Back
Id666fef96-1bb8-4abf-ad72-e5cb49561381
RulenameDataverse - Login from IP in the block list
DescriptionIdentifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
T1078
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Business%20Applications/Analytic%20Rules/Dataverse%20-%20Login%20from%20IP%20in%20the%20block%20list.yaml
Version3.2.0
Arm template666fef96-1bb8-4abf-ad72-e5cb49561381.json
Deploy To Azure
// Use static IP address or CIDR list specified in the
// NetworkAddresses watchlist (from watchlist template)
// with tag "BlockDataverse"
let query_frequency = 1h;
let blocked_networks = MSBizAppsNetworkAddresses()
    | where Tags has "BlockDataverse"
    | summarize by IPSubnet;
let watchlist_entries_count = toscalar (blocked_networks
    | summarize count());
DataverseActivity
| where watchlist_entries_count > 0
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn" and isnotempty(ClientIp)
| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    UserId,
    ClientIp,
    Message,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Business%20Applications/Analytic%20Rules/Dataverse%20-%20Login%20from%20IP%20in%20the%20block%20list.yaml
severity: High
version: 3.2.0
queryPeriod: 1d
relevantTechniques:
- T1190
- T1133
- T1078
eventGroupingSettings:
  aggregationKind: AlertPerResult
name: Dataverse - Login from IP in the block list
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
status: Available
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
id: 666fef96-1bb8-4abf-ad72-e5cb49561381
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Login from IP in the block list at {{InstanceUrl}} '
  alertDescriptionFormat: Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.
triggerThreshold: 0
description: Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.
triggerOperator: gt
queryFrequency: 1h
query: |
  // Use static IP address or CIDR list specified in the
  // NetworkAddresses watchlist (from watchlist template)
  // with tag "BlockDataverse"
  let query_frequency = 1h;
  let blocked_networks = MSBizAppsNetworkAddresses()
      | where Tags has "BlockDataverse"
      | summarize by IPSubnet;
  let watchlist_entries_count = toscalar (blocked_networks
      | summarize count());
  DataverseActivity
  | where watchlist_entries_count > 0
  | where TimeGenerated >= ago(query_frequency)
  | where Message == "UserSignIn" and isnotempty(ClientIp)
  | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
  | evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstEvent,
      UserId,
      ClientIp,
      Message,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/666fef96-1bb8-4abf-ad72-e5cb49561381')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/666fef96-1bb8-4abf-ad72-e5cb49561381')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.",
          "alertDisplayNameFormat": "Dataverse - Login from IP in the block list at {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "666fef96-1bb8-4abf-ad72-e5cb49561381",
        "customDetails": null,
        "description": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.",
        "displayName": "Dataverse - Login from IP in the block list",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Business%20Applications/Analytic%20Rules/Dataverse%20-%20Login%20from%20IP%20in%20the%20block%20list.yaml",
        "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist (from watchlist template)\n// with tag \"BlockDataverse\"\nlet query_frequency = 1h;\nlet blocked_networks = MSBizAppsNetworkAddresses()\n    | where Tags has \"BlockDataverse\"\n    | summarize by IPSubnet;\nlet watchlist_entries_count = toscalar (blocked_networks\n    | summarize count());\nDataverseActivity\n| where watchlist_entries_count > 0\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"UserSignIn\" and isnotempty(ClientIp)\n| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    FirstEvent,\n    UserId,\n    ClientIp,\n    Message,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133",
          "T1190"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}