Dataverse - Executable uploaded to SharePoint document management site
| Id | ba5e608f-7879-4927-8b0d-a9948b4fe6f3 |
| Rulename | Dataverse - Executable uploaded to SharePoint document management site |
| Description | Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse. |
| Severity | Low |
| Tactics | Execution Persistence |
| Techniques | T0863 T0873 |
| Required data connectors | Office365 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml |
| Version | 3.2.0 |
| Arm template | ba5e608f-7879-4927-8b0d-a9948b4fe6f3.json |
let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
on $left.SharePointUrl == $right.Site_Url
| where SourceFileExtension in (file_extensions)
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
TimeGenerated,
UserId,
ClientIP,
InstanceUrl,
SourceFileName,
SharePointUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (SharePoint)
kind: Scheduled
tactics:
- Execution
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
id: ba5e608f-7879-4927-8b0d-a9948b4fe6f3
name: Dataverse - Executable uploaded to SharePoint document management site
triggerOperator: gt
alertDetailsOverride:
alertDisplayNameFormat: Dataverse - Executable files uploaded in document management for {{InstanceUrl}}
alertDescriptionFormat: Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: IP
fieldMappings:
- columnName: ClientIP
identifier: Address
- entityType: CloudApplication
fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
- entityType: File
fieldMappings:
- columnName: SourceFileName
identifier: Name
- entityType: CloudApplication
fieldMappings:
- columnName: SharePointId
identifier: AppId
- columnName: SharePointUrl
identifier: InstanceName
queryFrequency: 1h
description: Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
version: 3.2.0
relevantTechniques:
- T0863
- T0873
queryPeriod: 14d
severity: Low
triggerThreshold: 0
query: |
let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
OfficeActivity
| where TimeGenerated >= ago(query_frequency)
| where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
on $left.SharePointUrl == $right.Site_Url
| where SourceFileExtension in (file_extensions)
| extend
CloudAppId = int(32780),
SharePointId = int(20892),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
TimeGenerated,
UserId,
ClientIP,
InstanceUrl,
SourceFileName,
SharePointUrl,
CloudAppId,
SharePointId,
AccountName,
UPNSuffix
eventGroupingSettings:
aggregationKind: SingleAlert