BTP - Failed access attempts across multiple BAS subaccounts
| Id | 74b243a6-3046-48aa-8b03-e43b3c529cc1 |
| Rulename | BTP - Failed access attempts across multiple BAS subaccounts |
| Description | Identifies a single user whose failed Business Application Studio access attempts span more than a predefined number of SAP BTP subaccounts (tenants) within the one-hour query window. |
| Severity | Medium |
| Tactics | Reconnaissance, Discovery |
| Techniques | T1595, T1526 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Failed access attempts across multiple BAS subaccounts.yaml |
| Version | 3.0.5 |
| Arm template | 74b243a6-3046-48aa-8b03-e43b3c529cc1.json |
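// Detects one principal generating failed ("Unauthorized access attempt") security
// events across more than `subaccount_detection_threshold` distinct SAP BTP
// subaccounts (the Tenant column) within the rule's query window. A single user
// being rejected by several subaccounts in a short period is consistent with a
// user or token probing subaccounts it is not entitled to.
//
// Threshold semantics: the comparison below is strictly greater-than, so a value
// of 3 means an alert fires once a 4th distinct subaccount is seen.
let subaccount_detection_threshold = 3;
SAPBTPAuditLog_CL
// NOTE(review): the filter keys on Message text only, not on a service identifier;
// confirm that no other BTP service emits the same message, otherwise the alert's
// scope is wider than Business Application Studio.
| where Category == "audit.security-events" and Message has "Unauthorized access attempt"
// Drop events with no principal: aggregating empty UserName values across tenants
// would otherwise produce a single spurious alert keyed on an empty account.
| where isnotempty(UserName)
// make_set is capped at 100 tenants; the threshold check only needs to see > 3,
// so the cap does not affect detection, only the list shown in the alert.
| summarize Start=min(UpdatedOn), End=max(UpdatedOn), Tenants = make_set(Tenant, 100) by UserName
| where array_length(Tenants) > subaccount_detection_threshold
| project Start, End, UserName, Tenants, CloudApp = "SAP BTP"
// tostring() so entity mapping receives scalar strings rather than dynamic values.
// A UserName without "@" yields an empty UPNSuffix and the whole name as AccountName.
| extend AccountName = tostring(split(UserName, "@")[0]), UPNSuffix = tostring(split(UserName, "@")[1])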
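# Scheduled analytic rule: one principal failing to access Business Application
# Studio across more than a fixed number of SAP BTP subaccounts within one hour.
id: 74b243a6-3046-48aa-8b03-e43b3c529cc1
name: BTP - Failed access attempts across multiple BAS subaccounts
description: Identifies a single user whose failed Business Application Studio access attempts span more than a predefined number of SAP BTP subaccounts (tenants) within the query window.
severity: Medium
status: Available
version: 3.0.5
kind: Scheduled
# Frequency equals period, so consecutive windows abut without overlap. A spread
# of failures that straddles two hourly windows is only detected if either window
# on its own exceeds the subaccount threshold.
queryFrequency: 1h
queryPeriod: 1h
# The subaccount threshold is enforced inside the query; any returned row is an alert.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Reconnaissance
  - Discovery
relevantTechniques:
  - T1595
  - T1526
requiredDataConnectors:
  - connectorId: SAPBTPAuditEvents
    dataTypes:
      - SAPBTPAuditLog_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Failed access attempts across multiple BAS subaccounts.yaml
query: |
  // Strictly greater-than: 3 means an alert fires once a 4th distinct subaccount is seen.
  let subaccount_detection_threshold = 3;
  SAPBTPAuditLog_CL
  // NOTE(review): the filter keys on Message text only, not on a service identifier;
  // confirm no other BTP service emits the same message, or the scope is wider than BAS.
  | where Category == "audit.security-events" and Message has "Unauthorized access attempt"
  // Drop events with no principal so empty UserName values are not aggregated
  // across tenants into a single spurious alert.
  | where isnotempty(UserName)
  // make_set is capped at 100 tenants; detection only needs to see > 3.
  | summarize Start=min(UpdatedOn), End=max(UpdatedOn), Tenants = make_set(Tenant, 100) by UserName
  | where array_length(Tenants) > subaccount_detection_threshold
  | project Start, End, UserName, Tenants, CloudApp = "SAP BTP"
  // tostring() so entity mapping receives scalar strings; a UserName without "@"
  // yields an empty UPNSuffix.
  | extend AccountName = tostring(split(UserName, "@")[0]), UPNSuffix = tostring(split(UserName, "@")[1])
# One alert per run, covering every user that crossed the threshold.
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: CloudApp
alertDetailsOverride:
  alertDisplayNameFormat: BTP - Unauthorized access attempt to multiple tenants
  # The attempts failed, so the listed subaccounts were targeted, not accessed.
  alertDescriptionFormat: '{{UserName}} attempted, and failed, to log into Business Application Studio in multiple subaccounts. Subaccounts (tenants) targeted: {{Tenants}}'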