Dataverse - New Dataverse application user activity type
| Id | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70 |
| Rulename | Dataverse - New Dataverse application user activity type |
| Description | Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user. |
| Severity | Medium |
| Tactics | CredentialAccess Execution PrivilegeEscalation |
| Techniques | T1635 T0871 T1078 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml |
| Version | 3.2.0 |
| Arm template | 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70.json |
let query_frequency = 1h;
let query_lookback = 14d;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
| where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
| summarize by UserId
| where split(UserId, "@")[1] matches regex app_user_regex;
let historical_app_activity = application_users
| join kind = inner (
DataverseActivity
| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
let current_activity = application_users
| join kind= inner (
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
current_activity
| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
| summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
| extend
AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
CloudAppId = int(32780)
| project
UserId,
NewActivities,
InstanceUrl,
AadUserId,
CloudAppId
relevantTechniques:
- T1635
- T0871
- T1078
entityMappings:
- fieldMappings:
- columnName: AadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
entityType: CloudApplication
version: 3.2.0
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml
description: Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} '
alertDescriptionFormat: '{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.'
eventGroupingSettings:
aggregationKind: SingleAlert
id: 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70
queryFrequency: 1h
query: |
let query_frequency = 1h;
let query_lookback = 14d;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
| where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
| summarize by UserId
| where split(UserId, "@")[1] matches regex app_user_regex;
let historical_app_activity = application_users
| join kind = inner (
DataverseActivity
| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
let current_activity = application_users
| join kind= inner (
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| summarize by UserId, EntityName, Message, InstanceUrl)
on
UserId;
current_activity
| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
| summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
| extend
AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
CloudAppId = int(32780)
| project
UserId,
NewActivities,
InstanceUrl,
AadUserId,
CloudAppId
severity: Medium
status: Available
queryPeriod: 14d
name: Dataverse - New Dataverse application user activity type
tactics:
- CredentialAccess
- Execution
- PrivilegeEscalation
kind: Scheduled