Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Dataverse - SharePoint document management site added or updated

Back
Idc4c3510a-0ee0-4561-9835-47882ffa7f46
RulenameDataverse - SharePoint document management site added or updated
DescriptionIdentifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.
SeverityInformational
TacticsExfiltration
TechniquesT1567
T1537
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
Version3.2.0
Arm templatec4c3510a-0ee0-4561-9835-47882ffa7f46.json
Deploy To Azure
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in ("Create", "Update") and EntityName == "sharepointsite"
| mv-expand Fields
| where Fields.Name == "absoluteurl"
| extend
    SharePointAppId = int(20892),
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1]),
    SharePointUrl = tostring(Fields.Value)
| project
    TimeGenerated,
    UserId,
    ClientIp,
    Message,
    SharePointUrl,
    InstanceUrl,
    CloudAppId,
    SharePointAppId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: SharePointAppId
  - identifier: InstanceName
    columnName: SharePointUrl
queryFrequency: 1h
name: Dataverse - SharePoint document management site added or updated
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Document management enabled or modified in {{{InstanceUrl}} '
  alertDescriptionFormat: '{{UserId}} made changes to document management in {{{InstanceUrl}}. Sharepoint site {{{SharePointUrl}} was added.'
kind: Scheduled
tactics:
- Exfiltration
triggerThreshold: 0
query: |
  let query_frequency = 1h;
  DataverseActivity
  | where TimeGenerated >= ago(query_frequency)
  | where Message in ("Create", "Update") and EntityName == "sharepointsite"
  | mv-expand Fields
  | where Fields.Name == "absoluteurl"
  | extend
      SharePointAppId = int(20892),
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1]),
      SharePointUrl = tostring(Fields.Value)
  | project
      TimeGenerated,
      UserId,
      ClientIp,
      Message,
      SharePointUrl,
      InstanceUrl,
      CloudAppId,
      SharePointAppId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T1567
- T1537
triggerOperator: gt
queryPeriod: 1d
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml
severity: Informational
status: Available
id: c4c3510a-0ee0-4561-9835-47882ffa7f46
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
version: 3.2.0
description: Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/c4c3510a-0ee0-4561-9835-47882ffa7f46')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/c4c3510a-0ee0-4561-9835-47882ffa7f46')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{UserId}} made changes to document management in {{{InstanceUrl}}. Sharepoint site {{{SharePointUrl}} was added.",
          "alertDisplayNameFormat": "Dataverse - Document management enabled or modified in {{{InstanceUrl}} "
        },
        "alertRuleTemplateName": "c4c3510a-0ee0-4561-9835-47882ffa7f46",
        "customDetails": null,
        "description": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.",
        "displayName": "Dataverse - SharePoint document management site added or updated",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "SharePointAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "SharePointUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - SharePoint document management site added or updated.yaml",
        "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"Create\", \"Update\") and EntityName == \"sharepointsite\"\n| mv-expand Fields\n| where Fields.Name == \"absoluteurl\"\n| extend\n    SharePointAppId = int(20892),\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1]),\n    SharePointUrl = tostring(Fields.Value)\n| project\n    TimeGenerated,\n    UserId,\n    ClientIp,\n    Message,\n    SharePointUrl,\n    InstanceUrl,\n    CloudAppId,\n    SharePointAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Informational",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration"
        ],
        "techniques": [
          "T1537",
          "T1567"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}