Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Removal of blocked file extensions

Back
Id1b1061be-2595-4492-af6d-1c8a5fc9576d
RulenameDataverse - Removal of blocked file extensions
DescriptionIdentifies modifications to an environment’s blocked file extensions and extracts the removed extension.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1629
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
Version3.2.0
Arm template1b1061be-2595-4492-af6d-1c8a5fc9576d.json
Deploy To Azure
let query_frequency = 1h;
let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName =~ 'organization'
| mv-expand Fields
| where Fields.Name == "blockedattachments"
| extend
    UpdatedAttachments = split(tostring(Fields.Value), ";"),
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
| project
    TimeGenerated,
    UserId,
    ClientIp,
    InstanceUrl,
    RemovedAttachments,
    CloudAppId,
    AccountName,
    UPNSuffix
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
query: |
  let query_frequency = 1h;
  let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message == "Update" and EntityName =~ 'organization'
  | mv-expand Fields
  | where Fields.Name == "blockedattachments"
  | extend
      UpdatedAttachments = split(tostring(Fields.Value), ";"),
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      RemovedAttachments,
      CloudAppId,
      AccountName,
      UPNSuffix  
description: Identifies modifications to an environment's blocked file extensions and extracts the removed extension.
severity: Medium
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Dataverse - Removal of blocked file extensions
triggerThreshold: 0
version: 3.2.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
tactics:
- DefenseEvasion
alertDetailsOverride:
  alertDescriptionFormat: '{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.'
  alertDisplayNameFormat: 'Dataverse - Blocked file extension removed in {{InstanceUrl}} '
relevantTechniques:
- T1629
triggerOperator: gt
kind: Scheduled
id: 1b1061be-2595-4492-af6d-1c8a5fc9576d
status: Available
queryFrequency: 1h
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.",
          "alertDisplayNameFormat": "Dataverse - Blocked file extension removed in {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "1b1061be-2595-4492-af6d-1c8a5fc9576d",
        "customDetails": null,
        "description": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension.",
        "displayName": "Dataverse - Removal of blocked file extensions",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml",
        "query": "let query_frequency = 1h;\nlet default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', \";\");\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName =~ 'organization'\n| mv-expand Fields\n| where Fields.Name == \"blockedattachments\"\n| extend\n    UpdatedAttachments = split(tostring(Fields.Value), \";\"),\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)\n| project\n    TimeGenerated,\n    UserId,\n    ClientIp,\n    InstanceUrl,\n    RemovedAttachments,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": null,
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}