Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Malware found in SharePoint document management site

Back
Id2e3878bb-d519-43aa-9992-ea069df099e4
RulenameDataverse - Malware found in SharePoint document management site
DescriptionThis query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsDataverse
Office365
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
Version3.2.0
Arm template2e3878bb-d519-43aa-9992-ea069df099e4.json
Deploy To Azure
let query_frequency = 15m;
  let malware_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
  let file_upload_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
  let d365_upload_events = DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UploadDocument"
      | summarize by UserId, D365ClientIp = ClientIp;
  malware_events
  | join kind=inner (file_upload_events) on SourceFileName, Site_Url
  | lookup (d365_upload_events) on UserId
  | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
  | extend
      CloudAppId = int(32780),
      SharePointId = int(20892),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      SharePointUrl,
      SourceFileName,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
query: |
  let query_frequency = 15m;
    let malware_events = OfficeActivity
        | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
        | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
        | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
    let file_upload_events = OfficeActivity
        | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
        | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
    let d365_upload_events = DataverseActivity
        | where TimeGenerated >= ago(query_frequency)
        | where Message == "UploadDocument"
        | summarize by UserId, D365ClientIp = ClientIp;
    malware_events
    | join kind=inner (file_upload_events) on SourceFileName, Site_Url
    | lookup (d365_upload_events) on UserId
    | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
    | extend
        CloudAppId = int(32780),
        SharePointId = int(20892),
        AccountName = tostring(split(UserId, '@')[0]),
        UPNSuffix = tostring(split(UserId, '@')[1])
    | project
        TimeGenerated,
        UserId,
        ClientIp,
        InstanceUrl,
        SharePointUrl,
        SourceFileName,
        CloudAppId,
        SharePointId,
        AccountName,
        UPNSuffix  
description: This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
severity: Medium
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
- dataTypes:
  - OfficeActivity (SharePoint)
  connectorId: Office365
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Dataverse - Malware found in SharePoint document management site
triggerThreshold: 0
version: 3.2.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
- entityType: File
  fieldMappings:
  - columnName: SourceFileName
    identifier: Name
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
- entityType: CloudApplication
  fieldMappings:
  - columnName: SharePointId
    identifier: AppId
  - columnName: SharePointUrl
    identifier: InstanceName
tactics:
- Execution
alertDetailsOverride:
  alertDescriptionFormat: A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}
  alertDisplayNameFormat: 'Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} '
relevantTechniques:
- T1204
triggerOperator: gt
kind: Scheduled
id: 2e3878bb-d519-43aa-9992-ea069df099e4
status: Available
queryFrequency: 1h
queryPeriod: 14d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e3878bb-d519-43aa-9992-ea069df099e4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e3878bb-d519-43aa-9992-ea069df099e4')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}",
          "alertDisplayNameFormat": "Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "2e3878bb-d519-43aa-9992-ea069df099e4",
        "customDetails": null,
        "description": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.",
        "displayName": "Dataverse - Malware found in SharePoint document management site",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "SourceFileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml",
        "query": "let query_frequency = 15m;\n  let malware_events = OfficeActivity\n      | where OfficeWorkload == \"SharePoint\" and Operation == \"FileMalwareDetected\"\n      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url\n      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;\n  let file_upload_events = OfficeActivity\n      | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\"\n      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;\n  let d365_upload_events = DataverseActivity\n      | where TimeGenerated >= ago(query_frequency)\n      | where Message == \"UploadDocument\"\n      | summarize by UserId, D365ClientIp = ClientIp;\n  malware_events\n  | join kind=inner (file_upload_events) on SourceFileName, Site_Url\n  | lookup (d365_upload_events) on UserId\n  | extend ClientIp = iif(ApplicationId == \"00000007-0000-0000-c000-000000000000\", D365ClientIp, ClientIP)\n  | extend\n      CloudAppId = int(32780),\n      SharePointId = int(20892),\n      AccountName = tostring(split(UserId, '@')[0]),\n      UPNSuffix = tostring(split(UserId, '@')[1])\n  | project\n      TimeGenerated,\n      UserId,\n      ClientIp,\n      InstanceUrl,\n      SharePointUrl,\n      SourceFileName,\n      CloudAppId,\n      SharePointId,\n      AccountName,\n      UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}