Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BTP - Cloud Integration package import or transport

BTP - Cloud Integration package import or transport

Back
Idc3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
RulenameBTP - Cloud Integration package import or transport
DescriptionIdentifies import and transport operations for integration packages and artifacts in

SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other

artifacts that can be imported from external sources or transported between tenants.



Unauthorized package operations could indicate:

- Supply chain attack through malicious package import

- Lateral movement between environments via artifact transport

- Introduction of backdoors or rogue integration logic
SeverityMedium
TacticsInitialAccess
Persistence
TechniquesT1195
T1546
Required data connectorsSAPBTPAuditEvents
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
Version1.0.0
Arm templatec3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f.json
Deploy To Azure
let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId)
| where action in (packageActions)
| extend operationType = case(
    action contains "Import", "Import",
    action contains "Transport", "Transport",
    "Unknown"
),
operationStatus = case(
    action endswith "Started", "Started",
    action endswith "Completed", "Completed",
    "Unknown"
)
| extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
| project
    UpdatedOn,
    UserName,
    MessageText,
    ObjectType = objectType,
    ObjectId = objectId,
    Action = action,
    OperationType = operationType,
    OperationStatus = operationStatus,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

requiredDataConnectors:
- dataTypes:
  - SAPBTPAuditLog_CL
  connectorId: SAPBTPAuditEvents
queryPeriod: 15m
triggerThreshold: 0
queryFrequency: 15m
version: 1.0.0
status: Available
severity: Medium
description: |
  Identifies import and transport operations for integration packages and artifacts in
  SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other
  artifacts that can be imported from external sources or transported between tenants.

  Unauthorized package operations could indicate:
  - Supply chain attack through malicious package import
  - Lateral movement between environments via artifact transport
  - Introduction of backdoors or rogue integration logic  
customDetails:
  ObjectType: ObjectType
  SourceIP: ipAddress
  OperationStatus: OperationStatus
  Action: Action
  OperationType: OperationType
  ObjectId: ObjectId
name: BTP - Cloud Integration package import or transport
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ipAddress
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: CloudApp
  entityType: CloudApplication
triggerOperator: gt
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
eventGroupingSettings:
  aggregationKind: SingleAlert
tactics:
- InitialAccess
- Persistence
relevantTechniques:
- T1195
- T1546
kind: Scheduled
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    This could indicate:
    - Legitimate package management and deployment
    - Import of malicious integration content from untrusted sources
    - Unauthorized transport of artifacts between environments    
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
query: |
  let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId)
  | where action in (packageActions)
  | extend operationType = case(
      action contains "Import", "Import",
      action contains "Transport", "Transport",
      "Unknown"
  ),
  operationStatus = case(
      action endswith "Started", "Started",
      action endswith "Completed", "Completed",
      "Unknown"
  )
  | extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ObjectType = objectType,
      ObjectId = objectId,
      Action = action,
      OperationType = operationType,
      OperationStatus = operationStatus,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]