
Commit a5e9ea2

Merge pull request #309995 from MartinPankraz/btp-analytic-rule-update
rule documentation update
2 parents 6259da0 + 5c20df2 commit a5e9ea2

3 files changed

Lines changed: 71 additions & 12 deletions


articles/sentinel/sap/deploy-sap-btp-solution.md

Lines changed: 14 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -26,15 +26,15 @@ Before you begin, verify that:
2626
- The Microsoft Sentinel solution is enabled.
2727
- You have a defined Microsoft Sentinel workspace, and you have read and write permissions to the workspace.
2828
- Your organization uses SAP BTP (in a Cloud Foundry environment) to streamline interactions with SAP applications and other business applications.
29-
- You have an SAP BTP account (which supports BTP accounts in the Cloud Foundry environment). You can also use a [SAP BTP trial account](https://cockpit.hanatrial.ondemand.com/).
30-
- You have the SAP BTP auditlog-management service and service key (see [Set up the BTP account and solution](#set-up-the-btp-account-and-solution)).
29+
- You have an SAP BTP Subaccount (which supports BTP Subaccounts in the Cloud Foundry environment). You can also use a [SAP BTP trial account](https://cockpit.hanatrial.ondemand.com/).
30+
- You have the SAP BTP auditlog-management service and service key (see [Set up the BTP Subaccount and solution](#set-up-the-btp-subaccount-and-solution)).
3131
- You have the Microsoft Sentinel Contributor role on the target Microsoft Sentinel workspace.
3232

33-
## Set up the BTP account and solution
33+
## Set up the BTP subaccount and solution
3434

35-
To set up the BTP account and the solution:
35+
To set up the BTP subaccount and the solution manually from the SAP BTP cockpit and Azure portal, follow these steps:
3636

37-
1. After you can sign in to your BTP account (see the [prerequisites](#prerequisites)), follow the [audit log retrieval steps](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment) on the SAP BTP system.
37+
1. After you can sign in to your BTP Subaccount (see the [prerequisites](#prerequisites)), follow the [audit log retrieval steps](https://help.sap.com/docs/btp/sap-business-technology-platform/audit-log-retrieval-api-usage-for-subaccounts-in-cloud-foundry-environment) on the SAP BTP system.
3838

3939
1. In the SAP BTP cockpit, select the **Audit Log Management Service**.
4040
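Review bot: "Subaccount" is capitalized inconsistently inside this hunk. The added prerequisite lines (`- You have an SAP BTP Subaccount (which supports BTP Subaccounts in the Cloud Foundry environment)` and `1. After you can sign in to your BTP Subaccount`) use a capital S, while the renamed heading `## Set up the BTP subaccount and solution`, its anchor `#set-up-the-btp-subaccount-and-solution`, and the rest of the article ("multiple subaccounts", "each of the subaccounts") use lowercase. Use lowercase "subaccount" throughout. The parenthetical "(which supports BTP Subaccounts in the Cloud Foundry environment)" is also awkward; "(in the Cloud Foundry environment)" says the same thing. While touching these lines, "a [SAP BTP trial account]" should read "an SAP BTP trial account". The updated link anchor does match the renamed heading, so that part is correct.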

@@ -73,6 +73,11 @@ To set up the BTP account and the solution:
7373
1. On the connector page, make sure that you meet the required prerequisites listed and complete the configuration steps. When you're ready, select **Add account**.
7474
1. Specify the parameters that you defined earlier during the configuration. The subaccount name specified is projected as a column in the `SAPBTPAuditLog_CL` table and can be used to filter the logs when you have multiple subaccounts.
7575

76+
Consider the advanced options, if needed:
77+
78+
- **Polling Frequency**: The frequency at which the connector polls for new data. The default is 1 minute.
79+
- **Log Ingest Delay**: The estimated delay between the time the event is generated in SAP BTP and the time it's available on the SAP BTP audit log service for ingestion in Microsoft Sentinel. The default is 20 minutes.
80+
7681
> [!NOTE]
7782
> Retrieving audits for the global account doesn't automatically retrieve audits for the subaccount. Follow the connector configuration steps for each of the subaccounts you want to monitor, and also follow these steps for the global account. Review these [account auditing configuration considerations](#consider-your-account-auditing-configurations).
7883
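Review bot: the **Log Ingest Delay** description leaves out the one thing an operator tuning it needs to know: what happens to an event that becomes visible in the SAP audit log service later than the configured delay. Say explicitly whether a later poll still picks it up or whether it is skipped, because if it is skipped, setting this value below the latency actually observed in the audit log service silently loses events, and the default of 20 minutes then needs a sentence on how to check that it is sufficient. The same paragraph should also note that **Polling Frequency** and **Log Ingest Delay** together bound how stale the `SAPBTPAuditLog_CL` data can be, since later analytics rules in this solution key off time windows.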
@@ -84,6 +89,9 @@ To set up the BTP account and the solution:
8489

8590
1. Enable the [workbook](sap-btp-security-content.md#sap-btp-workbook) and the [analytics rules](sap-btp-security-content.md#built-in-analytics-rules) that are provided as part of the solution by following [these guidelines](../sentinel-solutions-deploy.md#analytics-rule).
8691

92+
> [!NOTE]
93+
> To onboard SAP BTP subaccounts at scale, API and CLI based approaches are recommended. Get started with [this script library](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20BTP/Tools/).
94+
8795
## Consider your account auditing configurations
8896

8997
The final step in the deployment process is to consider your global account and subaccount auditing configurations.
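Review bot: the added note repeats, word for word, the sentence that opens the renamed "Mass-Onboard SAP BTP subaccounts at scale" section further down in this same file ("To onboard SAP BTP subaccounts at scale, API and CLI based approaches are recommended. Get started with [this script library](...)"). Duplicated text drifts over time, and the script library URL would then have to be maintained in two places. Link to the section instead, for example `> To onboard many subaccounts, see [Mass-onboard SAP BTP subaccounts at scale](#mass-onboard-sap-btp-subaccounts-at-scale).`, and keep the URL only in that section.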
@@ -104,7 +112,7 @@ You also can retrieve the logs via the UI:
104112
1. In the new instance, create a service key.
105113
1. View the service key and retrieve the required parameters from step 4 of the configuration instructions in the data connector UI (**url**, **uaa.url**, **uaa.clientid**, and **uaa.clientsecret**).
106114

107-
## Use tools for mass-onboarding of SAP BTP subaccounts to Microsoft Sentinel
115+
## Mass-Onboard SAP BTP subaccounts at scale
108116

109117
To onboard SAP BTP subaccounts at scale, API and CLI based approaches are recommended. Get started with [this script library](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SAP%20BTP/Tools/).
110118
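Review bot: renaming this heading changes its anchor from `#use-tools-for-mass-onboarding-of-sap-btp-subaccounts-to-microsoft-sentinel` to `#mass-onboard-sap-btp-subaccounts-at-scale`, so any existing link to the old anchor, from other articles in this repo or from outside, will now land at the top of the page. Search the docs set for the old anchor and update those links in this PR. Separately, "Mass-Onboard" mixes cases where every other heading in the article is sentence case ("Consider your account auditing configurations", "Set up the BTP subaccount and solution"); "Mass-onboard SAP BTP subaccounts at scale" fixes that without changing the generated anchor.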

@@ -120,7 +128,6 @@ Before you start, collect the values you need for the scripts parameters, includ
120128
- The key vault and the name of the key vault secret.
121129
- The name of the data connector you want to update with a new secret. To identify the data connector name, open the SAP BPT data connector in the Microsoft Sentinel data connectors page. The data connector name has the following syntax: *BTP_{connector name}*
122130

123-
124131
```powershell
125132
param(
126133
[Parameter(Mandatory = $true)] [string]$subscriptionId,
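Review bot: the only change in this hunk is the removed blank line, but the unchanged context directly above it carries two typos worth fixing in the same pass: "open the SAP BPT data connector" should be "SAP BTP data connector", and "the values you need for the scripts parameters" should be "the script's parameters". The `*BTP_{connector name}*` syntax hint would also be clearer if it said whether the braces are literal or a placeholder for the name shown in the data connectors page.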

articles/sentinel/sap/sap-btp-security-content.md

Lines changed: 41 additions & 5 deletions
@@ -40,13 +40,49 @@ For more information, see [Tutorial: Visualize and monitor your data](../monitor
4040

4141
## Built-in analytics rules
4242

43+
These analytics rules detect suspicious activity using SAP BTP audit logs. The rules are organized by SAP service or product area. For more information see SAP's official documentation about [Security Events Logged by Cloud Foundry Services](https://help.sap.com/docs/btp/sap-business-technology-platform/security-events-logged-by-cf-services?version=Cloud) on SAP BTP.
44+
45+
**Data sources**: SAPBTPAuditLog_CL
46+
47+
### SAP Cloud Integration - Integration Suite
48+
49+
| Rule name | Description | Source action | Tactics |
50+
| --------- | --------- | --------- | --------- |
51+
| **BTP - Cloud Integration access policy tampering** | Detects unauthorized modification of access policies that could allow attackers to gain access to sensitive integration artifacts or evade security controls. | Create, change, or delete access policies or artifact references in SAP Cloud Integration. | Defense Evasion, Privilege Escalation |
52+
| **BTP - Cloud Integration artifact deployment** | Detects deployment of potentially malicious integration flows that could be used for data exfiltration, persistence, or executing unauthorized code in the integration environment. | Deploy or undeploy integration artifacts in SAP Cloud Integration. | Execution, Persistence |
53+
| **BTP - Cloud Integration JDBC data source changes** | Detects manipulation of database connections that could enable unauthorized access to backend systems or credential theft from stored connection strings. | Deploy or undeploy JDBC data sources in SAP Cloud Integration. | Credential Access, Lateral Movement |
54+
| **BTP - Cloud Integration package import or transport** | Detects potentially malicious package imports that could introduce backdoors, supply chain compromises, or unauthorized code into the integration environment. | Import or transport integration packages/artifacts in SAP Cloud Integration. | Initial Access, Persistence |
55+
| **BTP - Cloud Integration tampering with security material** | Detects unauthorized access to credentials, certificates, and encryption keys that could enable attackers to compromise external systems or intercept encrypted communications. | Create, update, or delete credentials, X.509 certificates, or PGP keys in SAP Cloud Integration. | Credential Access, Defense Evasion |
56+
57+
### SAP Cloud Identity Service - Identity Authentication
58+
59+
| Rule name | Description | Source action | Tactics |
60+
| --------- | --------- | --------- | --------- |
61+
| **BTP - Cloud Identity Service application configuration monitor** | Detects creation or modification of federated applications (SAML/OIDC) that could allow attackers to establish persistent backdoor access through rogue SSO configurations. | Create, update, or delete SSO domain/service provider configurations in SAP Cloud Identity Service. | Credential Access, Privilege Escalation |
62+
| **BTP - Mass user deletion in Cloud Identity Service** | Detects large-scale user account deletion that could indicate a destructive attack, attempted cover-up of unauthorized activity, or denial of service against legitimate users.<br>Default threshold: 10 | Delete count of user accounts over the defined threshold in SAP Cloud Identity Service. | Impact |
63+
| **BTP - User added to privileged Administrators list** | Detects privilege escalation through assignment of powerful identity management permissions that could enable attackers to create backdoor accounts or modify authentication controls. | Grant privileged administrator permissions to a user in SAP Cloud Identity Service. | Lateral Movement, Privilege Escalation |
64+
65+
### SAP Business Application Studio (BAS)
66+
67+
| Rule name | Description | Source action | Tactics |
68+
| --------- | --------- | --------- | --------- |
69+
| **BTP - Failed access attempts across multiple BAS subaccounts** | Detects reconnaissance activity or credential spray attacks targeting development environments across multiple subaccounts, indicating potential preparation for a broader compromise.<br>Default threshold: 3 | Run failed sign-in attempts to BAS over the defined threshold number of subaccounts. | Discovery, Reconnaissance |
70+
| **BTP - Malware detected in BAS dev space** | Detects malicious code in development workspaces that could be used to compromise the software supply chain, inject backdoors into applications, or establish persistence in the development environment. | Copy or create a malware file in a BAS developer space. | Execution, Persistence, Resource Development |
71+
72+
### SAP Build Work Zone
73+
74+
| Rule name | Description | Source action | Tactics |
75+
| --------- | --------- | --------- | --------- |
76+
| **BTP - Build Work Zone unauthorized access and role tampering** | Detects attempts to access restricted portal resources or mass deletion of access controls that could indicate an attacker removing security boundaries or covering tracks after unauthorized activity. | Detect unauthorized OData service access or mass deletion of roles/users in SAP Build Work Zone. | Initial Access, Persistence, Defense Evasion |
77+
78+
### SAP BTP platform and subaccounts
79+
4380
| Rule name | Description | Source action | Tactics |
4481
| --------- | --------- | --------- | --------- |
45-
| **BTP - Failed access attempts across multiple BAS subaccounts** |Identifies failed Business Application Studio (BAS) access attempts over a predefined number of subaccounts.<br>Default threshold: 3 | Run failed sign-in attempts to BAS over the defined threshold number of subaccounts. <br><br>**Data sources**: SAPBTPAuditLog_CL | Discovery, Reconnaissance |
46-
| **BTP - Malware detected in BAS dev space** |Identifies instances of malware detected by the SAP internal malware agent within BAS developer spaces. | Copy or create a malware file in a BAS developer space. <br><br>**Data sources**: SAPBTPAuditLog_CL| Execution, Persistence, Resource Development |
47-
| **BTP - User added to sensitive privileged role collection** |Identifies identity management actions where a user is added to a set of monitored privileged role collections. | Assign one of the following role collections to a user: <br>- `Subaccount Service Administrator`<br>- `Subaccount Administrator`<br>- `Connectivity and Destination Administrator`<br>- `Destination Administrator`<br>- `Cloud Connector Administrator` <br><br>**Data sources**: SAPBTPAuditLog_CL | Lateral Movement, Privilege Escalation |
48-
| **BTP - Trust and authorization Identity Provider monitor** |Identifies create, read, update, and delete (CRUD) operations on Identity Provider settings within a subaccount. | Change, read, update, or delete any of the identity provider settings within a subaccount. <br><br>**Data sources**: SAPBTPAuditLog_CL | Credential Access, Privilege Escalation |
49-
| **BTP - Mass user deletion in a subaccount** |Identifies user account deletion activity where the number of deleted users exceeds a predefined threshold.<br>Default threshold: 10 | Delete count of user accounts over the defined threshold. <br><br>**Data sources**: SAPBTPAuditLog_CL | Impact |
82+
| **BTP - Audit log service unavailable** | Detects potential tampering with audit logging that could indicate an attacker attempting to operate without detection by disabling security monitoring or hiding malicious activity. | Subaccount fails to report audit logs exceeding configured threshold (default: 60 minutes). | Defense Evasion |
83+
| **BTP - Mass user deletion in a subaccount** | Detects large-scale user deletion that could indicate a destructive attack, sabotage attempt, or effort to disrupt business operations by removing user access.<br>Default threshold: 10 | Delete count of user accounts over the defined threshold. | Impact |
84+
| **BTP - Trust and authorization Identity Provider monitor** | Detects modifications to federation and authentication settings that could enable attackers to establish alternate authentication paths, bypass security controls, or gain unauthorized access through identity provider manipulation. | Change, read, update, or delete any of the identity provider settings within a subaccount. | Credential Access, Privilege Escalation |
85+
| **BTP - User added to sensitive privileged role collection** | Detects privilege escalation attempts through assignment of powerful administrative roles that could enable full control over subaccounts, connectivity, and security configurations. | Assign one of the following role collections to a user: <br>- `Subaccount Service Administrator`<br>- `Subaccount Administrator`<br>- `Connectivity and Destination Administrator`<br>- `Destination Administrator`<br>- `Cloud Connector Administrator` | Lateral Movement, Privilege Escalation |
5086

5187
## Next steps
5288
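Review bot: the new **BTP - Audit log service unavailable** row needs a tuning caveat. Its default of 60 minutes sits on top of the connector's **Polling Frequency** (default 1 minute) and **Log Ingest Delay** (default 20 minutes) from deploy-sap-btp-solution.md, so the threshold must stay above ingest delay plus polling interval or the rule fires on normal latency; and a subaccount that is simply idle, or a connector whose credentials expired, produces the same silence as an attacker disabling logging. The description should say that the rule flags gaps in ingestion, whatever the cause, and that the threshold should be raised for low-activity subaccounts. Smaller consistency points in the same tables: the **Cloud Identity Service application configuration monitor** description says "creation or modification" while its source action includes "delete"; the **Build Work Zone** source action starts with "Detect unauthorized OData service access...", which is a description rather than an action and should be phrased like the other rows ("Access an OData service without authorization, or mass delete roles/users..."); the **Trust and authorization Identity Provider monitor** source action reads "Change, read, update, or delete", where "Change" duplicates "update" and the intended CRUD wording is "Create, read, update, or delete" (the removed row's description said exactly that); and the intro sentence needs a comma: "For more information, see SAP's official documentation".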

articles/sentinel/sap/sap-btp-solution-overview.md

Lines changed: 16 additions & 0 deletions
@@ -17,6 +17,22 @@ SAP BTP is a cloud-based solution that provides a wide range of tools and servic
1717

1818
The Microsoft Sentinel solution for SAP BTP monitors and protects your SAP Business Technology Platform (BTP) system by collecting audits and activity logs from the BTP infrastructure and BTP based apps, and detecting threats, suspicious activities, illegitimate activities, and more.
1919

20+
## What SAP services are covered
21+
22+
The Microsoft Sentinel Solution for SAP BTP covers all SAP BTP services that log security-relevant events to the [SAP Audit Log Management service](https://help.sap.com/docs/btp/sap-business-technology-platform/security-events-logged-by-cf-services). See [SAP's official documentation](https://help.sap.com/docs/btp/sap-business-technology-platform/security-events-logged-by-cf-services) for the latest list of supported services and logged events.
23+
24+
Among the supported services are, but not limited to:
25+
26+
- **SAP Cloud Integration - Integration Suite**: A service that enables you to connect different SAP applications and systems, both on-premises and in the cloud, to facilitate data exchange and integration processes.
27+
- **SAP Cloud Identity Service - Identity Authentication**: A service that provides secure and seamless access to SAP applications and services through single sign-on (SSO), multi-factor authentication (MFA) and proxy scenarios with Microsoft Entra ID.
28+
- **SAP Business Application Studio (BAS)**: A cloud-based development environment that provides tools and services for building, testing, and deploying applications on SAP BTP using low-code and pro-code approaches.
29+
- **SAP Build Apps**: A low-code development platform that allows you to create custom business applications quickly and easily using visual modeling and prebuilt components, without requiring extensive coding knowledge.
30+
- **SAP Build Work Zone**: A unified point of access to SAP applications (such as SAP S/4HANA), custom-built, and third party applications and extensions, both on the cloud and on premise.
31+
- **SAP Datasphere - SAP Business Data Cloud**: A cloud-based data management and analytics platform that enables you to collect, store, process, and analyze large volumes of data from various sources, including SAP and non-SAP systems.
32+
- **SAP AI Core**: A service that allows you to build, deploy, and manage AI models and applications on SAP BTP, leveraging machine learning and deep learning techniques to enhance business processes and decision-making.
33+
- **SAP Event Mesh**: A service that enables event-driven architecture and real-time data processing on SAP BTP, allowing you to create, publish, and subscribe to events across different applications and systems.
34+
35+
2036
## Solution architecture
2137

2238
The following image illustrates how Microsoft Sentinel retrieves the complete BTP's audit log information using SAP Audit Log Management service. The Microsoft Sentinel solution for SAP BTP provides built-in analytics rules and detections for selected scenarios, which you can extend to cover more of the audit log information and events.
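Review bot: both links in the first added paragraph resolve to the same URL (`.../security-events-logged-by-cf-services`), but the first one is labeled "SAP Audit Log Management service", which that page does not document; either point it at the Audit Log Management service documentation (the deployment article already links SAP's audit log retrieval page) or drop the first link and keep the second. "Among the supported services are, but not limited to:" is ungrammatical; "Supported services include, among others:" reads correctly. In the Build Work Zone bullet, "on premise" should be "on-premises". More importantly, the list names SAP Build Apps, SAP Datasphere, SAP AI Core and SAP Event Mesh as covered, while the analytics rules added in sap-btp-security-content.md in this same PR cover only Cloud Integration, Identity Authentication, BAS, Build Work Zone and the platform itself; state plainly that "covered" means the service's audit events are ingested into `SAPBTPAuditLog_CL`, not that built-in detections exist for every listed service, so readers do not overstate their detection coverage.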
