Microsoft Sentinel Analytic Rules

Dataverse - SharePoint document management site added or updated

Id: c4c3510a-0ee0-4561-9835-47882ffa7f46
Rule name: Dataverse - SharePoint document management site added or updated
Description: Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.
Severity: Informational
Tactics: Exfiltration
Techniques: T1567, T1537
Required data connectors: Dataverse
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
Version: 3.2.0
Arm template: c4c3510a-0ee0-4561-9835-47882ffa7f46.json
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in ("Create", "Update") and EntityName == "sharepointsite"
| mv-expand Fields
| where Fields.Name == "absoluteurl"
| extend
    SharePointAppId = int(20892),
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1]),
    SharePointUrl = tostring(Fields.Value)
| project
    TimeGenerated,
    UserId,
    ClientIp,
    Message,
    SharePointUrl,
    InstanceUrl,
    CloudAppId,
    SharePointAppId,
    AccountName,
    UPNSuffix
name: Dataverse - SharePoint document management site added or updated
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Document management enabled or modified in {{InstanceUrl}}'
  alertDescriptionFormat: '{{UserId}} made changes to document management in {{InstanceUrl}}. SharePoint site {{SharePointUrl}} was added.'
id: c4c3510a-0ee0-4561-9835-47882ffa7f46
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
severity: Informational
triggerThreshold: 0
version: 3.2.0
description: Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.
relevantTechniques:
- T1567
- T1537
kind: Scheduled
queryPeriod: 1d
tactics:
- Exfiltration
queryFrequency: 1h
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: ClientIp
  entityType: IP
- fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
  entityType: CloudApplication
- fieldMappings:
  - identifier: AppId
    columnName: SharePointAppId
  - identifier: InstanceName
    columnName: SharePointUrl
  entityType: CloudApplication
status: Available
triggerOperator: gt
query: |
  let query_frequency = 1h;
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message in ("Create", "Update") and EntityName == "sharepointsite"
  | mv-expand Fields
  | where Fields.Name == "absoluteurl"
  | extend
      SharePointAppId = int(20892),
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1]),
      SharePointUrl = tostring(Fields.Value)
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      Message,
      SharePointUrl,
      InstanceUrl,
      CloudAppId,
      SharePointAppId,
      AccountName,
      UPNSuffix
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c4c3510a-0ee0-4561-9835-47882ffa7f46')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c4c3510a-0ee0-4561-9835-47882ffa7f46')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} made changes to document management in {{InstanceUrl}}. SharePoint site {{SharePointUrl}} was added.",
          "alertDisplayNameFormat": "Dataverse - Document management enabled or modified in {{InstanceUrl}}"
        },
        "alertRuleTemplateName": "c4c3510a-0ee0-4561-9835-47882ffa7f46",
        "customDetails": null,
        "description": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.",
        "displayName": "Dataverse - SharePoint document management site added or updated",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml",
        "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"Create\", \"Update\") and EntityName == \"sharepointsite\"\n| mv-expand Fields\n| where Fields.Name == \"absoluteurl\"\n| extend\n    SharePointAppId = int(20892),\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1]),\n    SharePointUrl = tostring(Fields.Value)\n| project\n    TimeGenerated,\n    UserId,\n    ClientIp,\n    Message,\n    SharePointUrl,\n    InstanceUrl,\n    CloudAppId,\n    SharePointAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1537",
          "T1567"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}