Dataverse - Login from IP in the block list
| Id | 666fef96-1bb8-4abf-ad72-e5cb49561381 |
| Rulename | Dataverse - Login from IP in the block list |
| Description | Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template. |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1190 T1133 T1078 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml |
| Version | 3.2.0 |
| Arm template | 666fef96-1bb8-4abf-ad72-e5cb49561381.json |
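// Use static IP address or CIDR list specified in the
// NetworkAddresses watchlist (from watchlist template)
// with tag "BlockDataverse".
// Output: one row per (UserId, ClientIp, InstanceUrl) whose ClientIp falls
// inside a blocked IPv4 range, together with the watchlist entry (IPSubnet)
// that matched, so an analyst can see which block-list range fired.
//
// Lookback window. Keep this in sync with the rule's queryFrequency (1h):
// each run only examines the interval since the previous run, even though
// queryPeriod allows 1d of data.
let query_frequency = 1h;
// MSBizAppsNetworkAddresses() is the solution's accessor for the watchlist;
// presumably it exposes at least the IPSubnet and Tags columns — confirm.
let blocked_networks = MSBizAppsNetworkAddresses()
| where Tags has "BlockDataverse"
| summarize by IPSubnet;   // distinct subnets only
let watchlist_entries_count = toscalar (blocked_networks
| summarize count());
DataverseActivity
// Short-circuit when no watchlist entry carries the tag: the rule then
// returns nothing instead of scanning all sign-ins.
| where watchlist_entries_count > 0
// NOTE(review): events whose TimeGenerated is already older than
// query_frequency when the run starts are never examined; if ingestion
// latency is observed, consider filtering on ingestion_time() — confirm.
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn" and isnotempty(ClientIp)
// Keep the earliest sign-in per user/IP/instance so a run yields at most one
// row (and, with AlertPerResult grouping, one alert) per triple.
| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
// Inner join: only rows whose ClientIp is inside a blocked IPSubnet survive.
// IPv4 only — IPv6 client addresses never match and are dropped silently.
| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
| extend
// NOTE(review): 32780 is presumably the CloudApplication AppId this solution
// uses for Dataverse (it is mapped to the AppId identifier) — confirm.
CloudAppId = int(32780),
// Assumes UserId is a UPN (user@domain); a non-UPN id leaves UPNSuffix empty.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
FirstEvent,
UserId,
ClientIp,
IPSubnet,   // the block-list range that matched ClientIp
Message,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix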
relevantTechniques:
- T1190
- T1133
- T1078
entityMappings:
- fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: ClientIp
identifier: Address
entityType: IP
- fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
entityType: CloudApplication
version: 3.2.0
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml
description: Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Login from IP in the block list at {{InstanceUrl}} '
alertDescriptionFormat: Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 666fef96-1bb8-4abf-ad72-e5cb49561381
queryFrequency: 1h
query: |
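// Use static IP address or CIDR list specified in the
// NetworkAddresses watchlist (from watchlist template)
// with tag "BlockDataverse".
// Output: one row per (UserId, ClientIp, InstanceUrl) whose ClientIp falls
// inside a blocked IPv4 range, together with the watchlist entry (IPSubnet)
// that matched, so an analyst can see which block-list range fired.
//
// Lookback window. Keep this in sync with the rule's queryFrequency (1h):
// each run only examines the interval since the previous run, even though
// queryPeriod allows 1d of data.
let query_frequency = 1h;
// MSBizAppsNetworkAddresses() is the solution's accessor for the watchlist;
// presumably it exposes at least the IPSubnet and Tags columns — confirm.
let blocked_networks = MSBizAppsNetworkAddresses()
| where Tags has "BlockDataverse"
| summarize by IPSubnet;   // distinct subnets only
let watchlist_entries_count = toscalar (blocked_networks
| summarize count());
DataverseActivity
// Short-circuit when no watchlist entry carries the tag: the rule then
// returns nothing instead of scanning all sign-ins.
| where watchlist_entries_count > 0
// NOTE(review): events whose TimeGenerated is already older than
// query_frequency when the run starts are never examined; if ingestion
// latency is observed, consider filtering on ingestion_time() — confirm.
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn" and isnotempty(ClientIp)
// Keep the earliest sign-in per user/IP/instance so a run yields at most one
// row (and, with AlertPerResult grouping, one alert) per triple.
| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
// Inner join: only rows whose ClientIp is inside a blocked IPSubnet survive.
// IPv4 only — IPv6 client addresses never match and are dropped silently.
| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
| extend
// NOTE(review): 32780 is presumably the CloudApplication AppId this solution
// uses for Dataverse (it is mapped to the AppId identifier) — confirm.
CloudAppId = int(32780),
// Assumes UserId is a UPN (user@domain); a non-UPN id leaves UPNSuffix empty.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
FirstEvent,
UserId,
ClientIp,
IPSubnet,   // the block-list range that matched ClientIp
Message,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix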
severity: High
status: Available
queryPeriod: 1d
name: Dataverse - Login from IP in the block list
tactics:
- InitialAccess
kind: Scheduled