FO - Bank account change following network alias reassignment
| Id | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 |
| Rulename | F&O - Bank account change following network alias reassignment |
| Description | Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number. |
| Severity | Low |
| Tactics | CredentialAccess LateralMovement PrivilegeEscalation |
| Techniques | T1556 T0859 T1078 |
| Required data connectors | Dynamics365Finance |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml |
| Version | 3.2.0 |
| Arm template | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64.json |
let query_frequency = 15m;
FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "UserInfo"
| extend UserId = tostring(parse_json(tostring(FormattedData.["03::id"])).NewData)
| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))
| extend
CurrentAlias = tostring(NetworkAlias.NewData),
PreviousAlias = tostring(NetworkAlias.OldData)
| where CurrentAlias != PreviousAlias
| extend
AliasUpdated = LogCreatedDateTime,
AliasChangedBy = Username
| join kind=inner(FinanceOperationsActivity_CL
| where TimeGenerated >= ago (query_frequency)
| where LogType == "Update" and TableName == "BankAccountTable"
| extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
| extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
| extend
CurrentAccountNum = tostring(AccountNum.NewData),
OldAccountNum = tostring(AccountNum.OldData)
| where CurrentAccountNum != OldAccountNum
| extend BankUpdated = LogCreatedDateTime)
on $left.UserId == $right.Username
| where BankUpdated > AliasUpdated
| extend
FinOpsAppId = 32780,
AccountName = tostring(split(CurrentAlias, "@")[0]),
UPNSuffix = tostring(split(CurrentAlias, "@")[1])
| project
AliasUpdated,
AliasChangedBy,
Username,
AccountId,
CurrentAccountNum,
OldAccountNum,
CurrentAlias,
PreviousAlias,
FinOpsAppId,
AccountName,
UPNSuffix
relevantTechniques:
- T1556
- T0859
- T1078
name: F&O - Bank account change following network alias reassignment
queryPeriod: 1d
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: A user account alias was reassigned for {{Username}} by {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.
alertDisplayNameFormat: F&O - Suspicious bank account changes
id: dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64
eventGroupingSettings:
aggregationKind: SingleAlert
severity: Low
requiredDataConnectors:
- dataTypes:
- FinanceOperationsActivity_CL
connectorId: Dynamics365Finance
description: Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number.
version: 3.2.0
status: Available
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AliasChangedBy
identifier: FullName
- entityType: Account
fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: Username
identifier: FullName
tactics:
- CredentialAccess
- LateralMovement
- PrivilegeEscalation
query: |
let query_frequency = 15m;
FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "UserInfo"
| extend UserId = tostring(parse_json(tostring(FormattedData.["03::id"])).NewData)
| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))
| extend
CurrentAlias = tostring(NetworkAlias.NewData),
PreviousAlias = tostring(NetworkAlias.OldData)
| where CurrentAlias != PreviousAlias
| extend
AliasUpdated = LogCreatedDateTime,
AliasChangedBy = Username
| join kind=inner(FinanceOperationsActivity_CL
| where TimeGenerated >= ago (query_frequency)
| where LogType == "Update" and TableName == "BankAccountTable"
| extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
| extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
| extend
CurrentAccountNum = tostring(AccountNum.NewData),
OldAccountNum = tostring(AccountNum.OldData)
| where CurrentAccountNum != OldAccountNum
| extend BankUpdated = LogCreatedDateTime)
on $left.UserId == $right.Username
| where BankUpdated > AliasUpdated
| extend
FinOpsAppId = 32780,
AccountName = tostring(split(CurrentAlias, "@")[0]),
UPNSuffix = tostring(split(CurrentAlias, "@")[1])
| project
AliasUpdated,
AliasChangedBy,
Username,
AccountId,
CurrentAccountNum,
OldAccountNum,
CurrentAlias,
PreviousAlias,
FinOpsAppId,
AccountName,
UPNSuffix
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml
queryFrequency: 15m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "A user account alias was reassigned for {{Username}} by {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.",
"alertDisplayNameFormat": "F&O - Suspicious bank account changes"
},
"alertRuleTemplateName": "dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64",
"customDetails": null,
"description": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number.",
"displayName": "F&O - Bank account change following network alias reassignment",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AliasChangedBy",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "Username",
"identifier": "FullName"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml",
"query": "let query_frequency = 15m;\nFinanceOperationsActivity_CL\n| where LogType == \"Update\" and TableName == \"UserInfo\"\n| extend UserId = tostring(parse_json(tostring(FormattedData.[\"03::id\"])).NewData)\n| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))\n| extend\n CurrentAlias = tostring(NetworkAlias.NewData),\n PreviousAlias = tostring(NetworkAlias.OldData)\n| where CurrentAlias != PreviousAlias\n| extend\n AliasUpdated = LogCreatedDateTime,\n AliasChangedBy = Username\n| join kind=inner(FinanceOperationsActivity_CL\n | where TimeGenerated >= ago (query_frequency)\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum\n | extend BankUpdated = LogCreatedDateTime)\n on $left.UserId == $right.Username\n| where BankUpdated > AliasUpdated\n| extend\n FinOpsAppId = 32780,\n AccountName = tostring(split(CurrentAlias, \"@\")[0]),\n UPNSuffix = tostring(split(CurrentAlias, \"@\")[1])\n| project\n AliasUpdated,\n AliasChangedBy,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n CurrentAlias,\n PreviousAlias,\n FinOpsAppId,\n AccountName,\n UPNSuffix\n",
"queryFrequency": "PT15M",
"queryPeriod": "P1D",
"severity": "Low",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"LateralMovement",
"PrivilegeEscalation"
],
"techniques": [
"T1078",
"T1556"
],
"templateVersion": "3.2.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}