Dataverse - Executable uploaded to SharePoint document management site
| Id | ba5e608f-7879-4927-8b0d-a9948b4fe6f3 |
| Rulename | Dataverse - Executable uploaded to SharePoint document management site |
| Description | Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, an upload path that circumvents the native file extension restrictions in Dataverse. |
| Severity | Low |
| Tactics | Execution, Persistence |
| Techniques | T0863, T0873 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml |
| Version | 3.2.0 |
| Arm template | ba5e608f-7879-4927-8b0d-a9948b4fe6f3.json |
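// Flags executable and script files uploaded to the SharePoint sites that
// Dataverse uses for document management. Those uploads bypass the
// blocked-extension list enforced inside Dataverse itself, so they are
// only visible through the SharePoint workload of OfficeActivity.
let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
// Lookback window; matches the rule's scheduled frequency (1h).
// NOTE(review): there is no ingestion-delay buffer, so OfficeActivity events
// that land after the run for their hour has completed fall outside the
// window - confirm this is acceptable or widen the lookback.
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
    OfficeActivity
    | where TimeGenerated >= ago(query_frequency)
    | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
    on $left.SharePointUrl == $right.Site_Url
// `in~` is case-insensitive; the case-sensitive `in` would miss uploads whose
// extension is written in upper or mixed case (e.g. "EXE", "Ps1").
| where SourceFileExtension in~ (file_extensions)
| extend
    // Application ids consumed by the two CloudApplication entity mappings
    // (CloudAppId pairs with InstanceUrl, SharePointId with SharePointUrl).
    CloudAppId = int(32780),
    SharePointId = int(20892),
    // Split the UPN so the Account entity can be mapped as Name + UPNSuffix.
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    TimeGenerated,
    UserId,
    ClientIP,
    InstanceUrl,
    SourceFileName,
    SharePointUrl,
    CloudAppId,
    SharePointId,
    AccountName,
    UPNSuffix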
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
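eventGroupingSettings:
  aggregationKind: SingleAlert
queryPeriod: 14d
version: 3.2.0
entityMappings:
  # Uploading user, taken from the UPN split performed in the query.
  - fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: UPNSuffix
    entityType: Account
  - fieldMappings:
      - identifier: Address
        columnName: ClientIP
    entityType: IP
  # Dataverse instance (InstanceUrl) the document-management site belongs to.
  - fieldMappings:
      - identifier: AppId
        columnName: CloudAppId
      - identifier: InstanceName
        columnName: InstanceUrl
    entityType: CloudApplication
  - fieldMappings:
      - identifier: Name
        columnName: SourceFileName
    entityType: File
  # SharePoint site (SharePointUrl) that received the upload.
  - fieldMappings:
      - identifier: AppId
        columnName: SharePointId
      - identifier: InstanceName
        columnName: SharePointUrl
    entityType: CloudApplication
alertDetailsOverride:
  alertDescriptionFormat: Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}
  alertDisplayNameFormat: Dataverse - Executable files uploaded in document management for {{InstanceUrl}}
# NOTE(review): T0863 and T0873 are ATT&CK for ICS technique ids; confirm they
# are the intended mapping for a SharePoint/Dataverse (Enterprise) rule.
relevantTechniques:
  - T0863
  - T0873
queryFrequency: 1h
triggerOperator: gt
kind: Scheduled
query: |
  // Flags executable and script files uploaded to the SharePoint sites that
  // Dataverse uses for document management; these uploads are not covered by
  // the blocked-extension list enforced inside Dataverse itself.
  let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
  // Lookback window; matches queryFrequency (1h). No ingestion-delay buffer.
  let query_frequency = 1h;
  DataverseSharePointSites
  | join kind=inner (
      OfficeActivity
      | where TimeGenerated >= ago(query_frequency)
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
      on $left.SharePointUrl == $right.Site_Url
  // `in~` is case-insensitive; a case-sensitive `in` would miss upper- or
  // mixed-case extensions (e.g. "EXE", "Ps1").
  | where SourceFileExtension in~ (file_extensions)
  | extend
      // Application ids consumed by the two CloudApplication entity mappings.
      CloudAppId = int(32780),
      SharePointId = int(20892),
      // UPN split used by the Account entity mapping (Name + UPNSuffix).
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIP,
      InstanceUrl,
      SourceFileName,
      SharePointUrl,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix
id: ba5e608f-7879-4927-8b0d-a9948b4fe6f3
tactics:
  - Execution
  - Persistence
status: Available
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (SharePoint)
triggerThreshold: 0
name: Dataverse - Executable uploaded to SharePoint document management site
severity: Low
description: Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.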