BTP - Cloud Integration package import or transport
| Id | c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f |
| Rulename | BTP - Cloud Integration package import or transport |
| Description | Identifies import and transport operations for integration packages and artifacts in SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other artifacts that can be imported from external sources or transported between tenants. Unauthorized package operations could indicate: (1) a supply chain attack through malicious package import; (2) lateral movement between environments via artifact transport; (3) introduction of backdoors or rogue integration logic. Note that the rule fires on every matching operation (trigger threshold 0), so routine deployments will also alert; triage against change records and the initiating account and source IP. |
| Severity | Medium |
| Tactics | InitialAccess, Persistence |
| Techniques | T1195, T1546 |
| Required data connectors | SAPBTPAuditEvents |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 15m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml |
| Version | 1.0.0 |
| Arm template | c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f.json |
// Detection query: SAP Cloud Integration package / artifact import and transport
// events taken from the BTP audit log table (SAPBTPAuditLog_CL).
// Each operation normally produces two matching rows (a *_Started and a *_Completed
// event), so a single import or transport can surface twice; both are kept on purpose
// so that an operation that starts but never completes is still visible.
// NOTE(review): `in` is an exact, case-sensitive match, so these action names are
// assumed to equal the values emitted by SAP Cloud Integration — confirm against live events.
let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
SAPBTPAuditLog_CL
// Restrict to the security-events audit category; the rule assumes the package and
// transport events are logged under this category (anything else is never matched).
| where Category == "audit.security-events"
// `Message` is a dynamic payload: `data` carries the event details as a JSON string
// (parsed below) and `ip` is presumably the caller's source address.
| extend data_s = tostring(Message.data),
ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
objectType = tostring(parsedData.objectType),
objectId = tostring(parsedData.objectId)
// Keep only the six package / artifact lifecycle actions listed above.
| where action in (packageActions)
// Derive operation type and status from the action name. The "Unknown" fallbacks are
// unreachable after the filter above but keep each case() total.
| extend operationType = case(
action contains "Import", "Import",
action contains "Transport", "Transport",
"Unknown"
),
operationStatus = case(
action endswith "Started", "Started",
action endswith "Completed", "Completed",
"Unknown"
)
// Human-readable summary; used as the alert display name via alertDetailsOverride.
// objectType / objectId may be empty strings if the payload lacks them.
| extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
// UpdatedOn is kept as the event time for the alert (presumably the audit event
// timestamp rather than TimeGenerated — confirm against the connector schema).
// NOTE(review): the rule runs with queryPeriod == queryFrequency (15m), so rows
// ingested late can fall outside every window; a longer lookback combined with an
// ingestion_time() filter would close that gap without duplicating alerts.
| project
UpdatedOn,
UserName,
MessageText,
ObjectType = objectType,
ObjectId = objectId,
Action = action,
OperationType = operationType,
OperationStatus = operationStatus,
Tenant,
ipAddress,
CloudApp = "SAP Cloud Integration"
// Split the UPN for the Account entity mapping. A technical or service user without
// an "@" yields an empty UPNSuffix. NOTE(review): split()[n] returns dynamic — wrap in
// tostring() if the entity mapping requires string columns.
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
# Microsoft Sentinel scheduled analytics rule for SAP BTP / Cloud Integration.
# Alerts on package and artifact import/transport audit events (see `query` below).
severity: Medium
triggerOperator: gt
relevantTechniques:
- T1195
- T1546
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
# Columns surfaced on the alert for triage; all are produced by the `project` stage of the query.
customDetails:
Action: Action
OperationType: OperationType
ObjectType: ObjectType
OperationStatus: OperationStatus
SourceIP: ipAddress
ObjectId: ObjectId
# Account is built from the UPN split in the last line of the query; a user name
# without "@" (e.g. a technical user) maps with an empty UPNSuffix.
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: ipAddress
entityType: IP
- fieldMappings:
- identifier: Name
columnName: CloudApp
entityType: CloudApplication
kind: Scheduled
status: Available
tactics:
- InitialAccess
- Persistence
queryFrequency: 15m
# One alert per run containing every matching row, so the *_Started and *_Completed
# events of a single operation land in the same alert when they fall in one window.
eventGroupingSettings:
aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
dataTypes:
- SAPBTPAuditLog_CL
# NOTE(review): lookback equals queryFrequency, so there is no overlap to absorb
# ingestion latency; late-arriving rows are never evaluated. Consider a longer
# queryPeriod paired with an ingestion_time() filter in the query.
queryPeriod: 15m
version: 1.0.0
description: |
Identifies import and transport operations for integration packages and artifacts in
SAP Cloud Integration. Packages contain integration flows, mappings, scripts, and other
artifacts that can be imported from external sources or transported between tenants.
Unauthorized package operations could indicate:
- Supply chain attack through malicious package import
- Lateral movement between environments via artifact transport
- Introduction of backdoors or rogue integration logic
# Placeholders below must be columns emitted by the query (MessageText, UserName, ipAddress).
alertDetailsOverride:
alertDisplayNameFormat: 'SAP Cloud Integration: {{MessageText}}'
alertDescriptionFormat: |
{{MessageText}} by {{UserName}} from IP {{ipAddress}}.
This could indicate:
- Legitimate package management and deployment
- Import of malicious integration content from untrusted sources
- Unauthorized transport of artifacts between environments
# Threshold 0 with operator gt: any matching row raises an alert.
triggerThreshold: 0
query: |
let packageActions = dynamic(["Package_Import_Started", "Package_Import_Completed", "Package_Transport_Started", "Package_Transport_Completed", "Artifact_Transport_Started", "Artifact_Transport_Completed"]);
SAPBTPAuditLog_CL
| where Category == "audit.security-events"
| extend data_s = tostring(Message.data),
ipAddress = tostring(Message.ip)
| extend parsedData = parse_json(data_s)
| extend action = tostring(parsedData.action),
objectType = tostring(parsedData.objectType),
objectId = tostring(parsedData.objectId)
| where action in (packageActions)
| extend operationType = case(
action contains "Import", "Import",
action contains "Transport", "Transport",
"Unknown"
),
operationStatus = case(
action endswith "Started", "Started",
action endswith "Completed", "Completed",
"Unknown"
)
| extend MessageText = strcat(objectType, " '", objectId, "' ", tolower(operationType), " ", tolower(operationStatus))
| project
UpdatedOn,
UserName,
MessageText,
ObjectType = objectType,
ObjectId = objectId,
Action = action,
OperationType = operationType,
OperationStatus = operationStatus,
Tenant,
ipAddress,
CloudApp = "SAP Cloud Integration"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
name: BTP - Cloud Integration package import or transport