Detection rules › Kusto
Dataverse - Audit logging disabled
Identifies a change in system audit configuration whereby audit logging is turned off.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Stealth | T1562 Impair Defenses |
Rule body kusto
id: ea07523b-e6b8-469b-9e25-cdef1ae6fb45
kind: Scheduled
name: Dataverse - Audit logging disabled
description: Identifies a change in system audit configuration whereby audit logging
is turned off.
severity: Low
status: Available
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |
let query_frequency = 1h;
let audit_properties = dynamic(['isauditenabled', 'isuseraccessauditenabled','isreadauditenabled']);
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in~ ("Update", "UpdateAuditSettings")
| where Fields has_any (audit_properties)
| mv-expand Fields
| extend AuditValue = Fields.Name, AuditEnabled = tobool(Fields.Value)
| where AuditValue in~ (audit_properties) and not (AuditEnabled)
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
TimeGenerated,
UserId,
ClientIp,
OriginalObjectId,
AuditValue,
AuditEnabled,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Audit logging was disabled in {{InstanceUrl}} '
alertDescriptionFormat: 'Audit settings changes were detected in {{InstanceUrl}}.
{{AuditValue}} enabled: was set to {{AuditEnabled}}.'
version: 3.2.1
Stages and Predicates
Parameters
let query_frequency = 1h;
let audit_properties = dynamic(['isauditenabled', 'isuseraccessauditenabled','isreadauditenabled']);
Stage 1: source
DataverseActivity
Stage 2: where
| where TimeGenerated >= ago(query_frequency)
Stage 3: where
| where Message in~ ("Update", "UpdateAuditSettings")
Stage 4: where
| where Fields has_any (audit_properties)
Stage 5: mv-expand
| mv-expand Fields
Stage 6: extend
| extend AuditValue = Fields.Name, AuditEnabled = tobool(Fields.Value)
Stage 7: where
| where AuditValue in~ (audit_properties) and not (AuditEnabled)
Stage 8: extend
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
Stage 9: project
| project
TimeGenerated,
UserId,
ClientIp,
OriginalObjectId,
AuditValue,
AuditEnabled,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AuditValue | in |
|
Fields | match |
|
Message | in |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
AccountName | project |
AuditEnabled | project |
AuditValue | project |
ClientIp | project |
CloudAppId | project |
InstanceUrl | project |
OriginalObjectId | project |
TimeGenerated | project |
UPNSuffix | project |
UserId | project |