Microsoft Sentinel Analytic Rules

Dataverse - Terminated employee exfiltration to USB drive

Id: c5e75cb6-cea0-49c2-a998-da414035aac1
Rulename: Dataverse - Terminated employee exfiltration to USB drive
Description: Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives.
Severity: High
Tactics: Exfiltration
Techniques: T1052
Required data connectors: Dataverse, MicrosoftThreatProtection
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration to USB drive.yaml
Version: 3.2.0
Arm template: c5e75cb6-cea0-49c2-a998-da414035aac1.json
// Detection: files that originated from a Dataverse instance and were written by a
// terminated/departing employee to a drive letter seen as a USB mount on the same device.
// Output: one row per UserId + InstanceUrl with the latest event, the file set and the
// device's last-known public IP; these columns feed the rule's entity mappings.
let drive_mount_lookback = 14d;
// Window for DeviceFileEvents; intended to match the rule's 1h schedule. A skipped or
// delayed run would leave a gap in coverage - NOTE(review): widen if runs are not reliable.
let query_frequency = 1h;
DataverseActivity
// Only the distinct instance URLs are needed; they act as the set of "origin" URLs below.
| distinct InstanceUrl
// Endpoint file events from the last hour whose origin URL is one of the Dataverse instances.
| join kind=inner (DeviceFileEvents
    | where TimeGenerated >= ago(query_frequency))
    on $left.InstanceUrl == $right.FileOriginUrl
// Restrict to users returned by the solution's terminated-employee function
// (presumably backed by the TerminatedUsers watchlist named in the alert text - confirm).
| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.InitiatingProcessAccountUpn == $right.UserPrincipalName
// Per device, the set (max 26 entries) of drive letters reported as USB mounts in the lookback.
// This is membership only: a mount that happened after the file event, or was removed
// before it, still matches - an accepted approximation; keep in mind when tuning.
| join kind=inner (DeviceEvents
    | where TimeGenerated >= ago(drive_mount_lookback)
    | where ActionType == "UsbDriveMounted"
    | extend DriveLetter = tostring(AdditionalFields.DriveLetter)
    | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)
    on DeviceId
// First path segment of FolderPath; assumes it is formatted the same way as
// AdditionalFields.DriveLetter, since set_has_element is an exact (case-sensitive) match.
| extend TargetDriveLetter = tostring(split(FolderPath, "\\")[0])
| where set_has_element(MountedDriveLetters, TargetDriveLetter)
// Most recent DeviceInfo record per device name, used for the PublicIP entity.
| join kind=inner (DeviceInfo
    | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)
    on DeviceId
| project-rename
    UserId = UserPrincipalName
// Collapse to one row per user and instance; Files keeps at most 100 distinct names.
| summarize LatestEvent = arg_max(TimeGenerated, *), Files = make_set(FileName, 100) by UserId, InstanceUrl
// CloudAppId is a fixed application id for the CloudApplication entity mapping -
// presumably the cloud-app catalog id for Dynamics 365 / Dataverse; verify before changing.
// AccountName / UPNSuffix split the UPN for the Account entity.
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    LatestEvent,
    UserId,
    PublicIP,
    Files,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix
# Sentinel scheduled analytic rule definition (Microsoft Business Applications solution).
# The `query` block below is the same KQL shown above; the scheduling values in this
# file must stay consistent with the `let` constants inside the query.
status: Available
# Matches `query_frequency = 1h` in the query.
queryFrequency: 1h
id: c5e75cb6-cea0-49c2-a998-da414035aac1
tactics:
- Exfiltration
# Entities are built from the query's projected columns: the user (name and UPN
# suffix), the device's last-known public IP, and the Dataverse instance as a
# cloud application.
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: PublicIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
  entityType: CloudApplication
# Both connectors are required: DataverseActivity plus the three Device* tables
# the query joins against.
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceInfo
  - DeviceEvents
  - DeviceFileEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Terminated employee exfiltration to USB drive.yaml
# Alert title/description templates; the {{...}} placeholders are query output columns.
alertDetailsOverride:
  alertDisplayNameFormat: Dataverse - terminated user copied files from {{InstanceUrl}} to USB
  alertDescriptionFormat: '{{UserId}} , on the TerminatedUsers watchlist, was found to copy files to a USB mounted drive.'
# One alert per query result row (i.e. per UserId + InstanceUrl pair).
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |
  let drive_mount_lookback = 14d;
  let query_frequency = 1h;
  DataverseActivity
  | distinct InstanceUrl
  | join kind=inner (DeviceFileEvents
      | where TimeGenerated >= ago(query_frequency))
      on $left.InstanceUrl == $right.FileOriginUrl
  | join kind=inner (MSBizAppsTerminatedEmployees()) on $left.InitiatingProcessAccountUpn == $right.UserPrincipalName
  | join kind=inner (DeviceEvents
      | where TimeGenerated >= ago(drive_mount_lookback)
      | where ActionType == "UsbDriveMounted"
      | extend DriveLetter = tostring(AdditionalFields.DriveLetter)
      | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)
      on DeviceId
  | extend TargetDriveLetter = tostring(split(FolderPath, "\\")[0])
  | where set_has_element(MountedDriveLetters, TargetDriveLetter)
  | join kind=inner (DeviceInfo
      | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)
      on DeviceId
  | project-rename
      UserId = UserPrincipalName
  | summarize LatestEvent = arg_max(TimeGenerated, *), Files = make_set(FileName, 100) by UserId, InstanceUrl
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      LatestEvent,
      UserId,
      PublicIP,
      Files,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  
kind: Scheduled
relevantTechniques:
- T1052
name: Dataverse - Terminated employee exfiltration to USB drive
customDetails: {}
# Fires on any result: result count > 0.
triggerThreshold: 0
# Matches `drive_mount_lookback = 14d` in the query (the USB-mount lookback).
queryPeriod: 14d
triggerOperator: gt
description: Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives.
severity: High
version: 3.2.0