What Changed

Updated the Cloud Integration artifact deployment analytic rule to use audit.configuration events instead of audit.security-events, significantly improving the context extracted from deployment activities.

Detection Logic

Primary data source switched to audit.configuration events, filtered on the Deployment and Undeployment object types. The core logic extracts artifact metadata (symbolic name, ID, version), resolves the actor from the deployedBy/undeployedBy/creator fields (first populated field wins), and includes the tenant name plus runtime location context.

Entity types mapped: Account (with AccountName/UPNSuffix split) and CloudApplication. IP address mapping removed as configuration events lack this context.
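The following is an added reference implementation of the detection logic described above, written in Python rather than the rule's KQL so it can run over constructed sample events offline; it is not the rule itself. The event field names (category, object_type, symbolic_name, artifact_id, version, deployedBy, undeployedBy, creator, tenant, runtime_location) and the use of the tenant name as the CloudApplication entity value are assumptions of this example, not the SAP BTP audit log schema or the rule's actual entity mapping.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample audit events (not real SAP BTP log data). Field names are
# an assumption of this example, chosen to mirror the fields the rule reads.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"category": "audit.configuration", "object_type": "Deployment",
     "symbolic_name": "OrderSync_iFlow", "artifact_id": "art-1001", "version": "1.0.3",
     "deployedBy": "alice@example.com", "undeployedBy": "", "creator": "bob@example.com",
     "tenant": "acme-prod", "runtime_location": "cloudintegration"},
    {"category": "audit.configuration", "object_type": "Undeployment",
     "symbolic_name": "OrderSync_iFlow", "artifact_id": "art-1001", "version": "1.0.3",
     "deployedBy": "", "undeployedBy": "carol@example.com", "creator": "bob@example.com",
     "tenant": "acme-prod", "runtime_location": "cloudintegration"},
    # Deployment with no deployedBy/undeployedBy: actor must fall back to creator,
    # and a non-UPN account must not produce a UPNSuffix.
    {"category": "audit.configuration", "object_type": "Deployment",
     "symbolic_name": "LegacyBridge", "artifact_id": "art-2002", "version": "0.9.0",
     "deployedBy": "", "undeployedBy": "", "creator": "svc-ci-runner",
     "tenant": "acme-prod", "runtime_location": "edge-rt-01"},
    # Wrong category: the rule no longer consumes security events.
    {"category": "audit.security-events", "object_type": "Deployment",
     "symbolic_name": "Ignored", "artifact_id": "art-3003", "version": "1.0.0",
     "deployedBy": "mallory@example.com", "undeployedBy": "", "creator": "",
     "tenant": "acme-prod", "runtime_location": "cloudintegration"},
    # Right category, wrong object type: not a deployment lifecycle event.
    {"category": "audit.configuration", "object_type": "Configuration",
     "symbolic_name": "Ignored", "artifact_id": "art-4004", "version": "1.0.0",
     "deployedBy": "", "undeployedBy": "", "creator": "dave@example.com",
     "tenant": "acme-prod", "runtime_location": "cloudintegration"},
]

SOURCE_CATEGORY = "audit.configuration"
DEPLOYMENT_TYPES = {"Deployment", "Undeployment"}
# Order matters: the first populated field is taken as the actor.
ACTOR_FIELDS = ("deployedBy", "undeployedBy", "creator")


def is_in_scope(event: Dict[str, Any]) -> bool:
    """Filter: configuration events whose object type is a deploy/undeploy."""
    return (event.get("category") == SOURCE_CATEGORY
            and event.get("object_type") in DEPLOYMENT_TYPES)


def resolve_actor(event: Dict[str, Any]) -> Optional[str]:
    """Coalesce deployedBy/undeployedBy/creator, skipping empty values."""
    for field in ACTOR_FIELDS:
        value = event.get(field)
        if value:
            return value
    return None


def split_account(actor: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split a UPN-style actor into (AccountName, UPNSuffix).

    A value without '@' (e.g. a service account) yields no UPNSuffix rather
    than an empty string, so the entity mapping does not produce a bogus suffix.
    """
    if not actor:
        return None, None
    name, _, suffix = actor.partition("@")
    return name, (suffix or None)


def build_alert(event: Dict[str, Any]) -> Dict[str, Any]:
    """Project the fields the rule surfaces plus its Account/CloudApplication entities."""
    actor = resolve_actor(event)
    account_name, upn_suffix = split_account(actor)
    return {
        "Action": event["object_type"],
        "ArtifactSymbolicName": event.get("symbolic_name"),
        "ArtifactId": event.get("artifact_id"),
        "ArtifactVersion": event.get("version"),
        "Actor": actor,
        "Tenant": event.get("tenant"),
        "RuntimeLocation": event.get("runtime_location"),
        "Entities": {
            "Account": {"Name": account_name, "UPNSuffix": upn_suffix},
            # Assumption of this example: tenant name used as the CloudApplication value.
            "CloudApplication": {"Name": event.get("tenant")},
        },
    }


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the filter and projection to a batch of events."""
    return [build_alert(e) for e in events if is_in_scope(e)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block against the constructed batch yields three results: the security-events record and the non-deployment configuration record are dropped, the undeployment resolves its actor from undeployedBy, and the creator-only deployment keeps its service account as AccountName with no UPNSuffix.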

MITRE Mapping

Execution (T1059) and Persistence (T1546) techniques remain mapped, reflecting potential abuse of integration deployment capabilities for code execution or persistence establishment.

Security Impact (Visibility & Fidelity)

Enhanced visibility into Cloud Integration artifact lifecycle with richer context: artifact symbolic names, version tracking, and proper actor attribution. The switch from security events to configuration events provides more reliable deployment tracking and eliminates IP address dependency for attribution.

Affected Files

Solutions/SAP BTP/Analytic Rules/BTP - Cloud Integration artifact deployment.yaml
(packaging artifacts: 3.1.0.zip, ReleaseNotes.md, Solution_SAPBTP.json, createUiDefinition.json, mainTemplate.json)