detection.wiki

Detection rules › Kusto

Dataverse - New sign-in from an unauthorized domain

Status
available
Severity
medium
Time window
14d
Group by
ClientIp, InstanceUrl, UserId
Source
github.com/Azure/Azure-Sentinel

Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts, T1133 External Remote Services, T1190 Exploit Public-Facing Application

Rule body kusto

id: 4c1c9aee-8e44-4bb9-bd53-f3e7d6761282
kind: Scheduled
name: Dataverse - New sign-in from an unauthorized domain
description: Identifies Dataverse sign-in activity originating from users with UPN
  suffixes that have not been seen previously in the last 14 days and are not present
  on a predefined list of authorized domains. Common internal Power Platform system
  users are excluded by default.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: Dataverse
    dataTypes:
      - DataverseActivity
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
  - T1190
  - T1133
query: |
  // Allow list of UPN suffixes allowed by the organization.
  let allowed_domains = dynamic([
      'onmicrosoft.com',
      'microsoft.com'
      ]);
  // All list of users allowed by the organization
  let allowed_users = dynamic([
      'user1@mydomain.com',
      'user2@mydomain.com'
      ]);
  let query_frequency = 1h;
  let query_lookback = 14d;
  let historical_users = DataverseActivity
      | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
      | where Message == 'UserSignIn'
      | summarize by UserId;
  DataverseActivity
  | where TimeGenerated >= ago (query_frequency)
  | where Message == 'UserSignIn'
  | join kind=leftanti (historical_users) on UserId
  | summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, ClientIp, InstanceUrl
  | where isnotempty(ClientIp)
  | extend CloudAppId = int(32780)
  | extend AccountName = tostring(split(UserId, '@')[0])
  | extend UPNSuffix = tostring(split(UserId, '@')[1])
  | where UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)
  | project
      FirstEvent,
      LastEvent,
      UserId,
      ClientIp,
      InstanceUrl,
      AccountName,
      UPNSuffix,
      CloudAppId
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIp
  - entityType: CloudApplication
    fieldMappings:
      - identifier: AppId
        columnName: CloudAppId
      - identifier: InstanceName
        columnName: InstanceUrl
alertDetailsOverride:
  alertDisplayNameFormat: Dataverse - Unauthorized sign-in activity
  alertDescriptionFormat: New user sign-in activity was detected in {{InstanceUrl}}
    originating from user {{UserId}}. This user's UPN suffix is not on the authorized
    list of domains.
version: 3.2.0

Stages and Predicates

Parameters

let query_frequency = 1h;
let query_lookback = 14d;

Let binding: allowed_domains

let allowed_domains = dynamic([
    'onmicrosoft.com',
    'microsoft.com'
    ]);

Let binding: allowed_users

let allowed_users = dynamic([
    'user1@mydomain.com',
    'user2@mydomain.com'
    ]);

Let binding: historical_users

let historical_users = DataverseActivity
    | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))
    | where Message == 'UserSignIn'
    | summarize by UserId;

Derived from query_frequency, query_lookback.

Stage 1: source

DataverseActivity

Stage 2: where

| where TimeGenerated >= ago (query_frequency)

Stage 3: where

| where Message == 'UserSignIn'

Stage 4: join (negated)

| join kind=leftanti (historical_users) on UserId

Stage 5: summarize

| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, ClientIp, InstanceUrl

Stage 6: where

| where isnotempty(ClientIp)

Stage 7: extend (3 consecutive steps)

| extend CloudAppId = int(32780)
| extend AccountName = tostring(split(UserId, '@')[0])
| extend UPNSuffix = tostring(split(UserId, '@')[1])

Stage 8: where

| where UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)

References allowed_domains, allowed_users (defined above).

Stage 9: project

| project
    FirstEvent,
    LastEvent,
    UserId,
    ClientIp,
    InstanceUrl,
    AccountName,
    UPNSuffix,
    CloudAppId

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
MessageeqUserSignIn
UPNSuffixinmicrosoft.com, onmicrosoft.com
UserIdinuser1@mydomain.com, user2@mydomain.com

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ClientIpis_not_null
  • (no value, null check)
Messageeq
  • UserSignIn transforms: cased corpus 6 (kusto 6)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
AccountNameproject
ClientIpproject
CloudAppIdproject
FirstEventproject
InstanceUrlproject
LastEventproject
UPNSuffixproject
UserIdproject