Dataverse - New Dataverse application user activity type
Id | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70 |
Rulename | Dataverse - New Dataverse application user activity type |
Description | Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user. |
Severity | Medium |
Tactics | CredentialAccess Execution PrivilegeEscalation |
Techniques | T1635 T0871 T1078 |
Required data connectors | Dataverse |
Kind | Scheduled |
Query frequency | 1h |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml |
Version | 3.2.0 |
Arm template | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70.json |
let query_frequency = 1h;
let query_lookback = 14d;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
| where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
| summarize by UserId
| where split(UserId, "@")[1] matches regex app_user_regex;
let historical_app_activity = application_users
| join kind = inner (
DataverseActivity
| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
let current_activity = application_users
| join kind= inner (
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
current_activity
| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
| summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
| extend
AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
CloudAppId = int(32780)
| project
UserId,
NewActivities,
InstanceUrl,
AadUserId,
CloudAppId
relevantTechniques:
- T1635
- T0871
- T1078
name: Dataverse - New Dataverse application user activity type
queryPeriod: 14d
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: '{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.'
alertDisplayNameFormat: 'Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} '
id: 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70
eventGroupingSettings:
aggregationKind: SingleAlert
severity: Medium
requiredDataConnectors:
- dataTypes:
- DataverseActivity
connectorId: Dataverse
description: Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.
version: 3.2.0
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AadUserId
identifier: AadUserId
- entityType: CloudApplication
fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
tactics:
- CredentialAccess
- Execution
- PrivilegeEscalation
query: |
let query_frequency = 1h;
let query_lookback = 14d;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
| where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
| summarize by UserId
| where split(UserId, "@")[1] matches regex app_user_regex;
let historical_app_activity = application_users
| join kind = inner (
DataverseActivity
| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
let current_activity = application_users
| join kind= inner (
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
current_activity
| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
| summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
| extend
AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
CloudAppId = int(32780)
| project
UserId,
NewActivities,
InstanceUrl,
AadUserId,
CloudAppId
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml
queryFrequency: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.",
"alertDisplayNameFormat": "Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} "
},
"alertRuleTemplateName": "5c768e7d-7e5e-4d57-80d4-3f50c96fbf70",
"customDetails": null,
"description": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.",
"displayName": "Dataverse - New Dataverse application user activity type",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "CloudAppId",
"identifier": "AppId"
},
{
"columnName": "InstanceUrl",
"identifier": "InstanceName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml",
"query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nlet historical_app_activity = application_users\n | join kind = inner (\n DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\nlet current_activity = application_users\n | join kind= inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\ncurrent_activity\n| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl\n| summarize NewActivities = make_set(strcat(Message, \" \", EntityName), 1000) by UserId, InstanceUrl\n| extend\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0])),\n CloudAppId = int(32780)\n| project\n UserId,\n NewActivities,\n InstanceUrl,\n AadUserId,\n CloudAppId\n",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Execution",
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"templateVersion": "3.2.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}