BTP - Cloud Integration artifact deployment

Back


Id	a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
Rulename	BTP - Cloud Integration artifact deployment
Description	Identifies deployment and undeployment of integration artifacts in SAP Cloud Integration. Integration flows are executable code that can process, transform, and route data between systems. Unauthorized artifact deployment could indicate: - Attacker deploying malicious integration flows for data exfiltration - Deployment of rogue code for persistent access - Undeployment of critical integrations causing denial of service
Severity	High
Tactics	Execution Persistence
Techniques	T1059 T1546
Required data connectors	SAPBTPAuditEvents
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml
Version	1.0.0
Arm template	a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d.json

KQL

let deploymentActions = dynamic(["Deploy_of_Artifact_Initiated", "Deploy_of_Artifact_Completed", "Undeploy_of_artifact_triggered"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId)
| where action in (deploymentActions)
| extend normalizedAction = case(
    action == "Deploy_of_Artifact_Initiated", "deployment initiated",
    action == "Deploy_of_Artifact_Completed", "deployed",
    action == "Undeploy_of_artifact_triggered", "undeployed",
    action
),
actionCategory = case(
    action startswith "Deploy", "Deploy",
    action startswith "Undeploy", "Undeploy",
    "Unknown"
)
| extend MessageText = strcat(objectType, " '", objectId, "' was ", normalizedAction)
| project
    UpdatedOn,
    UserName,
    MessageText,
    ArtifactType = objectType,
    ArtifactId = objectId,
    Action = action,
    ActionCategory = actionCategory,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

YAML

relevantTechniques:
- T1059
- T1546
queryFrequency: 15m
description: |
  Identifies deployment and undeployment of integration artifacts in SAP Cloud Integration.
  Integration flows are executable code that can process, transform, and route data between
  systems.

  Unauthorized artifact deployment could indicate:
  - Attacker deploying malicious integration flows for data exfiltration
  - Deployment of rogue code for persistent access
  - Undeployment of critical integrations causing denial of service  
triggerThreshold: 0
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
name: BTP - Cloud Integration artifact deployment
queryPeriod: 15m
customDetails:
  Action: Action
  ArtifactId: ArtifactId
  ActionCategory: ActionCategory
  ArtifactType: ArtifactType
  SourceIP: ipAddress
query: |
  let deploymentActions = dynamic(["Deploy_of_Artifact_Initiated", "Deploy_of_Artifact_Completed", "Undeploy_of_artifact_triggered"]);
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId)
  | where action in (deploymentActions)
  | extend normalizedAction = case(
      action == "Deploy_of_Artifact_Initiated", "deployment initiated",
      action == "Deploy_of_Artifact_Completed", "deployed",
      action == "Undeploy_of_artifact_triggered", "undeployed",
      action
  ),
  actionCategory = case(
      action startswith "Deploy", "Deploy",
      action startswith "Undeploy", "Undeploy",
      "Unknown"
  )
  | extend MessageText = strcat(objectType, " '", objectId, "' was ", normalizedAction)
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ArtifactType = objectType,
      ArtifactId = objectId,
      Action = action,
      ActionCategory = actionCategory,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: ipAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    This could indicate:
    - Legitimate integration artifact deployment or maintenance
    - Unauthorized deployment of malicious integration code
    - Attacker undeploying security-relevant integrations    
status: Available
version: 1.0.0
tactics:
- Execution
- Persistence
kind: Scheduled

ARM