What Changed

  • 10 new Analytic Rules added to detect tampering and unauthorized access in SAP BTP Cloud Integration, Cloud Identity Service, and Build Work Zone
  • Data connector enhancements including queryWindowDelayInMin configuration for handling SAP log delays
  • Connection tooling updates with improved authentication flows and subaccount management

Detection Logic

The new Analytic Rules target critical SAP BTP enterprise security scenarios:

Cloud Integration Security (5 rules):

  • JDBC data source deployment/undeployment monitoring (credential access detection)
  • Access policy and artifact reference tampering (privilege escalation and defense evasion)
  • Security material manipulation (certificate, keystore changes)
  • Package import/transport and artifact deployment (supply chain monitoring)

Identity Service Monitoring (2 rules):

  • Application configuration CRUD operations for SAML/OIDC providers (federation tampering)
  • Mass user deletion events (impact and defense evasion)

Service Availability (3 rules):

  • Audit log service availability monitoring (defense evasion via service disabling)
  • Build Work Zone unauthorized OData access and role tampering
  • Privileged administrator list modifications

  • Primary data source: SAPBTPAuditLog_CL
  • Core logic focuses on high-risk configuration changes, mass deletion events, and service tampering attempts
  • Entity types mapped: Account, IP, CloudApplication

MITRE Mapping

  • T1562.008: Impair Defenses (audit log service monitoring)
  • T1606: Forge Web Credentials (federated application tampering)
  • T1556: Modify Authentication Process (identity service configuration)
  • T1552: Unsecured Credentials (JDBC data source access)
  • T1078: Valid Accounts (unauthorized access detection)
  • T1531: Account Access Removal (mass user deletion)
  • T1222: File and Directory Permissions Modification (access policy tampering)
  • T1548: Abuse Elevation Control Mechanism (privilege escalation via policy changes)

Security Impact

Detection Gap Closed: SAP BTP enterprise environments previously had limited coverage for Cloud Integration service tampering, federated identity manipulation, and systematic audit log suppression attacks. These detections provide comprehensive monitoring for credential theft, lateral movement, and defense evasion techniques targeting the SAP enterprise cloud platform.

Data Connector Enhancement: Addition of queryWindowDelayInMin addresses SAP BTP's inherent log delivery delays, preventing false negatives in time-sensitive detections.
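To show why a query-window delay matters, here is an added simulation (not code from the connector or this PR) of a poller that reads the audit log in fixed, non-overlapping windows; it assumes, as a simplification, that the API only returns records already visible at poll time and that the poller never re-reads an old window. The sample events are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    event_min: int    # minute at which the action happened in SAP BTP
    visible_min: int  # minute at which the record became readable via the audit log API
    label: str


# Constructed sample: user-deletion records with varying delivery lag.
SAMPLE_EVENTS = [
    AuditEvent(3, 3, "user.delete A (on time)"),
    AuditEvent(4, 9, "user.delete B (5 min late)"),
    AuditEvent(22, 30, "user.delete C (8 min late)"),
    AuditEvent(41, 58, "user.delete D (17 min late)"),
]


def poll(events, horizon_min, interval_min, query_window_delay_min):
    """Run the poller every interval_min minutes up to horizon_min.

    At run time t it asks for records whose event time lies in
    [t - delay - interval, t - delay). Only records already visible
    (visible_min <= t) come back. With delay == 0 a late record is lost:
    by the time it is visible the poller has moved on and never re-asks
    for the old window. A delay at least as large as the worst-case
    delivery lag guarantees nothing is dropped.
    """
    collected = []
    t = interval_min
    while t <= horizon_min:
        window_end = t - query_window_delay_min
        window_start = window_end - interval_min
        for e in events:
            if window_start <= e.event_min < window_end and e.visible_min <= t:
                collected.append(e)
        t += interval_min
    return collected


def missed(events, horizon_min, interval_min, query_window_delay_min):
    """Records that never reach the workspace: the false negatives."""
    seen = set(poll(events, horizon_min, interval_min, query_window_delay_min))
    return [e for e in events if e not in seen]


def smallest_sufficient_delay(events, horizon_min, interval_min, max_delay_min=60):
    """Smallest delay (stepped by interval_min) that yields zero misses, or None."""
    for d in range(0, max_delay_min + 1, interval_min):
        if not missed(events, horizon_min, interval_min, d):
            return d
    return None
```

Running `missed(SAMPLE_EVENTS, 90, 5, d)` for d = 0, 10 and 20 drops three, one and zero records respectively, so the right value for the setting is driven by the worst observed delivery lag, not the poll interval.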

Affected Files

Solutions/SAP BTP/Analytic Rules/BTP - Audit log service unavailable.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Build Work Zone unauthorized access and role tampering.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Cloud Identity Service application configuration monitor.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration JDBC data source changes.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration access policy tampering.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration package import or transport.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration tampering with security material.yaml
Solutions/SAP BTP/Analytic Rules/BTP - Mass user deletion in Cloud Identity Service.yaml
Solutions/SAP BTP/Analytic Rules/BTP - User added to privileged Administrators list.yaml
Solutions/SAP BTP/Data Connectors/SAPBTPPollerConnector/SAPBTP_DataConnectorDefinition.json
Solutions/SAP BTP/Data Connectors/SAPBTPPollerConnector/SAPBTP_PollingConfig.json
Solutions/SAP BTP/Data Connectors/SAPBTPPollerConnector/SAPBTP_Tables.json
Solutions/SAP BTP/Tools/BtpHelpers.ps1
Solutions/SAP BTP/Tools/README.md
Solutions/SAP BTP/Tools/connect-sentinel-to-btp.ps1
Solutions/SAP BTP/Tools/export-subaccounts.ps1
(packaging artefacts: 3.0.11.zip, ReleaseNotes.md, Solution_SAPBTP.json, createUiDefinition.json, mainTemplate.json)