FO - Reverted bank account number modifications
| Id | 44b1021c-d517-4b7a-9ba6-a91eab94e632 |
| Rulename | F&O - Reverted bank account number modifications |
| Description | Identifies changes to bank account numbers in Finance & Operations where a bank account number is modified and then reverted a short time later. |
| Severity | Low |
| Tactics | Impact |
| Techniques | T1565 T1496 T0828 T0831 |
| Required data connectors | Dynamics365Finance |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml |
| Version | 3.2.0 |
| Arm template | 44b1021c-d517-4b7a-9ba6-a91eab94e632.json |
// Purpose: flag a bank account number that was changed and then changed back
// to its previous value within detection_window (a "modify, then revert" pair).
// The rule is scheduled every 15m (queryFrequency) over a 1d lookback
// (queryPeriod); detection_window deliberately matches that lookback, so a
// revert of a change older than the lookback is not visible to this query.
let detection_window = 24h;
// Must stay equal to the rule's queryFrequency (15m): it scopes the "recent"
// side of the join below so each revert is only surfaced by the run that
// first sees it, rather than on every run for the next 24h.
let query_frequency = 15m;
// All BankAccountTable updates in the lookback where the number really changed.
let bank_changes = FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "BankAccountTable"
| extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
| extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
| extend
CurrentAccountNum = tostring(AccountNum.NewData),
OldAccountNum = tostring(AccountNum.OldData)
// Drop no-op updates (other fields changed, account number untouched).
| where CurrentAccountNum != OldAccountNum;
// Left side: every change in the lookback (the original modification).
// Right side: only changes from the last run interval (the candidate revert).
// A match means a recent update restored the value an earlier update removed.
bank_changes
| join kind=inner (bank_changes
| where TimeGenerated >= ago(query_frequency)
| project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)
on $left.OldAccountNum == $right.UpdatedAccount
// NOTE(review): the join key is the account number alone, not AccountId, so a
// pair can be formed from two different bank account records that happen to
// share a number — confirm this is intended, or add AccountId to the key.
// Keep pairs where the revert occurred at or after the original change and no
// later than detection_window afterwards ("between" is inclusive at both ends).
| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))
// Static application id consumed by the CloudApplication entity mapping
// (FinOpsAppId -> AppId) in this rule's YAML.
| extend FinOpsAppId = 32780
// Output columns are taken from the LEFT side, i.e. the original change:
// Username is the user who first modified the number. The reverting user's
// name exists on the right side (KQL suffixes the duplicate as Username1) but
// is not projected; UpdatedTime is likewise dropped. Consider surfacing both
// if investigators need to see who performed the revert.
| project
TimeGenerated,
LogCreatedDateTime,
LogType,
TableName,
Username,
AccountId,
CurrentAccountNum,
OldAccountNum,
FinOpsAppId
alertDetailsOverride:
alertDescriptionFormat: A suspicious bank account change was made in F&O: the bank account number was updated and then changed back to the original number a short time later. {{AccountId}} was changed by {{Username}}
alertDisplayNameFormat: F&O - Suspicious bank account number changes
description: Identifies changes to bank account numbers in Finance & Operations where a bank account number is modified and then reverted a short time later.
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- connectorId: Dynamics365Finance
dataTypes:
- FinanceOperationsActivity_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Reverted bank account number modifications.yaml
severity: Low
name: F&O - Reverted bank account number modifications
triggerThreshold: 0
queryPeriod: 1d
query: |
let detection_window = 24h;
let query_frequency = 15m;
let bank_changes = FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "BankAccountTable"
| extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
| extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
| extend
CurrentAccountNum = tostring(AccountNum.NewData),
OldAccountNum = tostring(AccountNum.OldData)
| where CurrentAccountNum != OldAccountNum;
bank_changes
| join kind=inner (bank_changes
| where TimeGenerated >= ago(query_frequency)
| project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)
on $left.OldAccountNum == $right.UpdatedAccount
| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))
| extend FinOpsAppId = 32780
| project
TimeGenerated,
LogCreatedDateTime,
LogType,
TableName,
Username,
AccountId,
CurrentAccountNum,
OldAccountNum,
FinOpsAppId
relevantTechniques:
- T1565
- T1496
- T0828
- T0831
id: 44b1021c-d517-4b7a-9ba6-a91eab94e632
queryFrequency: 15m
status: Available
version: 3.2.0
triggerOperator: gt
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- columnName: Username
identifier: FullName
- entityType: CloudApplication
fieldMappings:
- columnName: FinOpsAppId
identifier: AppId