BTP - Build Work Zone unauthorized access and role tampering

Back


Id	8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
Rulename	BTP - Build Work Zone unauthorized access and role tampering
Description	Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone Standard Edition. These events may indicate an attacker accessing restricted resources or removing access controls to cover their tracks.
Severity	High
Tactics	InitialAccess Persistence DefenseEvasion Impact
Techniques	T1078 T1531 T1070
Required data connectors	SAPBTPAuditEvents
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
Version	1.0.0
Arm template	8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f.json

KQL

SAPBTPAuditLog_CL
| extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
| where LogMessage has_any ("Unauthorized access to the oData service", 
                            "All roles for providerId", 
                            "All users for providerId",
                            "were deleted successfully",
                            "were removed successfully")
| extend EventCategory = case(
    LogMessage contains "Unauthorized access", "Unauthorized Access",
    LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
    "Role Tampering"
)
| extend MessageText = case(
    LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
    LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
    LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
    LogMessage contains "assignments were removed", "User/role assignments removed",
    "Suspicious access control modification"
)
| extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
| project
    TimeGenerated,
    UserName,
    MessageText,
    EventCategory,
    ProviderId,
    Tenant,
    CloudApp = "SAP Build Work Zone Standard Edition"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

YAML

status: Available
relevantTechniques:
- T1078
- T1531
- T1070
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
queryPeriod: 15m
query: |
  SAPBTPAuditLog_CL
  | extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
  | where LogMessage has_any ("Unauthorized access to the oData service", 
                              "All roles for providerId", 
                              "All users for providerId",
                              "were deleted successfully",
                              "were removed successfully")
  | extend EventCategory = case(
      LogMessage contains "Unauthorized access", "Unauthorized Access",
      LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
      "Role Tampering"
  )
  | extend MessageText = case(
      LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
      LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
      LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
      LogMessage contains "assignments were removed", "User/role assignments removed",
      "Suspicious access control modification"
  )
  | extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
  | project
      TimeGenerated,
      UserName,
      MessageText,
      EventCategory,
      ProviderId,
      Tenant,
      CloudApp = "SAP Build Work Zone Standard Edition"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
id: 8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
customDetails:
  ProviderId: ProviderId
  EventCategory: EventCategory
name: BTP - Build Work Zone unauthorized access and role tampering
kind: Scheduled
description: |
  Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone 
  Standard Edition. These events may indicate an attacker accessing restricted resources or 
  removing access controls to cover their tracks.  
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- Impact
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Build Work Zone: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} in tenant {{Tenant}}.

    This could indicate unauthorized access attempts or malicious removal of access controls.    
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerOperator: gt
queryFrequency: 15m
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL

ARM