BTP - Audit log service unavailable
| Id | 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d |
| Rulename | BTP - Audit log service unavailable |
| Description | Identifies SAP BTP subaccounts that have not reported audit logs for an unusual period. This could indicate that the audit log service has been disabled or tampered with, potentially by an attacker attempting to hide malicious activity. It may also indicate service key expiry or SAP BTP service availability problems. |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1562.008 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml |
| Version | 1.0.0 |
| Arm template | 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d.json |
```kusto
// Configure the detection threshold (in minutes) - adjust based on your environment
let detection_threshold_in_minutes = 60;
// Lookback period to identify known subaccounts
let lookback = 7d;
// Get all known subaccounts and their last log time
let last_activity = SAPBTPAuditLog_CL
    | where TimeGenerated > ago(lookback)
    | summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant;
// Identify subaccounts with no recent activity exceeding the threshold
last_activity
| where datetime_diff('minute', now(), LastLogTime) > detection_threshold_in_minutes
| extend TimeSinceLastLog = datetime_diff('minute', now(), LastLogTime)
| project
    SubaccountName,
    Tenant,
    LastLogTime,
    TimeSinceLastLog,
    CloudApp = "SAP BTP"
```
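The two stages of the query above (last log time per subaccount and tenant, then the threshold check), re-implemented in Python over constructed sample rows as an added example that is not part of the rule or of the Azure-Sentinel repository; the row layout, the fixed NOW value and the subaccount names are assumptions. It also makes the query's blind spot visible: a subaccount with no rows inside the 7-day lookback never reaches the second stage and is therefore never alerted on.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumed value).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed rows shaped like SAPBTPAuditLog_CL: (TimeGenerated, SubaccountName, Tenant).
SAMPLE_LOG = [
    (NOW - timedelta(minutes=5), "prod-erp", "tenant-a"),
    (NOW - timedelta(minutes=90), "prod-erp", "tenant-a"),   # older row; max() keeps the 5-minute one
    (NOW - timedelta(hours=3), "dev-sandbox", "tenant-a"),
    (NOW - timedelta(days=2), "qa-integration", "tenant-b"),
    (NOW - timedelta(days=9), "legacy-hr", "tenant-b"),      # outside the 7d lookback: silently dropped
]


def last_activity(rows, now, lookback=timedelta(days=7)):
    """First KQL stage: max(TimeGenerated) by SubaccountName, Tenant
    over rows with TimeGenerated > ago(lookback)."""
    latest = {}
    for ts, sub, tenant in rows:
        if ts <= now - lookback:
            continue
        key = (sub, tenant)
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    return latest


def silent_subaccounts(rows, now, threshold_minutes=60, lookback=timedelta(days=7)):
    """Second KQL stage: keep subaccounts whose last log is older than the threshold.
    KQL datetime_diff('minute', ...) counts minute boundaries; whole-minute sample
    offsets make the integer division here give the same result."""
    hits = []
    for (sub, tenant), last in last_activity(rows, now, lookback).items():
        minutes = int((now - last).total_seconds() // 60)
        if minutes > threshold_minutes:
            hits.append({"SubaccountName": sub, "Tenant": tenant, "LastLogTime": last,
                         "TimeSinceLastLog": minutes, "CloudApp": "SAP BTP"})
    return sorted(hits, key=lambda r: r["TimeSinceLastLog"], reverse=True)


if __name__ == "__main__":
    for hit in silent_subaccounts(SAMPLE_LOG, NOW):
        print(f"{hit['SubaccountName']} ({hit['Tenant']}): "
              f"{hit['TimeSinceLastLog']} min since {hit['LastLogTime']:%Y-%m-%d %H:%M}")
```

Running it flags qa-integration and dev-sandbox but not prod-erp; legacy-hr, silent for longer than the whole lookback, never appears, so a subaccount whose logging was cut off more than 7 days ago needs a separate inventory-based check.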
```yaml
severity: High
name: BTP - Audit log service unavailable
alertDetailsOverride:
  alertDescriptionFormat: |
    The SAP BTP subaccount '{{SubaccountName}}' has not reported any audit logs since {{LastLogTime}}.
    Time without logs: {{TimeSinceLastLog}} minutes
    This could indicate:
    - Audit log service has been disabled (potential compromise to hide malicious activity)
    - Data connector authentication or connectivity issues
    - SAP BTP service availability problems
    Recommended actions:
    1. Verify the audit log service status in SAP BTP cockpit
    2. Check the data connector health in Microsoft Sentinel
    3. Review any recent administrative changes to the subaccount
    4. Investigate for potential unauthorized access or configuration changes
  alertDisplayNameFormat: 'SAP BTP: No audit logs received from {{SubaccountName}} for {{TimeSinceLastLog}} minutes'
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
query: |
  // Configure the detection threshold (in minutes) - adjust based on your environment
  let detection_threshold_in_minutes = 60;
  // Lookback period to identify known subaccounts
  let lookback = 7d;
  // Get all known subaccounts and their last log time
  let last_activity = SAPBTPAuditLog_CL
      | where TimeGenerated > ago(lookback)
      | summarize LastLogTime = max(TimeGenerated) by SubaccountName, Tenant;
  // Identify subaccounts with no recent activity exceeding the threshold
  last_activity
  | where datetime_diff('minute', now(), LastLogTime) > detection_threshold_in_minutes
  | extend TimeSinceLastLog = datetime_diff('minute', now(), LastLogTime)
  | project
      SubaccountName,
      Tenant,
      LastLogTime,
      TimeSinceLastLog,
      CloudApp = "SAP BTP"
tactics:
  - DefenseEvasion
customDetails:
  TimeSinceLastLog: TimeSinceLastLog
  Tenant: Tenant
  SubaccountName: SubaccountName
  LastLogTime: LastLogTime
status: Available
version: 1.0.0
relevantTechniques:
  - T1562.008
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml
triggerThreshold: 0
requiredDataConnectors:
  - dataTypes:
      - SAPBTPAuditLog_CL
    connectorId: SAPBTPAuditEvents
id: 8a3b5c7d-9e1f-4a2b-8c6d-3e5f7a9b1c2d
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: CloudApp
kind: Scheduled
queryFrequency: 1h
queryPeriod: 7d
description: |
  Identifies SAP BTP subaccounts that have not reported audit logs for an unusual period.
  This could indicate that the audit log service has been disabled or tampered with,
  potentially by an attacker attempting to hide malicious activity. It may also indicate
  service key expiry or SAP BTP service availability problems.
```