Microsoft Sentinel Analytic Rules

BTP - Build Work Zone unauthorized access and role tampering

Id: 8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
Rulename: BTP - Build Work Zone unauthorized access and role tampering
Description: Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone Standard Edition. These events may indicate an attacker accessing restricted resources or removing access controls to cover their tracks.
Severity: High
Tactics: InitialAccess, Persistence, DefenseEvasion, Impact
Techniques: T1078, T1531, T1070
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
Version: 1.0.0
Arm template: 8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f.json
SAPBTPAuditLog_CL
| extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
| where LogMessage has_any ("Unauthorized access to the oData service", 
                            "All roles for providerId", 
                            "All users for providerId",
                            "were deleted successfully",
                            "were removed successfully")
| extend EventCategory = case(
    LogMessage contains "Unauthorized access", "Unauthorized Access",
    LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
    "Role Tampering"
)
| extend MessageText = case(
    LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
    LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
    LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
    LogMessage contains "assignments were removed", "User/role assignments removed",
    "Suspicious access control modification"
)
| extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
| project
    TimeGenerated,
    UserName,
    MessageText,
    EventCategory,
    ProviderId,
    Tenant,
    CloudApp = "SAP Build Work Zone Standard Edition"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
id: 8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Build Work Zone: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} in tenant {{Tenant}}.

    This could indicate unauthorized access attempts or malicious removal of access controls.    
customDetails:
  ProviderId: ProviderId
  EventCategory: EventCategory
triggerThreshold: 0
description: |
  Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone 
  Standard Edition. These events may indicate an attacker accessing restricted resources or 
  removing access controls to cover their tracks.  
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
queryPeriod: 15m
version: 1.0.0
severity: High
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- Impact
queryFrequency: 15m
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudApp
    identifier: Name
name: BTP - Build Work Zone unauthorized access and role tampering
relevantTechniques:
- T1078
- T1531
- T1070
triggerOperator: gt
query: |
  SAPBTPAuditLog_CL
  | extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
  | where LogMessage has_any ("Unauthorized access to the oData service", 
                              "All roles for providerId", 
                              "All users for providerId",
                              "were deleted successfully",
                              "were removed successfully")
  | extend EventCategory = case(
      LogMessage contains "Unauthorized access", "Unauthorized Access",
      LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
      "Role Tampering"
  )
  | extend MessageText = case(
      LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
      LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
      LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
      LogMessage contains "assignments were removed", "User/role assignments removed",
      "Suspicious access control modification"
  )
  | extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
  | project
      TimeGenerated,
      UserName,
      MessageText,
      EventCategory,
      ProviderId,
      Tenant,
      CloudApp = "SAP Build Work Zone Standard Edition"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml