Detection rules › Kusto
BTP - Mass user deletion in a sub account
Identifies user account deletion activity where the amount of deleted users exceeds a predefined threshold.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Impact | T1485 Data Destruction, T1489 Service Stop, T1531 Account Access Removal |
| Impact | T0813 Denial of Control, T0826 Loss of Availability, T0827 Loss of Control |
Rule body kusto
id: 6f1e58bd-cd95-4dfb-8883-94207f30929a
kind: Scheduled
name: BTP - Mass user deletion in a sub account
description: Identifies user account deletion activity where the amount of deleted
users exceeds a predefined threshold.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: SAPBTPAuditEvents
dataTypes:
- SAPBTPAuditLog_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
- Impact
relevantTechniques:
- T1531
- T1485
- T1489
- T0813
- T0826
- T0827
query: |
let bulk_delete_threshold = 10;
SAPBTPAuditLog_CL
| where isnotnull(Message.object)
| where Message.object has "scim user" and Message.object has "DELETE"
| mv-expand Attributes = Message.attributes
| where isnotempty(Attributes.old)
| extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
| where isnotempty(DeletedUserName)
| summarize
Start = min(UpdatedOn),
End = max(UpdatedOn),
DeletedUsers = make_set(DeletedUserName, 100)
by UserName, Tenant, SpaceId
| where array_length(DeletedUsers) > bulk_delete_threshold
| project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = "SAP BTP"
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: CloudApp
version: 3.0.5
Stages and Predicates
Parameters
let bulk_delete_threshold = 10;
Stage 1: source
SAPBTPAuditLog_CL
Stage 2: where
| where isnotnull(Message.object)
Stage 3: where
| where Message.object has "scim user" and Message.object has "DELETE"
Stage 4: mv-expand
| mv-expand Attributes = Message.attributes
Stage 5: where
| where isnotempty(Attributes.old)
Stage 6: extend
| extend DeletedUserName = tostring(parse_json(tostring(Attributes.old)).userName)
Stage 7: where
| where isnotempty(DeletedUserName)
Stage 8: summarize
| summarize
Start = min(UpdatedOn),
End = max(UpdatedOn),
DeletedUsers = make_set(DeletedUserName, 100)
by UserName, Tenant, SpaceId
Stage 9: where
| where array_length(DeletedUsers) > bulk_delete_threshold
Stage 10: project
| project Start, End, UserName, DeletedUsers, Tenant, SpaceId, CloudApp = "SAP BTP"
Stage 11: extend
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
DeletedUserName | is_not_null | |
DeletedUsers | gt |
|
object | is_not_null | |
object | match |
|
old | is_not_null |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
CloudApp | project |
DeletedUsers | project |
End | project |
SpaceId | project |
Start | project |
Tenant | project |
UserName | project |
AccountName | extend |
UPNSuffix | extend |