDetails": null,
"description": "Identifies user account deletion activity where the number of deleted users exceeds a predefined threshold.",
"displayName": "BTP - Mass user deletion in a sub account",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "CloudApp",
"identifier": "Name"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in a sub account.yaml",
"query": "let bulk_delete_threshold = 10;\nSAPBTPAuditLog_CL\n| where isnotnull(Message.object)\n| where Message.object has \"scim user\" and Message.object has \"DELETE\"\n| mv-expand Attributes = Message.attributes\n| where isnotempty(Attributes.old)\n| extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)\n| where isnotempty(DeletedUserName)\n| summarize\n Start = min(UpdatedOn),\n End = max(UpdatedOn),\n DeletedUsers = make_set(DeletedUserName, 100)\n by UserName, Tenant, SpaceId\n| where array_length(DeletedUsers) > bulk_delete_threshold\n| project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = \"SAP BTP\"\n| extend AccountName = split(UserName, \"@\")[0], UPNSuffix = split(UserName, \"@\")[1]\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1485",
"T1489",
"T1531"
],
"templateVersion": "3.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}