Microsoft Sentinel Analytic Rules

Dataverse - TI map URL to DataverseActivity

Idd88a0e22-3b6a-40c2-af28-c064b44d03b7
RulenameDataverse - TI map URL to DataverseActivity
DescriptionIdentifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.
SeverityMedium
TacticsInitialAccess
Execution
Persistence
TechniquesT1566
T1456
T1474
T0819
T0865
T0862
T0863
T1204
T1574
T0873
Required data connectorsDataverse
MicrosoftDefenderThreatIntelligence
ThreatIntelligence
ThreatIntelligenceTaxii
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml
Version3.2.0
Arm templated88a0e22-3b6a-40c2-af28-c064b44d03b7.json
// Correlates URL threat-intelligence indicators with URLs found in Dataverse Create/Update
// activity payloads. Emits one row per (IndicatorId, Url) pair carrying the latest matching
// activity, shaped for the Account / IP / URL / CloudApplication entity mappings.
let dt_lookBack = 1h;   // activity window; equals the 1h query frequency, so each run sees only new activity
let ioc_lookBack = 14d; // indicator look-back; equals the 14d query period
ThreatIntelligenceIndicator
// Indicators ingested inside the look-back window that have not yet expired.
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
// Collapse to the newest record per indicator first, so the Active check below is
// evaluated against the indicator's latest known state.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| where Active == true
| where isnotempty(Url)
// Join on exact string equality of Url. The right side yields scheme+host only (see the
// regex below), so an indicator that carries a port, path or query will not match.
| join kind=innerunique (
    DataverseActivity
    | where TimeGenerated >= ago(dt_lookBack)
    | where Message in ("Create", "Update")
    // Cheap pre-filter before the regex: skip payloads that contain no "http" token at all.
    | where isnotempty(Fields) and Fields has "http"
    | extend
        // Captures the scheme plus a run of letters, digits, dots and hyphens; extraction stops
        // at the first other character, so port, path and query string are not captured.
        ExtractedUrls = extract_all("(http[s]?://(?:[a-zA-Z\\.-]|[0-9])+)", tostring(Fields)),
        DataverseActivity_TimeGenerated = TimeGenerated
    // One row per URL found in the payload.
    | mv-expand Url = ExtractedUrls
    | project
        DataverseActivity_TimeGenerated,
        tostring(Url),
        UserId,
        ClientIp,
        InstanceUrl,
        EntityName  // carried through the join but not emitted by the final project
    )
    on Url
// Discard activity that happened after the indicator expired.
| where DataverseActivity_TimeGenerated < ExpirationDateTime
// Keep only the most recent activity per indicator/URL pair.
| summarize DataverseActivity_TimeGenerated  = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
| extend
    // NOTE(review): 32780 is presumably the Defender for Cloud Apps app id for Dynamics 365 / Dataverse — confirm.
    CloudAppId = int(32780),
    // Split the UPN into the Name / UPNSuffix pair expected by the Account entity mapping.
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    DataverseActivity_TimeGenerated,
    Description,
    ActivityGroupNames,
    IndicatorId,
    ThreatType,
    ExpirationDateTime,
    ConfidenceScore,
    UserId,
    ClientIp,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix,
    Url
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIp
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
  - identifier: InstanceName
    columnName: InstanceUrl
queryFrequency: 1h
name: Dataverse - TI map URL to DataverseActivity
alertDetailsOverride:
  alertDisplayNameFormat: Dataverse - TI match on URL in {{InstanceUrl}}
  alertDescriptionFormat: Malicious URL {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}
kind: Scheduled
tactics:
- InitialAccess
- Execution
- Persistence
triggerThreshold: 0
query: |
  let dt_lookBack = 1h;
  let ioc_lookBack = 14d;
  ThreatIntelligenceIndicator
  | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
  | where Active == true
  | where isnotempty(Url)
  | join kind=innerunique (
      DataverseActivity
      | where TimeGenerated >= ago(dt_lookBack)
      | where Message in ("Create", "Update")
      | where isnotempty(Fields) and Fields has "http"
      | extend
          ExtractedUrls = extract_all("(http[s]?://(?:[a-zA-Z\\.-]|[0-9])+)", tostring(Fields)),
          DataverseActivity_TimeGenerated = TimeGenerated
      | mv-expand Url = ExtractedUrls
      | project
          DataverseActivity_TimeGenerated,
          tostring(Url),
          UserId,
          ClientIp,
          InstanceUrl,
          EntityName
      )
      on Url
  | where DataverseActivity_TimeGenerated < ExpirationDateTime
  | summarize DataverseActivity_TimeGenerated  = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      DataverseActivity_TimeGenerated,
      Description,
      ActivityGroupNames,
      IndicatorId,
      ThreatType,
      ExpirationDateTime,
      ConfidenceScore,
      UserId,
      ClientIp,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix,
      Url  
relevantTechniques:
- T1566
- T1456
- T1474
- T0819
- T0865
- T0862
- T0863
- T1204
- T1574
- T0873
triggerOperator: gt
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml
severity: Medium
status: Available
id: d88a0e22-3b6a-40c2-af28-c064b44d03b7
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: ThreatIntelligenceTaxii
  dataTypes:
  - ThreatIntelligenceIndicator
- connectorId: MicrosoftDefenderThreatIntelligence
  dataTypes:
  - ThreatIntelligenceIndicator
version: 3.2.0
description: Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d88a0e22-3b6a-40c2-af28-c064b44d03b7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d88a0e22-3b6a-40c2-af28-c064b44d03b7')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Malicious URL {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}",
          "alertDisplayNameFormat": "Dataverse - TI match on URL in {{InstanceUrl}}"
        },
        "alertRuleTemplateName": "d88a0e22-3b6a-40c2-af28-c064b44d03b7",
        "customDetails": null,
        "description": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.",
        "displayName": "Dataverse - TI map URL to DataverseActivity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - TI map URL to DataverseActivity.yaml",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(Url)\n| join kind=innerunique (\n    DataverseActivity\n    | where TimeGenerated >= ago(dt_lookBack)\n    | where Message in (\"Create\", \"Update\")\n    | where isnotempty(Fields) and Fields has \"http\"\n    | extend\n        ExtractedUrls = extract_all(\"(http[s]?://(?:[a-zA-Z\\\\.-]|[0-9])+)\", tostring(Fields)),\n        DataverseActivity_TimeGenerated = TimeGenerated\n    | mv-expand Url = ExtractedUrls\n    | project\n        DataverseActivity_TimeGenerated,\n        tostring(Url),\n        UserId,\n        ClientIp,\n        InstanceUrl,\n        EntityName\n    )\n    on Url\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated  = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    DataverseActivity_TimeGenerated,\n    Description,\n    ActivityGroupNames,\n    IndicatorId,\n    ThreatType,\n    ExpirationDateTime,\n    ConfidenceScore,\n    UserId,\n    ClientIp,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix,\n    Url\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1204",
          "T1566",
          "T1574"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}