Dataverse - SharePoint document management site added or updated
| Id | c4c3510a-0ee0-4561-9835-47882ffa7f46 |
| Rulename | Dataverse - SharePoint document management site added or updated |
| Description | Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector. |
| Severity | Informational |
| Tactics | Exfiltration |
| Techniques | T1567 T1537 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml |
| Version | 3.2.0 |
| Arm template | c4c3510a-0ee0-4561-9835-47882ffa7f46.json |
// Detection query for the "Dataverse - SharePoint document management site
// added or updated" rule: it surfaces Create/Update events on the Dataverse
// "sharepointsite" entity, i.e. changes to the SharePoint document management
// integration, which lets Dataverse data be stored outside the Dataverse
// instance (hence the Exfiltration tactic on the rule).
// The query bounds itself to the last hour; the rule's queryPeriod of 1d does
// not widen this window. Trigger is "gt 0", so any matching row alerts.
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
// Only creation/modification of SharePoint site records are of interest.
| where Message in ("Create", "Update") and EntityName == "sharepointsite"
// Fields is expanded one Name/Value pair per row so the site's absolute URL
// can be filtered on and projected as its own column.
| mv-expand Fields
| where Fields.Name == "absoluteurl"
| extend
// Constant application identifiers consumed by the two CloudApplication
// entity mappings in the rule definition (Dataverse instance and SharePoint
// site respectively) -- confirm the values against the Sentinel app catalog.
SharePointAppId = int(20892),
CloudAppId = int(32780),
// Split the UPN so the Account entity can be mapped as Name + UPNSuffix.
// NOTE(review): a UserId without '@' presumably yields an empty UPNSuffix.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1]),
SharePointUrl = tostring(Fields.Value)
// Output columns feed the entity mappings and the alert text placeholders.
| project
TimeGenerated,
UserId,
ClientIp,
Message,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointAppId,
AccountName,
UPNSuffix
# Microsoft Sentinel scheduled analytic rule. queryPeriod is the look-back
# window offered to each run; the embedded query further restricts itself to
# ago(1h), matching queryFrequency.
queryPeriod: 1d
query: |
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in ("Create", "Update") and EntityName == "sharepointsite"
| mv-expand Fields
| where Fields.Name == "absoluteurl"
| extend
SharePointAppId = int(20892),
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1]),
SharePointUrl = tostring(Fields.Value)
| project
TimeGenerated,
UserId,
ClientIp,
Message,
SharePointUrl,
InstanceUrl,
CloudAppId,
SharePointAppId,
AccountName,
UPNSuffix
version: 3.2.0
name: Dataverse - SharePoint document management site added or updated
# Entity mappings: an Account entity from the split UPN, an IP entity from
# ClientIp, and two CloudApplication entities -- the Dataverse instance
# (CloudAppId/InstanceUrl) and the SharePoint site (SharePointAppId/
# SharePointUrl). The SharePoint entity is presumably what the
# MSBizApps-Add-SharePointSite-To-Watchlist playbook mentioned in the
# description consumes to maintain the Dataverse-SharePointSites watchlist.
entityMappings:
- fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: ClientIp
identifier: Address
entityType: IP
- fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName
entityType: CloudApplication
- fieldMappings:
- columnName: SharePointAppId
identifier: AppId
- columnName: SharePointUrl
identifier: InstanceName
entityType: CloudApplication
# One alert per result row, so each added/updated site is alerted on
# individually rather than being rolled up per run.
eventGroupingSettings:
aggregationKind: AlertPerResult
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
# NOTE(review): both format strings below open column placeholders with three
# braces but close with two ("{{{InstanceUrl}}", "{{{SharePointUrl}}");
# Sentinel placeholders take the form {{ColumnName}}, so the extra leading
# brace likely renders literally in the alert title/description -- confirm the
# intended text before relying on it in notifications.
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Document management enabled or modified in {{{InstanceUrl}} '
alertDescriptionFormat: '{{UserId}} made changes to document management in {{{InstanceUrl}}. Sharepoint site {{{SharePointUrl}} was added.'
description: Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.
kind: Scheduled
status: Available
severity: Informational
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
# Any matching row raises an alert (threshold 0, operator gt).
triggerOperator: gt
triggerThreshold: 0
tactics:
- Exfiltration
id: c4c3510a-0ee0-4561-9835-47882ffa7f46
relevantTechniques:
- T1567
- T1537