Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Malware found in SharePoint document management site

Back
Id2e3878bb-d519-43aa-9992-ea069df099e4
RulenameDataverse - Malware found in SharePoint document management site
DescriptionThis query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsDataverse
Office365
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
Version3.2.0
Arm template2e3878bb-d519-43aa-9992-ea069df099e4.json
Deploy To Azure
let query_frequency = 15m;
  let malware_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
  let file_upload_events = OfficeActivity
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
  let d365_upload_events = DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UploadDocument"
      | summarize by UserId, D365ClientIp = ClientIp;
  malware_events
  | join kind=inner (file_upload_events) on SourceFileName, Site_Url
  | lookup (d365_upload_events) on UserId
  | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
  | extend
      CloudAppId = int(32780),
      SharePointId = int(20892),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      InstanceUrl,
      SharePointUrl,
      SourceFileName,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: SourceFileName
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: SharePointId
  - identifier: InstanceName
    columnName: SharePointUrl
queryFrequency: 1h
name: Dataverse - Malware found in SharePoint document management site
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} '
  alertDescriptionFormat: A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}
kind: Scheduled
tactics:
- Execution
triggerThreshold: 0
query: |
  let query_frequency = 15m;
    let malware_events = OfficeActivity
        | where OfficeWorkload == "SharePoint" and Operation == "FileMalwareDetected"
        | summarize by MalwareUserId = UserId, SourceFileName, Site_Url
        | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;
    let file_upload_events = OfficeActivity
        | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded"
        | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;
    let d365_upload_events = DataverseActivity
        | where TimeGenerated >= ago(query_frequency)
        | where Message == "UploadDocument"
        | summarize by UserId, D365ClientIp = ClientIp;
    malware_events
    | join kind=inner (file_upload_events) on SourceFileName, Site_Url
    | lookup (d365_upload_events) on UserId
    | extend ClientIp = iif(ApplicationId == "00000007-0000-0000-c000-000000000000", D365ClientIp, ClientIP)
    | extend
        CloudAppId = int(32780),
        SharePointId = int(20892),
        AccountName = tostring(split(UserId, '@')[0]),
        UPNSuffix = tostring(split(UserId, '@')[1])
    | project
        TimeGenerated,
        UserId,
        ClientIp,
        InstanceUrl,
        SharePointUrl,
        SourceFileName,
        CloudAppId,
        SharePointId,
        AccountName,
        UPNSuffix  
relevantTechniques:
- T1204
triggerOperator: gt
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml
severity: Medium
status: Available
id: 2e3878bb-d519-43aa-9992-ea069df099e4
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
version: 3.2.0
description: This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e3878bb-d519-43aa-9992-ea069df099e4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e3878bb-d519-43aa-9992-ea069df099e4')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}",
          "alertDisplayNameFormat": "Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "2e3878bb-d519-43aa-9992-ea069df099e4",
        "customDetails": null,
        "description": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.",
        "displayName": "Dataverse - Malware found in SharePoint document management site",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "SourceFileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Malware found in SharePoint document management site.yaml",
        "query": "let query_frequency = 15m;\n  let malware_events = OfficeActivity\n      | where OfficeWorkload == \"SharePoint\" and Operation == \"FileMalwareDetected\"\n      | summarize by MalwareUserId = UserId, SourceFileName, Site_Url\n      | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;\n  let file_upload_events = OfficeActivity\n      | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\"\n      | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;\n  let d365_upload_events = DataverseActivity\n      | where TimeGenerated >= ago(query_frequency)\n      | where Message == \"UploadDocument\"\n      | summarize by UserId, D365ClientIp = ClientIp;\n  malware_events\n  | join kind=inner (file_upload_events) on SourceFileName, Site_Url\n  | lookup (d365_upload_events) on UserId\n  | extend ClientIp = iif(ApplicationId == \"00000007-0000-0000-c000-000000000000\", D365ClientIp, ClientIP)\n  | extend\n      CloudAppId = int(32780),\n      SharePointId = int(20892),\n      AccountName = tostring(split(UserId, '@')[0]),\n      UPNSuffix = tostring(split(UserId, '@')[1])\n  | project\n      TimeGenerated,\n      UserId,\n      ClientIp,\n      InstanceUrl,\n      SharePointUrl,\n      SourceFileName,\n      CloudAppId,\n      SharePointId,\n      AccountName,\n      UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}