Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Removal of blocked file extensions

Back
Id1b1061be-2595-4492-af6d-1c8a5fc9576d
RulenameDataverse - Removal of blocked file extensions
DescriptionIdentifies modifications to an environment’s blocked file extensions and extracts the removed extension.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1629
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
Version3.2.0
Arm template1b1061be-2595-4492-af6d-1c8a5fc9576d.json
Deploy To Azure
let query_frequency = 1h;
let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName =~ 'organization'
| mv-expand Fields
| where Fields.Name == "blockedattachments"
| extend
    UpdatedAttachments = split(tostring(Fields.Value), ";"),
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
| project
    TimeGenerated,
    UserId,
    ClientIp,
    InstanceUrl,
    RemovedAttachments,
    CloudAppId,
    AccountName,
    UPNSuffix
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
description: Identifies modifications to an environment's blocked file extensions and extracts the removed extension.
relevantTechniques:
- T1629
version: 3.2.0
tactics:
- DefenseEvasion
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Blocked file extension removed in {{InstanceUrl}} '
  alertDescriptionFormat: '{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.'
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIp
  entityType: IP
- fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
  entityType: CloudApplication
name: Dataverse - Removal of blocked file extensions
triggerOperator: gt
severity: Medium
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
status: Available
query: |
  let query_frequency = 1h;
  let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message == "Update" and EntityName =~ 'organization'
  | mv-expand Fields
  | where Fields.Name == "blockedattachments"
  | extend
      UpdatedAttachments = split(tostring(Fields.Value), ";"),
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      RemovedAttachments,
      CloudAppId,
      AccountName,
      UPNSuffix  
id: 1b1061be-2595-4492-af6d-1c8a5fc9576d
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.",
          "alertDisplayNameFormat": "Dataverse - Blocked file extension removed in {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "1b1061be-2595-4492-af6d-1c8a5fc9576d",
        "customDetails": null,
        "description": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension.",
        "displayName": "Dataverse - Removal of blocked file extensions",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml",
        "query": "let query_frequency = 1h;\nlet default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', \";\");\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName =~ 'organization'\n| mv-expand Fields\n| where Fields.Name == \"blockedattachments\"\n| extend\n    UpdatedAttachments = split(tostring(Fields.Value), \";\"),\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)\n| project\n    TimeGenerated,\n    UserId,\n    ClientIp,\n    InstanceUrl,\n    RemovedAttachments,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": null,
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}