Dataverse - Login from IP not in the allow list

// Use static IP address or CIDR list specified in the
// NetworkAddresses watchlist template with tag "AllowDataverse"
let allowed_networks = MSBizAppsNetworkAddresses()
    | where Tags has "AllowDataverse"
    | summarize by IPSubnet;
let query_frequency = 1h;
let watchlist_entries_count = toscalar (allowed_networks
    | summarize count());
let dataverse_signin_activity = materialize(
    DataverseActivity
    | where watchlist_entries_count > 0
    | where TimeGenerated >= ago (query_frequency)
    | where Message == "UserSignIn" and isnotempty(ClientIp)
    | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
    );
let authorized_ip_addresses = dataverse_signin_activity
    | evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet);
dataverse_signin_activity
| join kind=leftanti(authorized_ip_addresses) on ClientIp
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    UserId,
    ClientIp,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix

eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login from IP not in the allow list.yaml
triggerThreshold: 0
status: Available
relevantTechniques:
- T1078
- T1190
- T1133
queryPeriod: 1d
name: Dataverse - Login from IP not in the allow list
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Login from IP not on the allow list in {{InstanceUrl}} '
  alertDescriptionFormat: Sign-in activity detected in {{InstanceUrl}} from an IP {{ClientIp}} not on the allow list.
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
description: Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template.
tactics:
- InitialAccess
severity: High
version: 3.2.0
query: |
  // Use static IP address or CIDR list specified in the
  // NetworkAddresses watchlist template with tag "AllowDataverse"
  let allowed_networks = MSBizAppsNetworkAddresses()
      | where Tags has "AllowDataverse"
      | summarize by IPSubnet;
  let query_frequency = 1h;
  let watchlist_entries_count = toscalar (allowed_networks
      | summarize count());
  let dataverse_signin_activity = materialize(
      DataverseActivity
      | where watchlist_entries_count > 0
      | where TimeGenerated >= ago (query_frequency)
      | where Message == "UserSignIn" and isnotempty(ClientIp)
      | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl
      );
  let authorized_ip_addresses = dataverse_signin_activity
      | evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet);
  dataverse_signin_activity
  | join kind=leftanti(authorized_ip_addresses) on ClientIp
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstEvent,
      UserId,
      ClientIp,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  
id: 81c693fe-f6c4-4352-bc10-3526f6e22637