Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Removal of blocked file extensions

Back
Id1b1061be-2595-4492-af6d-1c8a5fc9576d
RulenameDataverse - Removal of blocked file extensions
DescriptionIdentifies modifications to an environment’s blocked file extensions and extracts the removed extension.
SeverityMedium
TacticsDefenseEvasion
TechniquesT1629
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
Version3.2.0
Arm template1b1061be-2595-4492-af6d-1c8a5fc9576d.json
Deploy To Azure
let query_frequency = 1h;
let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName =~ 'organization'
| mv-expand Fields
| where Fields.Name == "blockedattachments"
| extend
    UpdatedAttachments = split(tostring(Fields.Value), ";"),
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
| project
    TimeGenerated,
    UserId,
    ClientIp,
    InstanceUrl,
    RemovedAttachments,
    CloudAppId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
queryFrequency: 1h
name: Dataverse - Removal of blocked file extensions
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Blocked file extension removed in {{InstanceUrl}} '
  alertDescriptionFormat: '{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.'
kind: Scheduled
tactics:
- DefenseEvasion
triggerThreshold: 0
query: |
  let query_frequency = 1h;
  let default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', ";");
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message == "Update" and EntityName =~ 'organization'
  | mv-expand Fields
  | where Fields.Name == "blockedattachments"
  | extend
      UpdatedAttachments = split(tostring(Fields.Value), ";"),
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      RemovedAttachments,
      CloudAppId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T1629
triggerOperator: gt
queryPeriod: 1d
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml
severity: Medium
status: Available
id: 1b1061be-2595-4492-af6d-1c8a5fc9576d
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
version: 3.2.0
description: Identifies modifications to an environment's blocked file extensions and extracts the removed extension.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b1061be-2595-4492-af6d-1c8a5fc9576d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.",
          "alertDisplayNameFormat": "Dataverse - Blocked file extension removed in {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "1b1061be-2595-4492-af6d-1c8a5fc9576d",
        "customDetails": null,
        "description": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension.",
        "displayName": "Dataverse - Removal of blocked file extensions",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Removal of blocked file extensions.yaml",
        "query": "let query_frequency = 1h;\nlet default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', \";\");\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName =~ 'organization'\n| mv-expand Fields\n| where Fields.Name == \"blockedattachments\"\n| extend\n    UpdatedAttachments = split(tostring(Fields.Value), \";\"),\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)\n| project\n    TimeGenerated,\n    UserId,\n    ClientIp,\n    InstanceUrl,\n    RemovedAttachments,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": null,
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}