BTP - Cloud Integration package import or transport
| Id | c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f |
| Rulename | BTP - Cloud Integration package import or transport |
| Description | Identifies import and transport operations for integration packages and artifacts in SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other artifacts that can be imported from external sources or transported between tenants. Unauthorized package operations could indicate: supply chain attack through malicious package import; lateral movement between environments via artifact transport; introduction of backdoors or rogue integration logic. |
| Severity | Medium |
| Tactics | InitialAccess Persistence |
| Techniques | T1195 T1546 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml |
| Version | 1.0.0 |
| Arm template | c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f.json |
```kusto
let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
    ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
    objectType = tostring(parsedData.objectType),
    objectId = tostring(parsedData.objectId)
| where action in (packageActions)
| extend operationType = case(
        action contains "Import", "Import",
        action contains "Transport", "Transport",
        "Unknown"
    ),
    operationStatus = case(
        action endswith "Started", "Started",
        action endswith "Completed", "Completed",
        "Unknown"
    )
| extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
| project
    UpdatedOn,
    UserName,
    MessageText,
    ObjectType = objectType,
    ObjectId = objectId,
    Action = action,
    OperationType = operationType,
    OperationStatus = operationStatus,
    Tenant,
    ipAddress,
    CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
```
```yaml
status: Available
relevantTechniques:
  - T1195
  - T1546
triggerThreshold: 0
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
queryPeriod: 15m
query: |
  let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
  SAPBTPAuditLog_CL
  | where Category == "audit.security-events"
  | extend data_s = tostring(Message.data),
      ipAddress = tostring(Message.ip)
  | extend parsedData = parse_json(data_s)
  | extend action = tostring(parsedData.action),
      objectType = tostring(parsedData.objectType),
      objectId = tostring(parsedData.objectId)
  | where action in (packageActions)
  | extend operationType = case(
          action contains "Import", "Import",
          action contains "Transport", "Transport",
          "Unknown"
      ),
      operationStatus = case(
          action endswith "Started", "Started",
          action endswith "Completed", "Completed",
          "Unknown"
      )
  | extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
  | project
      UpdatedOn,
      UserName,
      MessageText,
      ObjectType = objectType,
      ObjectId = objectId,
      Action = action,
      OperationType = operationType,
      OperationStatus = operationStatus,
      Tenant,
      ipAddress,
      CloudApp = "SAP Cloud Integration"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
entityMappings:
  - fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix
    entityType: Account
  - fieldMappings:
      - columnName: ipAddress
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: CloudApp
        identifier: Name
    entityType: CloudApplication
customDetails:
  OperationType: OperationType
  ObjectId: ObjectId
  ObjectType: ObjectType
  OperationStatus: OperationStatus
  SourceIP: ipAddress
  Action: Action
name: BTP - Cloud Integration package import or transport
kind: Scheduled
description: |
  Identifies import and transport operations for integration packages and artifacts in
  SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other
  artifacts that can be imported from external sources or transported between tenants.
  Unauthorized package operations could indicate:
  - Supply chain attack through malicious package import
  - Lateral movement between environments via artifact transport
  - Introduction of backdoors or rogue integration logic
tactics:
  - InitialAccess
  - Persistence
version: 1.0.0
alertDetailsOverride:
  alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
  alertDescriptionFormat: |
    {{MessageText}} by {{UserName}} from IP {{ipAddress}}.
    This could indicate:
    - Legitimate package management and deployment
    - Import of malicious integration content from untrusted sources
    - Unauthorized transport of artifacts between environments
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
queryFrequency: 15m
requiredDataConnectors:
  - connectorId: SAPBTPAuditEvents
    dataTypes:
      - SAPBTPAuditLog_CL
```
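To see what the rule's filter and projection logic yields on concrete events, here is an added Python model of the KQL above (not part of the Sentinel solution) run over constructed SAPBTPAuditLog_CL-shaped records; the record shape, user names, tenant and IP values are assumptions made for the sample, and the model mirrors the query's case-insensitive `contains`/`endswith` and the null `UPNSuffix` a user name without "@" produces.

```python
import json
# Same action list as the rule's packageActions.
PACKAGE_ACTIONS = {
    "Package_Import_Started", "Package_Import_Completed",
    "Package_Transport_Started", "Package_Transport_Completed",
    "Artifact_Transport_Started", "Artifact_Transport_Completed",
}

def evaluate(record):
    """Mirror the rule's where/extend/project for one SAPBTPAuditLog_CL row; None if the row is dropped."""
    if record.get("Category") != "audit.security-events":
        return None
    message = record.get("Message") or {}
    data = json.loads(str(message.get("data", "{}")))  # parse_json(tostring(Message.data))
    action = str(data.get("action", ""))
    if action not in PACKAGE_ACTIONS:
        return None
    a = action.lower()  # KQL contains/endswith are case-insensitive
    op_type = "Import" if "import" in a else "Transport" if "transport" in a else "Unknown"
    op_status = "Started" if a.endswith("started") else "Completed" if a.endswith("completed") else "Unknown"
    obj_type, obj_id = str(data.get("objectType", "")), str(data.get("objectId", ""))
    user = str(record.get("UserName", ""))
    parts = user.split("@")
    return {
        "UpdatedOn": record.get("UpdatedOn"), "UserName": user,
        "MessageText": f"{obj_type} '{obj_id}' {op_type.lower()} {op_status.lower()}",
        "ObjectType": obj_type, "ObjectId": obj_id, "Action": action,
        "OperationType": op_type, "OperationStatus": op_status,
        "Tenant": record.get("Tenant"), "ipAddress": message.get("ip"),
        "CloudApp": "SAP Cloud Integration",
        "AccountName": parts[0],
        "UPNSuffix": parts[1] if len(parts) > 1 else None,  # KQL split()[1] is null without "@"
    }

def run(records):
    return [row for row in map(evaluate, records) if row is not None]  # any row fires (threshold gt 0)

def audit_event(user, action, obj_type, obj_id, ip="203.0.113.10", category="audit.security-events"):
    """Build a constructed SAPBTPAuditLog_CL-shaped record (sample data, not from a real tenant)."""
    payload = json.dumps({"action": action, "objectType": obj_type, "objectId": obj_id})
    return {"UpdatedOn": "2024-05-01T09:30:00Z", "UserName": user, "Tenant": "cpi-dev",
            "Category": category, "Message": {"ip": ip, "data": payload}}

SAMPLE_RECORDS = [
    audit_event("alice@example.com", "Package_Import_Completed", "Package", "OrderSync"),
    audit_event("svc-transport", "Artifact_Transport_Started", "IntegrationFlow", "Order_to_ERP"),
    audit_event("bob@example.com", "Package_Edit_Completed", "Package", "OrderSync"),  # not a listed action
    audit_event("carol@example.com", "Package_Import_Started", "Package", "X", category="audit.data-access"),
]
```

`run(SAMPLE_RECORDS)` returns only the first two records as alert rows; the edit event and the event from a different audit category are dropped exactly as the KQL `where` clauses drop them.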