Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - Executable uploaded to SharePoint document management site

Back
Idba5e608f-7879-4927-8b0d-a9948b4fe6f3
RulenameDataverse - Executable uploaded to SharePoint document management site
DescriptionIdentifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
SeverityLow
TacticsExecution
Persistence
TechniquesT0863
T0873
Required data connectorsOffice365
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
Version3.2.0
Arm templateba5e608f-7879-4927-8b0d-a9948b4fe6f3.json
Deploy To Azure
let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
let query_frequency = 1h;
DataverseSharePointSites
| join kind=inner (
    OfficeActivity
    | where TimeGenerated >= ago(query_frequency)
    | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
    on $left.SharePointUrl == $right.Site_Url
| where SourceFileExtension in (file_extensions)
| extend
    CloudAppId = int(32780),
    SharePointId = int(20892),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    TimeGenerated,
    UserId,
    ClientIP,
    InstanceUrl,
    SourceFileName,
    SharePointUrl,
    CloudAppId,
    SharePointId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
- entityType: File
  fieldMappings:
  - identifier: Name
    columnName: SourceFileName
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: SharePointId
  - identifier: InstanceName
    columnName: SharePointUrl
queryFrequency: 1h
name: Dataverse - Executable uploaded to SharePoint document management site
alertDetailsOverride:
  alertDisplayNameFormat: Dataverse - Executable files uploaded in document management for {{InstanceUrl}}
  alertDescriptionFormat: Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}
kind: Scheduled
tactics:
- Execution
- Persistence
triggerThreshold: 0
query: |
  let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);
  let query_frequency = 1h;
  DataverseSharePointSites
  | join kind=inner (
      OfficeActivity
      | where TimeGenerated >= ago(query_frequency)
      | where OfficeWorkload == "SharePoint" and Operation == "FileUploaded")
      on $left.SharePointUrl == $right.Site_Url
  | where SourceFileExtension in (file_extensions)
  | extend
      CloudAppId = int(32780),
      SharePointId = int(20892),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      TimeGenerated,
      UserId,
      ClientIP,
      InstanceUrl,
      SourceFileName,
      SharePointUrl,
      CloudAppId,
      SharePointId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T0863
- T0873
triggerOperator: gt
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml
severity: Low
status: Available
id: ba5e608f-7879-4927-8b0d-a9948b4fe6f3
requiredDataConnectors:
- connectorId: Office365
  dataTypes:
  - OfficeActivity (SharePoint)
version: 3.2.0
description: Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}",
          "alertDisplayNameFormat": "Dataverse - Executable files uploaded in document management for {{InstanceUrl}}"
        },
        "alertRuleTemplateName": "ba5e608f-7879-4927-8b0d-a9948b4fe6f3",
        "customDetails": null,
        "description": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.",
        "displayName": "Dataverse - Executable uploaded to SharePoint document management site",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "File",
            "fieldMappings": [
              {
                "columnName": "SourceFileName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Executable uploaded to SharePoint document management site.yaml",
        "query": "let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n    OfficeActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\")\n    on $left.SharePointUrl == $right.Site_Url\n| where SourceFileExtension in (file_extensions)\n| extend\n    CloudAppId = int(32780),\n    SharePointId = int(20892),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    TimeGenerated,\n    UserId,\n    ClientIP,\n    InstanceUrl,\n    SourceFileName,\n    SharePointUrl,\n    CloudAppId,\n    SharePointId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Persistence"
        ],
        "techniques": null,
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}