Microsoft Sentinel Analytic Rules

BTP - Cloud Integration package import or transport

Id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
Rule name: BTP - Cloud Integration package import or transport
Description: Identifies import and transport operations for integration packages and artifacts in

SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other

artifacts that can be imported from external sources or transported between tenants.



Unauthorized package operations could indicate:

- Supply chain attack through malicious package import

- Lateral movement between environments via artifact transport

- Introduction of backdoors or rogue integration logic
Severity: Medium
Tactics: InitialAccess, Persistence
Techniques: T1195, T1546
Required data connectors: SAPBTPAuditEvents
Kind: Scheduled
Query frequency: 15m
Query period: 15m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
Version: 1.0.0
ARM template: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f.json
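// Surfaces every SAP Cloud Integration package/artifact import or transport
// recorded in the BTP audit log. The rule fires on any single match
// (threshold 0, operator gt), so expect one alert per query window that
// contains such activity; legitimate CI/CD deployments will show up too and
// must be triaged by UserName / ipAddress.
// Action values the rule keys on. Both the "Started" and "Completed" events of
// one operation match, so a single operation can produce two rows.
let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
SAPBTPAuditLog_CL
// NOTE(review): confirm these actions are emitted under this category in the
// connector's data; a different category silently yields zero results.
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
// Message.data is carried as a JSON string; re-parse it to reach the fields.
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId)
| where action in (packageActions)
// Derive operation type and phase from the action name (contains/endswith
// are case-insensitive in KQL).
| extend operationType = case(
    action contains "Import", "Import",
    action contains "Transport", "Transport",
    "Unknown"
),
operationStatus = case(
    action endswith "Started", "Started",
    action endswith "Completed", "Completed",
    "Unknown"
)
| extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
| project
    UpdatedOn,
    UserName,
    MessageText,
    ObjectType = objectType,
    ObjectId = objectId,
    Action = action,
    OperationType = operationType,
    OperationStatus = operationStatus,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
// Account entity columns: split() returns dynamic, so wrap in tostring() to
// hand the entity mapping plain strings. A UserName without "@" (e.g. a
// technical/service user) yields an empty UPNSuffix rather than an error.
| extend AccountName = tostring(split(UserName, "@")[0]),
         UPNSuffix = tostring(split(UserName, "@")[1])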
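# Microsoft Sentinel scheduled analytic rule.
# Surfaces every SAP Cloud Integration package/artifact import or transport seen
# in the BTP audit log. triggerThreshold 0 with operator gt means a single
# matching event raises an alert; if routine CI/CD deployments make this noisy,
# exclude the known deployment identities inside the query rather than raising
# the threshold (a real malicious import is also a single event).
name: BTP - Cloud Integration package import or transport
query: |
  // Action values the rule keys on. Both the "Started" and "Completed" events
  // of one operation match, so a single operation can produce two rows.
  let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
  SAPBTPAuditLog_CL
  // NOTE(review): confirm these actions are emitted under this category in the
  // connector's data; a different category silently yields zero results.
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  // Message.data is carried as a JSON string; re-parse it to reach the fields.
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId)
  | where action in (packageActions)
  // Derive operation type and phase from the action name (contains/endswith
  // are case-insensitive in KQL).
  | extend operationType = case(
      action contains "Import", "Import",
      action contains "Transport", "Transport",
      "Unknown"
  ),
  operationStatus = case(
      action endswith "Started", "Started",
      action endswith "Completed", "Completed",
      "Unknown"
  )
  | extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ObjectType = objectType,
      ObjectId = objectId,
      Action = action,
      OperationType = operationType,
      OperationStatus = operationStatus,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  // Account entity columns: split() returns dynamic, so wrap in tostring() to
  // hand the entity mapping plain strings. A UserName without "@" (e.g. a
  // technical/service user) yields an empty UPNSuffix rather than an error.
  | extend AccountName = tostring(split(UserName, "@")[0]),
           UPNSuffix = tostring(split(UserName, "@")[1])
queryFrequency: 15m
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
alertDetailsOverride:
  # Placeholders reference columns projected by the query above.
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    This could indicate:
    - Legitimate package management and deployment
    - Import of malicious integration content from untrusted sources
    - Unauthorized transport of artifacts between environments
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
status: Available
eventGroupingSettings:
  # All rows returned by one query run are folded into a single alert, so the
  # Started/Completed pair of one operation normally lands in the same alert.
  aggregationKind: SingleAlert
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
description: |
  Identifies import and transport operations for integration packages and artifacts in
  SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other
  artifacts that can be imported from external sources or transported between tenants.

  Unauthorized package operations could indicate:
  - Supply chain attack through malicious package import
  - Lateral movement between environments via artifact transport
  - Introduction of backdoors or rogue integration logic
version: 1.0.0
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
kind: Scheduled
# Extra fields attached to the alert for triage; keys are the labels shown in
# Sentinel, values are query columns.
customDetails:
  ObjectType: ObjectType
  SourceIP: ipAddress
  OperationStatus: OperationStatus
  ObjectId: ObjectId
  OperationType: OperationType
  Action: Action
relevantTechniques:
- T1195
- T1546
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ipAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: CloudApp
severity: Medium
tactics:
- InitialAccess
- Persistence
queryPeriod: 15m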