BTP - Cloud Integration access policy tampering
| Id | 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b |
| Rulename | BTP - Cloud Integration access policy tampering |
| Description | Identifies changes to access policies in SAP Cloud Integration. Access policies control authorization for integration artifacts, defining which users and roles can access specific integration flows and related content. Unauthorized access policy manipulation could indicate: - Attacker granting themselves access to sensitive integration artifacts - Removal of security controls to enable further malicious activity - Defense evasion by modifying artifact references to hide unauthorized access |
| Severity | High |
| Tactics | DefenseEvasion PrivilegeEscalation |
| Techniques | T1548 T1222 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml |
| Version | 1.0.0 |
| Arm template | 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b.json |
let accessPolicyTypes = dynamic(["Access Policy", "Artifact Reference"]);
let monitoredActions = dynamic(["Create", "Change", "Delete"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
objectType = tostring(parsedData.objectType),
objectId = tostring(parsedData.objectId),
policyMessage = tostring(parsedData.attributes.message)
| where objectType in (accessPolicyTypes)
| where action in (monitoredActions)
| extend normalizedAction = case(
action == "Create", "created",
action == "Change", "modified",
action == "Delete", "deleted",
action
)
| extend MessageText = case(
objectType == "Access Policy", strcat("Access policy '", objectId, "' was ", normalizedAction),
objectType == "Artifact Reference", strcat("Artifact reference '", objectId, "' was ", normalizedAction),
strcat(objectType, " '", objectId, "' was ", normalizedAction)
)
| project
UpdatedOn,
UserName,
MessageText,
ObjectType = objectType,
ObjectId = objectId,
Action = action,
PolicyMessage = policyMessage,
Tenant,
ipAddress,
CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
id: 9e6f4b2c-0d3e-5a8f-c9b7-2f5d8a1e4c6b
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: ipAddress
entityType: IP
- fieldMappings:
- identifier: Name
columnName: CloudApp
entityType: CloudApplication
eventGroupingSettings:
aggregationKind: SingleAlert
requiredDataConnectors:
- dataTypes:
- SAPBTPAuditLog_CL
connectorId: SAPBTPAuditEvents
queryFrequency: 15m
alertDetailsOverride:
alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
alertDescriptionFormat: |
{{MessageText}} by {{UserName}} from IP {{ipAddress}}.
This could indicate:
- Legitimate access policy administration
- Unauthorized privilege escalation attempt
- Attacker modifying security controls to access sensitive integrations
queryPeriod: 15m
status: Available
query: |
let accessPolicyTypes = dynamic(["Access Policy", "Artifact Reference"]);
let monitoredActions = dynamic(["Create", "Change", "Delete"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
objectType = tostring(parsedData.objectType),
objectId = tostring(parsedData.objectId),
policyMessage = tostring(parsedData.attributes.message)
| where objectType in (accessPolicyTypes)
| where action in (monitoredActions)
| extend normalizedAction = case(
action == "Create", "created",
action == "Change", "modified",
action == "Delete", "deleted",
action
)
| extend MessageText = case(
objectType == "Access Policy", strcat("Access policy '", objectId, "' was ", normalizedAction),
objectType == "Artifact Reference", strcat("Artifact reference '", objectId, "' was ", normalizedAction),
strcat(objectType, " '", objectId, "' was ", normalizedAction)
)
| project
UpdatedOn,
UserName,
MessageText,
ObjectType = objectType,
ObjectId = objectId,
Action = action,
PolicyMessage = policyMessage,
Tenant,
ipAddress,
CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
name: BTP - Cloud Integration access policy tampering
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml
tactics:
- DefenseEvasion
- PrivilegeEscalation
severity: High
relevantTechniques:
- T1548
- T1222
triggerThreshold: 0
version: 1.0.0
description: |
Identifies changes to access policies in SAP Cloud Integration. Access policies control
authorization for integration artifacts, defining which users and roles can access specific
integration flows and related content.
Unauthorized access policy manipulation could indicate:
- Attacker granting themselves access to sensitive integration artifacts
- Removal of security controls to enable further malicious activity
- Defense evasion by modifying artifact references to hide unauthorized access
customDetails:
ObjectId: ObjectId
ObjectType: ObjectType
SourceIP: ipAddress
PolicyMessage: PolicyMessage
Action: Action