Dataverse - Mass record updates
| Id | df577f0f-1d8a-4420-9057-a07f0edb15c8 |
| Rulename | Dataverse - Mass record updates |
| Description | This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold. |
| Severity | Medium |
| Tactics | Impact |
| Techniques | T1641 T1485 T1565 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass record updates.yaml |
| Version | 3.2.0 |
| Arm template | df577f0f-1d8a-4420-9057-a07f0edb15c8.json |
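// Detection tuning: alert when a single actor (UserId seen from a given ClientIp) performs more
// than this many "Update" operations against one Dataverse instance within the lookback window.
// Legitimate bulk jobs (migrations, integrations) can exceed it; tune per environment.
let detection_threshold = 10000;
// Lookback window. The rule's queryPeriod is 14d, but only this window is scanned; keeping it
// equal to the run frequency (1h) means consecutive runs neither overlap nor leave gaps.
let query_frequency = 1h;
// All Dataverse activity in the window, reused on both sides of the join below.
let recent_activity =
    DataverseActivity
    | where TimeGenerated >= ago(query_frequency);
// Actors whose update volume exceeds the threshold. EventCount is the actor's total across
// every entity it touched, not a per-entity figure.
let bulk_updaters =
    recent_activity
    | where Message == "Update"
    | summarize EventCount = count() by InstanceUrl, UserId, ClientIp, Message
    | where EventCount > detection_threshold;
// Individual update events of the flagged actors. Materialized because two summaries read it.
let flagged_updates = materialize(
    bulk_updaters
    | join kind=inner recent_activity on InstanceUrl, UserId, ClientIp, Message);
// Exact per-entity event count and earliest event, computed BEFORE expanding Fields so that an
// update touching several attributes is counted once, not once per attribute.
let per_entity_counts =
    flagged_updates
    | summarize
        EntityEvents = count(),
        FirstEvent = min(TimeGenerated)
        by UserId, ClientIp, InstanceUrl, EventCount, EntityName;
// Distinct attribute names touched per entity (Fields is an array of changed attributes).
let per_entity_fields =
    flagged_updates
    | mv-expand Fields
    | summarize UpdatedFields = make_set(Fields.Name, 100)  // capped at 100 names per entity
        by UserId, ClientIp, InstanceUrl, EntityName;
per_entity_counts
// leftouter keeps entities whose events carry no Fields array (UpdatedFields is then empty).
| join kind=leftouter per_entity_fields on UserId, ClientIp, InstanceUrl, EntityName
| extend Details = bag_pack("Entity", EntityName, "Count", EntityEvents, "FieldsUpdated", UpdatedFields)
| summarize
    // EventCount is the actor's total and is identical on every entity row, so take it directly;
    // summing it per entity would multiply it by the number of distinct entities.
    TotalEvents = max(EventCount),
    FirstEvent = min(FirstEvent),
    Details = make_list(Details, 100)  // capped at 100 entities; broader changes are truncated
    by UserId, ClientIp, InstanceUrl
// Entity-mapping columns: the UPN split feeds the Account entity; 32780 is the app id wired to
// the CloudApplication mapping (presumably Dynamics 365's — confirm against the mapping).
// A UserId that is not a UPN yields an empty UPNSuffix.
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    UserId,
    ClientIp,
    TotalEvents,
    Details,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix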
alertDetailsOverride:
alertDescriptionFormat: A total of {{TotalEvents}} records were updated by {{UserId}}, breaching the mass update threshold in {{InstanceUrl}}.
alertDisplayNameFormat: 'Dataverse - Mass record changes detected in {{InstanceUrl}}'
description: This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold.
kind: Scheduled
tactics:
- Impact
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Mass record updates.yaml
severity: Medium
name: Dataverse - Mass record updates
customDetails:
Details: Details
triggerThreshold: 0
queryPeriod: 14d
query: |
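// Detection tuning: alert when a single actor (UserId seen from a given ClientIp) performs more
// than this many "Update" operations against one Dataverse instance within the lookback window.
// Legitimate bulk jobs (migrations, integrations) can exceed it; tune per environment.
let detection_threshold = 10000;
// Lookback window. The rule's queryPeriod is 14d, but only this window is scanned; keeping it
// equal to the run frequency (1h) means consecutive runs neither overlap nor leave gaps.
let query_frequency = 1h;
// All Dataverse activity in the window, reused on both sides of the join below.
let recent_activity =
    DataverseActivity
    | where TimeGenerated >= ago(query_frequency);
// Actors whose update volume exceeds the threshold. EventCount is the actor's total across
// every entity it touched, not a per-entity figure.
let bulk_updaters =
    recent_activity
    | where Message == "Update"
    | summarize EventCount = count() by InstanceUrl, UserId, ClientIp, Message
    | where EventCount > detection_threshold;
// Individual update events of the flagged actors. Materialized because two summaries read it.
let flagged_updates = materialize(
    bulk_updaters
    | join kind=inner recent_activity on InstanceUrl, UserId, ClientIp, Message);
// Exact per-entity event count and earliest event, computed BEFORE expanding Fields so that an
// update touching several attributes is counted once, not once per attribute.
let per_entity_counts =
    flagged_updates
    | summarize
        EntityEvents = count(),
        FirstEvent = min(TimeGenerated)
        by UserId, ClientIp, InstanceUrl, EventCount, EntityName;
// Distinct attribute names touched per entity (Fields is an array of changed attributes).
let per_entity_fields =
    flagged_updates
    | mv-expand Fields
    | summarize UpdatedFields = make_set(Fields.Name, 100)  // capped at 100 names per entity
        by UserId, ClientIp, InstanceUrl, EntityName;
per_entity_counts
// leftouter keeps entities whose events carry no Fields array (UpdatedFields is then empty).
| join kind=leftouter per_entity_fields on UserId, ClientIp, InstanceUrl, EntityName
| extend Details = bag_pack("Entity", EntityName, "Count", EntityEvents, "FieldsUpdated", UpdatedFields)
| summarize
    // EventCount is the actor's total and is identical on every entity row, so take it directly;
    // summing it per entity would multiply it by the number of distinct entities.
    TotalEvents = max(EventCount),
    FirstEvent = min(FirstEvent),
    Details = make_list(Details, 100)  // capped at 100 entities; broader changes are truncated
    by UserId, ClientIp, InstanceUrl
// Entity-mapping columns: the UPN split feeds the Account entity; 32780 is the app id wired to
// the CloudApplication mapping (presumably Dynamics 365's — confirm against the mapping).
// A UserId that is not a UPN yields an empty UPNSuffix.
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstEvent,
    UserId,
    ClientIp,
    TotalEvents,
    Details,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix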
relevantTechniques:
- T1641
- T1485
- T1565
id: df577f0f-1d8a-4420-9057-a07f0edb15c8
queryFrequency: 1h
status: Available
version: 3.2.0
triggerOperator: gt
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountName
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: IP
fieldMappings:
- columnName: ClientIp
identifier: Address
- entityType: CloudApplication
fieldMappings:
- columnName: CloudAppId
identifier: AppId
- columnName: InstanceUrl
identifier: InstanceName