Btp v308

.script/tests/KqlvalidationsTests/CustomTables/SAPBTPAuditLog_CL.json

@@ -0,0 +1,49 @@
+{
+    "Name": "SAPBTPAuditLog_CL",
+    "Properties": [
+        {
+            "name": "TimeGenerated",
+            "type": "datetime"
+        },
+        {
+            "name": "UserName",
+            "type": "string"
+        },
+        {
+            "name": "Message",
+            "type": "dynamic"
+        },
+        {
+            "name": "UpdatedOn",
+            "type": "datetime"
+        },
+        {
+            "name": "SubaccountName",
+            "type": "string"
+        },
+        {
+            "name": "MessageUuid",
+            "type": "string"
+        },
+        {
+            "name": "Tenant",
+            "type": "string"
+        },
+        {
+            "name": "OrgId",
+            "type": "string"
+        },
+        {
+            "name": "SpaceId",
+            "type": "string"
+        },
+        {
+            "name": "AlsServiceId",
+            "type": "string"
+        },
+        {
+            "name": "Category",
+            "type": "string"
+        }
+    ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -152,6 +152,7 @@
   "SailPointIdentityNow",
   "SalesforceServiceCloud",
   "SAP",
+  "SAPBTPAuditEvents",
   "SecurityEvents",
   "SemperisDSP",
   "SenservaPro",

Solutions/SAP BTP/Analytic Rules/BTP - Failed access attempts across multiple BAS subaccounts.yaml

@@ -0,0 +1,47 @@
+id: 74b243a6-3046-48aa-8b03-e43b3c529cc1
+kind: Scheduled
+name: BTP - Failed access attempts across multiple BAS subaccounts
+description: Identifies failed Business Application Studio access attempts over a
+  predefined number of subaccounts.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPBTPAuditEvents
+    dataTypes:
+      - SAPBTPAuditLog_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Reconnaissance
+  - Discovery
+relevantTechniques:
+  - T1595
+  - T1526
+query: |
+  let subaccount_detection_threshold = 3;
+  SAPBTPAuditLog_CL
+  | where Category == "audit.security-events" and Message has "Unauthorized access attempt"
+  | summarize Start=min(UpdatedOn), End=max(UpdatedOn), Tenants = make_set(Tenant, 100) by UserName
+  | where array_length(Tenants) > subaccount_detection_threshold
+  | project Start, End, UserName, Tenants, CloudApp = "SAP BTP"
+  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: CloudApp
+alertDetailsOverride:
+  alertDisplayNameFormat: BTP - Unauthorized access attempt to multiple tenants
+  alertDescriptionFormat: '{{UserName}} attempted, and failed, to log into multiple
+    Business Application Studio dev spaces. Tenants accessed: {{Tenants}}'
+version: 3.0.5

Solutions/SAP BTP/Analytic Rules/BTP - Malware detected in BAS dev space.yaml

@@ -0,0 +1,69 @@
+id: 31997e9a-7447-47f3-8208-4f5d7efe497c
+kind: Scheduled
+name: BTP - Malware detected in BAS dev space
+description: Identifies instances of malware detected using SAP internal malware agent
+  within Business Application Studio dev spaces.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPBTPAuditEvents
+    dataTypes:
+      - SAPBTPAuditLog_CL
+queryFrequency: 15m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - ResourceDevelopment
+  - Execution
+  - Persistence
+relevantTechniques:
+  - T1584
+  - T1072
+  - T0873
+query: |
+  SAPBTPAuditLog_CL
+  | where Message has "malware"
+  | extend MessageData = parse_json(tostring(Message.data))
+  | extend
+      ClusterID = tostring(MessageData.clusterID),
+      WorkspaceID = tostring(MessageData.wsID),
+      Message = tostring(MessageData.message)
+  | parse Message with * 'user: ' User '.The following issues were detected: ' Malware ',' *
+  | extend
+      AccountName = tostring(split(User, '@')[0]),
+      UPNSuffix = tostring(split(User, '@')[1])
+  | project
+      UpdatedOn,
+      ClusterID,
+      WorkspaceID,
+      Message,
+      User,
+      Malware,
+      Tenant,
+      SpaceId,
+      Category,
+      CloudApp = "SAP BTP",
+      AccountName,
+      UPNSuffix
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: CloudApp
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+  - entityType: Malware
+    fieldMappings:
+      - identifier: Name
+        columnName: Malware
+alertDetailsOverride:
+  alertDisplayNameFormat: BTP - Malware detected in Business Apps Studio dev space
+  alertDescriptionFormat: 'Malware was found in the following subaccount: {{Tenant}}'
+version: 3.0.7

Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in a sub account.yaml

@@ -0,0 +1,55 @@
+id: 6f1e58bd-cd95-4dfb-8883-94207f30929a
+kind: Scheduled
+name: BTP - Mass user deletion in a sub account
+description: Identifies user account deletion activity where the amount of deleted
+  users exceeds a predefined threshold.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPBTPAuditEvents
+    dataTypes:
+      - SAPBTPAuditLog_CL
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+  - T1485
+  - T1489
+  - T0813
+  - T0826
+  - T0827
+query: |
+  let bulk_delete_threshold = 10;
+  SAPBTPAuditLog_CL
+  | where isnotnull(Message.object)
+  | where Message.object has "scim user" and Message.object has "DELETE"
+  | mv-expand Attributes = Message.attributes
+  | where isnotempty(Attributes.old)
+  | extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
+  | where isnotempty(DeletedUserName)
+  | summarize
+      Start = min(UpdatedOn),
+      End = max(UpdatedOn),
+      DeletedUsers = make_set(DeletedUserName, 100)
+      by UserName, Tenant, SpaceId
+  | where array_length(DeletedUsers) > bulk_delete_threshold
+  | project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = "SAP BTP"
+  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: CloudApp
+version: 3.0.5

Solutions/SAP BTP/Analytic Rules/BTP - Trust and authorization Identity Provider monitor.yaml

@@ -0,0 +1,74 @@
+id: 62357c23-ecdc-4edc-9349-8338063af1ef
+kind: Scheduled
+name: BTP - Trust and authorization Identity Provider monitor
+description: Identifies CRUD operations on Identity Provider settings within a sub
+  account.
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPBTPAuditEvents
+    dataTypes:
+      - SAPBTPAuditLog_CL
+queryFrequency: 15m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - CredentialAccess
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1606
+  - T1556
+  - T1134
+query: |
+  SAPBTPAuditLog_CL
+  | where isnotnull(Message.object)
+  | extend Object = Message.object, Attributes = Message.attributes
+  | where Object.type == "IdentityProvider"
+  | extend CrudType = tostring(parse_json(tostring(Object.id)).crudType)
+  | mv-expand Attributes
+  | extend MessageText = case(
+                             CrudType == "CREATE",
+                             "An identity provider was created",
+                             CrudType == "UPDATE",
+                             "An identity provider was updated",
+                             CrudType == "DELETE",
+                             "An identity provider was deleted",
+                             "Unclassified CRUD operation encountered"
+                         )
+  | extend NewAttributes = parse_json(replace_regex(tostring(Attributes.new), "\\r", ""))
+  | extend OldAttributes = parse_json(replace_regex(tostring(Attributes.old), "\\r", ""))
+  | extend IdentityProviderName = case(
+                                      CrudType == "CREATE" or CrudType == "UPDATE",
+                                      NewAttributes.name,
+                                      CrudType == "DELETE",
+                                      OldAttributes.name,
+                                      "Unknown"
+                                  )
+  | project
+      UpdatedOn,
+      UserName,
+      MessageText,
+      IdentityProviderName,
+      Tenant,
+      SpaceId,
+      CloudApp = "SAP BTP"
+  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: CloudApp
+alertDetailsOverride:
+  alertDisplayNameFormat: 'SAP BTP: {{MessageText}}'
+  alertDescriptionFormat: '{{MessageText}} by {{UserName}}. Identity provider name:
+    {{IdentityProviderName}}'
+version: 3.0.5

Solutions/SAP BTP/Analytic Rules/BTP - User added to sensitive privileged role collection.yaml

@@ -0,0 +1,45 @@
+id: 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3
+kind: Scheduled
+name: BTP - User added to sensitive privileged role collection
+description: Identifies identity management actions whereby a user is added to a set
+  of monitored privileged role collections.
+severity: Low
+status: Available
+requiredDataConnectors:
+  - connectorId: SAPBTPAuditEvents
+    dataTypes:
+      - SAPBTPAuditLog_CL
+queryFrequency: 15m
+queryPeriod: 15m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - LateralMovement
+  - PrivilegeEscalation
+relevantTechniques:
+  - T0859
+  - T1078
+query: |
+  let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
+  SAPBTPAuditLog_CL
+  | where Message.object has "xs_rolecollection2user"
+  | extend ObjectId = parse_json((Message.object).id)
+  | where ObjectId.crudType == "CREATE"
+  | extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
+  | where RoleCollection in (monitored_rolecollections)
+  | project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
+  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+  - entityType: CloudApplication
+    fieldMappings:
+      - identifier: Name
+        columnName: CloudApp
+version: 3.0.5