Microsoft Sentinel Analytic Rules

BTP - Mass user deletion in SAP Cloud Identity Service

Id: a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c
Rulename: BTP - Mass user deletion in SAP Cloud Identity Service
Description: Identifies mass user deletion activity in SAP Cloud Identity Service where the number of deleted users exceeds a predefined threshold.
Severity: Medium
Tactics: Impact
Techniques: T1531, T1485, T1489, T0813, T0826, T0827
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in Cloud Identity Service.yaml
Version: 3.0.0
Arm template: a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c.json
let bulk_delete_threshold = 10;
SAPBTPAuditLog_CL
| extend data_s = tostring(Message.data)
| extend action = extract(@"action=""([^""]+)""", 1, data_s),
         objectType = extract(@"objectType=""([^""]+)""", 1, data_s),
         impactedUser = extract(@"serviceProviderName=""([^""]+)""", 1, data_s)
| where action == "delete"
| where objectType == "authorization"
| where isnotempty(impactedUser)
| summarize
    Start = min(UpdatedOn),
    End = max(UpdatedOn),
    DeleteCount = count(),
    DeletedUsers = make_set(impactedUser, 100)
    by UserName, Tenant, SpaceId
| where array_length(DeletedUsers) > bulk_delete_threshold
| project Start, End, UserName, DeletedUsers, DeleteCount, Tenant, SpaceId, CloudApp = "SAP BTP"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
queryPeriod: 1h
id: a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c
version: 3.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in Cloud Identity Service.yaml
triggerOperator: gt
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
status: Available
name: BTP - Mass user deletion in SAP Cloud Identity Service
relevantTechniques:
- T1531
- T1485
- T1489
- T0813
- T0826
- T0827
description: Identifies mass user deletion activity in SAP Cloud Identity Service where the number of deleted users exceeds a predefined threshold.
query: |
  let bulk_delete_threshold = 10;
  SAPBTPAuditLog_CL
  | extend data_s = tostring(Message.data)
  | extend action = extract(@"action=""([^""]+)""", 1, data_s),
           objectType = extract(@"objectType=""([^""]+)""", 1, data_s),
           impactedUser = extract(@"serviceProviderName=""([^""]+)""", 1, data_s)
  | where action == "delete"
  | where objectType == "authorization"
  | where isnotempty(impactedUser)
  | summarize
      Start = min(UpdatedOn),
      End = max(UpdatedOn),
      DeleteCount = count(),
      DeletedUsers = make_set(impactedUser, 100)
      by UserName, Tenant, SpaceId
  | where array_length(DeletedUsers) > bulk_delete_threshold
  | project Start, End, UserName, DeletedUsers, DeleteCount, Tenant, SpaceId, CloudApp = "SAP BTP"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
severity: Medium
queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: SingleAlert