Dataverse - TI map URL to DataverseActivity
| Id | d88a0e22-3b6a-40c2-af28-c064b44d03b7 |
| Rulename | Dataverse - TI map URL to DataverseActivity |
| Description | Identifies Dataverse Create/Update activity whose record fields contain a URL that exactly matches an active URL indicator of compromise (IOC) from Microsoft Sentinel Threat Intelligence. |
| Severity | Medium |
| Tactics | InitialAccess Execution Persistence |
| Techniques | T1566 T1456 T1474 T0819 T0865 T0862 T0863 T1204 T1574 T0873 |
| Required data connectors | Dataverse MicrosoftDefenderThreatIntelligence ThreatIntelligence ThreatIntelligenceTaxii |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml |
| Version | 3.2.0 |
| Arm template | d88a0e22-3b6a-40c2-af28-c064b44d03b7.json |
// Purpose: raise one alert per (indicator, URL) when a URL found in the field
// payload of a Dataverse Create/Update event exactly matches an active URL
// indicator from Microsoft Sentinel Threat Intelligence.
// Activity window: 1h, intended to line up with the rule's 1h queryFrequency so
// each run looks only at events since the previous run.
let dt_lookBack = 1h;
// Indicator window: 14d, matching the rule's 14d queryPeriod.
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
// Indicators ingested in the last 14d that have not yet expired.
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Keep only the newest row per IndicatorId; arg_max(TimeGenerated, *) carries
// every column of that newest row forward.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// Evaluated AFTER the summarize on purpose: the Active flag of the latest
// version decides, so an indicator that was later deactivated does not match.
// Do not move this filter above the summarize.
| where Active == true
// URL indicators only.
| where isnotempty(Url)
// innerunique: the left (indicator) side is de-duplicated on the join key
// before matching; every matching activity row on the right side is kept.
| join kind=innerunique (
DataverseActivity
| where TimeGenerated >= ago(dt_lookBack)
// Only record writes are inspected; other operation types are not. `in` is
// case-sensitive in KQL, so these values must match the Message casing exactly.
| where Message in ("Create", "Update")
// Cheap term pre-filter (`has` is a case-insensitive term match) before the
// regex below runs.
| where isnotempty(Fields) and Fields has "http"
| extend
// The character class (letters, digits, '.', '-') stops at the first '/', ':',
// '?', '_' etc., so each extracted value is scheme + host only
// (e.g. https://host.tld): no port, path or query string. Because the join
// below is an exact, case-sensitive string comparison, only TI indicators
// whose Url is a bare scheme+host can ever match; path-level URL indicators
// will not. NOTE(review): widen the pattern if path-level matching is wanted.
// "\\." in a KQL string literal reaches the regex as \. (a literal dot).
ExtractedUrls = extract_all("(http[s]?://(?:[a-zA-Z\\.-]|[0-9])+)", tostring(Fields)),
DataverseActivity_TimeGenerated = TimeGenerated
// One row per URL found in the payload.
| mv-expand Url = ExtractedUrls
| project
DataverseActivity_TimeGenerated,
// mv-expand yields a dynamic value; cast so the join key type matches the
// indicator's Url column.
tostring(Url),
UserId,
ClientIp,
InstanceUrl,
EntityName
)
on Url
// Defensive: drop activity that happened after the indicator expired (the
// indicator side is already restricted to ExpirationDateTime > now()).
| where DataverseActivity_TimeGenerated < ExpirationDateTime
// Collapse to the most recent activity row per (indicator, URL). With the
// rule's AlertPerResult aggregation each remaining row becomes its own alert.
| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
| extend
// Constant app id consumed by the CloudApplication entity mapping; presumably
// the Sentinel cloud-app id for Dataverse / Dynamics 365 - confirm against
// the catalog.
CloudAppId = int(32780),
// Split the UPN for the Account entity mapping. A UserId that contains no '@'
// yields an empty UPNSuffix.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
// Columns consumed by the entity mappings and the alert detail templates.
| project
DataverseActivity_TimeGenerated,
Description,
ActivityGroupNames,
IndicatorId,
ThreatType,
ExpirationDateTime,
ConfidenceScore,
UserId,
ClientIp,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix,
Url
id: d88a0e22-3b6a-40c2-af28-c064b44d03b7
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- DataverseActivity
connectorId: Dataverse
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligence
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligenceTaxii
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: MicrosoftDefenderThreatIntelligence
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligence
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: ThreatIntelligenceTaxii
- dataTypes:
- ThreatIntelligenceIndicator
connectorId: MicrosoftDefenderThreatIntelligence
name: Dataverse - TI map URL to DataverseActivity
version: 3.2.0
query: |
// Purpose: raise one alert per (indicator, URL) when a URL found in the field
// payload of a Dataverse Create/Update event exactly matches an active URL
// indicator from Microsoft Sentinel Threat Intelligence.
// Activity window: 1h, intended to line up with the rule's 1h queryFrequency so
// each run looks only at events since the previous run.
let dt_lookBack = 1h;
// Indicator window: 14d, matching the rule's 14d queryPeriod.
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
// Indicators ingested in the last 14d that have not yet expired.
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Keep only the newest row per IndicatorId; arg_max(TimeGenerated, *) carries
// every column of that newest row forward.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
// Evaluated AFTER the summarize on purpose: the Active flag of the latest
// version decides, so an indicator that was later deactivated does not match.
// Do not move this filter above the summarize.
| where Active == true
// URL indicators only.
| where isnotempty(Url)
// innerunique: the left (indicator) side is de-duplicated on the join key
// before matching; every matching activity row on the right side is kept.
| join kind=innerunique (
DataverseActivity
| where TimeGenerated >= ago(dt_lookBack)
// Only record writes are inspected; other operation types are not. `in` is
// case-sensitive in KQL, so these values must match the Message casing exactly.
| where Message in ("Create", "Update")
// Cheap term pre-filter (`has` is a case-insensitive term match) before the
// regex below runs.
| where isnotempty(Fields) and Fields has "http"
| extend
// The character class (letters, digits, '.', '-') stops at the first '/', ':',
// '?', '_' etc., so each extracted value is scheme + host only
// (e.g. https://host.tld): no port, path or query string. Because the join
// below is an exact, case-sensitive string comparison, only TI indicators
// whose Url is a bare scheme+host can ever match; path-level URL indicators
// will not. NOTE(review): widen the pattern if path-level matching is wanted.
// "\\." in a KQL string literal reaches the regex as \. (a literal dot).
ExtractedUrls = extract_all("(http[s]?://(?:[a-zA-Z\\.-]|[0-9])+)", tostring(Fields)),
DataverseActivity_TimeGenerated = TimeGenerated
// One row per URL found in the payload.
| mv-expand Url = ExtractedUrls
| project
DataverseActivity_TimeGenerated,
// mv-expand yields a dynamic value; cast so the join key type matches the
// indicator's Url column.
tostring(Url),
UserId,
ClientIp,
InstanceUrl,
EntityName
)
on Url
// Defensive: drop activity that happened after the indicator expired (the
// indicator side is already restricted to ExpirationDateTime > now()).
| where DataverseActivity_TimeGenerated < ExpirationDateTime
// Collapse to the most recent activity row per (indicator, URL). With the
// rule's AlertPerResult aggregation each remaining row becomes its own alert.
| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
| extend
// Constant app id consumed by the CloudApplication entity mapping; presumably
// the Sentinel cloud-app id for Dataverse / Dynamics 365 - confirm against
// the catalog.
CloudAppId = int(32780),
// Split the UPN for the Account entity mapping. A UserId that contains no '@'
// yields an empty UPNSuffix.
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
// Columns consumed by the entity mappings and the alert detail templates.
| project
DataverseActivity_TimeGenerated,
Description,
ActivityGroupNames,
IndicatorId,
ThreatType,
ExpirationDateTime,
ConfidenceScore,
UserId,
ClientIp,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix,
Url
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: ClientIp
entityType: IP
- fieldMappings:
- identifier: Url
columnName: Url
entityType: URL
- fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
entityType: CloudApplication
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: Malicious URL {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}
alertDisplayNameFormat: Dataverse - TI match on URL in {{InstanceUrl}}
relevantTechniques:
- T1566
- T1456
- T1474
- T0819
- T0865
- T0862
- T0863
- T1204
- T1574
- T0873
tactics:
- InitialAccess
- Execution
- Persistence
kind: Scheduled
queryPeriod: 14d
queryFrequency: 1h
severity: Medium
triggerOperator: gt
status: Available
description: Identifies Dataverse Create/Update activity whose record fields contain a URL that exactly matches an active URL indicator of compromise (IOC) from Microsoft Sentinel Threat Intelligence.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml