Microsoft Sentinel Analytic Rules

Dataverse - Malware found in SharePoint document management site

Id: 2e3878bb-d519-43aa-9992-ea069df099e4
Rulename: Dataverse - Malware found in SharePoint document management site
Description: This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
Severity: Medium
Tactics: Execution
Techniques: T1204
Required data connectors: Dataverse, Office365
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
Version: 3.2.0
Arm template: 2e3878bb-d519-43aa-9992-ea069df099e4.json
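// Correlates SharePoint malware detections on Dataverse-linked document
// management sites with the upload that introduced the file, so the alert
// carries the uploading user, the file name and the client IP of the upload.
//
// Lookback for the DataverseActivity side. Keep this >= the rule's
// queryFrequency (1h): a window shorter than the schedule leaves Dataverse
// UploadDocument events between two runs unseen, and Dynamics 365 uploads then
// surface with an empty ClientIp. Detections that arrive later than this
// window after the upload still fall back to the SharePoint ClientIP.
let query_frequency = 1h;
// SharePoint files flagged as malware, limited to sites that are registered
// in DataverseSharePointSites (i.e. used for Dataverse document management).
let malware_events = OfficeActivity
    | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
    | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
    | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
// All SharePoint uploads in the query period, with the address recorded in
// the SharePoint audit record (ClientIP) and the application that performed
// the upload (ApplicationId).
let file_upload_events = OfficeActivity
    | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
    | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
// Recent Dataverse UploadDocument calls keyed by user; D365ClientIp is the
// address the Dataverse side recorded for that user's uploads.
let d365_upload_events = DataverseActivity
    | where TimeGenerated >= ago(query_frequency)
    | where Message == "UploadDocument"
    | summarize by UserId, D365ClientIp = ClientIp;
malware_events
// Correlation is by file name and site only; the upload is not required to
// precede the detection in time.
| join kind=inner (file_upload_events) on SourceFileName, Site_Url
// lookup defaults to a left-outer match, so rows without a Dataverse upload
// for the same user are kept (D365ClientIp empty) and use ClientIP below.
| lookup (d365_upload_events) on UserId
// 00000007-0000-0000-c000-000000000000 is the Dynamics 365 first-party
// application id: for uploads made through it, prefer the address recorded
// on the Dataverse side over the SharePoint audit address.
| extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
| extend
    // Static application ids consumed by the CloudApplication entity
    // mappings: CloudAppId pairs with InstanceUrl, SharePointId with
    // SharePointUrl.
    CloudAppId = int(32780),
    SharePointId = int(20892),
    // Account entity: UPN split into name and domain suffix.
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    TimeGenerated,
    UserId,
    ClientIp,
    InstanceUrl,
    SharePointUrl,
    SourceFileName,
    CloudAppId,
    SharePointId,
    AccountName,
    UPNSuffix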
queryFrequency: 1h
queryPeriod: 14d
query: |
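  // Correlates SharePoint malware detections on Dataverse-linked document
  // management sites with the upload that introduced the file, so the alert
  // carries the uploading user, the file name and the client IP of the upload.
  //
  // Lookback for the DataverseActivity side. Keep this >= the rule's
  // queryFrequency (1h): a window shorter than the schedule leaves Dataverse
  // UploadDocument events between two runs unseen, and Dynamics 365 uploads then
  // surface with an empty ClientIp. Detections that arrive later than this
  // window after the upload still fall back to the SharePoint ClientIP.
  let query_frequency = 1h;
  // SharePoint files flagged as malware, limited to sites that are registered
  // in DataverseSharePointSites (i.e. used for Dataverse document management).
  let malware_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
  // All SharePoint uploads in the query period, with the address recorded in
  // the SharePoint audit record (ClientIP) and the application that performed
  // the upload (ApplicationId).
  let file_upload_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
  // Recent Dataverse UploadDocument calls keyed by user; D365ClientIp is the
  // address the Dataverse side recorded for that user's uploads.
  let d365_upload_events = DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UploadDocument"
      | summarize by UserId, D365ClientIp = ClientIp;
  malware_events
  // Correlation is by file name and site only; the upload is not required to
  // precede the detection in time.
  | join kind=inner (file_upload_events) on SourceFileName, Site_Url
  // lookup defaults to a left-outer match, so rows without a Dataverse upload
  // for the same user are kept (D365ClientIp empty) and use ClientIP below.
  | lookup (d365_upload_events) on UserId
  // 00000007-0000-0000-c000-000000000000 is the Dynamics 365 first-party
  // application id: for uploads made through it, prefer the address recorded
  // on the Dataverse side over the SharePoint audit address.
  | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
  | extend
      // Static application ids consumed by the CloudApplication entity
      // mappings: CloudAppId pairs with InstanceUrl, SharePointId with
      // SharePointUrl.
      CloudAppId = int(32780),
      SharePointId = int(20892),
      // Account entity: UPN split into name and domain suffix.
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      SharePointUrl,
      SourceFileName,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix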
tactics:
- Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
relevantTechniques:
- T1204
triggerThreshold: 0
triggerOperator: gt
kind: Scheduled
id: 2e3878bb-d519-43aa-9992-ea069df099e4
status: Available
name: Dataverse - Malware found in SharePoint document management site
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 3.2.0
description: This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
- dataTypes:
  - OfficeActivity (SharePoint)
  connectorId: Office365
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: SourceFileName
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: SharePointId
  - identifier: InstanceName
    columnName: SharePointUrl
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} '
  alertDescriptionFormat: A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e3878bb-d519-43aa-9992-ea069df099e4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e3878bb-d519-43aa-9992-ea069df099e4')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}",
          "alertDisplayNameFormat": "Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "2e3878bb-d519-43aa-9992-ea069df099e4",
        "customDetails": null,
        "description": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.",
        "displayName": "Dataverse - Malware found in SharePoint document management site",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "SourceFileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml",
        "query": "let query_frequency = 15m;\n  let malware_events = OfficeActivity\n      | where OfficeWorkload == \"SharePoint\" and Operation == \"FileMalwareDetected\"\n      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url\n      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;\n  let file_upload_events = OfficeActivity\n      | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\"\n      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;\n  let d365_upload_events = DataverseActivity\n      | where TimeGenerated >= ago(query_frequency)\n      | where Message == \"UploadDocument\"\n      | summarize by UserId, D365ClientIp = ClientIp;\n  malware_events\n  | join kind=inner (file_upload_events) on SourceFileName, Site_Url\n  | lookup (d365_upload_events) on UserId\n  | extend ClientIp = iif(ApplicationId == \"00000007-0000-0000-c000-000000000000\", D365ClientIp, ClientIP)\n  | extend\n      CloudAppId = int(32780),\n      SharePointId = int(20892),\n      AccountName = tostring(split(UserId, '@')[0]),\n      UPNSuffix = tostring(split(UserId, '@')[1])\n  | project\n      TimeGenerated,\n      UserId,\n      ClientIp,\n      InstanceUrl,\n      SharePointUrl,\n      SourceFileName,\n      CloudAppId,\n      SharePointId,\n      AccountName,\n      UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}