Detection rules › Kusto
Dataverse - Login by a sensitive privileged user
Identifies Dataverse and Dynamics 365 logons by sensitive users.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts, T1133 External Remote Services, T1190 Exploit Public-Facing Application |
| Privilege Escalation | T1078 Valid Accounts |
| Credential Access | T1212 Exploitation for Credential Access |
Rule body kusto
id: f327816b-9328-4b17-9290-a02adc2f4928
kind: Scheduled
name: Dataverse - Login by a sensitive privileged user
description: Identifies Dataverse and Dynamics 365 logons by sensitive users.
severity: High
status: Available
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
- CredentialAccess
- PrivilegeEscalation
relevantTechniques:
- T1133
- T1190
- T1078
- T1212
query: |
# Sensitive users are marked in the VIP Users watchlist using the Tags field.
# Enter the tags values to monitor
let monitored_tags = dynamic(["DataverseSensitive"]);
let query_frequency = 1h;
let sensitive_users = MSBizAppsVIPUsers()
| where Tags in (monitored_tags);
sensitive_users
| join kind=inner (DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn")
on $left.UserPrincipalName == $right.UserId
| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
FirstSeen,
UserId,
ClientIp,
UserAgent,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - Sensitive user logged in in at {{InstanceUrl}} '
alertDescriptionFormat: A user marked as sensitive for Dataverse in the VIPUsers
watchlist signed in at {{InstanceUrl}}.
version: 3.2.0
Stages and Predicates
Parameters
let monitored_tags = dynamic(["DataverseSensitive"]);
let query_frequency = 1h;
The stages below define let sensitive_users (the rule's main pipeline source).
Stage 1: source
MSBizAppsVIPUsers()
Stage 2: where
| where Tags in (monitored_tags)
The stages below run on sensitive_users (the outer pipeline).
Stage 3: join
sensitive_users
| join kind=inner (DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "UserSignIn")
on $left.UserPrincipalName == $right.UserId
Stage 4: summarize
| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId
Stage 5: extend
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
Stage 6: project
| project
FirstSeen,
UserId,
ClientIp,
UserAgent,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
AccountName | project |
ClientIp | project |
CloudAppId | project |
FirstSeen | project |
InstanceUrl | project |
UPNSuffix | project |
UserAgent | project |
UserId | project |