Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dataverse - Bulk record ownership re-assignment or sharing

Dataverse - Bulk record ownership re-assignment or sharing

Back
Id6e480329-84bc-409a-b97b-22e8102af3ca
RulenameDataverse - Bulk record ownership re-assignment or sharing
DescriptionIdentifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1548
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml
Version3.2.0
Arm template6e480329-84bc-409a-b97b-22e8102af3ca.json
Deploy To Azure
// Set threshold for number of shared/assigned records
let detection_threshold = 100;
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in ("ModifyAccess", "Assign", "GrantAccess")
| summarize
    FirstEvent = min(TimeGenerated),
    LastEvent = max(TimeGenerated),
    Events = count()
    by UserId, Message, InstanceUrl, ClientIp
| where Events > detection_threshold
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    LastEvent,
    Message,
    Events,
    UserId,
    ClientIp,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix

requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
triggerThreshold: 0
version: 3.2.0
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Bulk record ownership re-assignment or sharing.yaml
name: Dataverse - Bulk record ownership re-assignment or sharing
id: 6e480329-84bc-409a-b97b-22e8102af3ca
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
query: |
  // Set threshold for number of shared/assigned records
  let detection_threshold = 100;
  let query_frequency = 1h;
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message in ("ModifyAccess", "Assign", "GrantAccess")
  | summarize
      FirstEvent = min(TimeGenerated),
      LastEvent = max(TimeGenerated),
      Events = count()
      by UserId, Message, InstanceUrl, ClientIp
  | where Events > detection_threshold
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstEvent,
      LastEvent,
      Message,
      Events,
      UserId,
      ClientIp,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  
severity: Medium
alertDetailsOverride:
  alertDescriptionFormat: '{{Events}} events of type {{Message}} detected in {{InstanceUrl}} could indicate suspicious or malicious activity.'
  alertDisplayNameFormat: Dataverse - High number of record access modification events detected
tactics:
- PrivilegeEscalation
kind: Scheduled
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIp
  entityType: IP
- fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
  entityType: CloudApplication
triggerOperator: gt
description: Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.
relevantTechniques:
- T1548
status: Available