BTP - Cloud Integration JDBC data source changes

SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId)
| where objectType == "Data Source"
| where action in ("PasswordStore", "PasswordDelete")
| extend normalizedAction = case(
    action == "PasswordStore", "deployed",
    action == "PasswordDelete", "undeployed",
    action
)
| extend MessageText = strcat("JDBC data source '", objectId, "' was ", normalizedAction)
| project
    UpdatedOn,
    UserName,
    MessageText,
    DataSourceName = objectId,
    Action = action,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

relevantTechniques:
- T1552
- T1021
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ipAddress
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudApp
    identifier: Name
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
severity: High
kind: Scheduled
queryFrequency: 15m
description: |
  Identifies deployment and undeployment of JDBC data source configurations in SAP Cloud Integration.
  JDBC data sources contain database connection credentials and configuration that enable
  integration flows to access backend databases.

  Unauthorized JDBC data source manipulation could indicate:
  - Attacker adding rogue database connections for data exfiltration
  - Credential theft by accessing stored database passwords
  - Modification of connection strings to redirect traffic to attacker-controlled systems  
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
triggerOperator: gt
name: BTP - Cloud Integration JDBC data source changes
tactics:
- CredentialAccess
- LateralMovement
alertDetailsOverride:
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    JDBC data sources contain database connection credentials. Changes to these configurations
    should be carefully reviewed.

    This could indicate:
    - Legitimate database configuration management
    - Unauthorized database connection configuration
    - Attacker establishing lateral movement paths to backend systems    
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration JDBC data source changes.yaml
triggerThreshold: 0
queryPeriod: 15m
query: |
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId)
  | where objectType == "Data Source"
  | where action in ("PasswordStore", "PasswordDelete")
  | extend normalizedAction = case(
      action == "PasswordStore", "deployed",
      action == "PasswordDelete", "undeployed",
      action
  )
  | extend MessageText = strcat("JDBC data source '", objectId, "' was ", normalizedAction)
  | project
      UpdatedOn,
      UserName,
      MessageText,
      DataSourceName = objectId,
      Action = action,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
status: Available
customDetails:
  DataSourceName: DataSourceName
  Action: Action
  SourceIP: ipAddress