Microsoft Sentinel Analytic Rules

BTP - Mass user deletion in a sub account

Id: 6f1e58bd-cd95-4dfb-8883-94207f30929a
Rulename: BTP - Mass user deletion in a sub account
Description: Identifies user account deletion activity where the amount of deleted users exceeds a predefined threshold.
Severity: Medium
Tactics: Impact
Techniques: T1531, T1485, T1489, T0813, T0826, T0827
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in a sub account.yaml
Version: 3.0.5
Arm template: 6f1e58bd-cd95-4dfb-8883-94207f30929a.json
let bulk_delete_threshold = 10;
SAPBTPAuditLog_CL
| where isnotnull(Message.object)
| where Message.object has "scim user" and Message.object has "DELETE"
| mv-expand Attributes = Message.attributes
| where isnotempty(Attributes.old)
| extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
| where isnotempty(DeletedUserName)
| summarize
    Start = min(UpdatedOn),
    End = max(UpdatedOn),
    DeletedUsers = make_set(DeletedUserName, 100)
    by UserName, Tenant, SpaceId
| where array_length(DeletedUsers) > bulk_delete_threshold
| project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = "SAP BTP"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
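As an added illustration (not part of this page or of the Azure-Sentinel repository), the following Python script mirrors the KQL rule's stages over constructed SAPBTPAuditLog_CL-style records. The record field shapes, the sample user names and the helper functions are assumptions made for the example. It makes two behaviours of the rule visible: make_set deduplicates, so repeated deletions of the same account count once, and array_length(DeletedUsers) > bulk_delete_threshold fires only for 11 or more distinct users per UserName, Tenant and SpaceId.

```python
"""Added example: Python mirror of the 'BTP - Mass user deletion' rule logic.
Not the rule's own code; record shapes and sample values are constructed."""
import json
from datetime import datetime, timedelta

BULK_DELETE_THRESHOLD = 10   # the rule's bulk_delete_threshold
MAKE_SET_CAP = 100           # mirrors make_set(DeletedUserName, 100)


def make_event(updated_on, user_name, tenant, space_id, deleted_user,
               obj="scim user DELETE"):
    """Constructed SAPBTPAuditLog_CL-style record (field shapes are assumptions)."""
    return {
        "UpdatedOn": updated_on, "UserName": user_name,
        "Tenant": tenant, "SpaceId": space_id,
        "Message": {
            "object": obj,
            # Message.attributes is a list; each element's `old` carries the
            # pre-change state as a JSON string from which the rule reads userName.
            "attributes": [{"old": json.dumps({"userName": deleted_user})}],
        },
    }


def _has_term(text, term):
    """Approximation of KQL `has`: case-insensitive whole-term (phrase) match."""
    words, needle = text.lower().split(), term.lower().split()
    return any(words[i:i + len(needle)] == needle
               for i in range(len(words) - len(needle) + 1))


def deleted_user_names(event):
    """The rule's where / mv-expand / extend stages applied to one record."""
    message = event.get("Message") or {}
    obj = message.get("object")
    if obj is None:                                    # isnotnull(Message.object)
        return []
    if not (_has_term(obj, "scim user") and _has_term(obj, "DELETE")):
        return []
    names = []
    for attr in message.get("attributes") or []:       # mv-expand Attributes
        old = attr.get("old")
        if not old:                                    # isnotempty(Attributes.old)
            continue
        try:
            name = json.loads(old).get("userName")     # parse_json(...).userName
        except (ValueError, AttributeError):
            name = None
        if name:                                       # isnotempty(DeletedUserName)
            names.append(str(name))
    return names


def detect_bulk_deletions(events, threshold=BULK_DELETE_THRESHOLD):
    """summarize ... by UserName, Tenant, SpaceId, then apply the threshold."""
    groups = {}
    for ev in events:
        for deleted in deleted_user_names(ev):
            key = (ev["UserName"], ev["Tenant"], ev["SpaceId"])
            g = groups.setdefault(key, {"Start": ev["UpdatedOn"],
                                        "End": ev["UpdatedOn"], "DeletedUsers": []})
            g["Start"] = min(g["Start"], ev["UpdatedOn"])
            g["End"] = max(g["End"], ev["UpdatedOn"])
            # make_set deduplicates and caps the array at 100 entries
            if deleted not in g["DeletedUsers"] and len(g["DeletedUsers"]) < MAKE_SET_CAP:
                g["DeletedUsers"].append(deleted)
    alerts = []
    for (user_name, tenant, space_id), g in groups.items():
        if len(g["DeletedUsers"]) > threshold:         # strictly greater: 11+ users
            account, _, suffix = user_name.partition("@")
            alerts.append({"Start": g["Start"], "End": g["End"], "UserName": user_name,
                           "DeletedUsers": g["DeletedUsers"], "Tenant": tenant,
                           "SpaceId": space_id, "CloudApp": "SAP BTP",
                           "AccountName": account, "UPNSuffix": suffix})
    return alerts


def build_sample_events():
    """Constructed one-hour sample: only admin1 crosses the threshold."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    for i in range(11):   # admin1 deletes 11 distinct users -> alert
        events.append(make_event(t0 + timedelta(minutes=i), "admin1@corp.example",
                                 "tenant-a", "space-1", f"user{i}@corp.example"))
    for i in range(5):    # admin2 deletes 5 users -> below threshold
        events.append(make_event(t0 + timedelta(minutes=i), "admin2@corp.example",
                                 "tenant-a", "space-1", f"temp{i}@corp.example"))
    for i in range(12):   # admin3 re-deletes one account 12 times -> deduplicated
        events.append(make_event(t0 + timedelta(minutes=i), "admin3@corp.example",
                                 "tenant-b", "space-2", "svc@corp.example"))
    # Noise that the where clauses drop: null object, a non-delete operation, empty old
    events.append(make_event(t0, "admin1@corp.example", "tenant-a", "space-1", "x", obj=None))
    events.append(make_event(t0, "admin1@corp.example", "tenant-a", "space-1", "y",
                             obj="scim user GET"))
    events.append({"UpdatedOn": t0, "UserName": "admin1@corp.example", "Tenant": "tenant-a",
                   "SpaceId": "space-1",
                   "Message": {"object": "scim user DELETE", "attributes": [{"old": ""}]}})
    return events


if __name__ == "__main__":
    for alert in detect_bulk_deletions(build_sample_events()):
        print(alert["UserName"], len(alert["DeletedUsers"]), alert["Start"], alert["End"])
```

Running the script prints one line for admin1. Lowering the threshold argument of detect_bulk_deletions shows how a tenant with many legitimate offboarding runs would need the rule's bulk_delete_threshold tuned before deployment, while admin3's repeated deletion of a single account never fires regardless of the threshold because make_set counts distinct names.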
queryPeriod: 1h
query: |
  let bulk_delete_threshold = 10;
  SAPBTPAuditLog_CL
  | where isnotnull(Message.object)
  | where Message.object has "scim user" and Message.object has "DELETE"
  | mv-expand Attributes = Message.attributes
  | where isnotempty(Attributes.old)
  | extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
  | where isnotempty(DeletedUserName)
  | summarize
      Start = min(UpdatedOn),
      End = max(UpdatedOn),
      DeletedUsers = make_set(DeletedUserName, 100)
      by UserName, Tenant, SpaceId
  | where array_length(DeletedUsers) > bulk_delete_threshold
  | project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = "SAP BTP"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
version: 3.0.5
name: BTP - Mass user deletion in a sub account
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in a sub account.yaml
description: Identifies user account deletion activity where the amount of deleted users exceeds a predefined threshold.
kind: Scheduled
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
id: 6f1e58bd-cd95-4dfb-8883-94207f30929a
relevantTechniques:
- T1531
- T1485
- T1489
- T0813
- T0826
- T0827