Microsoft Sentinel Analytic Rules

BTP - Cloud Integration JDBC data source changes

Id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
Rulename: BTP - Cloud Integration JDBC data source changes
Description: Identifies deployment and undeployment of JDBC data source configurations in SAP Cloud Integration.
JDBC data sources contain database connection credentials and configuration that enable integration flows to access backend databases.

Unauthorized JDBC data source manipulation could indicate:
- Attacker adding rogue database connections for data exfiltration
- Credential theft by accessing stored database passwords
- Modification of connection strings to redirect traffic to attacker-controlled systems
Severity: High
Tactics: CredentialAccess, LateralMovement
Techniques: T1552, T1021
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration JDBC data source changes.yaml
Version: 1.0.0
Arm template: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e.json
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId)
| where objectType == "Data Source"
| where action in ("PasswordStore", "PasswordDelete")
| extend normalizedAction = case(
    action == "PasswordStore", "deployed",
    action == "PasswordDelete", "undeployed",
    action
)
| extend MessageText = strcat("JDBC data source '", objectId, "' was ", normalizedAction)
| project
    UpdatedOn,
    UserName,
    MessageText,
    DataSourceName = objectId,
    Action = action,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
customDetails:
  DataSourceName: DataSourceName
  SourceIP: ipAddress
  Action: Action
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
name: BTP - Cloud Integration JDBC data source changes
queryPeriod: 15m
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration JDBC data source changes.yaml
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
relevantTechniques:
- T1552
- T1021
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ipAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: CloudApp
severity: High
query: |
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId)
  | where objectType == "Data Source"
  | where action in ("PasswordStore", "PasswordDelete")
  | extend normalizedAction = case(
      action == "PasswordStore", "deployed",
      action == "PasswordDelete", "undeployed",
      action
  )
  | extend MessageText = strcat("JDBC data source '", objectId, "' was ", normalizedAction)
  | project
      UpdatedOn,
      UserName,
      MessageText,
      DataSourceName = objectId,
      Action = action,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
triggerThreshold: 0
triggerOperator: gt
tactics:
- CredentialAccess
- LateralMovement
status: Available
queryFrequency: 15m
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    JDBC data sources contain database connection credentials. Changes to these configurations
    should be carefully reviewed.

    This could indicate:
    - Legitimate database configuration management
    - Unauthorized database connection configuration
    - Attacker establishing lateral movement paths to backend systems
description: |
  Identifies deployment and undeployment of JDBC data source configurations in SAP Cloud Integration.
  JDBC data sources contain database connection credentials and configuration that enable
  integration flows to access backend databases.

  Unauthorized JDBC data source manipulation could indicate:
  - Attacker adding rogue database connections for data exfiltration
  - Credential theft by accessing stored database passwords
  - Modification of connection strings to redirect traffic to attacker-controlled systems