Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dataverse - Malware found in SharePoint document management site

Dataverse - Malware found in SharePoint document management site

Back
Id2e3878bb-d519-43aa-9992-ea069df099e4
RulenameDataverse - Malware found in SharePoint document management site
DescriptionThis query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsDataverse
Office365
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
Version3.2.0
Arm template2e3878bb-d519-43aa-9992-ea069df099e4.json
Deploy To Azure
let query_frequency = 15m;
  let malware_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
  let file_upload_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
  let d365_upload_events = DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UploadDocument"
      | summarize by UserId, D365ClientIp = ClientIp;
  malware_events
  | join kind=inner (file_upload_events) on SourceFileName, Site_Url
  | lookup (d365_upload_events) on UserId
  | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
  | extend
      CloudAppId = int(32780),
      SharePointId = int(20892),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      SharePointUrl,
      SourceFileName,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix

description: This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
triggerThreshold: 0
queryPeriod: 14d
version: 3.2.0
query: |
  let query_frequency = 15m;
    let malware_events = OfficeActivity
        | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
        | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
        | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
    let file_upload_events = OfficeActivity
        | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
        | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
    let d365_upload_events = DataverseActivity
        | where TimeGenerated >= ago(query_frequency)
        | where Message == "UploadDocument"
        | summarize by UserId, D365ClientIp = ClientIp;
    malware_events
    | join kind=inner (file_upload_events) on SourceFileName, Site_Url
    | lookup (d365_upload_events) on UserId
    | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
    | extend
        CloudAppId = int(32780),
        SharePointId = int(20892),
        AccountName = tostring(split(UserId, '@')[0]),
        UPNSuffix = tostring(split(UserId, '@')[1])
    | project
        TimeGenerated,
        UserId,
        ClientIp,
        InstanceUrl,
        SharePointUrl,
        SourceFileName,
        CloudAppId,
        SharePointId,
        AccountName,
        UPNSuffix  
queryFrequency: 1h
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: SourceFileName
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: SharePointId
  - identifier: InstanceName
    columnName: SharePointUrl
alertDetailsOverride:
  alertDescriptionFormat: A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}
  alertDisplayNameFormat: 'Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} '
severity: Medium
tactics:
- Execution
relevantTechniques:
- T1204
id: 2e3878bb-d519-43aa-9992-ea069df099e4
kind: Scheduled
name: Dataverse - Malware found in SharePoint document management site
status: Available
triggerOperator: gt