BTP - Mass user deletion in SAP Cloud Identity Service
| Id | a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c |
| Rulename | BTP - Mass user deletion in SAP Cloud Identity Service |
| Description | Identifies mass user deletion activity in SAP Cloud Identity Service where the amount of deleted users exceeds a predefined threshold. |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1531 T1485 T1489 T0813 T0826 T0827 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in Cloud Identity Service.yaml |
| Version | 3.0.0 |
| Arm template | a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c.json |
// Detection: one identity (UserName) deleting more than `bulk_delete_threshold`
// distinct targets within a single query window (the rule runs hourly over a
// 1h period, so deletions spread across windows are not aggregated together).
// Changing the threshold here is the only tuning knob; the rule's own
// triggerThreshold is 0 / gt, i.e. it fires on any row this query returns.
let bulk_delete_threshold = 10;
SAPBTPAuditLog_CL
// The audit payload is stringified so that attributes can be pulled out with
// regex. The three extracts below assume the payload carries key="value"
// pairs (action="...", objectType="...", serviceProviderName="..."); confirm
// against a sample event, since a format change silently yields empty matches.
| extend data_s = tostring(Message.data)
| extend action = extract(@"action=""([^""]+)""", 1, data_s),
objectType = extract(@"objectType=""([^""]+)""", 1, data_s),
// NOTE(review): the column is named impactedUser but is populated from the
// serviceProviderName attribute — verify this attribute identifies the deleted
// subject for delete/authorization events rather than the application.
impactedUser = extract(@"serviceProviderName=""([^""]+)""", 1, data_s)
| where action == "delete"
// NOTE(review): the description speaks of user deletion, but the filter keeps
// objectType "authorization"; confirm this is the objectType SCI emits for the
// events this rule is meant to catch.
| where objectType == "authorization"
// Rows where the regex found no target are dropped so they cannot inflate the set.
| where isnotempty(impactedUser)
| summarize
Start = min(UpdatedOn),
End = max(UpdatedOn),
// DeleteCount counts delete events; the threshold below compares distinct
// targets (set length), so the two can legitimately differ.
DeleteCount = count(),
// make_set is capped at 100 elements, so array_length(DeletedUsers) never
// exceeds 100: a bulk_delete_threshold of 100 or more would never fire.
DeletedUsers = make_set(impactedUser, 100)
by UserName, Tenant, SpaceId
| where array_length(DeletedUsers) > bulk_delete_threshold
| project Start, End, UserName, DeletedUsers, DeleteCount, Tenant, SpaceId, CloudApp = "SAP BTP"
// Split the actor into the Account entity fields used by the rule's entity
// mappings; a UserName without "@" leaves UPNSuffix empty.
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
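# Microsoft Sentinel scheduled analytic rule (SAP BTP solution).
# Indentation restored: nested list/map entries and the `query: |` block scalar
# must be indented under their parent keys for the document to parse.
tactics:
  - Impact
severity: Medium
# Map the query's AccountName/UPNSuffix columns onto an Account entity and the
# constant CloudApp column onto a CloudApplication entity.
entityMappings:
  - fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix
    entityType: Account
  - fieldMappings:
      - columnName: CloudApp
        identifier: Name
    entityType: CloudApplication
description: Identifies mass user deletion activity in SAP Cloud Identity Service where the amount of deleted users exceeds a predefined threshold.
version: 3.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in Cloud Identity Service.yaml
requiredDataConnectors:
  - dataTypes:
      - SAPBTPAuditLog_CL
    connectorId: SAPBTPAuditEvents
name: BTP - Mass user deletion in SAP Cloud Identity Service
query: |
  // Detection: one identity (UserName) deleting more than `bulk_delete_threshold`
  // distinct targets within a single query window (hourly run over a 1h period,
  // so deletions spread across windows are not aggregated together).
  // This is the only tuning knob; triggerThreshold below is 0 / gt, i.e. the
  // rule fires on any row this query returns.
  let bulk_delete_threshold = 10;
  SAPBTPAuditLog_CL
  // The audit payload is stringified so attributes can be pulled out with
  // regex. The extracts assume key="value" pairs (action, objectType,
  // serviceProviderName); confirm against a sample event, since a format
  // change silently yields empty matches.
  | extend data_s = tostring(Message.data)
  | extend action = extract(@"action=""([^""]+)""", 1, data_s),
      objectType = extract(@"objectType=""([^""]+)""", 1, data_s),
      // NOTE(review): named impactedUser but populated from serviceProviderName —
      // verify this attribute identifies the deleted subject for these events.
      impactedUser = extract(@"serviceProviderName=""([^""]+)""", 1, data_s)
  | where action == "delete"
  // NOTE(review): the description speaks of user deletion, but the filter keeps
  // objectType "authorization"; confirm this is the objectType SCI emits.
  | where objectType == "authorization"
  // Rows where the regex found no target are dropped so they cannot inflate the set.
  | where isnotempty(impactedUser)
  | summarize
      Start = min(UpdatedOn),
      End = max(UpdatedOn),
      // DeleteCount counts events; the threshold compares distinct targets.
      DeleteCount = count(),
      // make_set is capped at 100 elements, so array_length(DeletedUsers) never
      // exceeds 100: a bulk_delete_threshold of 100 or more would never fire.
      DeletedUsers = make_set(impactedUser, 100)
      by UserName, Tenant, SpaceId
  | where array_length(DeletedUsers) > bulk_delete_threshold
  | project Start, End, UserName, DeletedUsers, DeleteCount, Tenant, SpaceId, CloudApp = "SAP BTP"
  // Split the actor into the Account entity fields; a UserName without "@"
  // leaves UPNSuffix empty.
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
id: a3b8e7c4-5f2d-4a1e-9c6b-8d7f3e2a1b0c
# T1531/T1485/T1489 are Enterprise ATT&CK techniques; T0813/T0826/T0827 are
# ATT&CK for ICS identifiers — confirm the ICS mapping is intended for a
# cloud identity service rule.
relevantTechniques:
  - T1531
  - T1485
  - T1489
  - T0813
  - T0826
  - T0827
queryFrequency: 1h
queryPeriod: 1h
# SingleAlert: one alert per run covering every matching row, regardless of
# how many actor/tenant/space groups exceeded the threshold.
eventGroupingSettings:
  aggregationKind: SingleAlert
# The real threshold lives in the query (bulk_delete_threshold); any returned row triggers.
triggerThreshold: 0
status: Available
kind: Scheduled
triggerOperator: gt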