Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dataverse - Honeypot instance activity

Dataverse - Honeypot instance activity

Back
Id11650b85-d8cc-49c4-8c04-a8a739635983
RulenameDataverse - Honeypot instance activity
DescriptionIdentifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.



Note: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled.
SeverityMedium
TacticsDiscovery
Exfiltration
TechniquesT1538
T1526
T1567
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Honeypot instance activity.yaml
Version3.2.0
Arm template11650b85-d8cc-49c4-8c04-a8a739635983.json
Deploy To Azure
let honeypot_dataverse_instances = dynamic(["https://myinstance.crm.dynamics.com/"]);
let honeypot_authorized_users = dynamic(["scanner@mydomain.com"]);
let monitored_dataverse_entities = dynamic(["contact", "account", "opportunity", "lead", "competitor"]);
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where InstanceUrl in (honeypot_dataverse_instances)
| where UserId !in (honeypot_authorized_users)
| where UserId !endswith "@onmicrosoft.com"
    and UserId != "Unknown"
    and isnotempty(ClientIp)
| where Message in ("UserSignIn") or EntityName in (monitored_dataverse_entities)
| summarize
    TimeStart = min(TimeGenerated),
    TimeEnd = max(TimeGenerated),
    Entities = make_set(EntityName, 10),
    Messages = make_set(Message, 10)
    by UserId, ClientIp, InstanceUrl
| extend Severity = iif(array_length(set_difference(Messages, dynamic(["UserSignIn"]))) > 0, "Medium", "Low")
| extend CloudAppId = int(32780)
| extend AccountName = tostring(split(UserId, '@')[0])
| extend UPNSuffix = tostring(split(UserId, '@')[1])
| project
    TimeStart,
    TimeEnd,
    UserId,
    ClientIp,
    InstanceUrl,
    Messages,
    Entities,
    Severity,
    CloudAppId,
    AccountName,
    UPNSuffix

relevantTechniques:
- T1538
- T1526
- T1567
name: Dataverse - Honeypot instance activity
triggerThreshold: 0
tactics:
- Discovery
- Exfiltration
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: 'Dataverse - Honeytoken activity detected in {{InstanceUrl}} '
  alertDescriptionFormat: '{{UserId}} from {{ClientIp}} was detected in the Dataverse honeypot instance: {{InstanceUrl}}'
severity: Medium
id: 11650b85-d8cc-49c4-8c04-a8a739635983
status: Available
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
kind: Scheduled
query: |
  let honeypot_dataverse_instances = dynamic(["https://myinstance.crm.dynamics.com/"]);
  let honeypot_authorized_users = dynamic(["scanner@mydomain.com"]);
  let monitored_dataverse_entities = dynamic(["contact", "account", "opportunity", "lead", "competitor"]);
  let query_frequency = 1h;
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where InstanceUrl in (honeypot_dataverse_instances)
  | where UserId !in (honeypot_authorized_users)
  | where UserId !endswith "@onmicrosoft.com"
      and UserId != "Unknown"
      and isnotempty(ClientIp)
  | where Message in ("UserSignIn") or EntityName in (monitored_dataverse_entities)
  | summarize
      TimeStart = min(TimeGenerated),
      TimeEnd = max(TimeGenerated),
      Entities = make_set(EntityName, 10),
      Messages = make_set(Message, 10)
      by UserId, ClientIp, InstanceUrl
  | extend Severity = iif(array_length(set_difference(Messages, dynamic(["UserSignIn"]))) > 0, "Medium", "Low")
  | extend CloudAppId = int(32780)
  | extend AccountName = tostring(split(UserId, '@')[0])
  | extend UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeStart,
      TimeEnd,
      UserId,
      ClientIp,
      InstanceUrl,
      Messages,
      Entities,
      Severity,
      CloudAppId,
      AccountName,
      UPNSuffix  
description: |
  Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.

  Note: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled.  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Honeypot instance activity.yaml
triggerOperator: gt
queryPeriod: 1d
queryFrequency: 1h
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 3.2.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName