BTP - User added to sensitive privileged role collection
Identifies identity management actions whereby a user is added to a set of monitored privileged role collections.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1078 Valid Accounts |
| Persistence | T0859 Valid Accounts |
| Lateral Movement | T0859 Valid Accounts |
Rule body

```yaml
id: 5acbe4cb-a379-4acc-9ad3-28dc48ad33d3
kind: Scheduled
name: BTP - User added to sensitive privileged role collection
description: Identifies identity management actions whereby a user is added to a set
  of monitored privileged role collections.
severity: Low
status: Available
requiredDataConnectors:
  - connectorId: SAPBTPAuditEvents
    dataTypes:
      - SAPBTPAuditLog_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
  - PrivilegeEscalation
relevantTechniques:
  - T0859
  - T1078
query: |
  let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
  SAPBTPAuditLog_CL
  | where Message.object has "xs_rolecollection2user"
  | extend ObjectId = parse_json((Message.object).id)
  | where ObjectId.crudType == "CREATE"
  | extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
  | where RoleCollection in (monitored_rolecollections)
  | project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
  | extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: CloudApp
version: 3.0.5
```
Stages and Predicates
Let binding: monitored_rolecollections
let monitored_rolecollections = dynamic(["Subaccount Service Administrator", "Subaccount Administrator", "Connectivity and Destination Administrator", "Destination Administrator", "Cloud Connector Administrator"]);
Stage 1: source
SAPBTPAuditLog_CL
Stage 2: where
| where Message.object has "xs_rolecollection2user"
Stage 3: extend
| extend ObjectId = parse_json((Message.object).id)
Stage 4: where
| where ObjectId.crudType == "CREATE"
Stage 5: extend
| extend RoleCollection = ObjectId.rolecollection_name, TargetUserId = ObjectId.user_id
Stage 6: where
| where RoleCollection in (monitored_rolecollections)
References monitored_rolecollections (defined above).
Stage 7: project
| project UpdatedOn, UserName, RoleCollection, TargetUserId, Tenant, SpaceId, CloudApp = "SAP BTP"
Stage 8: extend
| extend AccountName = split(UserName, "@")[0], UPNSuffix = split(UserName, "@")[1]
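To check what each stage keeps and drops without a Sentinel workspace, here is the same pipeline re-implemented in Python over constructed sample rows. This is an added example, not code from the rule or the catalog; the shape of `Message.object` (an `id` property holding a JSON string) is an assumption inferred from the rule's `parse_json((Message.object).id)` step, and the sample events are invented.

```python
import json

MONITORED_ROLECOLLECTIONS = {  # the rule's let binding
    "Subaccount Service Administrator", "Subaccount Administrator",
    "Connectivity and Destination Administrator",
    "Destination Administrator", "Cloud Connector Administrator",
}
def _event(user, crud, rolecollection, target, obj_type="xs_rolecollection2user"):
    # Constructed SAPBTPAuditLog_CL-like row. Message.object carrying an 'id' that is
    # a JSON string is an assumption drawn from the rule's parse_json((Message.object).id).
    return {"UpdatedOn": "2024-05-01T10:00:00Z", "UserName": user, "Tenant": "tenant-1",
            "SpaceId": "space-1", "Message": {"object": {"type": obj_type, "id": json.dumps(
                {"crudType": crud, "rolecollection_name": rolecollection, "user_id": target})}}}

# Constructed sample input: two rows should alert, three must be dropped by a stage.
SAMPLE_EVENTS = [
    _event("alice@example.com", "CREATE", "Subaccount Administrator", "P000123"),
    _event("bob@example.com", "DELETE", "Subaccount Administrator", "P000123"),
    _event("carol@example.com", "CREATE", "Viewer", "P000456"),
    _event("dave@example.com", "CREATE", "Destination Administrator", "P000789", "user"),
    _event("svc-user", "CREATE", "Cloud Connector Administrator", "P000999"),
]

def detect(events):
    """Apply the rule's stages in order and return the rows it would project."""
    alerts = []
    for ev in events:
        obj = (ev.get("Message") or {}).get("object")
        # Stage 2: KQL `has` is a term search over the dynamic value, modelled as a
        # case-insensitive substring check on its JSON serialisation.
        if obj is None or "xs_rolecollection2user" not in json.dumps(obj).lower():
            continue
        try:  # Stage 3: parse_json on the embedded id string
            object_id = json.loads(obj.get("id") or "")
        except (TypeError, ValueError):
            continue  # parse_json would yield null and the later filters drop the row
        if not isinstance(object_id, dict) or object_id.get("crudType") != "CREATE":
            continue  # Stage 4: assignments only, not removals
        rolecollection = object_id.get("rolecollection_name")  # Stage 5
        if rolecollection not in MONITORED_ROLECOLLECTIONS:  # Stage 6
            continue
        user = ev.get("UserName") or ""
        parts = user.split("@")  # Stage 8: split(UserName, "@")[0] and [1]
        alerts.append({"UpdatedOn": ev.get("UpdatedOn"), "UserName": user,
                       "RoleCollection": rolecollection, "TargetUserId": object_id.get("user_id"),
                       "Tenant": ev.get("Tenant"), "SpaceId": ev.get("SpaceId"),
                       "CloudApp": "SAP BTP", "AccountName": parts[0],
                       "UPNSuffix": parts[1] if len(parts) > 1 else None})  # Stage 7
    return alerts
```

The `svc-user` row shows why the `UPNSuffix` entity mapping can be empty for non-UPN principals: `split` yields a single element and the Account entity is built from `AccountName` alone.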
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| RoleCollection | in | Subaccount Service Administrator, Subaccount Administrator, Connectivity and Destination Administrator, Destination Administrator, Cloud Connector Administrator |
| crudType | eq | CREATE |
| object | match | xs_rolecollection2user |
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
| CloudApp | project |
| RoleCollection | project |
| SpaceId | project |
| TargetUserId | project |
| Tenant | project |
| UpdatedOn | project |
| UserName | project |
| AccountName | extend |
| UPNSuffix | extend |