BTP - Cloud Integration artifact deployment
| Field | Value |
|---|---|
| Id | a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d |
| Rulename | BTP - Cloud Integration artifact deployment |
| Description | Identifies deployment and undeployment of integration artifacts in SAP Cloud Integration. Integration flows are executable code that can process, transform, and route data between systems. Unauthorized artifact deployment could indicate an attacker deploying malicious integration flows for data exfiltration, deployment of rogue code for persistent access, or undeployment of critical integrations causing denial of service. |
| Severity | High |
| Tactics | Execution, Persistence |
| Techniques | T1059, T1546 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml |
| Version | 1.1.0 |
| Arm template | a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d.json |
```kql
SAPBTPAuditLog_CL
| where Category == "audit.configuration"
| extend objectType = tostring(Message.object.type)
| where objectType in ("Deployment", "Undeployment")
| extend attributes = todynamic(Message.attributes)
| mv-apply attr = attributes on (
    summarize
        SymbolicName = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "symbolicName"),
        ArtifactId = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "id"),
        ArtifactVersion = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "version"),
        DeployedBy = take_anyif(tostring(attr.["new"]), tostring(attr.name) == "deployedBy"),
        UndeployedBy = take_anyif(tostring(attr.["new"]), tostring(attr.name) == "undeployedBy"),
        Creator = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "creator"),
        TenantName = take_anyif(tostring(attr.["new"]), tostring(attr.name) == "tenantName"),
        RuntimeLocationId = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "runtimeLocationId")
)
| extend Actor = case(
    isnotempty(DeployedBy), DeployedBy,
    isnotempty(UndeployedBy), UndeployedBy,
    isnotempty(Creator), Creator,
    ""
)
| extend ActionCategory = iff(objectType == "Deployment", "Deploy", "Undeploy"),
    normalizedAction = iff(objectType == "Deployment", "deployed", "undeployed")
| extend MessageText = strcat("Integration artifact '", SymbolicName, "' (version ", ArtifactVersion, ") was ", normalizedAction, " in tenant ", TenantName)
| extend AccountName = iff(Actor has "@", tostring(split(Actor, "@")[0]), ""),
    UPNSuffix = iff(Actor has "@", tostring(split(Actor, "@")[1]), "")
| project
    UpdatedOn,
    Actor,
    AccountName,
    UPNSuffix,
    MessageText,
    ArtifactName = SymbolicName,
    ArtifactId,
    ArtifactVersion,
    ActionCategory,
    ObjectType = objectType,
    TenantName,
    RuntimeLocationId,
    Tenant,
    CloudApp = "SAP Cloud Integration"
```
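To check what the query above actually extracts before tuning it, here is an added Python re-implementation of its projection logic (not part of the Sentinel solution), run over constructed SAPBTPAuditLog_CL-style rows; the artifact names, ids, tenant and user values are placeholders, and the second row carries `attributes` as a JSON string to show why the rule calls `todynamic()`.

```python
import json

# Constructed SAPBTPAuditLog_CL-style rows with placeholder values (not real tenant data).
def attr(name, new=None, old=None):
    return {"name": name, "new": new, "old": old}

SAMPLE_ROWS = [
    {"Category": "audit.configuration", "UpdatedOn": "2024-05-01T10:00:00Z",
     "Message": {"object": {"type": "Deployment"}, "attributes": [
         attr("symbolicName", "OrderSync"), attr("id", "iflow-0001"), attr("version", "1.0.3"),
         attr("deployedBy", "alice@example.com"), attr("tenantName", "prod-tenant"),
         attr("runtimeLocationId", "cloudintegration")]}},
    {"Category": "audit.configuration", "UpdatedOn": "2024-05-01T10:05:00Z",
     "Message": {"object": {"type": "Undeployment"}, "attributes": json.dumps([  # string, hence todynamic()
         attr("symbolicName", old="OrderSync"), attr("id", old="iflow-0001"), attr("version", old="1.0.3"),
         attr("undeployedBy", "svc-ci"), attr("tenantName", "prod-tenant")])}},
    {"Category": "audit.security", "UpdatedOn": "2024-05-01T10:06:00Z",  # wrong category: must not fire
     "Message": {"object": {"type": "Deployment"}, "attributes": []}},
]

# attribute name -> output column; the first group coalesces new/old, the second reads "new" only
NEW_OR_OLD = {"symbolicName": "SymbolicName", "id": "ArtifactId", "version": "ArtifactVersion",
              "creator": "Creator", "runtimeLocationId": "RuntimeLocationId"}
NEW_ONLY = {"deployedBy": "DeployedBy", "undeployedBy": "UndeployedBy", "tenantName": "TenantName"}

def coalesce(*vals):  # KQL coalesce() + tostring(): first non-null value, else ""
    return next((str(v) for v in vals if v is not None), "")

def evaluate(row):  # project one audit event the way the KQL does; None when the rule does not match
    msg = row.get("Message", {})
    obj_type = str(msg.get("object", {}).get("type", ""))
    if row.get("Category") != "audit.configuration" or obj_type not in ("Deployment", "Undeployment"):
        return None
    raw = msg.get("attributes", [])
    attrs = json.loads(raw) if isinstance(raw, str) else raw  # todynamic(Message.attributes)
    f = dict.fromkeys(list(NEW_OR_OLD.values()) + list(NEW_ONLY.values()), "")
    for a in attrs:  # mv-apply ... summarize take_anyif(): keep the first value seen per attribute
        n = a.get("name")
        if n in NEW_OR_OLD and not f[NEW_OR_OLD[n]]:
            f[NEW_OR_OLD[n]] = coalesce(a.get("new"), a.get("old"))
        elif n in NEW_ONLY and not f[NEW_ONLY[n]]:
            f[NEW_ONLY[n]] = coalesce(a.get("new"))
    actor = f["DeployedBy"] or f["UndeployedBy"] or f["Creator"]  # case() precedence for Actor
    name, _, suffix = actor.partition("@") if "@" in actor else ("", "", "")  # AccountName / UPNSuffix
    deploy = obj_type == "Deployment"
    return {"UpdatedOn": row.get("UpdatedOn"), "Actor": actor, "AccountName": name, "UPNSuffix": suffix,
            "ArtifactName": f["SymbolicName"], "ArtifactId": f["ArtifactId"], "ArtifactVersion": f["ArtifactVersion"],
            "ActionCategory": "Deploy" if deploy else "Undeploy", "ObjectType": obj_type,
            "TenantName": f["TenantName"], "RuntimeLocationId": f["RuntimeLocationId"],
            "MessageText": f"Integration artifact '{f['SymbolicName']}' (version {f['ArtifactVersion']}) "
                           f"was {'deployed' if deploy else 'undeployed'} in tenant {f['TenantName']}"}
```

Every row that `evaluate()` returns is one alert row, since the rule fires whenever the result count is greater than 0; a non-UPN actor such as a service user leaves the Account entity mapping empty, which is worth knowing when you triage alerts from automated deployments.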
```yaml
customDetails:
  ActionCategory: ActionCategory
  ArtifactName: ArtifactName
  TenantName: TenantName
  ArtifactId: ArtifactId
  ArtifactVersion: ArtifactVersion
  RuntimeLocationId: RuntimeLocationId
entityMappings:
  - fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix
    entityType: Account
  - fieldMappings:
      - columnName: CloudApp
        identifier: Name
    entityType: CloudApplication
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{Actor}}.
    This could indicate:
    - Legitimate integration artifact deployment or maintenance
    - Unauthorized deployment of malicious integration code
    - Attacker undeploying security-relevant integrations
status: Available
queryFrequency: 15m
tactics:
  - Execution
  - Persistence
triggerThreshold: 0
query: |
  SAPBTPAuditLog_CL
  | where Category == "audit.configuration"
  | extend objectType = tostring(Message.object.type)
  | where objectType in ("Deployment", "Undeployment")
  | extend attributes = todynamic(Message.attributes)
  | mv-apply attr = attributes on (
      summarize
          SymbolicName = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "symbolicName"),
          ArtifactId = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "id"),
          ArtifactVersion = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "version"),
          DeployedBy = take_anyif(tostring(attr.["new"]), tostring(attr.name) == "deployedBy"),
          UndeployedBy = take_anyif(tostring(attr.["new"]), tostring(attr.name) == "undeployedBy"),
          Creator = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "creator"),
          TenantName = take_anyif(tostring(attr.["new"]), tostring(attr.name) == "tenantName"),
          RuntimeLocationId = take_anyif(tostring(coalesce(attr.["new"], attr.["old"])), tostring(attr.name) == "runtimeLocationId")
  )
  | extend Actor = case(
      isnotempty(DeployedBy), DeployedBy,
      isnotempty(UndeployedBy), UndeployedBy,
      isnotempty(Creator), Creator,
      ""
  )
  | extend ActionCategory = iff(objectType == "Deployment", "Deploy", "Undeploy"),
      normalizedAction = iff(objectType == "Deployment", "deployed", "undeployed")
  | extend MessageText = strcat("Integration artifact '", SymbolicName, "' (version ", ArtifactVersion, ") was ", normalizedAction, " in tenant ", TenantName)
  | extend AccountName = iff(Actor has "@", tostring(split(Actor, "@")[0]), ""),
      UPNSuffix = iff(Actor has "@", tostring(split(Actor, "@")[1]), "")
  | project
      UpdatedOn,
      Actor,
      AccountName,
      UPNSuffix,
      MessageText,
      ArtifactName = SymbolicName,
      ArtifactId,
      ArtifactVersion,
      ActionCategory,
      ObjectType = objectType,
      TenantName,
      RuntimeLocationId,
      Tenant,
      CloudApp = "SAP Cloud Integration"
queryPeriod: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml
relevantTechniques:
  - T1059
  - T1546
version: 1.1.0
kind: Scheduled
requiredDataConnectors:
  - dataTypes:
      - SAPBTPAuditLog_CL
    connectorId: SAPBTPAuditEvents
triggerOperator: gt
severity: High
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
eventGroupingSettings:
  aggregationKind: SingleAlert
description: |
  Identifies deployment and undeployment of integration artifacts in SAP Cloud Integration.
  Integration flows are executable code that can process, transform, and route data between
  systems.
  Unauthorized artifact deployment could indicate:
  - Attacker deploying malicious integration flows for data exfiltration
  - Deployment of rogue code for persistent access
  - Undeployment of critical integrations causing denial of service
name: BTP - Cloud Integration artifact deployment
```