Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Login from IP in the block list

Back
Id666fef96-1bb8-4abf-ad72-e5cb49561381
RulenameDataverse - Login from IP in the block list
DescriptionIdentifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
T1078
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml
Version3.2.0
Arm template666fef96-1bb8-4abf-ad72-e5cb49561381.json
Deploy To Azure
// Use static IP address or CIDR list specified in the
// NetworkAddresses watchlist (from watchlist template)
// with tag "BlockDataverse"
let query_frequency = 1h;
let blocked_networks = MSBizAppsNetworkAddresses()
    | where Tags has "BlockDataverse"
    | summarize by IPSubnet;
let watchlist_entries_count = toscalar (blocked_networks
    | summarize count());
DataverseActivity
| where watchlist_entries_count > 0
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn" and isnotempty(ClientIp)
| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    UserId,
    ClientIp,
    Message,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
queryFrequency: 1h
name: Dataverse - Login from IP in the block list
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Login from IP in the block list at {{InstanceUrl}} '
  alertDescriptionFormat: Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.
kind: Scheduled
tactics:
- InitialAccess
triggerThreshold: 0
query: |
  // Use static IP address or CIDR list specified in the
  // NetworkAddresses watchlist (from watchlist template)
  // with tag "BlockDataverse"
  let query_frequency = 1h;
  let blocked_networks = MSBizAppsNetworkAddresses()
      | where Tags has "BlockDataverse"
      | summarize by IPSubnet;
  let watchlist_entries_count = toscalar (blocked_networks
      | summarize count());
  DataverseActivity
  | where watchlist_entries_count > 0
  | where TimeGenerated >= ago(query_frequency)
  | where Message == "UserSignIn" and isnotempty(ClientIp)
  | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
  | evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstEvent,
      UserId,
      ClientIp,
      Message,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T1190
- T1133
- T1078
triggerOperator: gt
queryPeriod: 1d
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml
severity: High
status: Available
id: 666fef96-1bb8-4abf-ad72-e5cb49561381
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
version: 3.2.0
description: Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/666fef96-1bb8-4abf-ad72-e5cb49561381')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/666fef96-1bb8-4abf-ad72-e5cb49561381')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.",
          "alertDisplayNameFormat": "Dataverse - Login from IP in the block list at {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "666fef96-1bb8-4abf-ad72-e5cb49561381",
        "customDetails": null,
        "description": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.",
        "displayName": "Dataverse - Login from IP in the block list",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP in the block list.yaml",
        "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist (from watchlist template)\n// with tag \"BlockDataverse\"\nlet query_frequency = 1h;\nlet blocked_networks = MSBizAppsNetworkAddresses()\n    | where Tags has \"BlockDataverse\"\n    | summarize by IPSubnet;\nlet watchlist_entries_count = toscalar (blocked_networks\n    | summarize count());\nDataverseActivity\n| where watchlist_entries_count > 0\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"UserSignIn\" and isnotempty(ClientIp)\n| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    FirstEvent,\n    UserId,\n    ClientIp,\n    Message,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1133",
          "T1190"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}