Microsoft Sentinel Analytic Rules

New Dynamics 365 User Agent

Id8ec3a7f9-9f55-4be3-aeb6-9188f91b278e
RulenameNew Dynamics 365 User Agent
DescriptionDetects users accessing Dynamics from a User Agent that has not been seen in the last 14 days. Has a configurable filter for known-good user agents such as PowerApps. Also includes an optional section to exclude User Agents that indicate a browser is being used.
SeverityLow
TacticsInitialAccess
TechniquesT1078
Required data connectorsDynamics365
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/Dynamics365Activity/NewDynamicsUserAgent.yaml
Version1.0.1
Arm template8ec3a7f9-9f55-4be3-aeb6-9188f91b278e.json
// Alerts on (UserAgent, UserId) pairs that occur in the most recent `timeframe`
// but did not occur in the preceding `lookback` window. UserAgent is a
// client-supplied header, so treat a hit as a low-fidelity "first seen" signal.
let lookback = 14d;
let timeframe = 1d;
// Only accounts whose local part looks like first.last (letters only, one dot)
// are evaluated; other account formats never produce an alert from this rule.
let user_accounts = "(([a-zA-Z]{1,})\\.([a-zA-Z]{1,}))@.*";
// Case-insensitive exact-match allow-list of user agents to ignore (empty by default).
let known_useragents = dynamic([]);
// Baseline: every distinct (UserAgent, UserId) pair seen between ago(lookback)
// and ago(timeframe), inclusive on both ends.
let baseline_pairs = Dynamics365Activity
    | where TimeGenerated >= ago(lookback) and TimeGenerated <= ago(timeframe)
    | where isnotempty(UserAgent)
    | distinct UserAgent, UserId;
// Candidates: activity from the last `timeframe`, with the allow-list, the
// well-known platform prefixes and the account-format filter applied.
Dynamics365Activity
| where TimeGenerated > ago(timeframe)
| where isnotempty(UserAgent)
| where UserId matches regex user_accounts
| where UserAgent !in~ (known_useragents)
| where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps"
// Keep only candidate rows whose (UserAgent, UserId) pair is absent from the baseline.
| join kind = leftanti baseline_pairs on UserAgent, UserId
// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.
// NOTE(review): as written, this only drops browser-like user agents that also appear in the
// lookback window (by any user); a browser user agent first seen within `timeframe` still
// alerts — confirm that is intended.
//| join kind = leftanti(
//Dynamics365Activity
//| where TimeGenerated between(ago(lookback)..ago(timeframe))
//| where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")) on UserAgent
// One row per new pair: first observation time and the set of source IPs.
| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId
| extend timestamp = FirstSeen, AccountCustomEntity = UserId
name: New Dynamics 365 User Agent
query: |
  let lookback = 14d;
  let timeframe = 1d;
  let user_accounts = "(([a-zA-Z]{1,})\\.([a-zA-Z]{1,}))@.*";
  let known_useragents = dynamic([]);
  Dynamics365Activity
  | where TimeGenerated between(ago(lookback)..ago(timeframe))
  | where isnotempty(UserAgent)
  | summarize by UserAgent, UserId
  | join kind = rightanti (Dynamics365Activity
  | where TimeGenerated > ago(timeframe)
  | where isnotempty(UserAgent)
  | where UserAgent !in~ (known_useragents)
  | where UserAgent !hasprefix "azure-logic-apps" and UserAgent !hasprefix "PowerApps"
  | where UserId matches regex user_accounts)
  on UserAgent, UserId
  // Uncomment this section to exclude user agents with a rendering engine, indicating browsers.
  //| join kind = leftanti(
  //Dynamics365Activity
  //| where TimeGenerated between(ago(lookback)..ago(timeframe))
  //| where UserAgent has_any ("Gecko", "WebKit", "Presto", "Trident", "EdgeHTML", "Blink")) on UserAgent
  | summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId
  | extend timestamp = FirstSeen, AccountCustomEntity = UserId  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Dynamics365Activity/NewDynamicsUserAgent.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Dynamics365Activity
  connectorId: Dynamics365
version: 1.0.1
status: Available
queryPeriod: 14d
id: 8ec3a7f9-9f55-4be3-aeb6-9188f91b278e
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
metadata:
  source:
    kind: Community
  author:
    name: Microsoft
  categories:
    domains:
    - Cloud Provider
    - IT Operations
    - Storage
  support:
    tier: Microsoft
relevantTechniques:
- T1078
severity: Low
description: |
    'Detects users accessing Dynamics from a User Agent that has not been seen in the last 14 days. Has a configurable filter for known-good user agents such as PowerApps. Also includes an optional section to exclude User Agents that indicate a browser is being used.'
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8ec3a7f9-9f55-4be3-aeb6-9188f91b278e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8ec3a7f9-9f55-4be3-aeb6-9188f91b278e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "New Dynamics 365 User Agent",
        "description": "'Detects users accessing Dynamics from a User Agent that has not been seen in the last 14 days. Has a configurable filter for known-good user agents such as PowerApps. Also includes an optional section to exclude User Agents that indicate a browser is being used.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet user_accounts = \"(([a-zA-Z]{1,})\\\\.([a-zA-Z]{1,}))@.*\";\nlet known_useragents = dynamic([]);\nDynamics365Activity\n| where TimeGenerated between(ago(lookback)..ago(timeframe))\n| where isnotempty(UserAgent)\n| summarize by UserAgent, UserId\n| join kind = rightanti (Dynamics365Activity\n| where TimeGenerated > ago(timeframe)\n| where isnotempty(UserAgent)\n| where UserAgent !in~ (known_useragents)\n| where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\"\n| where UserId matches regex user_accounts)\non UserAgent, UserId\n// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.\n//| join kind = leftanti(\n//Dynamics365Activity\n//| where TimeGenerated between(ago(lookback)..ago(timeframe))\n//| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")) on UserAgent\n| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId\n| extend timestamp = FirstSeen, AccountCustomEntity = UserId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "8ec3a7f9-9f55-4be3-aeb6-9188f91b278e",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Dynamics365Activity/NewDynamicsUserAgent.yaml"
      }
    }
  ]
}