Dataverse - Bulk record ownership re-assignment or sharing

// Set threshold for number of shared/assigned records
let detection_threshold = 100;
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in ("ModifyAccess", "Assign", "GrantAccess")
| summarize
    FirstEvent = min(TimeGenerated),
    LastEvent = max(TimeGenerated),
    Events = count()
    by UserId, Message, InstanceUrl, ClientIp
| where Events > detection_threshold
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    LastEvent,
    Message,
    Events,
    UserId,
    ClientIp,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix

queryPeriod: 1d
query: |
  // Set threshold for number of shared/assigned records
  let detection_threshold = 100;
  let query_frequency = 1h;
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message in ("ModifyAccess", "Assign", "GrantAccess")
  | summarize
      FirstEvent = min(TimeGenerated),
      LastEvent = max(TimeGenerated),
      Events = count()
      by UserId, Message, InstanceUrl, ClientIp
  | where Events > detection_threshold
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstEvent,
      LastEvent,
      Message,
      Events,
      UserId,
      ClientIp,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  
version: 3.2.0
name: Dataverse - Bulk record ownership re-assignment or sharing
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: ClientIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
  entityType: CloudApplication
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml
alertDetailsOverride:
  alertDisplayNameFormat: Dataverse - High number of record access modification events detected
  alertDescriptionFormat: '{{Events}} events of type {{Message}} detected in {{InstanceUrl}} could indicate suspicious or malicious activity.'
description: Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.
kind: Scheduled
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
id: 6e480329-84bc-409a-b97b-22e8102af3ca
relevantTechniques:
- T1548