Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Dataverse - Login by a sensitive privileged user

Dataverse - Login by a sensitive privileged user

Back
Idf327816b-9328-4b17-9290-a02adc2f4928
RulenameDataverse - Login by a sensitive privileged user
DescriptionIdentifies Dataverse and Dynamics 365 logons by sensitive users.
SeverityHigh
TacticsInitialAccess
CredentialAccess
PrivilegeEscalation
TechniquesT1133
T1190
T1078
T1212
Required data connectorsDataverse
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
Version3.2.0
Arm templatef327816b-9328-4b17-9290-a02adc2f4928.json
Deploy To Azure
# Sensitive users are marked in the VIP Users watchlist using the Tags field.
# Enter the tags values to monitor
let monitored_tags = dynamic(["DataverseSensitive"]);
let query_frequency = 1h;
let sensitive_users = MSBizAppsVIPUsers()
    | where Tags in (monitored_tags);
sensitive_users
| join kind=inner (DataverseActivity
    | where TimeGenerated >= ago(query_frequency)
    | where Message == "UserSignIn")
    on $left.UserPrincipalName == $right.UserId
| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
| extend
    CloudAppId = int(32780),
    AccountName = tostring(split(UserId, '@')[0]),
    UPNSuffix = tostring(split(UserId, '@')[1])
| project
    FirstSeen,
    UserId,
    ClientIp,
    UserAgent,
    InstanceUrl,
    CloudAppId,
    AccountName,
    UPNSuffix

triggerThreshold: 0
alertDetailsOverride:
  alertDisplayNameFormat: 'Dataverse - Sensitive user logged in in at {{InstanceUrl}} '
  alertDescriptionFormat: A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.
requiredDataConnectors:
- connectorId: Dataverse
  dataTypes:
  - DataverseActivity
severity: High
queryFrequency: 1h
id: f327816b-9328-4b17-9290-a02adc2f4928
relevantTechniques:
- T1133
- T1190
- T1078
- T1212
queryPeriod: 14d
name: Dataverse - Login by a sensitive privileged user
status: Available
kind: Scheduled
tactics:
- InitialAccess
- CredentialAccess
- PrivilegeEscalation
triggerOperator: gt
version: 3.2.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
  - columnName: InstanceUrl
    identifier: InstanceName
- entityType: IP
  fieldMappings:
  - columnName: ClientIp
    identifier: Address
eventGroupingSettings:
  aggregationKind: SingleAlert
description: Identifies Dataverse and Dynamics 365 logons by sensitive users.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml
query: |
  # Sensitive users are marked in the VIP Users watchlist using the Tags field.
  # Enter the tags values to monitor
  let monitored_tags = dynamic(["DataverseSensitive"]);
  let query_frequency = 1h;
  let sensitive_users = MSBizAppsVIPUsers()
      | where Tags in (monitored_tags);
  sensitive_users
  | join kind=inner (DataverseActivity
      | where TimeGenerated >= ago(query_frequency)
      | where Message == "UserSignIn")
      on $left.UserPrincipalName == $right.UserId
  | summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
  | extend
      CloudAppId = int(32780),
      AccountName = tostring(split(UserId, '@')[0]),
      UPNSuffix = tostring(split(UserId, '@')[1])
  | project
      FirstSeen,
      UserId,
      ClientIp,
      UserAgent,
      InstanceUrl,
      CloudAppId,
      AccountName,
      UPNSuffix  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f327816b-9328-4b17-9290-a02adc2f4928')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f327816b-9328-4b17-9290-a02adc2f4928')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.",
          "alertDisplayNameFormat": "Dataverse - Sensitive user logged in in at {{InstanceUrl}} "
        },
        "alertRuleTemplateName": "f327816b-9328-4b17-9290-a02adc2f4928",
        "customDetails": null,
        "description": "Identifies Dataverse and Dynamics 365 logons by sensitive users.",
        "displayName": "Dataverse - Login by a sensitive privileged user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              },
              {
                "columnName": "InstanceUrl",
                "identifier": "InstanceName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ClientIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Login by a sensitive privileged user.yaml",
        "query": "# Sensitive users are marked in the VIP Users watchlist using the Tags field.\n# Enter the tags values to monitor\nlet monitored_tags = dynamic([\"DataverseSensitive\"]);\nlet query_frequency = 1h;\nlet sensitive_users = MSBizAppsVIPUsers()\n    | where Tags in (monitored_tags);\nsensitive_users\n| join kind=inner (DataverseActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where Message == \"UserSignIn\")\n    on $left.UserPrincipalName == $right.UserId\n| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId\n| extend\n    CloudAppId = int(32780),\n    AccountName = tostring(split(UserId, '@')[0]),\n    UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n    FirstSeen,\n    UserId,\n    ClientIp,\n    UserAgent,\n    InstanceUrl,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1133",
          "T1190",
          "T1212"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}