Microsoft Sentinel Analytic Rules

Dataverse - Login by a sensitive privileged user

Id: f327816b-9328-4b17-9290-a02adc2f4928
Rule name: Dataverse - Login by a sensitive privileged user
Description: Identifies Dataverse and Dynamics 365 logons by users tagged as sensitive in the VIP Users watchlist.
Severity: High
Tactics: InitialAccess, CredentialAccess, PrivilegeEscalation
Techniques: T1133, T1190, T1078, T1212
Required data connectors: Dataverse
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt (the rule fires whenever a run returns more than 0 rows, i.e. on every sign-in by a tagged user)
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
Version: 3.2.0
Arm template: f327816b-9328-4b17-9290-a02adc2f4928.json
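// Sensitive users are marked in the VIP Users watchlist using the Tags field;
// the MSBizAppsVIPUsers() parser exposes them with a UserPrincipalName column.
// Enter the tag values to monitor. The tag comparison is case-sensitive, so use
// the exact value entered in the watchlist. Every sign-in by a tagged user
// raises an alert (trigger threshold 0, operator gt), so keep this list limited
// to accounts that genuinely warrant per-logon review.
let monitored_tags = dynamic(["DataverseSensitive"]);
// Lookback window. It must match the rule's queryFrequency (1h) so each run
// evaluates each sign-in exactly once. Sign-ins ingested later than this window
// are never evaluated; widen it only if ingestion lag is observed, accepting
// that overlapping windows can alert twice on the same sign-in.
let query_frequency = 1h;
// Normalise the UPN for the join: watchlist entries and DataverseActivity UserId
// values may differ in casing, and a case-sensitive equality join would silently
// miss a sign-in by a sensitive user.
let sensitive_users = MSBizAppsVIPUsers()
    | where Tags in (monitored_tags)
    | extend JoinKey = tolower(UserPrincipalName);
sensitive_users
| join kind=inner (DataverseActivity
    | where TimeGenerated >= ago(query_frequency)
    | where Message == "UserSignIn"
    | extend JoinKey = tolower(UserId))
    on JoinKey
// One row per sensitive user. arg_min keeps the EARLIEST sign-in in the window so
// the column really is the first-seen time (the previous arg_max returned the
// latest event under the name FirstSeen); ClientIp, UserAgent and InstanceUrl
// below therefore describe that first sign-in.
| summarize FirstSeen = arg_min(TimeGenerated, *) by UserId
| extend
    // Application id Sentinel uses for the Dataverse CloudApplication entity.
    CloudAppId = int(32780),
    // Split the UPN into the Name / UPNSuffix pair the Account entity mapping expects.
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstSeen,
    UserId,
    ClientIp,
    UserAgent,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix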
queryPeriod: 14d
id: f327816b-9328-4b17-9290-a02adc2f4928
relevantTechniques:
- T1133
- T1190
- T1078
- T1212
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
  entityType: CloudApplication
- fieldMappings:
  - columnName: ClientIp
    identifier: Address
  entityType: IP
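query: |
  // Sensitive users are marked in the VIP Users watchlist using the Tags field;
  // the MSBizAppsVIPUsers() parser exposes them with a UserPrincipalName column.
  // Enter the tag values to monitor. The tag comparison is case-sensitive, so use
  // the exact value entered in the watchlist. Every sign-in by a tagged user
  // raises an alert (trigger threshold 0, operator gt), so keep this list limited
  // to accounts that genuinely warrant per-logon review.
  let monitored_tags = dynamic(["DataverseSensitive"]);
  // Lookback window. It must match the rule's queryFrequency (1h) so each run
  // evaluates each sign-in exactly once. Sign-ins ingested later than this window
  // are never evaluated; widen it only if ingestion lag is observed, accepting
  // that overlapping windows can alert twice on the same sign-in.
  let query_frequency = 1h;
  // Normalise the UPN for the join: watchlist entries and DataverseActivity UserId
  // values may differ in casing, and a case-sensitive equality join would silently
  // miss a sign-in by a sensitive user.
  let sensitive_users = MSBizAppsVIPUsers()
      | where Tags in (monitored_tags)
      | extend JoinKey = tolower(UserPrincipalName);
  sensitive_users
  | join kind=inner (DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UserSignIn"
      | extend JoinKey = tolower(UserId))
      on JoinKey
  // One row per sensitive user. arg_min keeps the EARLIEST sign-in in the window so
  // the column really is the first-seen time (the previous arg_max returned the
  // latest event under the name FirstSeen); ClientIp, UserAgent and InstanceUrl
  // below therefore describe that first sign-in.
  | summarize FirstSeen = arg_min(TimeGenerated, *) by UserId
  | extend
      // Application id Sentinel uses for the Dataverse CloudApplication entity.
      CloudAppId = int(32780),
      // Split the UPN into the Name / UPNSuffix pair the Account entity mapping expects.
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstSeen,
      UserId,
      ClientIp,
      UserAgent,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix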
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
  - DataverseActivity
  connectorId: Dataverse
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Dataverse - Login by a sensitive privileged user
version: 3.2.0
description: Identifies Dataverse and Dynamics 365 logons by sensitive users.
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Sensitive user logged in at {{InstanceUrl}}'
  alertDescriptionFormat: A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.
tactics:
- InitialAccess
- CredentialAccess
- PrivilegeEscalation
severity: High
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f327816b-9328-4b17-9290-a02adc2f4928')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f327816b-9328-4b17-9290-a02adc2f4928')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.",
          "alertDisplayNameFormat": "Dataverse - Sensitive user logged in at {{InstanceUrl}}"
        },
        "alertRuleTemplateName": "f327816b-9328-4b17-9290-a02adc2f4928",
        "customDetails": null,
        "description": "Identifies Dataverse and Dynamics 365 logons by sensitive users.",
        "displayName": "Dataverse - Login by a sensitive privileged user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml",
        "query": "# Sensitive users are marked in the VIP Users watchlist using the Tags field.\n# Enter the tags values to monitor\nlet monitored_tags = dynamic([\"DataverseSensitive\"]);\nlet query_frequency = 1h;\nlet sensitive_users = MSBizAppsVIPUsers()\n    | where Tags in (monitored_tags);\nsensitive_users\n| join kind=inner (DataverseActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where Message == \"UserSignIn\")\n    on $left.UserPrincipalName == $right.UserId\n| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    FirstSeen,\n    UserId,\n    ClientIp,\n    UserAgent,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1133",
          "T1190",
          "T1212"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}