Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - New user agent type that was not used with Office 365

Back
Id094b3c0a-1f63-42f7-9535-c8c7b7198328
RulenameDataverse - New user agent type that was not used with Office 365
DescriptionIdentifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days.
SeverityLow
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml
Version3.2.0
Arm template094b3c0a-1f63-42f7-9535-c8c7b7198328.json
Deploy To Azure
let query_lookback = 14d;
let query_frequency = 1h;
let known_useragents = dynamic([
    // Enter known user agents to exclude.
    // example:
    // "Agent1", "Agent2", "Agent3"
    ]);
DataverseActivity
| where TimeGenerated > ago(query_frequency)
| where not (UserId has_any ("@onmicrosoft.com", "@microsoft.com", "Unknown"))
| where isnotempty(UserAgent)
| where UserAgent !in~ (known_useragents)
| where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps"
| join kind = leftanti (
    OfficeActivity
    | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
    | where isnotempty(UserAgent)
    | summarize by UserAgent)
    on UserAgent
// Exclude user agents with a render agent to reduce noise.
| join kind = leftanti(
    DataverseActivity
    | where TimeGenerated > ago(query_frequency)
    | where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink"))
    on UserAgent
| summarize
    FirstSeen = min(TimeGenerated),
    LatestIP = arg_max(ClientIp, TimeGenerated)
    by UserAgent, UserId, InstanceUrl
| extend
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1]),
    CloudAppId = int(32780)
| project
    FirstSeen,
    UserId,
    UserAgent,
    LatestIP,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix
queryFrequency: 1h
query: |
  let query_lookback = 14d;
  let query_frequency = 1h;
  let known_useragents = dynamic([
      // Enter known user agents to exclude.
      // example:
      // "Agent1", "Agent2", "Agent3"
      ]);
  DataverseActivity
  | where TimeGenerated > ago(query_frequency)
  | where not (UserId has_any ("@onmicrosoft.com", "@microsoft.com", "Unknown"))
  | where isnotempty(UserAgent)
  | where UserAgent !in~ (known_useragents)
  | where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps"
  | join kind = leftanti (
      OfficeActivity
      | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
      | where isnotempty(UserAgent)
      | summarize by UserAgent)
      on UserAgent
  // Exclude user agents with a render agent to reduce noise.
  | join kind = leftanti(
      DataverseActivity
      | where TimeGenerated > ago(query_frequency)
      | where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink"))
      on UserAgent
  | summarize
      FirstSeen = min(TimeGenerated),
      LatestIP = arg_max(ClientIp, TimeGenerated)
      by UserAgent, UserId, InstanceUrl
  | extend
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1]),
      CloudAppId = int(32780)
  | project
      FirstSeen,
      UserId,
      UserAgent,
      LatestIP,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  
version: 3.2.0
description: Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days.
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: LatestIP
severity: Low
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: AlertPerResult
kind: Scheduled
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
name: Dataverse - New user agent type that was not used with Office 365
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml
id: 094b3c0a-1f63-42f7-9535-c8c7b7198328
relevantTechniques:
- T1190
- T1133
status: Available
tactics:
- InitialAccess
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/094b3c0a-1f63-42f7-9535-c8c7b7198328')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/094b3c0a-1f63-42f7-9535-c8c7b7198328')]",
      "properties": {
        "alertRuleTemplateName": "094b3c0a-1f63-42f7-9535-c8c7b7198328",
        "customDetails": null,
        "description": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days.",
        "displayName": "Dataverse - New user agent type that was not used with Office 365",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "LatestIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New user agent type that was not used with Office 365.yaml",
        "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n    // Enter known user agents to exclude.\n    // example:\n    // \"Agent1\", \"Agent2\", \"Agent3\"\n    ]);\nDataverseActivity\n| where TimeGenerated > ago(query_frequency)\n| where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n| where isnotempty(UserAgent)\n| where UserAgent !in~ (known_useragents)\n| where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\"\n| join kind = leftanti (\n    OfficeActivity\n    | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n    | where isnotempty(UserAgent)\n    | summarize by UserAgent)\n    on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n    DataverseActivity\n    | where TimeGenerated > ago(query_frequency)\n    | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n    on UserAgent\n| summarize\n    FirstSeen = min(TimeGenerated),\n    LatestIP = arg_max(ClientIp, TimeGenerated)\n    by UserAgent, UserId, InstanceUrl\n| extend\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1]),\n    CloudAppId = int(32780)\n| project\n    FirstSeen,\n    UserId,\n    UserAgent,\n    LatestIP,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}