F&O - Bank account change following network alias reassignment
| Id | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64 |
| Rulename | F&O - Bank account change following network alias reassignment |
| Description | Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number. |
| Severity | Low |
| Tactics | CredentialAccess LateralMovement PrivilegeEscalation |
| Techniques | T1556 T0859 T1078 |
| Required data connectors | Dynamics365Finance |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml |
| Version | 3.2.0 |
| Arm template | dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64.json |
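// Detects a user whose network alias was reassigned (UserInfo update) and who then,
// within the current run window, changed a bank account number (BankAccountTable update).
// Output columns: AliasChangedBy is the account that performed the alias change; Username is
// the user whose alias was changed (and who made the bank account change).
let query_frequency = 15m;
// Left side: alias reassignments, i.e. UserInfo updates where networkAlias.NewData differs
// from networkAlias.OldData. UserId is the id of the user record that was modified.
FinanceOperationsActivity_CL
| where LogType == "Update" and TableName == "UserInfo"
| extend UserId = tostring(parse_json(tostring(FormattedData.["03::id"])).NewData)
| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))
| extend
    CurrentAlias = tostring(NetworkAlias.NewData),
    PreviousAlias = tostring(NetworkAlias.OldData)
| where CurrentAlias != PreviousAlias
| extend AliasUpdated = LogCreatedDateTime
// Rename the actor column instead of copying it: if the left side still carried a column
// named Username, the right side's Username would be emitted as Username1 after the join and
// the projected Username would silently be the alias changer rather than the affected user.
| project-rename AliasChangedBy = Username
| join kind=inner (
    // Right side: bank account number changes made in the last run window.
    FinanceOperationsActivity_CL
    | where TimeGenerated >= ago(query_frequency)
    | where LogType == "Update" and TableName == "BankAccountTable"
    | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
    | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
    | extend
        CurrentAccountNum = tostring(AccountNum.NewData),
        OldAccountNum = tostring(AccountNum.OldData)
    | where CurrentAccountNum != OldAccountNum
    | extend BankUpdated = LogCreatedDateTime
) on $left.UserId == $right.Username
// Keep only bank changes that happened after the alias reassignment.
| where BankUpdated > AliasUpdated
| extend
    FinOpsAppId = 32780,
    // Split the new alias into the parts the Account entity mapping expects.
    AccountName = tostring(split(CurrentAlias, "@")[0]),
    UPNSuffix = tostring(split(CurrentAlias, "@")[1])
| project
    AliasUpdated,
    AliasChangedBy,
    Username,
    AccountId,
    CurrentAccountNum,
    OldAccountNum,
    CurrentAlias,
    PreviousAlias,
    FinOpsAppId,
    AccountName,
    UPNSuffix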
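query: |
  // Detects a user whose network alias was reassigned (UserInfo update) and who then,
  // within the current run window, changed a bank account number (BankAccountTable update).
  // AliasChangedBy is the account that performed the alias change; Username is the user
  // whose alias was changed (and who made the bank account change).
  let query_frequency = 15m;
  // Left side: alias reassignments where networkAlias.NewData differs from OldData.
  FinanceOperationsActivity_CL
  | where LogType == "Update" and TableName == "UserInfo"
  | extend UserId = tostring(parse_json(tostring(FormattedData.["03::id"])).NewData)
  | extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))
  | extend
      CurrentAlias = tostring(NetworkAlias.NewData),
      PreviousAlias = tostring(NetworkAlias.OldData)
  | where CurrentAlias != PreviousAlias
  | extend AliasUpdated = LogCreatedDateTime
  // Rename the actor column instead of copying it: a left-side column named Username would
  // push the right side's Username out to Username1 after the join, so the projected
  // Username would be the alias changer rather than the affected user.
  | project-rename AliasChangedBy = Username
  | join kind=inner (
      // Right side: bank account number changes made in the last run window.
      FinanceOperationsActivity_CL
      | where TimeGenerated >= ago(query_frequency)
      | where LogType == "Update" and TableName == "BankAccountTable"
      | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)
      | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))
      | extend
          CurrentAccountNum = tostring(AccountNum.NewData),
          OldAccountNum = tostring(AccountNum.OldData)
      | where CurrentAccountNum != OldAccountNum
      | extend BankUpdated = LogCreatedDateTime
  ) on $left.UserId == $right.Username
  // Keep only bank changes that happened after the alias reassignment.
  | where BankUpdated > AliasUpdated
  | extend
      FinOpsAppId = 32780,
      // Split the new alias into the parts the Account entity mapping expects.
      AccountName = tostring(split(CurrentAlias, "@")[0]),
      UPNSuffix = tostring(split(CurrentAlias, "@")[1])
  | project
      AliasUpdated,
      AliasChangedBy,
      Username,
      AccountId,
      CurrentAccountNum,
      OldAccountNum,
      CurrentAlias,
      PreviousAlias,
      FinOpsAppId,
      AccountName,
      UPNSuffix
description: Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number.
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 1d
queryFrequency: 15m
entityMappings:
  # Account that performed the alias change.
  - entityType: Account
    fieldMappings:
      - columnName: AliasChangedBy
        identifier: FullName
  # The reassigned alias itself, split into name and UPN suffix by the query.
  - entityType: Account
    fieldMappings:
      - columnName: AccountName
        identifier: Name
      - columnName: UPNSuffix
        identifier: UPNSuffix
  # User whose alias was changed and who then modified the bank account.
  - entityType: Account
    fieldMappings:
      - columnName: Username
        identifier: FullName
name: F&O - Bank account change following network alias reassignment
status: Available
id: dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64
tactics:
  - CredentialAccess
  - LateralMovement
  - PrivilegeEscalation
eventGroupingSettings:
  aggregationKind: SingleAlert
kind: Scheduled
requiredDataConnectors:
  - connectorId: Dynamics365Finance
    dataTypes:
      - FinanceOperationsActivity_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Bank account change following network alias reassignment.yaml
alertDetailsOverride:
  alertDisplayNameFormat: F&O - Suspicious bank account changes
  alertDescriptionFormat: A user account alias was reassigned for {{Username}} by {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.
version: 3.2.0
severity: Low
relevantTechniques:
  - T1556
  - T0859
  - T1078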