Dataverse - Login by a sensitive privileged user
| Id | f327816b-9328-4b17-9290-a02adc2f4928 |
| Rulename | Dataverse - Login by a sensitive privileged user |
| Description | Identifies Dataverse and Dynamics 365 logons by sensitive users. |
| Severity | High |
| Tactics | InitialAccess CredentialAccess PrivilegeEscalation |
| Techniques | T1133 T1190 T1078 T1212 |
| Required data connectors | Dataverse |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml |
| Version | 3.2.0 |
| Arm template | f327816b-9328-4b17-9290-a02adc2f4928.json |
# Sensitive users are marked in the VIP Users watchlist using the Tags field.
# Enter the tags values to monitor
let monitored_tags = dynamic(["DataverseSensitive"]);
let query_frequency = 1h;
let sensitive_users = MSBizAppsVIPUsers()
| where Tags in (monitored_tags);
sensitive_users
| join kind=inner (DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn")
on $left.UserPrincipalName == $right.UserId
| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
FirstSeen,
UserId,
ClientIp,
UserAgent,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
kind: Scheduled
triggerOperator: gt
name: Dataverse - Login by a sensitive privileged user
queryFrequency: 1h
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
queryPeriod: 14d
id: f327816b-9328-4b17-9290-a02adc2f4928
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
relevantTechniques:
- T1133
- T1190
- T1078
- T1212
tactics:
- InitialAccess
- CredentialAccess
- PrivilegeEscalation
alertDetailsOverride:
alertDescriptionFormat: A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.
alertDisplayNameFormat: 'Dataverse - Sensitive user logged in in at {{InstanceUrl}} '
version: 3.2.0
severity: High
description: Identifies Dataverse and Dynamics 365 logons by sensitive users.
query: |
# Sensitive users are marked in the VIP Users watchlist using the Tags field.
# Enter the tags values to monitor
let monitored_tags = dynamic(["DataverseSensitive"]);
let query_frequency = 1h;
let sensitive_users = MSBizAppsVIPUsers()
| where Tags in (monitored_tags);
sensitive_users
| join kind=inner (DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn")
on $left.UserPrincipalName == $right.UserId
| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
FirstSeen,
UserId,
ClientIp,
UserAgent,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
eventGroupingSettings:
aggregationKind: SingleAlert
status: Available
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity