Dataverse - Anomalous application user activity
| Id | 0820da12-e895-417f-9175-7c256fcfb33e |
| Rulename | Dataverse - Anomalous application user activity |
| Description | Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use. |
| Severity | Medium |
| Tactics | CredentialAccess Execution Persistence |
| Techniques | T1528 T1569 T0871 T0834 T0859 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 5h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Anomalous application user activity.yaml |
| Version | 3.2.0 |
| Arm template | 0820da12-e895-417f-9175-7c256fcfb33e.json |
let query_lookback = 14d;
let query_frequency = 5h;
let anomaly_threshold = 2.5;
let seasonality = -1;
let trend = 'linefit';
let step_duration = 5h;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
| summarize by UserId
| where split(UserId, "@")[1] matches regex app_user_regex;
DataverseActivity
| where TimeGenerated >= startofday(ago(query_lookback))
| where UserId in (application_users)
| where isnotempty(OriginalObjectId)
| make-series TotalEvents = count() default=0 on TimeGenerated from startofday(ago(query_lookback)) to now() step step_duration by UserId, InstanceUrl, OriginalObjectId
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TotalEvents, anomaly_threshold, seasonality, trend)
| mv-expand
TotalEvents to typeof(double),
AnomalyTimeGenerated = TimeGenerated to typeof(datetime),
Anomalies to typeof(double),
Score to typeof(double),
Baseline to typeof(long)
| where Anomalies > 0
| extend Details = bag_pack(
"TotalEvents",
TotalEvents,
"Anomalies",
Anomalies,
"Baseline",
Baseline,
"Score",
Score,
"OriginalObjectId",
OriginalObjectId
)
| summarize Details = make_set(Details, 100) by UserId, InstanceUrl, AnomalyTimeGenerated
| extend
CloudAppId = int(32780),
AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0]))
| project
AnomalyTimeGenerated,
UserId,
AadUserId,
InstanceUrl,
Details,
CloudAppId
id: 0820da12-e895-417f-9175-7c256fcfb33e
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- DataverseActivity
connectorId: Dataverse
name: Dataverse - Anomalous application user activity
version: 3.2.0
query: |
let query_lookback = 14d;
let query_frequency = 5h;
let anomaly_threshold = 2.5;
let seasonality = -1;
let trend = 'linefit';
let step_duration = 5h;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
| summarize by UserId
| where split(UserId, "@")[1] matches regex app_user_regex;
DataverseActivity
| where TimeGenerated >= startofday(ago(query_lookback))
| where UserId in (application_users)
| where isnotempty(OriginalObjectId)
| make-series TotalEvents = count() default=0 on TimeGenerated from startofday(ago(query_lookback)) to now() step step_duration by UserId, InstanceUrl, OriginalObjectId
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TotalEvents, anomaly_threshold, seasonality, trend)
| mv-expand
TotalEvents to typeof(double),
AnomalyTimeGenerated = TimeGenerated to typeof(datetime),
Anomalies to typeof(double),
Score to typeof(double),
Baseline to typeof(long)
| where Anomalies > 0
| extend Details = bag_pack(
"TotalEvents",
TotalEvents,
"Anomalies",
Anomalies,
"Baseline",
Baseline,
"Score",
Score,
"OriginalObjectId",
OriginalObjectId
)
| summarize Details = make_set(Details, 100) by UserId, InstanceUrl, AnomalyTimeGenerated
| extend
CloudAppId = int(32780),
AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0]))
| project
AnomalyTimeGenerated,
UserId,
AadUserId,
InstanceUrl,
Details,
CloudAppId
entityMappings:
- fieldMappings:
- identifier: AadUserId
columnName: AadUserId
entityType: Account
- fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
entityType: CloudApplication
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: 'Anomaly detected on {{UserId}} in {{InstanceUrl}}. Details: {{Details}}'
alertDisplayNameFormat: 'Dataverse - Non-interactive account anomaly detected in {{InstanceUrl}} '
relevantTechniques:
- T1528
- T1569
- T0871
- T0834
- T0859
tactics:
- CredentialAccess
- Execution
- Persistence
kind: Scheduled
queryPeriod: 14d
queryFrequency: 5h
severity: Medium
triggerOperator: gt
status: Available
description: Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use.
customDetails:
InstranceUrl: InstanceUrl
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Anomalous application user activity.yaml