Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Mass download from SharePoint document management

Back
Id95e02f1b-5886-4043-8f0e-a42e6e23330f
RulenameDataverse - Mass download from SharePoint document management
DescriptionIdentifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.
SeverityLow
TacticsExfiltration
TechniquesT1567
Required data connectorsOffice365
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
Version3.2.0
Arm template95e02f1b-5886-4043-8f0e-a42e6e23330f.json
Deploy To Azure
// Set threshold for number of downloaded files
let detection_threshold = 10000;
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
    OfficeActivity
    | where TimeGenerated >= ago(query_frequency)
    | where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
    on $left.SharePointUrl == $right.Site_Url
| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
| where FileDownloadCount > detection_threshold
| extend
    CloudAppId = int(32780),
    SharePointId = int(20892),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    UserId,
    ClientIP,
    FileDownloadCount,
    SharePointUrl,
    InstanceUrl,
    CloudAppId,
    SharePointId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: SharePointId
  - identifier: InstanceName
    columnName: SharePointUrl
queryFrequency: 1h
name: Dataverse - Mass download from SharePoint document management
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Mass download detected from document management in {{{InstanceUrl}} '
  alertDescriptionFormat: '{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}}  by {{{UserId}}.'
kind: Scheduled
tactics:
- Exfiltration
triggerThreshold: 0
query: |
  // Set threshold for number of downloaded files
  let detection_threshold = 10000;
  let query_frequency = 1h;
  DataverseSharePointSites
  | join kind=inner (
      OfficeActivity
      | where TimeGenerated >= ago(query_frequency)
      | where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded")
      on $left.SharePointUrl == $right.Site_Url
  | summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP
  | where FileDownloadCount > detection_threshold
  | extend
      CloudAppId = int(32780),
      SharePointId = int(20892),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      UserId,
      ClientIP,
      FileDownloadCount,
      SharePointUrl,
      InstanceUrl,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T1567
triggerOperator: gt
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml
severity: Low
status: Available
id: 95e02f1b-5886-4043-8f0e-a42e6e23330f
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
version: 3.2.0
description: Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95e02f1b-5886-4043-8f0e-a42e6e23330f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95e02f1b-5886-4043-8f0e-a42e6e23330f')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}}  by {{{UserId}}.",
          "alertDisplayNameFormat": "Dataverse - Mass download detected from document management in {{{InstanceUrl}} "
        },
        "alertRuleTemplateName": "95e02f1b-5886-4043-8f0e-a42e6e23330f",
        "customDetails": null,
        "description": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.",
        "displayName": "Dataverse - Mass download from SharePoint document management",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass download from SharePoint document management.yaml",
        "query": "// Set threshold for number of downloaded files\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n    OfficeActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where OfficeWorkload == \"SharePoint\" and Operation == \"FileDownloaded\")\n    on $left.SharePointUrl == $right.Site_Url\n| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP\n| where FileDownloadCount > detection_threshold\n| extend\n    CloudAppId = int(32780),\n    SharePointId = int(20892),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    UserId,\n    ClientIP,\n    FileDownloadCount,\n    SharePointUrl,\n    InstanceUrl,\n    CloudAppId,\n    SharePointId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1567"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}