Package Creation For Dynamics 365

This commit is contained in:
v-spadarthi 2022-05-25 03:57:03 +05:30
Parent b592e2ed9e
Commit b13b976808
12 changed files: 1687 additions and 0 deletions

View file

@ -4,6 +4,7 @@ description: |
'This query looks for changes to the Data Encryption settings for Dynamics 365. 'This query looks for changes to the Data Encryption settings for Dynamics 365.
Reference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365' Reference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Dynamics365 - connectorId: Dynamics365
dataTypes: dataTypes:

View file

@ -3,6 +3,7 @@ name: Mass Export of Dynamics 365 Records to Excel
description: | description: |
'The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.' 'The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Dynamics365 - connectorId: Dynamics365
dataTypes: dataTypes:
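Review bot: the description context line reads 'detects user exporting a large amount of records'; 'detects a user exporting a large number of records' is the correct form, and since this text is copied verbatim into createUiDefinition.json (analytic2-text), fix it in the YAML before regenerating the package.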

View file

@ -3,6 +3,7 @@ name: New Dynamics 365 Admin Activity
description: | description: |
'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.' 'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.'
severity: Low severity: Low
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Dynamics365 - connectorId: Dynamics365
dataTypes: dataTypes:

View file

@ -3,6 +3,7 @@ name: New Dynamics 365 User Agent
description: | description: |
'Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.' 'Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.'
severity: Low severity: Low
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Dynamics365 - connectorId: Dynamics365
dataTypes: dataTypes:
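Review bot: the description context line reads 'has not been seen the 14 days', missing 'in the last'; the same wording is copied verbatim into createUiDefinition.json (analytic4-text), so correct it in the YAML source before regenerating the package.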

View file

@ -3,6 +3,7 @@ name: New Office User Agent in Dynamics 365
description: | description: |
'Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.' 'Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.'
severity: Low severity: Low
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Dynamics365 - connectorId: Dynamics365
dataTypes: dataTypes:

View file

@ -3,6 +3,7 @@ name: Dynamics 365 - User Bulk Retrieval Outside Normal Activity
description: | description: |
'This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.' 'This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.'
severity: Medium severity: Medium
status: Available
requiredDataConnectors: requiredDataConnectors:
- connectorId: Dynamics365 - connectorId: Dynamics365
dataTypes: dataTypes:

View file

@ -0,0 +1,79 @@
{
"id": "Dynamics365",
"title": "Dynamics365",
"publisher": "Microsoft",
"descriptionMarkdown": "The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.",
"logo": "DynamicsLogo.svg",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "Dynamics365",
"baseQuery": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\""
}
],
"sampleQueries": [
{
"description": "Dynamics365 logs",
"query": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\"\n | sort by TimeGenerated"
}
],
"dataTypes": [
{
"name": "Dynamics365Activity",
"lastDataReceivedQuery": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "SentinelKinds",
"value": [
"Dynamics365"
]
}
],
"availability": {
"status": 2,
"isPreview": false,
"availableInDoDCloud": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
}
],
"customs": [
{
"name": "Tenant Permissions",
"description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant."
},
{
"name": "License",
"description": "[Microsoft Dynamics 365 production license](https://docs.microsoft.com/office365/servicedescriptions/microsoft-dynamics-365-online-service-description) (This connector is available for production environments only, not for sandbox). Also, a Microsoft 365 Enterprise [E3 or E5](https://docs.microsoft.com/power-platform/admin/enable-use-comprehensive-auditing#requirements) subscription is required for Activity Logging."
}
]
},
"instructionSteps": [
{
"description": "Connect [Dynamics 365 CRM](https://aka.ms/Sentinel/Dynamics365) activity logs to your Microsoft Sentinel workspace.",
"instructions": [
{
"parameters": {
"connectorKind": "Dynamics365",
"title": "Dynamics365",
"enable": true
},
"type": "SentinelResourceProvider"
}
]
}
]
}
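Review bot: `requiredPermissions` on the `Microsoft.OperationalInsights/workspaces` provider sets `"delete": true` while `permissionsDisplayText` promises only "read and write permissions."; enabling a first-party connector should not require delete on the workspace, so drop the delete requirement (least privilege) or, if it really is needed, make the display text say so. The `delete` flag is also the one a user granted Contributor on the workspace will not notice until the connector page refuses to enable.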

View file

@ -0,0 +1,29 @@
{
"Name": "Dynamics 365",
"Author": "Microsoft",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DynamicsLogo.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [Dynamics 365](https://dynamics.microsoft.com) continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process. /r /n/n /r **Underlying Microsoft Technologies used:** /r/n/n/r This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:a. [Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)",
"Data Connectors": [
"Data Connectors/template_Dynamics365.JSON"
],
"Workbooks": [
"Workbooks/Dynamics365Workbooks.json"
],
"Analytic Rules": [
"Analytic Rules/DynamicsEncryptionSettingsChanged.yaml",
"Analytic Rules/MassExportOfDynamicstoExcel.yaml",
"Analytic Rules/NewDynamicsAdminActivity.yaml",
"Analytic Rules/NewDynamicsUserAgent.yaml",
"Analytic Rules/NewOfficeUserAgentinDynamics.yaml",
"Analytic Rules/UserBulkRetreivalOutsideNormalActivity.yaml"
],
"Hunting Queries": [
"Hunting Queries/DynamicsActivityAfterAADAlert.yaml",
"Hunting Queries/DynamicsActivityAfterFailedLogons.yaml"
],
"BasePath": "C:\\GitHub\\azure-Sentinel\\Solutions\\Dynamics 365",
"Version": "2.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true
}
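Review bot: the `Description` string contains literal `/r /n/n /r` and `/r/n/n/r` where `\r\n` escapes were evidently intended (the createUiDefinition.json basics description in this same commit uses `\r\n`), and `costs:a. [Office 365 Management APIs]` runs the list item straight into the sentence; the packaging tool will emit those forward slashes verbatim. Two smaller points: `BasePath` is a machine-specific absolute path (`C:\\GitHub\\azure-Sentinel\\Solutions\\Dynamics 365`), and the rule file `UserBulkRetreivalOutsideNormalActivity.yaml` is spelled differently from the rule name 'User Bulk Retrieval Outside Normal Activity' in the YAML hunk above, so confirm the path matches the file that exists on disk.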

Binary data
Solutions/Dynamics 365/Package/2.0.0.zip Normal file

Binary file not shown.

View file

@ -0,0 +1,277 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/DynamicsLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Dynamics 365](https://dynamics.microsoft.com) continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process. \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs::\r\n\n a. [Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
"Microsoft.OperationalInsights/workspaces/providers/alertRules",
"Microsoft.Insights/workbooks",
"Microsoft.Logic/workflows"
]
},
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "dataconnectors",
"label": "Data Connectors",
"bladeTitle": "Data Connectors",
"elements": [
{
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the data connector for ingesting Dynamics 365 CRM logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
"name": "dataconnectors-link2",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more about connecting data sources",
"uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
}
}
}
]
},
{
"name": "workbooks",
"label": "Workbooks",
"subLabel": {
"preValidation": "Configure the workbooks",
"postValidation": "Done"
},
"bladeTitle": "Workbooks",
"elements": [
{
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
}
},
{
"name": "workbooks-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
}
}
}
]
},
{
"name": "analytics",
"label": "Analytics",
"subLabel": {
"preValidation": "Configure the analytics",
"postValidation": "Done"
},
"bladeTitle": "Analytics",
"elements": [
{
"name": "analytics-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
}
},
{
"name": "analytics-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
}
}
},
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "Dynamics Encryption Settings Changed",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query looks for changes to the Data Encryption settings for Dynamics 365.\nReference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365"
}
}
]
},
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "Mass Export of Dynamics 365 Records to Excel",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user."
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "New Dynamics 365 Admin Activity",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before."
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "New Dynamics 365 User Agent",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used."
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "New Office User Agent in Dynamics 365",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps."
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "Dynamics 365 - User Bulk Retrieval Outside Normal Activity",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365."
}
}
]
}
]
},
{
"name": "huntingqueries",
"label": "Hunting Queries",
"bladeTitle": "Hunting Queries",
"elements": [
{
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
"name": "huntingqueries-link",
"type": "Microsoft.Common.TextBlock",
"options": {
"link": {
"label": "Learn more",
"uri": "https://docs.microsoft.com/azure/sentinel/hunting"
}
}
},
{
"name": "huntingquery1",
"type": "Microsoft.Common.Section",
"label": "Dynamics 365 Activity After Azure AD Alerts",
"elements": [
{
"name": "huntingquery1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query looks for users conducting Dynamics 365 activity shortly after Azn Azure AD Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen. It depends on the Dynamics365 data connector and Dynamics365Activity data type and Dynamics365 parser."
}
}
]
},
{
"name": "huntingquery2",
"type": "Microsoft.Common.Section",
"label": "Dynamics 365 Activity After Failed Logons",
"elements": [
{
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query looks for users conducting Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate. It depends on the Dynamics365 data connector and Dynamics365Activity data type and Dynamics365 parser."
}
}
]
}
]
}
],
"outputs": {
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"location": "[location()]",
"workspace": "[basics('workspace')]"
}
}
}
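Review bot: `huntingquery1-text` reads "shortly after Azn Azure AD Identity Protection alert"; 'Azn' should be 'an'. In the basics description "operational costs::" has a doubled colon. Also `subscription.resourceProviders` registers `Microsoft.Logic/workflows`, but the same description counts no playbooks (1 data connector, 1 workbook, 6 analytic rules, 2 hunting queries), so that provider can be dropped unless a playbook is planned for this solution.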

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,15 @@
{
"publisherId": "azuresentinel",
"offerId": "azure-sentinel-solution-dynamics365",
"firstPublishDate": "2022-05-24",
"providers": ["Microsoft"],
"categories": {
"domains": [ "Cloud Provider","IT Operations","Storage"]
},
"support": {
"name": "Microsoft Corporation",
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
}
}
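Review bot: `categories.domains` lists "Storage", which does not describe a CRM activity-log monitoring solution; "Cloud Provider" and "IT Operations" are the relevant entries here, and a security or threat-protection domain would be the expected third one for a solution whose content is analytic rules and hunting queries. Check the allowed domain values before changing it.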