BTP - Build Work Zone unauthorized access and role tampering

Back


Id	8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f
Rulename	BTP - Build Work Zone unauthorized access and role tampering
Description	Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone Standard Edition. These events may indicate an attacker accessing restricted resources or removing access controls to cover their tracks.
Severity	High
Tactics	InitialAccess Persistence DefenseEvasion Impact
Techniques	T1078 T1531 T1070
Required data connectors	SAPBTPAuditEvents
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
Version	1.0.0
Arm template	8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f.json

KQL

SAPBTPAuditLog_CL
| extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
| where LogMessage has_any ("Unauthorized access to the oData service", 
                            "All roles for providerId", 
                            "All users for providerId",
                            "were deleted successfully",
                            "were removed successfully")
| extend EventCategory = case(
    LogMessage contains "Unauthorized access", "Unauthorized Access",
    LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
    "Role Tampering"
)
| extend MessageText = case(
    LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
    LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
    LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
    LogMessage contains "assignments were removed", "User/role assignments removed",
    "Suspicious access control modification"
)
| extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
| project
    TimeGenerated,
    UserName,
    MessageText,
    EventCategory,
    ProviderId,
    Tenant,
    CloudApp = "SAP Build Work Zone Standard Edition"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

YAML

name: BTP - Build Work Zone unauthorized access and role tampering
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
severity: High
description: |
  Identifies unauthorized OData access attempts and mass role/user deletions in SAP Build Work Zone 
  Standard Edition. These events may indicate an attacker accessing restricted resources or 
  removing access controls to cover their tracks.  
version: 1.0.0
customDetails:
  EventCategory: EventCategory
  ProviderId: ProviderId
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
- Impact
relevantTechniques:
- T1078
- T1531
- T1070
kind: Scheduled
triggerThreshold: 0
status: Available
queryPeriod: 15m
alertDetailsOverride:
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} in tenant {{Tenant}}.

    This could indicate unauthorized access attempts or malicious removal of access controls.    
  alertDisplayNameFormat: 'SAP Build Work Zone: {{MessageText}}'
triggerOperator: gt
query: |
  SAPBTPAuditLog_CL
  | extend LogMessage = coalesce(tostring(Message.message), tostring(Message.data), tostring(Message))
  | where LogMessage has_any ("Unauthorized access to the oData service", 
                              "All roles for providerId", 
                              "All users for providerId",
                              "were deleted successfully",
                              "were removed successfully")
  | extend EventCategory = case(
      LogMessage contains "Unauthorized access", "Unauthorized Access",
      LogMessage contains "All roles" or LogMessage contains "All users", "Mass Deletion",
      "Role Tampering"
  )
  | extend MessageText = case(
      LogMessage contains "Unauthorized access to the oData service", "Unauthorized OData service access attempt",
      LogMessage contains "All roles for providerId" and LogMessage contains "deleted", "Mass role deletion detected",
      LogMessage contains "All users for providerId" and LogMessage contains "deleted", "Mass user deletion detected",
      LogMessage contains "assignments were removed", "User/role assignments removed",
      "Suspicious access control modification"
  )
  | extend ProviderId = extract(@"providerId\s+(\S+)", 1, LogMessage)
  | project
      TimeGenerated,
      UserName,
      MessageText,
      EventCategory,
      ProviderId,
      Tenant,
      CloudApp = "SAP Build Work Zone Standard Edition"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 15m
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: CloudApp
id: 8e5f3a2c-9d1b-4c6e-a7f8-3b2d1e0c9a5f

ARM