
BTP - Cloud Integration access policy tampering

Id: 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b
Rule name: BTP - Cloud Integration access policy tampering
Description: Identifies changes to access policies in SAP Cloud Integration. Access policies control

authorization for integration artifacts, defining which users and roles can access specific

integration flows and related content.



Unauthorized access policy manipulation could indicate:

- Attacker granting themselves access to sensitive integration artifacts

- Removal of security controls to enable further malicious activity

- Defense evasion by modifying artifact references to hide unauthorized access
Severity: High
Tactics: DefenseEvasion, PrivilegeEscalation
Techniques: T1548, T1222
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m (the look-back equals the run interval, so consecutive windows do not overlap; an audit event whose ingestion lags past its window's edge is not seen by any run — widen the look-back if such gaps are observed)
Trigger threshold: 0
Trigger operator: gt (alert when a run returns more than 0 rows)
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20BTP/Analytic%20Rules/BTP%20-%20Cloud%20Integration%20access%20policy%20tampering.yaml
Version: 1.0.0
Arm template: 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b.json
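// Detects Create/Change/Delete operations on SAP Cloud Integration access policies and
// artifact references in the SAP BTP audit log (security-event category).
// Input: SAPBTPAuditLog_CL (SAPBTPAuditEvents connector).
// Output: one row per matching audit event with the columns the rule's entity mappings
// use: AccountName/UPNSuffix (Account), ipAddress (IP), CloudApp (CloudApplication).
let accessPolicyTypes = dynamic(["Access Policy", "Artifact Reference"]);
let monitoredActions = dynamic(["Create", "Change", "Delete"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
// Message is assumed to be a dynamic column: `data` holds the event payload and `ip` the
// caller address. Serializing and re-parsing `data` yields a JSON object whether it was
// ingested as a string or as an object.
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId),
         policyMessage = tostring(parsedData.attributes.message)
// Exact, case-sensitive matches: an objectType or action spelled differently by the
// source is not selected by this rule.
| where objectType in (accessPolicyTypes)
| where action in (monitoredActions)
// Past-tense verb for the alert text; any other action value passes through unchanged.
| extend normalizedAction = case(
    action == "Create", "created",
    action == "Change", "modified",
    action == "Delete", "deleted",
    action
)
| extend MessageText = case(
    objectType == "Access Policy", strcat("Access policy '", objectId, "' was ", normalizedAction),
    objectType == "Artifact Reference", strcat("Artifact reference '", objectId, "' was ", normalizedAction),
    strcat(objectType, " '", objectId, "' was ", normalizedAction)
)
| project
    UpdatedOn,
    UserName,
    MessageText,
    ObjectType = objectType,
    ObjectId = objectId,
    Action = action,
    PolicyMessage = policyMessage,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
// split() returns a dynamic array; cast both parts to string so the Account entity mapping
// receives string columns. A UserName without "@" leaves UPNSuffix empty.
| extend AccountName = tostring(split(UserName, "@")[0]),
         UPNSuffix = tostring(split(UserName, "@")[1])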
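# Microsoft Sentinel scheduled analytic rule (SAP BTP solution). Alerts on Create/Change/Delete
# of SAP Cloud Integration access policies and artifact references found in SAPBTPAuditLog_CL.
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
relevantTechniques:
- T1548
- T1222
# Together with triggerThreshold 0: any run returning at least one row raises an alert.
triggerOperator: gt
# Query columns surfaced on the alert; SourceIP is the query's ipAddress column (Message.ip).
customDetails:
  ObjectId: ObjectId
  PolicyMessage: PolicyMessage
  ObjectType: ObjectType
  Action: Action
  SourceIP: ipAddress
# Runs every 15 minutes over a 15-minute look-back (queryPeriod), so consecutive windows do
# not overlap. NOTE(review): an audit event whose ingestion lags past its window's edge falls
# outside every run; confirm connector latency and widen queryPeriod if gaps are observed.
queryFrequency: 15m
severity: High
description: |
  Identifies changes to access policies in SAP Cloud Integration. Access policies control
  authorization for integration artifacts, defining which users and roles can access specific
  integration flows and related content.

  Unauthorized access policy manipulation could indicate:
  - Attacker granting themselves access to sensitive integration artifacts
  - Removal of security controls to enable further malicious activity
  - Defense evasion by modifying artifact references to hide unauthorized access  
triggerThreshold: 0
# Account is built from UserName split at "@" (AccountName / UPNSuffix), IP from ipAddress,
# and CloudApplication from the constant "SAP Cloud Integration" set in the query.
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: ipAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
# Alert title and description are templated from the query columns of the matching row.
alertDetailsOverride:
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    This could indicate:
    - Legitimate access policy administration
    - Unauthorized privilege escalation attempt
    - Attacker modifying security controls to access sensitive integrations    
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
name: BTP - Cloud Integration access policy tampering
# KQL executed on each run; its output columns must match entityMappings/customDetails above.
query: |
  // Detects Create/Change/Delete operations on SAP Cloud Integration access policies and
  // artifact references in the SAP BTP audit log (security-event category).
  let accessPolicyTypes = dynamic(["Access Policy", "Artifact Reference"]);
  let monitoredActions = dynamic(["Create", "Change", "Delete"]);
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  // Message is assumed to be a dynamic column: `data` holds the event payload and `ip` the
  // caller address. Serializing and re-parsing `data` yields a JSON object whether it was
  // ingested as a string or as an object.
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId),
           policyMessage = tostring(parsedData.attributes.message)
  // Exact, case-sensitive matches: an objectType or action spelled differently by the
  // source is not selected by this rule.
  | where objectType in (accessPolicyTypes)
  | where action in (monitoredActions)
  // Past-tense verb for the alert text; any other action value passes through unchanged.
  | extend normalizedAction = case(
      action == "Create", "created",
      action == "Change", "modified",
      action == "Delete", "deleted",
      action
  )
  | extend MessageText = case(
      objectType == "Access Policy", strcat("Access policy '", objectId, "' was ", normalizedAction),
      objectType == "Artifact Reference", strcat("Artifact reference '", objectId, "' was ", normalizedAction),
      strcat(objectType, " '", objectId, "' was ", normalizedAction)
  )
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ObjectType = objectType,
      ObjectId = objectId,
      Action = action,
      PolicyMessage = policyMessage,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  // split() returns a dynamic array; cast both parts to string so the Account entity mapping
  // receives string columns. A UserName without "@" leaves UPNSuffix empty.
  | extend AccountName = tostring(split(UserName, "@")[0]),
           UPNSuffix = tostring(split(UserName, "@")[1])
version: 1.0.0
tactics:
- DefenseEvasion
- PrivilegeEscalation
queryPeriod: 15m
kind: Scheduled
id: 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml
# All rows returned by one run are grouped into a single alert rather than one alert per row.
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available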