Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - New Dataverse application user activity type

Back
Id5c768e7d-7e5e-4d57-80d4-3f50c96fbf70
RulenameDataverse - New Dataverse application user activity type
DescriptionIdentifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.
SeverityMedium
TacticsCredentialAccess
Execution
PrivilegeEscalation
TechniquesT1635
T0871
T1078
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml
Version3.2.0
Arm template5c768e7d-7e5e-4d57-80d4-3f50c96fbf70.json
Deploy To Azure
let query_frequency = 1h;
let query_lookback = 14d;
let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
let application_users = DataverseActivity
    | where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
    | summarize by UserId
    | where split(UserId, "@")[1] matches regex app_user_regex;
let historical_app_activity = application_users
    | join kind = inner (
        DataverseActivity
        | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
        | summarize by UserId, EntityName, Message, InstanceUrl)
        on
        UserId;
let current_activity = application_users
    | join kind= inner (
        DataverseActivity
        | where TimeGenerated >= ago(query_frequency)
        | summarize by UserId, EntityName, Message, InstanceUrl)
        on
        UserId;
current_activity
| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
| summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
| extend
    AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
    CloudAppId = int(32780)
| project
    UserId,
    NewActivities,
    InstanceUrl,
    AadUserId,
    CloudAppId
relevantTechniques:
- T1635
- T0871
- T1078
name: Dataverse - New Dataverse application user activity type
queryPeriod: 14d
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: '{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.'
  alertDisplayNameFormat: 'Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} '
id: 5c768e7d-7e5e-4d57-80d4-3f50c96fbf70
eventGroupingSettings:
  aggregationKind: SingleAlert
severity: Medium
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
description: Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.
version: 3.2.0
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AadUserId
    identifier: AadUserId
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
tactics:
- CredentialAccess
- Execution
- PrivilegeEscalation
query: |
  let query_frequency = 1h;
  let query_lookback = 14d;
  let app_user_regex = "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\.com$";
  let guid_regex = "([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})";
  let application_users = DataverseActivity
      | where UserId !endswith "@onmicrosoft.com" and UserId != "Unknown"
      | summarize by UserId
      | where split(UserId, "@")[1] matches regex app_user_regex;
  let historical_app_activity = application_users
      | join kind = inner (
          DataverseActivity
          | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
          | summarize by UserId, EntityName, Message, InstanceUrl)
          on
          UserId;
  let current_activity = application_users
      | join kind= inner (
          DataverseActivity
          | where TimeGenerated >= ago(query_frequency)
          | summarize by UserId, EntityName, Message, InstanceUrl)
          on
          UserId;
  current_activity
  | join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl
  | summarize NewActivities = make_set(strcat(Message, " ", EntityName), 1000) by UserId, InstanceUrl
  | extend
      AadUserId = extract(guid_regex, 1, tostring(split(UserId, "@")[0])),
      CloudAppId = int(32780)
  | project
      UserId,
      NewActivities,
      InstanceUrl,
      AadUserId,
      CloudAppId  
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.",
          "alertDisplayNameFormat": "Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "5c768e7d-7e5e-4d57-80d4-3f50c96fbf70",
        "customDetails": null,
        "description": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.",
        "displayName": "Dataverse - New Dataverse application user activity type",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AadUserId",
                "identifier": "AadUserId"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - New Dataverse application user activity type.yaml",
        "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n    | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n    | summarize by UserId\n    | where split(UserId, \"@\")[1] matches regex app_user_regex;\nlet historical_app_activity = application_users\n    | join kind = inner (\n        DataverseActivity\n        | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n        | summarize by UserId, EntityName, Message, InstanceUrl)\n        on\n        UserId;\nlet current_activity = application_users\n    | join kind= inner (\n        DataverseActivity\n        | where TimeGenerated >= ago(query_frequency)\n        | summarize by UserId, EntityName, Message, InstanceUrl)\n        on\n        UserId;\ncurrent_activity\n| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl\n| summarize NewActivities = make_set(strcat(Message, \" \", EntityName), 1000) by UserId, InstanceUrl\n| extend\n    AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0])),\n    CloudAppId = int(32780)\n| project\n    UserId,\n    NewActivities,\n    InstanceUrl,\n    AadUserId,\n    CloudAppId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Execution",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}