Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Executable uploaded to SharePoint document management site

Back
Idba5e608f-7879-4927-8b0d-a9948b4fe6f3
RulenameDataverse - Executable uploaded to SharePoint document management site
DescriptionIdentifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
SeverityLow
TacticsExecution
Persistence
TechniquesT0863
T0873
Required data connectorsOffice365
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
Version3.2.0
Arm templateba5e608f-7879-4927-8b0d-a9948b4fe6f3.json
Deploy To Azure
let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
    OfficeActivity
    | where TimeGenerated >= ago(query_frequency)
    | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
    on $left.SharePointUrl == $right.Site_Url
| where SourceFileExtension in (file_extensions)
| extend
    CloudAppId = int(32780),
    SharePointId = int(20892),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    TimeGenerated,
    UserId,
    ClientIP,
    InstanceUrl,
    SourceFileName,
    SharePointUrl,
    CloudAppId,
    SharePointId,
    AccountName,
    UPNSuffix
status: Available
query: |
  let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
  let query_frequency = 1h;
  DataverseSharePointSites
  | join kind=inner (
      OfficeActivity
      | where TimeGenerated >= ago(query_frequency)
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
      on $left.SharePointUrl == $right.Site_Url
  | where SourceFileExtension in (file_extensions)
  | extend
      CloudAppId = int(32780),
      SharePointId = int(20892),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIP,
      InstanceUrl,
      SourceFileName,
      SharePointUrl,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix  
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 3.2.0
triggerOperator: gt
tactics:
- Execution
- Persistence
relevantTechniques:
- T0863
- T0873
kind: Scheduled
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIP
  entityType: IP
- fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
  entityType: CloudApplication
- fieldMappings:
  - identifier: Name
    columnName: SourceFileName
  entityType: File
- fieldMappings:
  - identifier: AppId
    columnName: SharePointId
  - identifier: InstanceName
    columnName: SharePointUrl
  entityType: CloudApplication
severity: Low
queryPeriod: 14d
id: ba5e608f-7879-4927-8b0d-a9948b4fe6f3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
description: Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
alertDetailsOverride:
  alertDescriptionFormat: Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}
  alertDisplayNameFormat: Dataverse - Executable files uploaded in document management for {{InstanceUrl}}
name: Dataverse - Executable uploaded to SharePoint document management site
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}",
          "alertDisplayNameFormat": "Dataverse - Executable files uploaded in document management for {{InstanceUrl}}"
        },
        "alertRuleTemplateName": "ba5e608f-7879-4927-8b0d-a9948b4fe6f3",
        "customDetails": null,
        "description": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.",
        "displayName": "Dataverse - Executable uploaded to SharePoint document management site",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "SourceFileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml",
        "query": "let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n    OfficeActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\")\n    on $left.SharePointUrl == $right.Site_Url\n| where SourceFileExtension in (file_extensions)\n| extend\n    CloudAppId = int(32780),\n    SharePointId = int(20892),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    TimeGenerated,\n    UserId,\n    ClientIP,\n    InstanceUrl,\n    SourceFileName,\n    SharePointUrl,\n    CloudAppId,\n    SharePointId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Persistence"
        ],
        "techniques": null,
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}