BTP - Cloud Integration access policy tampering
| Id | 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b |
| Rulename | BTP - Cloud Integration access policy tampering |
| Description | Identifies changes to access policies in SAP Cloud Integration. Access policies control authorization for integration artifacts, defining which users and roles can access specific integration flows and related content. Unauthorized access policy manipulation could indicate: - Attacker granting themselves access to sensitive integration artifacts - Removal of security controls to enable further malicious activity - Defense evasion by modifying artifact references to hide unauthorized access |
| Severity | High |
| Tactics | DefenseEvasion PrivilegeEscalation |
| Techniques | T1548 T1222 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml |
| Version | 1.0.0 |
| Arm template | 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b.json |
let accessPolicyTypes = dynamic(["Access Policy", "Artifact Reference"]);
let monitoredActions = dynamic(["Create", "Change", "Delete"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
objectType = tostring(parsedData.objectType),
objectId = tostring(parsedData.objectId),
policyMessage = tostring(parsedData.attributes.message)
| where objectType in (accessPolicyTypes)
| where action in (monitoredActions)
| extend normalizedAction = case(
action == "Create", "created",
action == "Change", "modified",
action == "Delete", "deleted",
action
)
| extend MessageText = case(
objectType == "Access Policy", strcat("Access policy '", objectId, "' was ", normalizedAction),
objectType == "Artifact Reference", strcat("Artifact reference '", objectId, "' was ", normalizedAction),
strcat(objectType, " '", objectId, "' was ", normalizedAction)
)
| project
UpdatedOn,
UserName,
MessageText,
ObjectType = objectType,
ObjectId = objectId,
Action = action,
PolicyMessage = policyMessage,
Tenant,
ipAddress,
CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
relevantTechniques:
- T1548
- T1222
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: IP
fieldMappings:
- columnName: ipAddress
identifier: Address
- entityType: CloudApplication
fieldMappings:
- columnName: CloudApp
identifier: Name
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.0
id: 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b
severity: High
kind: Scheduled
queryFrequency: 15m
description: |
Identifies changes to access policies in SAP Cloud Integration. Access policies control
authorization for integration artifacts, defining which users and roles can access specific
integration flows and related content.
Unauthorized access policy manipulation could indicate:
- Attacker granting themselves access to sensitive integration artifacts
- Removal of security controls to enable further malicious activity
- Defense evasion by modifying artifact references to hide unauthorized access
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
dataTypes:
- SAPBTPAuditLog_CL
triggerOperator: gt
name: BTP - Cloud Integration access policy tampering
tactics:
- DefenseEvasion
- PrivilegeEscalation
alertDetailsOverride:
alertDescriptionFormat: |
{{MessageText}} by {{UserName}} from IP {{ipAddress}}.
This could indicate:
- Legitimate access policy administration
- Unauthorized privilege escalation attempt
- Attacker modifying security controls to access sensitive integrations
alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml
triggerThreshold: 0
queryPeriod: 15m
query: |
let accessPolicyTypes = dynamic(["Access Policy", "Artifact Reference"]);
let monitoredActions = dynamic(["Create", "Change", "Delete"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
objectType = tostring(parsedData.objectType),
objectId = tostring(parsedData.objectId),
policyMessage = tostring(parsedData.attributes.message)
| where objectType in (accessPolicyTypes)
| where action in (monitoredActions)
| extend normalizedAction = case(
action == "Create", "created",
action == "Change", "modified",
action == "Delete", "deleted",
action
)
| extend MessageText = case(
objectType == "Access Policy", strcat("Access policy '", objectId, "' was ", normalizedAction),
objectType == "Artifact Reference", strcat("Artifact reference '", objectId, "' was ", normalizedAction),
strcat(objectType, " '", objectId, "' was ", normalizedAction)
)
| project
UpdatedOn,
UserName,
MessageText,
ObjectType = objectType,
ObjectId = objectId,
Action = action,
PolicyMessage = policyMessage,
Tenant,
ipAddress,
CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
status: Available
customDetails:
ObjectType: ObjectType
PolicyMessage: PolicyMessage
SourceIP: ipAddress
Action: Action
ObjectId: ObjectId