
New Dynamics 365 Admin Activity

Id: e147e4dc-849c-49e9-9e8b-db4581951ff4
Rule name: New Dynamics 365 Admin Activity
Description: Detects users performing administrative activity in Dynamics 365 who showed no administrative activity in the preceding baseline window (about 14 days). The rule keys on observed activity (the UserType column), not on role assignment, so an account that was granted admin rights but has not yet acted is not surfaced.
Severity: Low
Tactics: InitialAccess
Techniques: T1078
Required data connectors: Dynamics365
Kind: Scheduled
Query frequency: 1d
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Dynamics365Activity/NewDynamicsAdminActivity.yaml
Version: 1.0.1
Arm template: e147e4dc-849c-49e9-9e8b-db4581951ff4.json
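// Purpose: surface users whose admin-typed Dynamics 365 activity appears in the
// current detection window but not in the preceding baseline window.
// This keys on *observed* activity (UserType), not on role assignment: an account
// that was granted admin rights but has not acted yet is invisible to this rule.
//
// detection_time must equal the rule's scheduling interval (queryFrequency = 1d).
// The published value of 1h combined with a daily schedule left 23 hours of every
// day unexamined; a window longer than the schedule would re-alert on the same events.
let baseline_time = 14d;
let detection_time = 1d;
// Candidates: admin-typed activity inside the detection window. The derived action
// name is computed on THIS side because the anti-join below keeps only this table's
// columns -- in the published query the extend sat on the baseline side, was dropped
// by `summarize by UserId`, and never reached make_set().
let recent_admin_activity = Dynamics365Activity
    | where TimeGenerated > ago(detection_time)
    | where UserType =~ 'admin'
    // rows without a user cannot be attributed and would alert on a blank account
    | where isnotempty(UserId)
    // first whitespace-delimited token of OriginalObjectId, presumably the
    // operation name -- confirm against ingested records
    | extend ActionName = tostring(split(OriginalObjectId, ' ')[0]);
// Known set: every user with admin-typed activity during the baseline window.
let baseline_admin_users = Dynamics365Activity
    | where TimeGenerated between (ago(baseline_time) .. ago(detection_time))
    | where UserType =~ 'admin'
    | where isnotempty(UserId)
    | distinct UserId;
recent_admin_activity
| join kind=leftanti baseline_admin_users on UserId
| summarize Actions = make_set(ActionName), MostRecentAction = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId
| extend timestamp = MostRecentAction, AccountCustomEntity = UserId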
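name: New Dynamics 365 Admin Activity
# The query's detection_time is tied to queryFrequency below: both must be the same
# interval. A window shorter than the schedule leaves gaps (the published 1h window on
# a daily schedule examined one hour per day); a longer window re-alerts on old events.
query: |
  // Purpose: surface users whose admin-typed Dynamics 365 activity appears in the
  // current detection window but not in the preceding baseline window.
  // This keys on *observed* activity (UserType), not on role assignment: an account
  // that was granted admin rights but has not acted yet is invisible to this rule.
  let baseline_time = 14d;
  let detection_time = 1d;
  // Candidates: admin-typed activity inside the detection window. The derived action
  // name is computed on THIS side because the anti-join below keeps only this table's
  // columns -- an extend on the baseline side is dropped by the summarize and never
  // reaches make_set().
  let recent_admin_activity = Dynamics365Activity
      | where TimeGenerated > ago(detection_time)
      | where UserType =~ 'admin'
      // rows without a user cannot be attributed and would alert on a blank account
      | where isnotempty(UserId)
      // first whitespace-delimited token of OriginalObjectId, presumably the
      // operation name -- confirm against ingested records
      | extend ActionName = tostring(split(OriginalObjectId, ' ')[0]);
  // Known set: every user with admin-typed activity during the baseline window.
  let baseline_admin_users = Dynamics365Activity
      | where TimeGenerated between (ago(baseline_time) .. ago(detection_time))
      | where UserType =~ 'admin'
      | where isnotempty(UserId)
      | distinct UserId;
  recent_admin_activity
  | join kind=leftanti baseline_admin_users on UserId
  | summarize Actions = make_set(ActionName), MostRecentAction = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId
  | extend timestamp = MostRecentAction, AccountCustomEntity = UserId
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Dynamics365Activity/NewDynamicsAdminActivity.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Dynamics365Activity
  connectorId: Dynamics365
version: 1.0.1
status: Available
# queryPeriod must cover baseline_time (14d) in the query, or the baseline is only
# partially populated and long-standing admins are reported as new.
queryPeriod: 14d
id: e147e4dc-849c-49e9-9e8b-db4581951ff4
triggerOperator: gt
entityMappings:
- fieldMappings:
  # UserId is mapped as the account's FullName, which fits when the column holds a
  # UPN. If this workspace records an object id instead, ObjectGuid/AadUserId is the
  # appropriate identifier -- verify against ingested rows before relying on entity
  # correlation across rules.
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
metadata:
  source:
    kind: Community
  author:
    name: Microsoft
  categories:
    domains:
    - Cloud Provider
    - IT Operations
    - Storage
  support:
    tier: Microsoft
relevantTechniques:
- T1078
severity: Low
description: |
    Detects users performing administrative activity in Dynamics 365 who showed no administrative activity in the preceding baseline window (about 14 days). The rule keys on observed activity (UserType), not on role assignment, so an account that was granted admin rights but has not yet acted is not surfaced.
kind: Scheduled
tactics:
- InitialAccess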
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e147e4dc-849c-49e9-9e8b-db4581951ff4')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e147e4dc-849c-49e9-9e8b-db4581951ff4')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "New Dynamics 365 Admin Activity",
        "description": "'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let baseline_time = 14d;\nlet detection_time = 1h;\nDynamics365Activity\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time))\n| where UserType =~ 'admin'\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| summarize by UserId\n| join kind=rightanti\n(Dynamics365Activity\n| where TimeGenerated > ago(detection_time)\n| where UserType =~ 'admin')\non UserId\n| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserId\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "e147e4dc-849c-49e9-9e8b-db4581951ff4",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/Dynamics365Activity/NewDynamicsAdminActivity.yaml"
      }
    }
  ]
}