BTP - Audit log service unavailable

// Configure the detection threshold (in minutes) - adjust based on your environment
let detection_threshold_in_minutes = 60;
// Lookback period to identify known subaccounts
let lookback = 7d;
// Get all known subaccounts and their last log time
let last_activity = SAPBTPAuditLog_CL
    | where TimeGenerated > ago(lookback)
    | summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant;
// Identify subaccounts with no recent activity exceeding the threshold
last_activity
| where datetime_diff('minute', now(), LastLogTime) > detection_threshold_in_minutes
| extend TimeSinceLastLog = datetime_diff('minute', now(), LastLogTime)
| project 
    SubaccountName,
    Tenant,
    LastLogTime,
    TimeSinceLastLog,
    CloudApp = "SAP BTP"

status: Available
query: |
  // Configure the detection threshold (in minutes) - adjust based on your environment
  let detection_threshold_in_minutes = 60;
  // Lookback period to identify known subaccounts
  let lookback = 7d;
  // Get all known subaccounts and their last log time
  let last_activity = SAPBTPAuditLog_CL
      | where TimeGenerated > ago(lookback)
      | summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant;
  // Identify subaccounts with no recent activity exceeding the threshold
  last_activity
  | where datetime_diff('minute', now(), LastLogTime) > detection_threshold_in_minutes
  | extend TimeSinceLastLog = datetime_diff('minute', now(), LastLogTime)
  | project 
      SubaccountName,
      Tenant,
      LastLogTime,
      TimeSinceLastLog,
      CloudApp = "SAP BTP"  
version: 1.0.0
name: BTP - Audit log service unavailable
queryPeriod: 7d
kind: Scheduled
id: 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d
customDetails:
  SubaccountName: SubaccountName
  LastLogTime: LastLogTime
  TimeSinceLastLog: TimeSinceLastLog
  Tenant: Tenant
triggerOperator: gt
relevantTechniques:
- T1562.008
tactics:
- DefenseEvasion
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP BTP: No audit logs received from {{SubaccountName}} for {{TimeSinceLastLog}} minutes'
  alertDescriptionFormat: |
    The SAP BTP subaccount '{{SubaccountName}}' has not reported any audit logs since {{LastLogTime}}.

    Time without logs: {{TimeSinceLastLog}} minutes

    This could indicate:
    - Audit log service has been disabled (potential compromise to hide malicious activity)
    - Data connector authentication or connectivity issues
    - SAP BTP service availability problems

    Recommended actions:
    1. Verify the audit log service status in SAP BTP cockpit
    2. Check the data connector health in Microsoft Sentinel
    3. Review any recent administrative changes to the subaccount
    4. Investigate for potential unauthorized access or configuration changes    
description: |
  Identifies SAP BTP subaccounts that have not reported audit logs for an unusual period.
  This could indicate that the audit log service has been disabled or tampered with,
  potentially by an attacker attempting to hide malicious activity. It may also indicate
  service key expiry or SAP BTP service availability problems.