
Dataverse - TI map URL to DataverseActivity

Id: d88a0e22-3b6a-40c2-af28-c064b44d03b7
Rule name: Dataverse - TI map URL to DataverseActivity
Description: Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.
Severity: Medium
Tactics: InitialAccess, Execution, Persistence
Techniques: T1566, T1456, T1474, T0819, T0865, T0862, T0863, T1204, T1574, T0873
Required data connectors: Dataverse, MicrosoftDefenderThreatIntelligence, ThreatIntelligence, ThreatIntelligenceTaxii
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml
Version: 3.2.0
Arm template: d88a0e22-3b6a-40c2-af28-c064b44d03b7.json
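// Dataverse - TI map URL to DataverseActivity
// Joins URLs that were written into Dataverse records (audit Create/Update events)
// against active URL indicators in ThreatIntelligenceIndicator and emits one row
// per (indicator, URL) pair carrying the most recent matching activity.
//
// Caveats (behaviour unchanged here):
//  - The join on Url is an exact, case-sensitive string match. An indicator that
//    differs only by host casing or a trailing "/" will not match.
//  - kind=innerunique keeps one left-side (indicator) row per key; if two active
//    indicators share the same Url only one of them is reported.
let dt_lookBack = 1h;    // activity window; keep >= the rule's 1h query frequency
let ioc_lookBack = 14d;  // how far back to collect indicator records
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Indicators are re-ingested on every update; keep only the newest record per IndicatorId.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(Url)
| join kind=innerunique (
    DataverseActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where Message in ("Create", "Update")
    // `has` matches whole terms and "https" is a different term from "http",
    // so `Fields has "http"` skipped records whose only URLs were https://...
    | where isnotempty(Fields) and Fields has_any ("http", "https")
    | extend
        // Capture the whole URL (host, port, path, query) up to whitespace, a quote,
        // an angle bracket or a backslash (JSON escape). The previous pattern stopped
        // at the host name, so URL indicators that carry a path could never match.
        ExtractedUrls = extract_all(@'(https?://[^\s"''<>\\]+)', tostring(Fields)),
        DataverseActivity_TimeGenerated = TimeGenerated
    | mv-expand Url = ExtractedUrls
    | project
        DataverseActivity_TimeGenerated,
        tostring(Url),
        UserId,
        ClientIp,
        InstanceUrl,
        EntityName
    )
    on Url
// Drop activity that happened after the indicator expired.
| where DataverseActivity_TimeGenerated < ExpirationDateTime
// One row per indicator/URL pair, carrying the latest activity and its user/IP.
| summarize DataverseActivity_TimeGenerated  = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
| extend
    CloudAppId = int(32780),  // mapped to the CloudApplication AppId entity by this rule
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    DataverseActivity_TimeGenerated,
    Description,
    ActivityGroupNames,
    IndicatorId,
    ThreatType,
    ExpirationDateTime,
    ConfidenceScore,
    UserId,
    ClientIp,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix,
    Url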
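# Dataverse - TI map URL to DataverseActivity
# Scheduled rule: matches URLs written into Dataverse records against active URL
# indicators from the Sentinel ThreatIntelligenceIndicator table.
#
# Note: T1456/T1474 (ATT&CK Mobile) and T08xx (ATT&CK ICS) IDs are kept here as in
# the source file; the ARM template on this page only carries T1204, T1566 and T1574.
relevantTechniques:
- T1566
- T1456
- T1474
- T0819
- T0865
- T0862
- T0863
- T1204
- T1574
- T0873
name: Dataverse - TI map URL to DataverseActivity
queryPeriod: 14d
triggerThreshold: 0
alertDetailsOverride:
  # The matched entity is a URL indicator, not an IP address (also fixes the typo).
  alertDescriptionFormat: Malicious URL {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}
  alertDisplayNameFormat: Dataverse - TI match on URL in {{InstanceUrl}}
id: d88a0e22-3b6a-40c2-af28-c064b44d03b7
eventGroupingSettings:
  # One alert per matching row (indicator/URL pair).
  aggregationKind: AlertPerResult
severity: Medium
# Each connector listed once; the source file repeated the three TI connectors.
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligence
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: ThreatIntelligenceTaxii
- dataTypes:
  - ThreatIntelligenceIndicator
  connectorId: MicrosoftDefenderThreatIntelligence
description: Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.
version: 3.2.0
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
tactics:
- InitialAccess
- Execution
- Persistence
query: |
  // Joins URLs written into Dataverse records (audit Create/Update events) against
  // active URL indicators and emits one row per (indicator, URL) pair.
  // The join on Url is an exact, case-sensitive match; host casing or a trailing "/"
  // on the indicator will prevent a match (unchanged behaviour).
  let dt_lookBack = 1h;    // activity window; keep >= the rule's 1h query frequency
  let ioc_lookBack = 14d;  // how far back to collect indicator records
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  // Indicators are re-ingested on every update; keep only the newest record per IndicatorId.
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true
  | where isnotempty(Url)
  | join kind=innerunique (
      DataverseActivity
      | where TimeGenerated >= ago(dt_lookBack)
      | where Message in ("Create", "Update")
      // `has` matches whole terms and "https" is a different term from "http",
      // so `Fields has "http"` skipped records whose only URLs were https://...
      | where isnotempty(Fields) and Fields has_any ("http", "https")
      | extend
          // Capture the whole URL (host, port, path, query) up to whitespace, a quote,
          // an angle bracket or a backslash (JSON escape). The previous pattern stopped
          // at the host name, so URL indicators that carry a path could never match.
          ExtractedUrls = extract_all(@'(https?://[^\s"''<>\\]+)', tostring(Fields)),
          DataverseActivity_TimeGenerated = TimeGenerated
      | mv-expand Url = ExtractedUrls
      | project
          DataverseActivity_TimeGenerated,
          tostring(Url),
          UserId,
          ClientIp,
          InstanceUrl,
          EntityName
      )
      on Url
  // Drop activity that happened after the indicator expired.
  | where DataverseActivity_TimeGenerated < ExpirationDateTime
  // One row per indicator/URL pair, carrying the latest activity and its user/IP.
  | summarize DataverseActivity_TimeGenerated  = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
  | extend
      CloudAppId = int(32780),  // mapped to the CloudApplication AppId entity by this rule
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      DataverseActivity_TimeGenerated,
      Description,
      ActivityGroupNames,
      IndicatorId,
      ThreatType,
      ExpirationDateTime,
      ConfidenceScore,
      UserId,
      ClientIp,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix,
      Url
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml
queryFrequency: 1h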
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d88a0e22-3b6a-40c2-af28-c064b44d03b7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d88a0e22-3b6a-40c2-af28-c064b44d03b7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Malicous IP {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}",
          "alertDisplayNameFormat": "Dataverse - TI match on URL in {{InstanceUrl}}"
        },
        "alertRuleTemplateName": "d88a0e22-3b6a-40c2-af28-c064b44d03b7",
        "customDetails": null,
        "description": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.",
        "displayName": "Dataverse - TI map URL to DataverseActivity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(Url)\n| join kind=innerunique (\n    DataverseActivity\n    | where TimeGenerated >= ago(dt_lookBack)\n    | where Message in (\"Create\", \"Update\")\n    | where isnotempty(Fields) and Fields has \"http\"\n    | extend\n        ExtractedUrls = extract_all(\"(http[s]?://(?:[a-zA-Z\\\\.-]|[0-9])+)\", tostring(Fields)),\n        DataverseActivity_TimeGenerated = TimeGenerated\n    | mv-expand Url = ExtractedUrls\n    | project\n        DataverseActivity_TimeGenerated,\n        tostring(Url),\n        UserId,\n        ClientIp,\n        InstanceUrl,\n        EntityName\n    )\n    on Url\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated  = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    DataverseActivity_TimeGenerated,\n    Description,\n    ActivityGroupNames,\n    IndicatorId,\n    ThreatType,\n    ExpirationDateTime,\n    ConfidenceScore,\n    UserId,\n    ClientIp,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix,\n    Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1204",
          "T1566",
          "T1574"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}