FO - Reverted bank account number modifications
| Id | 44b1021c-d517-4b7a-9ba6-a91eab94e632 |
| Rulename | F&O - Reverted bank account number modifications |
| Description | Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1565 T1496 T0828 T0831 |
| Required data connectors | Dynamics365Finance |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml |
| Version | 3.2.0 |
| Arm template | 44b1021c-d517-4b7a-9ba6-a91eab94e632.json |
let detection_window = 24h;
let query_frequency = 15m;
let bank_changes = FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "BankAccountTable"
| extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
| extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
| extend
CurrentAccountNum = tostring(AccountNum.NewData),
OldAccountNum = tostring(AccountNum.OldData)
| where CurrentAccountNum != OldAccountNum;
bank_changes
| join kind=inner (bank_changes
| where TimeGenerated >= ago(query_frequency)
| project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)
on $left.OldAccountNum == $right.UpdatedAccount
| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))
| extend FinOpsAppId = 32780
| project
TimeGenerated,
LogCreatedDateTime,
LogType,
TableName,
Username,
AccountId,
CurrentAccountNum,
OldAccountNum,
FinOpsAppId
relevantTechniques:
- T1565
- T1496
- T0828
- T0831
name: F&O - Reverted bank account number modifications
queryPeriod: 1d
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: A suspicous bank account change was made in F&O, the bank account number was updated and then changed back to the orginal number a short time later. {{AccountId}} was changed by {{Username}}
alertDisplayNameFormat: F&O - Suspicious bank account number changes
id: 44b1021c-d517-4b7a-9ba6-a91eab94e632
eventGroupingSettings:
aggregationKind: SingleAlert
severity: Low
requiredDataConnectors:
- dataTypes:
- FinanceOperationsActivity_CL
connectorId: Dynamics365Finance
description: Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later.
version: 3.2.0
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Username
identifier: FullName
- entityType: CloudApplication
fieldMappings:
- columnName: FinOpsAppId
identifier: AppId
tactics:
- Impact
query: |
let detection_window = 24h;
let query_frequency = 15m;
let bank_changes = FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "BankAccountTable"
| extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
| extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
| extend
CurrentAccountNum = tostring(AccountNum.NewData),
OldAccountNum = tostring(AccountNum.OldData)
| where CurrentAccountNum != OldAccountNum;
bank_changes
| join kind=inner (bank_changes
| where TimeGenerated >= ago(query_frequency)
| project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)
on $left.OldAccountNum == $right.UpdatedAccount
| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))
| extend FinOpsAppId = 32780
| project
TimeGenerated,
LogCreatedDateTime,
LogType,
TableName,
Username,
AccountId,
CurrentAccountNum,
OldAccountNum,
FinOpsAppId
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml
queryFrequency: 15m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44b1021c-d517-4b7a-9ba6-a91eab94e632')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44b1021c-d517-4b7a-9ba6-a91eab94e632')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "A suspicous bank account change was made in F&O, the bank account number was updated and then changed back to the orginal number a short time later. {{AccountId}} was changed by {{Username}}",
"alertDisplayNameFormat": "F&O - Suspicious bank account number changes"
},
"alertRuleTemplateName": "44b1021c-d517-4b7a-9ba6-a91eab94e632",
"customDetails": null,
"description": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later.",
"displayName": "F&O - Reverted bank account number modifications",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "FullName"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "FinOpsAppId",
"identifier": "AppId"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml",
"query": "let detection_window = 24h;\nlet query_frequency = 15m;\nlet bank_changes = FinanceOperationsActivity_CL\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum;\nbank_changes\n| join kind=inner (bank_changes\n | where TimeGenerated >= ago(query_frequency)\n | project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)\n on $left.OldAccountNum == $right.UpdatedAccount\n| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))\n| extend FinOpsAppId = 32780\n| project\n TimeGenerated,\n LogCreatedDateTime,\n LogType,\n TableName,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n FinOpsAppId\n",
"queryFrequency": "PT15M",
"queryPeriod": "P1D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1496",
"T1565"
],
"templateVersion": "3.2.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}