Microsoft Sentinel Analytic Rules

Dataverse - Export activity from terminated or notified employee

Id0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b
RulenameDataverse - Export activity from terminated or notified employee
DescriptionThis query identifies Dataverse export activity triggered by terminated employees or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.
SeverityMedium
TacticsExfiltration
TechniquesT1567
T1048
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml
Version3.2.0
Arm template0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b.json
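// Detect Dataverse export activity by users listed in the TerminatedEmployees watchlist.
// Output: one row per user / instance / client IP / watchlist state, with the first and
// last export time and (up to four) distinct export operations observed.
//
// Number of days before a "Notified" employee's termination date during which exports are flagged
let termination_watch_period = 7d;
// Lookback into DataverseActivity; keep aligned with the rule's queryFrequency (1h)
let query_frequency = 1h;
// Dataverse audit messages that correspond to data leaving the platform
let exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);
MSBizAppsTerminatedEmployees
| where (UserState =~ "Terminated") or (UserState =~ "Notified" and TerminationDate <= startofday(now()) + termination_watch_period)
// Normalise the join key: UPN casing in the watchlist may differ from the casing recorded
// in the Dataverse audit log, and the plain == join would silently miss those users.
| extend JoinKey = tolower(UserPrincipalName)
| join kind=inner (DataverseActivity
    | where TimeGenerated >= ago(query_frequency)
    | where Message in (exportEvents)
    | extend JoinKey = tolower(UserId))
    on JoinKey
| summarize
    FirstEvent = min(TimeGenerated),
    LastEvent = max(TimeGenerated),
    Event = make_set(Message, 4)
    by UserId, InstanceUrl, ClientIp, UserState
| extend
    // Constant app id consumed by the CloudApplication entity mapping of this rule
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    LastEvent,
    UserId,
    ClientIp,
    UserState,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix,
    // Surface the export operations so an analyst can triage without re-querying
    Event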
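# Entities built from the query's output columns; Account is split into
# name / suffix so Sentinel can correlate it with other identity signals.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
# Must stay in step with the query_frequency constant inside the query below.
queryFrequency: 1h
name: Dataverse - Export activity from terminated or notified employee
alertDetailsOverride:
  # NOTE(review): the display name only says "terminated", but the rule also fires
  # for the "Notified" watchlist state; {{UserState}} in the description carries the actual state.
  alertDisplayNameFormat: 'Dataverse - Export events detected from a terminated employee in {{InstanceUrl}} '
  alertDescriptionFormat: Export events where employee state found matching {{UserState}} found in {{InstanceUrl}}.
kind: Scheduled
tactics:
- Exfiltration
# With triggerOperator gt, any returned row raises an alert.
triggerThreshold: 0
query: |
  // Detect Dataverse export activity by users listed in the TerminatedEmployees watchlist.
  // Output: one row per user / instance / client IP / watchlist state, with the first and
  // last export time and (up to four) distinct export operations observed.
  //
  // Number of days before a "Notified" employee's termination date during which exports are flagged
  let termination_watch_period = 7d;
  // Lookback into DataverseActivity; keep aligned with the rule's queryFrequency (1h)
  let query_frequency = 1h;
  // Dataverse audit messages that correspond to data leaving the platform
  let exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);
  MSBizAppsTerminatedEmployees
  | where (UserState =~ "Terminated") or (UserState =~ "Notified" and TerminationDate <= startofday(now()) + termination_watch_period)
  // Normalise the join key: UPN casing in the watchlist may differ from the casing recorded
  // in the Dataverse audit log, and the plain == join would silently miss those users.
  | extend JoinKey = tolower(UserPrincipalName)
  | join kind=inner (DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message in (exportEvents)
      | extend JoinKey = tolower(UserId))
      on JoinKey
  | summarize
      FirstEvent = min(TimeGenerated),
      LastEvent = max(TimeGenerated),
      Event = make_set(Message, 4)
      by UserId, InstanceUrl, ClientIp, UserState
  | extend
      // Constant app id consumed by the CloudApplication entity mapping of this rule
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstEvent,
      LastEvent,
      UserId,
      ClientIp,
      UserState,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix,
      // Surface the export operations so an analyst can triage without re-querying
      Event
relevantTechniques:
- T1567
- T1048
triggerOperator: gt
# The query itself only looks back query_frequency (1h) into DataverseActivity;
# the wider 1d period covers the watchlist side, which is not time-bound.
queryPeriod: 1d
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml
severity: Medium
status: Available
id: 0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b
# The rule also depends on the TerminatedEmployees watchlist (MSBizAppsTerminatedEmployees)
# being deployed; that dependency is not expressed through a data connector.
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
version: 3.2.0
description: This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.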
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Export events where employee state found matching {{UserState}} found in {{InstanceUrl}}.",
          "alertDisplayNameFormat": "Dataverse - Export events detected from a terminated employee in {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b",
        "customDetails": null,
        "description": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.",
        "displayName": "Dataverse - Export activity from terminated or notified employee",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Export activity from terminated or notified employee.yaml",
        "query": "// Set a time period before employee terminatation date to search for export events\nlet termination_watch_period = 7d;\nlet query_frequency = 1h;\nlet exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nMSBizAppsTerminatedEmployees\n| where (UserState =~ \"Terminated\") or (UserState =~ \"Notified\" and TerminationDate <= startofday(now()) + termination_watch_period)\n| join kind=inner (DataverseActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where Message in (exportEvents))\n    on $left.UserPrincipalName == $right.UserId\n| summarize\n    FirstEvent = min(TimeGenerated),\n    LastEvent = max(TimeGenerated),\n    Event = make_set(Message, 4)\n    by UserId, InstanceUrl, ClientIp, UserState\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    FirstEvent,\n    LastEvent,\n    UserId,\n    ClientIp,\n    UserState,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1048",
          "T1567"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}