Microsoft Sentinel Analytic Rules

Dataverse - Suspicious use of Web API

Id8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86
RulenameDataverse - Suspicious use of Web API
DescriptionIdentifies a user who signs in to more Dataverse environments than a predefined threshold within a short window, where the same user and client IP address were also used to sign in through a well-known multi-tenant Microsoft Entra app registration (the Dynamics 365 Example Client Application) that the organization does not own.
SeverityMedium
TacticsExecution
Exfiltration
Reconnaissance
Discovery
TechniquesT1106
T1567
T1595
T1526
T1580
Required data connectorsAzureActiveDirectory
Dataverse
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of Web API.yaml
Version3.2.0
Arm template8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86.json
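// Correlates a sign-in through a well-known, multi-tenant Entra app registration
// (one the organization does not own) with a burst of Dataverse "UserSignIn" events
// from the same user and client IP across many environments.
let query_frequency = 1h;
let query_lookback = 24h;
// How long after the Entra sign-in a Dataverse sign-in is still treated as related.
let correlation_window = 2h;
// AppID of the multi-tenant Dynamics 365 Example Client Application
let well_known_app_id = "51f81489-12ee-4a9e-aaae-a2591f45987d";
// Resource (API) identity the Entra sign-in must target; this rule only cares about Dataverse.
let dataverse_resource_id = "00000007-0000-0000-c000-000000000000";
// Alert only when one user/IP pair touches MORE than this many distinct environments.
let environment_count_threshold = 10;
SigninLogs
| where TimeGenerated >= ago(query_lookback)
// Comment out the line below to monitor activity from all Microsoft Entra apps
| where AppId == well_known_app_id
| where ResourceIdentity == dataverse_resource_id
// FirstSeen = earliest sign-in with the app for this user/IP; TimeGenerated is dropped here.
| summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName
| join kind=inner (
    DataverseActivity
    | where TimeGenerated >= ago(query_frequency)
    | where Message == "UserSignIn")
    on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp
// TimeGenerated is now the Dataverse event; keep only those shortly after the Entra sign-in.
| where TimeGenerated between (FirstSeen .. (FirstSeen + correlation_window))
// Count distinct environments per user/IP. InstanceUrl must NOT be a group-by key here:
// grouping by it leaves exactly one environment per group, so the threshold could never be met.
| summarize
    InstanceUrls = make_set(InstanceUrl),
    FirstSeen = min(FirstSeen)
    by UserId, ClientIp, AppDisplayName, AppId
| extend InstanceCount = array_length(InstanceUrls)
| where InstanceCount > environment_count_threshold
| extend
    // One result per user/IP pair; the environment list is flattened so the existing
    // {{InstanceUrl}} alert text and the CloudApplication entity mapping still resolve.
    InstanceUrl = strcat_array(InstanceUrls, ", "),
    // Fixed identifier consumed by the rule's CloudApplication entity mapping.
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstSeen,
    UserId,
    ClientIp,
    AppDisplayName,
    AppId,
    InstanceCount,
    InstanceUrls,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix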
queryPeriod: 14d
description: Identifies a user who signs in to more Dataverse environments than a predefined threshold within a short window, where the same user and client IP address were also used to sign in through a well-known multi-tenant Microsoft Entra app registration (the Dynamics 365 Example Client Application) that the organization does not own.
tactics:
- Execution
- Exfiltration
- Reconnaissance
- Discovery
version: 3.2.0
relevantTechniques:
- T1106
- T1567
- T1595
- T1526
- T1580
name: Dataverse - Suspicious use of Web API
severity: Medium
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIp
  entityType: IP
- fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
  entityType: CloudApplication
alertDetailsOverride:
  alertDescriptionFormat: '{{UserId}} sign-in activity generated in {{InstanceUrl}}. The app used was a well known multi-tenant app not owned or registered by the organization.'
  alertDisplayNameFormat: Dataverse - Suspicious Web API sign-in activity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of Web API.yaml
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
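query: |
  // Correlates a sign-in through a well-known, multi-tenant Entra app registration
  // (one the organization does not own) with a burst of Dataverse "UserSignIn" events
  // from the same user and client IP across many environments.
  let query_frequency = 1h;
  let query_lookback = 24h;
  // How long after the Entra sign-in a Dataverse sign-in is still treated as related.
  let correlation_window = 2h;
  // AppID of the multi-tenant Dynamics 365 Example Client Application
  let well_known_app_id = "51f81489-12ee-4a9e-aaae-a2591f45987d";
  // Resource (API) identity the Entra sign-in must target; this rule only cares about Dataverse.
  let dataverse_resource_id = "00000007-0000-0000-c000-000000000000";
  // Alert only when one user/IP pair touches MORE than this many distinct environments.
  let environment_count_threshold = 10;
  SigninLogs
  | where TimeGenerated >= ago(query_lookback)
  // Comment out the line below to monitor activity from all Microsoft Entra apps
  | where AppId == well_known_app_id
  | where ResourceIdentity == dataverse_resource_id
  // FirstSeen = earliest sign-in with the app for this user/IP; TimeGenerated is dropped here.
  | summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName
  | join kind=inner (
      DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UserSignIn")
      on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp
  // TimeGenerated is now the Dataverse event; keep only those shortly after the Entra sign-in.
  | where TimeGenerated between (FirstSeen .. (FirstSeen + correlation_window))
  // Count distinct environments per user/IP. InstanceUrl must NOT be a group-by key here:
  // grouping by it leaves exactly one environment per group, so the threshold could never be met.
  | summarize
      InstanceUrls = make_set(InstanceUrl),
      FirstSeen = min(FirstSeen)
      by UserId, ClientIp, AppDisplayName, AppId
  | extend InstanceCount = array_length(InstanceUrls)
  | where InstanceCount > environment_count_threshold
  | extend
      // One result per user/IP pair; the environment list is flattened so the existing
      // {{InstanceUrl}} alert text and the CloudApplication entity mapping still resolve.
      InstanceUrl = strcat_array(InstanceUrls, ", "),
      // Fixed identifier consumed by the rule's CloudApplication entity mapping.
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstSeen,
      UserId,
      ClientIp,
      AppDisplayName,
      AppId,
      InstanceCount,
      InstanceUrls,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix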
status: Available
triggerThreshold: 0
queryFrequency: 1h
kind: Scheduled
id: 8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86
eventGroupingSettings:
  aggregationKind: AlertPerResult
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} sign-in activity generated in {{InstanceUrl}}. The app used was a well known multi-tenant app not owned or registered by the organization.",
          "alertDisplayNameFormat": "Dataverse - Suspicious Web API sign-in activity"
        },
        "alertRuleTemplateName": "8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86",
        "customDetails": null,
        "description": "Identifies a user who signs in to more Dataverse environments than a predefined threshold within a short window, where the same user and client IP address were also used to sign in through a well-known multi-tenant Microsoft Entra app registration (the Dynamics 365 Example Client Application) that the organization does not own.",
        "displayName": "Dataverse - Suspicious use of Web API",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Suspicious use of Web API.yaml",
        "query": "let query_frequency = 1h;\nlet query_lookback = 24h;\n// AppID of the multi-tenant Dynamics 365 Example Client Application\nlet well_known_app_id = \"51f81489-12ee-4a9e-aaae-a2591f45987d\";\nlet environment_count_threshold = 10;\nSigninLogs\n| where TimeGenerated >= ago(query_lookback)\n// Comment out the line below to monitor activity from all Azure AD apps\n| where AppId == well_known_app_id\n| where ResourceIdentity == '00000007-0000-0000-c000-000000000000'\n| summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName\n| join kind=inner (\n    DataverseActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where Message == \"UserSignIn\")\n    on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp\n| where TimeGenerated between (FirstSeen .. (FirstSeen + 2h))\n| summarize InstanceCount = dcount(InstanceUrl, 4), FirstSeen = min(FirstSeen) by UserId, ClientIp, InstanceUrl, AppDisplayName, AppId\n| where InstanceCount > environment_count_threshold\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    FirstSeen,\n    UserId,\n    ClientIp,\n    AppDisplayName,\n    AppId,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "Execution",
          "Exfiltration",
          "Reconnaissance"
        ],
        "techniques": [
          "T1106",
          "T1526",
          "T1567",
          "T1580",
          "T1595"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}