BTP - Build Work Zone unauthorized access and role tampering

Back


Id	8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
Rulename	BTP - Build Work Zone unauthorized access and role tampering
Description	Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone Standard Edition. These events may indicate an attacker accessing restricted resources or removing access controls to cover their tracks.
Severity	High
Tactics	InitialAccess Persistence DefenseEvasion Impact
Techniques	T1078 T1531 T1070
Required data connectors	SAPBTPAuditEvents
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
Version	1.0.0
Arm template	8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f.json

KQL

SAPBTPAuditLog_CL
| extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
| where LogMessage has_any ("Unauthorized access to the oData service", 
                            "All roles for providerId", 
                            "All users for providerId",
                            "were deleted successfully",
                            "were removed successfully")
| extend EventCategory = case(
    LogMessage contains "Unauthorized access", "Unauthorized Access",
    LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
    "Role Tampering"
)
| extend MessageText = case(
    LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
    LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
    LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
    LogMessage contains "assignments were removed", "User/role assignments removed",
    "Suspicious access control modification"
)
| extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
| project
    TimeGenerated,
    UserName,
    MessageText,
    EventCategory,
    ProviderId,
    Tenant,
    CloudApp = "SAP Build Work Zone Standard Edition"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

YAML

version: 1.0.0
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  SAPBTPAuditLog_CL
  | extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
  | where LogMessage has_any ("Unauthorized access to the oData service", 
                              "All roles for providerId", 
                              "All users for providerId",
                              "were deleted successfully",
                              "were removed successfully")
  | extend EventCategory = case(
      LogMessage contains "Unauthorized access", "Unauthorized Access",
      LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
      "Role Tampering"
  )
  | extend MessageText = case(
      LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
      LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
      LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
      LogMessage contains "assignments were removed", "User/role assignments removed",
      "Suspicious access control modification"
  )
  | extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
  | project
      TimeGenerated,
      UserName,
      MessageText,
      EventCategory,
      ProviderId,
      Tenant,
      CloudApp = "SAP Build Work Zone Standard Edition"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
queryPeriod: 15m
status: Available
alertDetailsOverride:
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} in tenant {{Tenant}}.

    This could indicate unauthorized access attempts or malicious removal of access controls.    
  alertDisplayNameFormat: 'SAP Build Work Zone: {{MessageText}}'
kind: Scheduled
relevantTechniques:
- T1078
- T1531
- T1070
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- Impact
triggerOperator: gt
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
name: BTP - Build Work Zone unauthorized access and role tampering
triggerThreshold: 0
severity: High
id: 8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
customDetails:
  ProviderId: ProviderId
  EventCategory: EventCategory
description: |
  Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone 
  Standard Edition. These events may indicate an attacker accessing restricted resources or 
  removing access controls to cover their tracks.  
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL

ARM