Dataverse - Hierarchy security manipulation
| Id | 2df0adf5-92a8-4ee0-a123-3eb5be1eed02 |
| Rulename | Dataverse - Hierarchy security manipulation |
| Description | Identifies suspicious behaviors in hierarchy security including: - Hierarchy security disabled. - User assigns themselves as a manager. - User assigns themselves to a monitored position. |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1548 T1078 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Hierarchy security manipulation.yaml |
| Version | 3.2.0 |
| Arm template | 2df0adf5-92a8-4ee0-a123-3eb5be1eed02.json |
// Dataverse - Hierarchy security manipulation.
// Three branches are unioned at the end; each one looks only at "Update"
// events from DataverseActivity inside the last query_frequency.
let monitored_position_ids = dynamic([
// Enter a list of monitored position ID (guids)
//"79380ac5-da2a-ed11-9db1-000d3a58d546"
// NOTE: while this list is empty the position branch below can never match
// (the `in` test against an empty list is false), so only the first two
// branches can produce results until it is populated.
]);
// Lookback window. It equals the rule's queryFrequency (1h), so consecutive
// runs do not overlap; events ingested with a delay may fall between runs.
// NOTE(review): confirm against the environment's typical ingestion latency.
let query_frequency = 1h;
// Branch 1: the organization-level hierarchy security switch was turned off.
// Fields is expanded so each changed attribute becomes its own row.
let security_disabled_events = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "organization"
| mv-expand Fields
| where Fields.Name == "ishierarchicalsecuritymodelenabled"
// Exact, case-sensitive match on "False"; the other branches compare through
// tostring(). NOTE(review): confirm the audit log always emits this spelling.
| where Fields.Value == "False"
// Replaces the original "Update" Message with the alert text.
| extend Message = "Hierarchy security has been disabled"
// Only these columns are kept, so PositionId is empty for rows from this
// branch after the union.
| project TimeGenerated, UserId, ClientIp, InstanceUrl, Message;
// Branch 2: the acting user (SystemUserId) set themselves as the manager
// (parentsystemuserid) of the systemuser record being updated.
let assign_self_as_manager_events = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "systemuser"
| mv-expand Fields
| where Fields.Name == "parentsystemuserid"
| extend ModifiedManager = tostring(Fields.Value)
// Self-assignment: the new manager id equals the actor's own id.
// NOTE(review): assumes Fields.Value carries the id in the same format as
// SystemUserId - confirm against sample events.
| where SystemUserId == ModifiedManager
// No project here, so every DataverseActivity column flows into the union.
| extend Message = "User added self as manager of another user";
// Branch 3: the acting user assigned themselves to a monitored position.
// Fields is expanded twice under different names so the positionid and
// systemuserid attributes of the same event can be paired on one row.
let assign_self_to_position_events = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "systemuser"
| mv-expand Position = Fields
| where Position.Name == "positionid" and tostring(Position.Value) in (monitored_position_ids)
| mv-expand Target = Fields
| where Target.Name == "systemuserid"
| extend UserAssigned = tostring(Target.Value)
// Self-assignment: the targeted user id equals the actor's own id.
| where SystemUserId == UserAssigned
| extend
Message = "User assigned self to a monitored position",
PositionId = tostring(Position.Value);
// Combine the branches and add the columns the entity mappings rely on:
// CloudAppId 32780 for the CloudApplication entity, AccountName/UPNSuffix
// split from UserId for the Account entity.
union
security_disabled_events,
assign_self_as_manager_events,
assign_self_to_position_events
| extend
CloudAppId = int(32780),
// If UserId contains no '@', UPNSuffix is empty and the Account entity is
// only partially populated for that row.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
TimeGenerated,
UserId,
ClientIp,
InstanceUrl,
Message,
PositionId,
CloudAppId,
AccountName,
UPNSuffix
queryPeriod: 1d
query: |
// Dataverse - Hierarchy security manipulation.
// Three branches are unioned at the end; each one looks only at "Update"
// events from DataverseActivity inside the last query_frequency.
let monitored_position_ids = dynamic([
// Enter a list of monitored position ID (guids)
//"79380ac5-da2a-ed11-9db1-000d3a58d546"
// NOTE: while this list is empty the position branch below can never match
// (the `in` test against an empty list is false), so only the first two
// branches can produce results until it is populated.
]);
// Lookback window. It equals the rule's queryFrequency (1h), so consecutive
// runs do not overlap; events ingested with a delay may fall between runs.
// NOTE(review): confirm against the environment's typical ingestion latency.
let query_frequency = 1h;
// Branch 1: the organization-level hierarchy security switch was turned off.
// Fields is expanded so each changed attribute becomes its own row.
let security_disabled_events = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "organization"
| mv-expand Fields
| where Fields.Name == "ishierarchicalsecuritymodelenabled"
// Exact, case-sensitive match on "False"; the other branches compare through
// tostring(). NOTE(review): confirm the audit log always emits this spelling.
| where Fields.Value == "False"
// Replaces the original "Update" Message with the alert text.
| extend Message = "Hierarchy security has been disabled"
// Only these columns are kept, so PositionId is empty for rows from this
// branch after the union.
| project TimeGenerated, UserId, ClientIp, InstanceUrl, Message;
// Branch 2: the acting user (SystemUserId) set themselves as the manager
// (parentsystemuserid) of the systemuser record being updated.
let assign_self_as_manager_events = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "systemuser"
| mv-expand Fields
| where Fields.Name == "parentsystemuserid"
| extend ModifiedManager = tostring(Fields.Value)
// Self-assignment: the new manager id equals the actor's own id.
// NOTE(review): assumes Fields.Value carries the id in the same format as
// SystemUserId - confirm against sample events.
| where SystemUserId == ModifiedManager
// No project here, so every DataverseActivity column flows into the union.
| extend Message = "User added self as manager of another user";
// Branch 3: the acting user assigned themselves to a monitored position.
// Fields is expanded twice under different names so the positionid and
// systemuserid attributes of the same event can be paired on one row.
let assign_self_to_position_events = DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "systemuser"
| mv-expand Position = Fields
| where Position.Name == "positionid" and tostring(Position.Value) in (monitored_position_ids)
| mv-expand Target = Fields
| where Target.Name == "systemuserid"
| extend UserAssigned = tostring(Target.Value)
// Self-assignment: the targeted user id equals the actor's own id.
| where SystemUserId == UserAssigned
| extend
Message = "User assigned self to a monitored position",
PositionId = tostring(Position.Value);
// Combine the branches and add the columns the entity mappings rely on:
// CloudAppId 32780 for the CloudApplication entity, AccountName/UPNSuffix
// split from UserId for the Account entity.
union
security_disabled_events,
assign_self_as_manager_events,
assign_self_to_position_events
| extend
CloudAppId = int(32780),
// If UserId contains no '@', UPNSuffix is empty and the Account entity is
// only partially populated for that row.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
TimeGenerated,
UserId,
ClientIp,
InstanceUrl,
Message,
PositionId,
CloudAppId,
AccountName,
UPNSuffix
version: 3.2.0
name: Dataverse - Hierarchy security manipulation
entityMappings:
- fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: ClientIp
identifier: Address
entityType: IP
- fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
entityType: CloudApplication
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Hierarchy security manipulation.yaml
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Suspicious hierarchy security modifications in {{InstanceUrl}} '
alertDescriptionFormat: '{{Message}}. Events detected for user {{UserId}}.'
description: |
Identifies suspicious behaviors in hierarchy security including:
- Hierarchy security disabled.
- User assigns themselves as a manager.
- User assigns themselves to a monitored position.
kind: Scheduled
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
id: 2df0adf5-92a8-4ee0-a123-3eb5be1eed02
relevantTechniques:
- T1548
- T1078