Dataverse - Activity after failed logons

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate.

Attribute Value
Type Hunting Query
Solution Microsoft Business Applications
ID dafcc598-2987-4aa0-947e-7d0449677689
Tactics InitialAccess
Techniques T1078, T1190, T1078.004
Required Connectors Dataverse, AzureActiveDirectory
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
DataverseActivity ?
SigninLogs ?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Hunting Queries · Back to Microsoft Business Applications