Microsoft Sentinel Analytic Rules

BTP - Audit log service unavailable

Id: 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d
Rule name: BTP - Audit log service unavailable
Description: Identifies SAP BTP subaccounts that have not reported audit logs for an unusual period. This could indicate that the audit log service has been disabled or tampered with, potentially by an attacker attempting to hide malicious activity. It may also indicate service key expiry or SAP BTP service availability problems.
Severity: High
Tactics: DefenseEvasion
Techniques: T1562.008 (Impair Defenses: Disable or Modify Cloud Logs)
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 1h
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source URI: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml
Version: 1.0.0
ARM template: 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d.json

Query (KQL):
// Configure the detection threshold (in minutes) - adjust based on your environment
let detection_threshold_in_minutes = 60;
// Lookback period to identify known subaccounts
let lookback = 7d;
// Get all known subaccounts and their last log time
let last_activity = SAPBTPAuditLog_CL
    | where TimeGenerated > ago(lookback)
    | summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant;
// Identify subaccounts with no recent activity exceeding the threshold
last_activity
| where datetime_diff('minute', now(), LastLogTime) > detection_threshold_in_minutes
| extend TimeSinceLastLog = datetime_diff('minute', now(), LastLogTime)
| project 
    SubaccountName,
    Tenant,
    LastLogTime,
    TimeSinceLastLog,
    CloudApp = "SAP BTP"
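The query above cannot be run outside a Log Analytics workspace, so the following is an added Python re-implementation of the same logic (not code from the Azure-Sentinel repository or from this rule's author) run over a handful of constructed SAPBTPAuditLog_CL-style rows. The subaccount names, tenant and timestamps are made up, and "now()" is pinned to a fixed UTC time so the result is reproducible. Besides reproducing the summarize/threshold steps, it makes one caveat of the rule visible: a subaccount whose last event is older than the 7d query period drops out of `last_activity` entirely and stops alerting, so a service that stays disabled is only flagged for the first week. The 60-minute threshold also has to be larger than your connector's worst-case ingestion delay, or healthy subaccounts will be reported during normal latency spikes.

```python
from datetime import datetime, timedelta, timezone

# Fixed stand-in for KQL now() so the run is reproducible (assumption: TimeGenerated is UTC).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows standing in for the SAPBTPAuditLog_CL table; names and tenant are invented.
SAMPLE_LOG = [
    {"TimeGenerated": NOW - timedelta(minutes=5),  "SubaccountName": "prod-eu10",   "Tenant": "contoso"},
    {"TimeGenerated": NOW - timedelta(minutes=50), "SubaccountName": "prod-eu10",   "Tenant": "contoso"},
    {"TimeGenerated": NOW - timedelta(hours=3),    "SubaccountName": "dev-us10",    "Tenant": "contoso"},
    {"TimeGenerated": NOW - timedelta(days=2),     "SubaccountName": "dev-us10",    "Tenant": "contoso"},
    # Silent for 8 days: older than the 7d lookback, so the rule no longer "knows" this subaccount.
    {"TimeGenerated": NOW - timedelta(days=8),     "SubaccountName": "legacy-ap11", "Tenant": "contoso"},
]


def detect_silent_subaccounts(rows, now, threshold_minutes=60, lookback_days=7):
    """Python equivalent of the rule's KQL.

    1. where TimeGenerated > ago(lookback)
    2. summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant
    3. where datetime_diff('minute', now(), LastLogTime) > threshold
    Returns one dict per flagged subaccount with the rule's projected columns,
    longest silence first.
    """
    lookback = timedelta(days=lookback_days)
    last_activity = {}
    for row in rows:
        if row["TimeGenerated"] <= now - lookback:
            continue  # outside ago(lookback): the row never reaches summarize
        key = (row["SubaccountName"], row["Tenant"])
        if key not in last_activity or row["TimeGenerated"] > last_activity[key]:
            last_activity[key] = row["TimeGenerated"]

    results = []
    for (subaccount, tenant), last_log in last_activity.items():
        # KQL datetime_diff('minute', ...) counts minute boundaries crossed; for the
        # whole-minute timestamps used here that equals the floored difference.
        minutes_silent = int((now - last_log).total_seconds() // 60)
        if minutes_silent > threshold_minutes:
            results.append({
                "SubaccountName": subaccount,
                "Tenant": tenant,
                "LastLogTime": last_log,
                "TimeSinceLastLog": minutes_silent,
                "CloudApp": "SAP BTP",
            })
    return sorted(results, key=lambda r: r["TimeSinceLastLog"], reverse=True)


def dropped_from_lookback(rows, now, lookback_days=7):
    """Subaccounts present in the data but invisible to the rule because all of
    their rows are older than the lookback. This is the rule's blind spot: a
    subaccount silenced for longer than queryPeriod silently stops alerting."""
    lookback = timedelta(days=lookback_days)
    all_keys = {(r["SubaccountName"], r["Tenant"]) for r in rows}
    recent_keys = {(r["SubaccountName"], r["Tenant"]) for r in rows if r["TimeGenerated"] > now - lookback}
    return sorted(all_keys - recent_keys)


if __name__ == "__main__":
    for hit in detect_silent_subaccounts(SAMPLE_LOG, NOW):
        print(f"SAP BTP: No audit logs received from {hit['SubaccountName']} "
              f"for {hit['TimeSinceLastLog']} minutes (last seen {hit['LastLogTime']:%Y-%m-%d %H:%M}Z)")
    print("Silent longer than the lookback, never alerted:", dropped_from_lookback(SAMPLE_LOG, NOW))
```

With the sample data, prod-eu10 logged 5 minutes ago and is not flagged, dev-us10 is reported with 180 minutes of silence, and legacy-ap11 is neither flagged nor listed because its only row is 8 days old. Widening `lookback_days` to 30 brings legacy-ap11 back with 11520 minutes of silence; in Sentinel the equivalent is raising queryPeriod, at the cost of a larger scan per run, or keeping an inventory of expected subaccounts (a watchlist) to compare against instead of deriving the set from the log itself.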
Rule definition (YAML):
id: 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d
relevantTechniques:
- T1562.008
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: |
  Identifies SAP BTP subaccounts that have not reported audit logs for an unusual period.
  This could indicate that the audit log service has been disabled or tampered with,
  potentially by an attacker attempting to hide malicious activity. It may also indicate
  service key expiry or SAP BTP service availability problems.  
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP BTP: No audit logs received from {{SubaccountName}} for {{TimeSinceLastLog}} minutes'
  alertDescriptionFormat: |
    The SAP BTP subaccount '{{SubaccountName}}' has not reported any audit logs since {{LastLogTime}}.

    Time without logs: {{TimeSinceLastLog}} minutes

    This could indicate:
    - Audit log service has been disabled (potential compromise to hide malicious activity)
    - Data connector authentication or connectivity issues
    - SAP BTP service availability problems

    Recommended actions:
    1. Verify the audit log service status in SAP BTP cockpit
    2. Check the data connector health in Microsoft Sentinel
    3. Review any recent administrative changes to the subaccount
    4. Investigate for potential unauthorized access or configuration changes    
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml
customDetails:
  TimeSinceLastLog: TimeSinceLastLog
  SubaccountName: SubaccountName
  LastLogTime: LastLogTime
  Tenant: Tenant
query: |
  // Configure the detection threshold (in minutes) - adjust based on your environment
  let detection_threshold_in_minutes = 60;
  // Lookback period to identify known subaccounts
  let lookback = 7d;
  // Get all known subaccounts and their last log time
  let last_activity = SAPBTPAuditLog_CL
      | where TimeGenerated > ago(lookback)
      | summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant;
  // Identify subaccounts with no recent activity exceeding the threshold
  last_activity
  | where datetime_diff('minute', now(), LastLogTime) > detection_threshold_in_minutes
  | extend TimeSinceLastLog = datetime_diff('minute', now(), LastLogTime)
  | project 
      SubaccountName,
      Tenant,
      LastLogTime,
      TimeSinceLastLog,
      CloudApp = "SAP BTP"  
queryFrequency: 1h
name: BTP - Audit log service unavailable
status: Available
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
severity: High
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
triggerOperator: gt
triggerThreshold: 0
version: 1.0.0
queryPeriod: 7d
kind: Scheduled