Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. BTP - Cloud Integration package import or transport

BTP - Cloud Integration package import or transport

Back
Idc3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
RulenameBTP - Cloud Integration package import or transport
DescriptionIdentifies import and transport operations for integration packages and artifacts in

SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other

artifacts that can be imported from external sources or transported between tenants.



Unauthorized package operations could indicate:

- Supply chain attack through malicious package import

- Lateral movement between environments via artifact transport

- Introduction of backdoors or rogue integration logic
SeverityMedium
TacticsInitialAccess
Persistence
TechniquesT1195
T1546
Required data connectorsSAPBTPAuditEvents
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
Version1.0.0
Arm templatec3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f.json
Deploy To Azure
let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
         ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
         objectType = tostring(parsedData.objectType),
         objectId = tostring(parsedData.objectId)
| where action in (packageActions)
| extend operationType = case(
    action contains "Import", "Import",
    action contains "Transport", "Transport",
    "Unknown"
),
operationStatus = case(
    action endswith "Started", "Started",
    action endswith "Completed", "Completed",
    "Unknown"
)
| extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
| project
    UpdatedOn,
    UserName,
    MessageText,
    ObjectType = objectType,
    ObjectId = objectId,
    Action = action,
    OperationType = operationType,
    OperationStatus = operationStatus,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]

relevantTechniques:
- T1195
- T1546
queryFrequency: 15m
description: |
  Identifies import and transport operations for integration packages and artifacts in
  SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other
  artifacts that can be imported from external sources or transported between tenants.

  Unauthorized package operations could indicate:
  - Supply chain attack through malicious package import
  - Lateral movement between environments via artifact transport
  - Introduction of backdoors or rogue integration logic  
triggerThreshold: 0
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
name: BTP - Cloud Integration package import or transport
queryPeriod: 15m
customDetails:
  OperationType: OperationType
  OperationStatus: OperationStatus
  Action: Action
  ObjectId: ObjectId
  ObjectType: ObjectType
  SourceIP: ipAddress
query: |
  let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
           ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
           objectType = tostring(parsedData.objectType),
           objectId = tostring(parsedData.objectId)
  | where action in (packageActions)
  | extend operationType = case(
      action contains "Import", "Import",
      action contains "Transport", "Transport",
      "Unknown"
  ),
  operationStatus = case(
      action endswith "Started", "Started",
      action endswith "Completed", "Completed",
      "Unknown"
  )
  | extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ObjectType = objectType,
      ObjectId = objectId,
      Action = action,
      OperationType = operationType,
      OperationStatus = operationStatus,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]  
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: ipAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CloudApp
    identifier: Name
  entityType: CloudApplication
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
  dataTypes:
  - SAPBTPAuditLog_CL
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.

    This could indicate:
    - Legitimate package management and deployment
    - Import of malicious integration content from untrusted sources
    - Unauthorized transport of artifacts between environments    
status: Available
version: 1.0.0
tactics:
- InitialAccess
- Persistence
kind: Scheduled