Detection rules › Kusto
Dataverse - Organization settings modified
Identifies changes made at organization level in the Dataverse environment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1078 Valid Accounts |
Rule body kusto
id: a6f6b734-3db8-4259-a988-69e0b8eac0c2
kind: Scheduled
name: Dataverse - Organization settings modified
description: Identifies changes made at organization level in the Dataverse environment.
severity: Informational
status: Available
requiredDataConnectors:
- connectorId: Dataverse
dataTypes:
- DataverseActivity
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1078
query: |
let query_frequency = 1h;
DataverseActivity
| where TimeGenerated >= ago(query_frequency)
| where Message == "Update" and EntityName == "organization"
| mv-expand Fields
| extend FieldName = tostring(Fields.Name)
| extend Value = tostring(Fields.Value)
| where FieldName != "organizationid"
| lookup MSBizAppsOrgSettings on FieldName
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
| project
TimeGenerated,
UserId,
ClientIp,
FieldName,
Value,
DisplayName,
Description,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIp
- entityType: CloudApplication
fieldMappings:
- identifier: AppId
columnName: CloudAppId
- identifier: InstanceName
columnName: InstanceUrl
alertDetailsOverride:
alertDisplayNameFormat: 'Dataverse - {{DisplayName}} changed in {{InstanceUrl}} '
alertDescriptionFormat: 'Organization setting {{DisplayName}} : {{Description}}
changed by {{UserId}}'
version: 3.2.0
Stages and Predicates
Parameters
let query_frequency = 1h;
Stage 1: source
DataverseActivity
Stage 2: where
| where TimeGenerated >= ago(query_frequency)
Stage 3: where
| where Message == "Update" and EntityName == "organization"
Stage 4: mv-expand
| mv-expand Fields
Stage 5: extend
| extend FieldName = tostring(Fields.Name)
Stage 6: extend
| extend Value = tostring(Fields.Value)
Stage 7: where
| where FieldName != "organizationid"
Stage 8: kusto:lookup
| lookup MSBizAppsOrgSettings on FieldName
Stage 9: extend
| extend
CloudAppId = int(32780),
AccountName = tostring(split(UserId, '@')[0]),
UPNSuffix = tostring(split(UserId, '@')[1])
Stage 10: project
| project
TimeGenerated,
UserId,
ClientIp,
FieldName,
Value,
DisplayName,
Description,
InstanceUrl,
CloudAppId,
AccountName,
UPNSuffix
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EntityName | eq |
|
FieldName | ne |
|
Message | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field | Source |
|---|---|
AccountName | project |
ClientIp | project |
CloudAppId | project |
Description | project |
DisplayName | project |
FieldName | project |
InstanceUrl | project |
TimeGenerated | project |
UPNSuffix | project |
UserId | project |
Value | project |