Detection rules › Kusto
Dataverse - Bulk record ownership re-assignment or sharing
Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1548 Abuse Elevation Control Mechanism |
Rule body kusto
id: 6e480329-84bc-409a-b97b-22e8102af3ca
kind: Scheduled
name: Dataverse - Bulk record ownership re-assignment or sharing
description: Identifies individual record ownership changes including sharing of records
with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
queryFrequency: 1h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1548
query: |
// Set threshold for number of shared/assigned records
let detection_threshold = 100;
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message in ("ModifyAccess", "Assign", "GrantAccess")
| summarize
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated),
Events = count()
by UserId, Message, InstanceUrl, ClientIp
| where Events > detection_threshold
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
FirstEvent,
LastEvent,
Message,
Events,
UserId,
ClientIp,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
alertDetailsOverride:
alertDisplayNameFormat: Dataverse - High number of record access modification events
detected
alertDescriptionFormat: '{{Events}} events of type {{Message}} detected in {{InstanceUrl}}
could indicate suspicious or malicious activity.'
version: 3.2.0
Stages and Predicates
Parameters
let detection_threshold = 100;
let query_frequency = 1h;
Stage 1: source
DataverseActivity
Stage 2: where
| where TimeGenerated >= ago(query_frequency)
Stage 3: where
| where Message in ("ModifyAccess", "Assign", "GrantAccess")
Stage 4: summarize
| summarize
FirstEvent = min(TimeGenerated),
LastEvent = max(TimeGenerated),
Events = count()
by UserId, Message, InstanceUrl, ClientIp
Stage 5: where
| where Events > detection_threshold
Stage 6: extend
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
Stage 7: project
| project
FirstEvent,
LastEvent,
Message,
Events,
UserId,
ClientIp,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
AccountName | project |
ClientIp | project |
CloudAppId | project |
Events | project |
FirstEvent | project |
InstanceUrl | project |
LastEvent | project |
Message | project |
UPNSuffix | project |
UserId | project |