
BTP - User added to Cloud Identity Service privileged Administrators list

Id: 7d4e9f2a-8b1c-4a5d-9e3f-6c2b1a0d8e7f
Rulename: BTP - User added to Cloud Identity Service privileged Administrators list
Description: Identifies when a user is granted privileged administrator permissions in SAP Cloud Identity Service. These permissions include managing Identity Providers, Service Providers, Users, Groups, and Access controls.
Severity: High
Tactics: LateralMovement
PrivilegeEscalation
Techniques: T0859
T1078
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - User added to privileged Administrators list.yaml
Version: 1.0.0
Arm template: 7d4e9f2a-8b1c-4a5d-9e3f-6c2b1a0d8e7f.json
// Flags successful SAP Cloud Identity Service "grantPermissions" audit events whose
// new authorization value names one of the watched administrator permissions.
// Output: one row per (UpdatedOn, UserName, callerMail, targetUser, Tenant, ipAddress)
// with the granted values, the watched names that matched, CloudApp, and the
// caller's AccountName / UPNSuffix for entity mapping.
// Note: "ReadUsers" is a read-only permission; keeping it in the watched list widens
// the rule beyond the "privileged administrator" scope in the description.
let watched_permissions = dynamic(["ManageIdP", "ManageSP", "ManageUsers", "ReadUsers", "ManageAccess", "ManageGroups"]);
SAPBTPAuditLog_CL
| extend rawData = tostring(Message.data)
// The audit payload carries key="value" pairs; pull out the fields the rule needs.
| extend action = extract(@"action=""([^""]+)""", 1, rawData)
| extend state = extract(@"state=""([^""]+)""", 1, rawData)
| extend changedAttribute = extract(@"changedAttribute=""([^""]+)""", 1, rawData)
| extend newValue = extract(@"newValue=""([^""]+)""", 1, rawData)
| extend targetUser = extract(@"userIdentifier=""([^""]+)""", 1, rawData)
| extend callerMail = extract(@"callerMail=""([^""]+)""", 1, rawData)
| extend ipAddress = extract(@"ipAddress=""([^""]+)""", 1, rawData)
// Only completed authorization grants with a non-empty new value are of interest.
| where action == "grantPermissions"
    and state == "successful"
    and changedAttribute == "authorizations"
    and isnotempty(newValue)
// One row per watched permission name. `contains` is a case-insensitive substring
// match, so any grant value that embeds the name is matched.
| mv-expand watched = watched_permissions
| where newValue contains tostring(watched)
// Collapse the per-permission rows back to one row per grant event (sets capped at 10).
| summarize GrantedPermissions = make_set(newValue, 10),
            MatchedPermissions = make_set(tostring(watched), 10)
          by UpdatedOn, UserName, callerMail, targetUser, Tenant, ipAddress
| extend CloudApp = "SAP Cloud Identity Service"
| project UpdatedOn, UserName, callerMail, targetUser, GrantedPermissions, MatchedPermissions, Tenant, ipAddress, CloudApp
// Account entity fields are derived from the caller (UserName), not from targetUser.
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
# Microsoft Sentinel scheduled analytic rule: alerts when a successful SAP Cloud
# Identity Service "grantPermissions" audit event assigns one of the watched
# administrator authorizations.
kind: Scheduled
queryFrequency: 15m
description: Identifies when a user is granted privileged administrator permissions in SAP Cloud Identity Service. These permissions include managing Identity Providers, Service Providers, Users, Groups, and Access controls.
version: 1.0.0
# All rows returned by one run are grouped into a single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
# KQL body. The watched list includes "ReadUsers", a read-only permission, which
# widens the rule beyond the "privileged administrator" scope stated in the
# description; `contains` is a case-insensitive substring match on newValue.
query: |
  let monitored_permissions = dynamic(["ManageIdP", "ManageSP", "ManageUsers", "ReadUsers", "ManageAccess", "ManageGroups"]);
  SAPBTPAuditLog_CL
  | extend data_s = tostring(Message.data)
  | extend action = extract(@"action=""([^""]+)""", 1, data_s),
           state = extract(@"state=""([^""]+)""", 1, data_s),
           changedAttribute = extract(@"changedAttribute=""([^""]+)""", 1, data_s),
           newValue = extract(@"newValue=""([^""]+)""", 1, data_s),
           targetUser = extract(@"userIdentifier=""([^""]+)""", 1, data_s),
           callerMail = extract(@"callerMail=""([^""]+)""", 1, data_s),
           ipAddress = extract(@"ipAddress=""([^""]+)""", 1, data_s)
  | where action == "grantPermissions"
  | where state == "successful"
  | where changedAttribute == "authorizations"
  | where isnotempty(newValue)
  | mv-expand permission = monitored_permissions
  | where newValue contains tostring(permission)
  | summarize 
      GrantedPermissions = make_set(newValue, 10),
      MatchedPermissions = make_set(tostring(permission), 10)
      by UpdatedOn, UserName, callerMail, targetUser, Tenant, ipAddress
  | project UpdatedOn, UserName, callerMail, targetUser, GrantedPermissions, MatchedPermissions, Tenant, ipAddress, CloudApp = "SAP Cloud Identity Service"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
severity: High
# Entity mappings. The Account entity is built from UserName, i.e. the caller who
# performed the grant; the grantee in targetUser is not mapped. NOTE(review): a
# second Account mapping for targetUser would let investigators pivot on the
# account that actually received the permissions — confirm the format of
# userIdentifier before splitting it into Name/UPNSuffix.
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
- fieldMappings:
  - identifier: Address
    columnName: ipAddress
  entityType: IP
# Fires on any result (count gt 0). queryPeriod equals queryFrequency (15m), so
# consecutive runs do not overlap. NOTE(review): events that arrive after a
# window has closed are not re-evaluated — confirm whether a lookback margin is wanted.
triggerThreshold: 0
id: 7d4e9f2a-8b1c-4a5d-9e3f-6c2b1a0d8e7f
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - User added to privileged Administrators list.yaml
name: BTP - User added to Cloud Identity Service privileged Administrators list
# Requires the SAP BTP audit connector; the query reads the SAPBTPAuditLog_CL table.
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
relevantTechniques:
- T0859
- T1078
triggerOperator: gt
tactics:
- LateralMovement
- PrivilegeEscalation
queryPeriod: 15m