diff --git a/Solutions/Dynamics 365/Data Connectors/template_Dynamics365.JSON b/DataConnectors/Dynamics365Activity/template_Dynamics365.JSON similarity index 100% rename from Solutions/Dynamics 365/Data Connectors/template_Dynamics365.JSON rename to DataConnectors/Dynamics365Activity/template_Dynamics365.JSON diff --git a/Solutions/Dynamics 365/Analytic Rules/DynamicsEncryptionSettingsChanged.yaml b/Detections/Dynamics365Activity/DynamicsEncryptionSettingsChanged.yaml similarity index 100% rename from Solutions/Dynamics 365/Analytic Rules/DynamicsEncryptionSettingsChanged.yaml rename to Detections/Dynamics365Activity/DynamicsEncryptionSettingsChanged.yaml diff --git a/Solutions/Dynamics 365/Analytic Rules/MassExportOfDynamicstoExcel.yaml b/Detections/Dynamics365Activity/MassExportOfDynamicstoExcel.yaml similarity index 100% rename from Solutions/Dynamics 365/Analytic Rules/MassExportOfDynamicstoExcel.yaml rename to Detections/Dynamics365Activity/MassExportOfDynamicstoExcel.yaml diff --git a/Solutions/Dynamics 365/Analytic Rules/NewDynamicsAdminActivity.yaml b/Detections/Dynamics365Activity/NewDynamicsAdminActivity.yaml similarity index 100% rename from Solutions/Dynamics 365/Analytic Rules/NewDynamicsAdminActivity.yaml rename to Detections/Dynamics365Activity/NewDynamicsAdminActivity.yaml diff --git a/Solutions/Dynamics 365/Analytic Rules/NewDynamicsUserAgent.yaml b/Detections/Dynamics365Activity/NewDynamicsUserAgent.yaml similarity index 100% rename from Solutions/Dynamics 365/Analytic Rules/NewDynamicsUserAgent.yaml rename to Detections/Dynamics365Activity/NewDynamicsUserAgent.yaml diff --git a/Solutions/Dynamics 365/Analytic Rules/NewOfficeUserAgentinDynamics.yaml b/Detections/Dynamics365Activity/NewOfficeUserAgentinDynamics.yaml similarity index 100% rename from Solutions/Dynamics 365/Analytic Rules/NewOfficeUserAgentinDynamics.yaml rename to Detections/Dynamics365Activity/NewOfficeUserAgentinDynamics.yaml diff --git a/Solutions/Dynamics 365/Analytic Rules/UserBulkRetreivalOutsideNormalActivity.yaml b/Detections/Dynamics365Activity/UserBulkRetreivalOutsideNormalActivity.yaml similarity index 100% rename from Solutions/Dynamics 365/Analytic Rules/UserBulkRetreivalOutsideNormalActivity.yaml rename to Detections/Dynamics365Activity/UserBulkRetreivalOutsideNormalActivity.yaml diff --git a/Solutions/Dynamics 365/Hunting Queries/DynamicsActivityAfterAADAlert.yaml b/Hunting Queries/Dynamics365Activity/DynamicsActivityAfterAADAlert.yaml similarity index 100% rename from Solutions/Dynamics 365/Hunting Queries/DynamicsActivityAfterAADAlert.yaml rename to Hunting Queries/Dynamics365Activity/DynamicsActivityAfterAADAlert.yaml diff --git a/Solutions/Dynamics 365/Hunting Queries/DynamicsActivityAfterFailedLogons.yaml b/Hunting Queries/Dynamics365Activity/DynamicsActivityAfterFailedLogons.yaml similarity index 100% rename from Solutions/Dynamics 365/Hunting Queries/DynamicsActivityAfterFailedLogons.yaml rename to Hunting Queries/Dynamics365Activity/DynamicsActivityAfterFailedLogons.yaml diff --git a/Solutions/Dynamics 365/Data/Solution_Dynamics365.json b/Solutions/Dynamics 365/Data/Solution_Dynamics365.json deleted file mode 100644 index 94bb5bd4f6..0000000000 --- a/Solutions/Dynamics 365/Data/Solution_Dynamics365.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "Name": "Dynamics 365", - "Author": "Microsoft", - "Logo": "", - "Description": "The [Dynamics 365](https://dynamics.microsoft.com) continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process. /r /n/n /r **Underlying Microsoft Technologies used:** /r/n/n/r This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:a. [Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)", - "Data Connectors": [ - "Data Connectors/template_Dynamics365.JSON" - ], - "Workbooks": [ - "Workbooks/Dynamics365Workbooks.json" - ], - "Analytic Rules": [ - "Analytic Rules/DynamicsEncryptionSettingsChanged.yaml", - "Analytic Rules/MassExportOfDynamicstoExcel.yaml", - "Analytic Rules/NewDynamicsAdminActivity.yaml", - "Analytic Rules/NewDynamicsUserAgent.yaml", - "Analytic Rules/NewOfficeUserAgentinDynamics.yaml", - "Analytic Rules/UserBulkRetreivalOutsideNormalActivity.yaml" - ], - "Hunting Queries": [ - "Hunting Queries/DynamicsActivityAfterAADAlert.yaml", - "Hunting Queries/DynamicsActivityAfterFailedLogons.yaml" - ], - "BasePath": "C:\\GitHub\\azure-Sentinel\\Solutions\\Dynamics 365", - "Version": "2.0.0", - "Metadata": "SolutionMetadata.json", - "TemplateSpec": true, - "Is1PConnector": true -} \ No newline at end of file diff --git a/Solutions/Dynamics 365/Package/2.0.0.zip b/Solutions/Dynamics 365/Package/2.0.0.zip deleted file mode 100644 index df1af64eb5..0000000000 Binary files a/Solutions/Dynamics 365/Package/2.0.0.zip and /dev/null differ diff --git a/Solutions/Dynamics 365/Package/createUiDefinition.json b/Solutions/Dynamics 365/Package/createUiDefinition.json deleted file mode 100644 index 1e84c02e2a..0000000000 --- a/Solutions/Dynamics 365/Package/createUiDefinition.json +++ /dev/null @@ -1,277 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Dynamics 365](https://dynamics.microsoft.com) continuous Threat Monitoring Solution for Microsoft Sentinel provides you with ability to collect Dynamics 365 CRM logs, gain visibility of activities within Dynamics 365 and analyze them to detect threats and malicious activities. You can view admin, user and support activities, as well as Microsoft Social Engagement logging events data in workbooks, use it to create custom alerts, and improve your investigation process. \r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs::\r\n\n a. [Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the data connector for ingesting Dynamics 365 CRM logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, - { - "name": "workbooks", - "label": "Workbooks", - "subLabel": { - "preValidation": "Configure the workbooks", - "postValidation": "Done" - }, - "bladeTitle": "Workbooks", - "elements": [ - { - "name": "workbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." - } - }, - { - "name": "workbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" - } - } - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." - } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "Dynamics Encryption Settings Changed", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query looks for changes to the Data Encryption settings for Dynamics 365.\nReference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365" - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "Mass Export of Dynamics 365 Records to Excel", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "New Dynamics 365 Admin Activity", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before." - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "New Dynamics 365 User Agent", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used." - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "New Office User Agent in Dynamics 365", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps." - } - } - ] - }, - { - "name": "analytic6", - "type": "Microsoft.Common.Section", - "label": "Dynamics 365 - User Bulk Retrieval Outside Normal Activity", - "elements": [ - { - "name": "analytic6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365." - } - } - ] - } - ] - }, - { - "name": "huntingqueries", - "label": "Hunting Queries", - "bladeTitle": "Hunting Queries", - "elements": [ - { - "name": "huntingqueries-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " - } - }, - { - "name": "huntingqueries-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/hunting" - } - } - }, - { - "name": "huntingquery1", - "type": "Microsoft.Common.Section", - "label": "Dynamics 365 Activity After Azure AD Alerts", - "elements": [ - { - "name": "huntingquery1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This hunting query looks for users conducting Dynamics 365 activity shortly after Azn Azure AD Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen. It depends on the Dynamics365 data connector and Dynamics365Activity data type and Dynamics365 parser." - } - } - ] - }, - { - "name": "huntingquery2", - "type": "Microsoft.Common.Section", - "label": "Dynamics 365 Activity After Failed Logons", - "elements": [ - { - "name": "huntingquery2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This hunting query looks for users conducting Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate. It depends on the Dynamics365 data connector and Dynamics365Activity data type and Dynamics365 parser." - } - } - ] - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" - } - } -} diff --git a/Solutions/Dynamics 365/Package/mainTemplate.json b/Solutions/Dynamics 365/Package/mainTemplate.json deleted file mode 100644 index 1052afdab2..0000000000 --- a/Solutions/Dynamics 365/Package/mainTemplate.json +++ /dev/null @@ -1,1281 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Microsoft", - "comments": "Solution template for Dynamics 365" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "Dynamics365Workbooks", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - } - }, - "variables": { - "solutionId": "azuresentinel.azure-sentinel-solution-dynamics365", - "_solutionId": "[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "Dynamics365", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Dynamics365", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0", - "workbookVersion1": "1.0.0", - "workbookContentId1": "Dynamics365Workbooks", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "b185ac23-dc27-4573-8192-1134c7a95f4f", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.0.0", - "analyticRulecontentId2": "05eca115-c4b5-48e4-ba6e-07db57695be2", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.0.0", - "analyticRulecontentId3": "e147e4dc-849c-49e9-9e8b-db4581951ff4", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.0.0", - "analyticRulecontentId4": "8ec3a7f9-9f55-4be3-aeb6-9188f91b278e", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.0.0", - "analyticRulecontentId5": "572f3951-5fa3-4e42-9640-fe194d859419", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.0.0", - "analyticRulecontentId6": "93a25f10-593d-4c57-a752-a8a75f031425", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "7498594f-e3a7-4e02-9280-a07be9cfd38a", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "0ea22925-998d-42ea-9ff6-0c32af4ff835", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]" - }, - "resources": [ - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Dynamics 365 data connector with template", - "displayName": "Dynamics 365 template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "Dynamics 365 data connector with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "StaticUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "Dynamics365", - "publisher": "Microsoft", - "descriptionMarkdown": "The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Dynamics365", - "baseQuery": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\"" - } - ], - "connectivityCriterias": [ - { - "type": "SentinelKinds", - "value": [ - "Dynamics365" - ] - } - ], - "dataTypes": [ - { - "name": "Dynamics365Activity", - "lastDataReceivedQuery": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "StaticUI", - "properties": { - "connectorUiConfig": { - "title": "Dynamics365", - "publisher": "Microsoft", - "descriptionMarkdown": "The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events. By connecting Dynamics 365 CRM logs into Microsoft Sentinel, you can view this data in workbooks, use it to create custom alerts, and improve your investigation process.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Dynamics365", - "baseQuery": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\"" - } - ], - "dataTypes": [ - { - "name": "Dynamics365Activity", - "lastDataReceivedQuery": "Dynamics365Activity\n| where OfficeWorkload == \"CRM\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "SentinelKinds", - "value": [ - "Dynamics365" - ] - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Dynamics 365 Workbook with template", - "displayName": "Dynamics 365 workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" - ], - "properties": { - "description": "Dynamics365WorkbooksWorkbook Workbook with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data." - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Dynamics 365 Workbook\\n---\\n\\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. This workbook is separated into 5 distinct sections and within each section there are several queries and visualizations. Many of the queries build on data from previous queries so may not appear if no data is present.\\n\\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of Dynamics 365 data queries may timeout with a large time range, if this is the case simply select a smaller time range.: \"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"412a09a0-64ae-4614-aec6-cbfc9273b82b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 32\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ae90d1dc-20da-4948-80da-127b210bf152\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Retrieval Events\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"a1862467-36e9-4191-89ee-0a7479ec6114\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Deletion Events\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"06df36ec-4c5b-456d-b5d3-45fcd4662c6b\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Export Events\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"5bb7d870-a9d8-4905-a7c5-41b94c89edf4\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Events\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"fa9a364b-0ffc-4023-a7cc-087345da4ba8\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Other Events\",\"subTarget\":\"5\",\"style\":\"link\"}]},\"name\":\"links - 34\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Retrieval Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\n| extend Message = split(OriginalObjectId, ' ')[0]\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| union (\\n Dynamics365Activity\\n | extend Message = split(OriginalObjectId, ' ')[0]\\n | where Message =~ \\\"Retrieve\\\" \\n | extend QueryCount = double(1))\\n| make-series TotalRetrieves=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\n| extend (baseline) = series_decompose(TotalRetrieves)\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalRetrieves, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total record retrievals by users - {TimeRange:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"RetTime\"},{\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"This timeline shows a break down of anomolies in data retrieval sizes by all users. Look for spikes that might indicate suspicious activity by users in terms of accessing records.\\r\\n\\r\\n
\\r\\nThe table below shows the 10 users with the largest number of data retrievals in the timeframe. This may help indicate which users are the cause of the anomolies. To filter subcequent views by a particular user simply select a user from the list. If no user is selected queries will show data from all users.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n| extend Message = split(OriginalObjectId, ' ')[0]\\r\\n| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n| extend numQueryCount = todouble(QueryResults)\\r\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n| union (\\r\\n Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| summarize TotalRecords = sum(QueryCount) by UserId\\r\\n| sort by TotalRecords desc\\r\\n| take 10\",\"size\":4,\"title\":\"Users with largest total record retrievals - {TimeRange:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"RetUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n | where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n\\t| union (Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t     | where Message =~ \\\"Retrieve\\\"\\r\\n | where UserId =~ '{RetUser}' \\r\\n \\t | extend QueryCount = double(1))\\r\\n\\t| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retrievals by {RetUser:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n| where Message contains \\\"Retrieve\\\"\\r\\n| where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\",\"size\":1,\"title\":\"Retrievals by {RetUser}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"TimeBrush\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 23 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t      | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIP, ':')[0])\\r\\n| summarize TotalRecords = sum(QueryCount) by IPAddress\\r\\n| sort by TotalRecords desc\\r\\n| take 10\\r\\n| project IPAddress, TotalRecords\",\"size\":1,\"title\":\"Total record retrievals by IP address - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"RetIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"As with the user retrieval events previously this section shows the top 10 IP addresses with the largest number of record retrievals. \\r\\n\\r\\nSelect an IP address in oder to filter subcequent fields by that IP.\",\"style\":\"info\"},\"customWidth\":\"30\",\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t     | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIP, ':')[0])\\r\\n| where IPAddress == '{RetIP}' or '{RetIP}' == \\\"all IP addresses\\\"\\r\\n| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retreivals by {RetIP:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 24\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Retrieval Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Deletions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section include details on users deleting records within Dynamics 365. \\r\\n\\r\\nThe first timeline show anomalies within the total number of records deleted by users. Subcequent sections highlight the User and IP addresses associated with the largest number of record deletions. Selecting records in these results will show additional results filtered to that user or IP address.\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n\\t| make-series TotalDeletes=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalDeletes)\\r\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalDeletes, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Record deletions - {TimeRange:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n\",\"size\":4,\"title\":\"Users with most record deletions - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"DeleteUserId\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | where UserId =~ '{DeleteUserId}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Deletes by {DeleteUserId:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteUserId\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by tostring(split(ClientIP, ':')[0])\\r\\n | extend IPAddress = tostring(ClientIP_0)\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n \\r\\n\",\"size\":4,\"title\":\"Record deletions by IP address - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"DeleteIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\"},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"categorical\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | extend IPAddress = tostring(split(ClientIP, ':')[0])\\r\\n | where IPAddress == '{DeleteIP}' or '{DeleteIP}' == \\\"all IP addresses\\\"\\r\\n | summarize count() by bin(TimeGenerated, 1h)\\r\\n\\r\\n\",\"size\":1,\"title\":\"Deletions by {DeleteIP:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteIP\",\"comparison\":\"isNotEqualTo\",\"value\":\"all IP addresses\"},\"name\":\"query - 22\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Record Deletions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Export Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at records export from Dynamics 365. The first graph represents a timeseries of anomolies in the number of recrods being exported by all users.\\r\\n\\r\\nSubcequent sections look at the users exporting the largest number of records as well as the largest single export events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDynamics365Activity\\r\\n\\t| where TimeGenerated > ago(30d)\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n | make-series TotalExports=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalExports)\\r\\n\\t| extend (anomalies, baseline) = series_decompose_anomalies(TotalExports, 3, -1, 'linefit')\\r\\n\",\"size\":0,\"title\":\"Count of records exported to Excel - {TimeRange:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | summarize TotalRecords = sum(QueryCount) by UserId\\r\\n | sort by TotalRecords desc\\r\\n | take 10\\r\\n\",\"size\":1,\"title\":\"Users with most record exports - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"ExportUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" Dynamics365Activity\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | extend IPAddress=split(ClientIP, ':')[0]\\r\\n | summarize by UserId, tostring(IPAddress), QueryCount\\r\\n | sort by QueryCount desc\\r\\n | take 10\\r\\n\",\"size\":0,\"title\":\"Largest exports - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where UserId =~ '{ExportUser}'\\r\\n | summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Exports by {ExportUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"ExportUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"Export Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Email Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at emails sent by user via Dynamics 365, as with the other sections it starts be looking at anomolies in the total number of emails sent and then allows for drill downs into specific users to identify anomalous events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | make-series TotalEmails=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n | extend (baseline) = series_decompose(TotalEmails)\\r\\n | extend (anomalies, baseline) = series_decompose_anomalies(TotalEmails, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total emails sent - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 7\"},{\"type\":1,\"content\":{\"json\":\"Use this graph to look for spikes in email sent activity that occur outside the regular weekly pattern or occur outside expected working hours. You can then pivot on this data using query similar to:\\r\\n\\r\\n\\tDynamics365Activity\\r\\n \\t| where TimeGenerated between(datetime(SPIKETIME)..(datetime(SPIKETIME)+1h))\\r\\n \\t| where Message =~ \\\"SendEmail\\\"\"},\"name\":\"text - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n     | where Message =~ \\\"SendEmail\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\",\"size\":4,\"title\":\"Users with most sent emails - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"EmailUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"75\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"Select a user to see specific events related to that user.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t | where TimeGenerated > ago(30d)\\r\\n     | where Message =~ \\\"SendEmail\\\"\\r\\n | where UserId =~ '{EmailUser}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Emails by {EmailUser:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"EmailUser\",\"comparison\":\"isEqualTo\"},\"name\":\"query - 27\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"Email Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Other Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section contains a number of other areas of interest from a threat hunting perspective. Selecting events in the queries shows additional data of interest.\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\"\\r\\n\\t| where ClientIP != '127.0.0.1'\\r\\n\\t| join kind=leftanti (Dynamics365Activity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\")\\r\\non UserId\\r\\n| summarize by UserId\",\"size\":0,\"title\":\"New users observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"NewUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"33\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n | summarize count() by UserAgent\\r\\n | sort by count_ asc\\r\\n | take 10\\r\\n | project UserAgent\",\"size\":0,\"title\":\"10 rarest user agents in the {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserAgent\",\"exportParameterName\":\"RareUA\",\"exportDefaultValue\":\"all user agents\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserAgent\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t| where ClientIP != '127.0.0.1'\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message)\\r\\n\\t| join kind=leftanti (Dynamics365Activity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message))\\r\\non Message\\r\\n| summarize by Message\",\"size\":0,\"title\":\"New actions observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Message\",\"exportParameterName\":\"NewAction\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t| where ClientIP != '127.0.0.1'\\r\\n | where UserId =~ '{NewUser}'\\r\\n | project TimeGenerated, Message, ClientIP, UserAgent\",\"size\":0,\"title\":\"Activity by {NewUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"showPin\":false,\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n | where UserAgent =~ '{RareUA}'\\r\\n\",\"size\":0,\"title\":\"Activity by {RareUA:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"RareUA\",\"comparison\":\"isNotEqualTo\",\"value\":\"all user agents\"},\"showPin\":false,\"name\":\"query - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Dynamics365Activity\\r\\n\\t| where ClientIP != '127.0.0.1'\\r\\n | where Message =~ '{NewAction}'\",\"size\":0,\"title\":\"{NewAction:label} activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewAction\",\"comparison\":\"isNotEqualTo\",\"value\":\"All\"},\"name\":\"query - 31\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"Other Events\"}],\"fromTemplateId\":\"sentinel-UserWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=Dynamics365Workbooks; logoFileName=DynamicsLogo.svg; description=This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Dynamics365Workbooks; templateRelativePath=Dynamics365Workbooks.json; subtitle=; provider=Microsoft Sentinel Community}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "Dynamics365Activity", - "kind": "DataType" - }, - { - "contentId": "Dynamics365", - "kind": "DataConnector" - } - ] - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Dynamics 365 Analytics Rule 1 with template", - "displayName": "Dynamics 365 Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" - ], - "properties": { - "description": "DynamicsEncryptionSettingsChanged_AnalyticalRules Analytics Rule with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query looks for changes to the Data Encryption settings for Dynamics 365.\nReference: https://docs.microsoft.com/microsoft-365/compliance/office-365-encryption-in-microsoft-dynamics-365", - "displayName": "Dynamics Encryption Settings Changed", - "enabled": false, - "query": "Dynamics365Activity\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| where Message =~ 'IsDataEncryptionActive'\n| project-reorder TimeGenerated, Message, UserId, ClientIP, InstanceUrl, UserAgent\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365", - "dataTypes": [ - "Dynamics365Activity" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "IPCustomEntity", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", - "properties": { - "description": "Dynamics 365 Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Dynamics 365 Analytics Rule 2 with template", - "displayName": "Dynamics 365 Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" - ], - "properties": { - "description": "MassExportOfDynamicstoExcel_AnalyticalRules Analytics Rule with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.", - "displayName": "Mass Export of Dynamics 365 Records to Excel", - "enabled": false, - "query": "let baseline_time = 7d;\nlet detection_time = 1d;\nDynamics365Activity\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\n| where OriginalObjectId contains 'ExportToExcel'\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend HistoricalBaseline = sum_QueryCount\n| join (Dynamics365Activity\n| where TimeGenerated > ago(detection_time)\n| where OriginalObjectId contains 'ExportToExcel'\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend CurrentExportRate = sum_QueryCount) on UserId\n| where CurrentExportRate > HistoricalBaseline\n| project UserId, HistoricalBaseline, CurrentExportRate\n| join kind=inner(Dynamics365Activity\n| where TimeGenerated > ago(detection_time)\n| where OriginalObjectId contains 'ExportToExcel'\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\n| project TimeGenerated, UserId, QueryCount, UserAgent, OriginalObjectId, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365", - "dataTypes": [ - "Dynamics365Activity" - ] - } - ], - "tactics": [ - "Collection" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", - "properties": { - "description": "Dynamics 365 Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Dynamics 365 Analytics Rule 3 with template", - "displayName": "Dynamics 365 Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" - ], - "properties": { - "description": "NewDynamicsAdminActivity_AnalyticalRules Analytics Rule with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.", - "displayName": "New Dynamics 365 Admin Activity", - "enabled": false, - "query": "let baseline_time = 14d;\nlet detection_time = 1h;\nDynamics365Activity\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time))\n| where UserType =~ 'admin'\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| summarize by UserId\n| join kind=rightanti\n(Dynamics365Activity\n| where TimeGenerated > ago(detection_time)\n| where UserType =~ 'admin')\non UserId\n| summarize Actions = make_set(Message), MostRecentAction = max(TimeGenerated), IPs=make_set(ClientIP), UserAgents = make_set(UserAgent) by UserId\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserId\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365", - "dataTypes": [ - "Dynamics365Activity" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", - "properties": { - "description": "Dynamics 365 Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Dynamics 365 Analytics Rule 4 with template", - "displayName": "Dynamics 365 Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" - ], - "properties": { - "description": "NewDynamicsUserAgent_AnalyticalRules Analytics Rule with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects users accessing Dynamics from a User Agent that has not been seen the 14 days. Has configurable filter for known good user agents such as PowerApps. Also includes optional section to exclude User Agents to indicate a browser being used.", - "displayName": "New Dynamics 365 User Agent", - "enabled": false, - "query": "let lookback = 14d;\nlet timeframe = 1d;\nlet user_accounts = \"(([a-zA-Z]{1,})\\\\.([a-zA-Z]{1,}))@.*\";\nlet known_useragents = dynamic([]);\nDynamics365Activity\n| where TimeGenerated between(ago(lookback)..ago(timeframe))\n| where isnotempty(UserAgent)\n| summarize by UserAgent, UserId\n| join kind = rightanti (Dynamics365Activity\n| where TimeGenerated > ago(timeframe)\n| where isnotempty(UserAgent)\n| where UserAgent !in~ (known_useragents)\n| where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\"\n| where UserId matches regex user_accounts)\non UserAgent, UserId\n// Uncomment this section to exclude user agents with a rendering engine, indicating browsers.\n//| join kind = leftanti(\n//Dynamics365Activity\n//| where TimeGenerated between(ago(lookback)..ago(timeframe))\n//| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")) on UserAgent\n| summarize FirstSeen = min(TimeGenerated), IPs = make_set(ClientIP) by UserAgent, UserId\n| extend timestamp = FirstSeen, AccountCustomEntity = UserId\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365", - "dataTypes": [ - "Dynamics365Activity" - ] - } - ], - "tactics": [ - "InitialAccess" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", - "properties": { - "description": "Dynamics 365 Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Dynamics 365 Analytics Rule 5 with template", - "displayName": "Dynamics 365 Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" - ], - "properties": { - "description": "NewOfficeUserAgentinDynamics_AnalyticalRules Analytics Rule with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Detects users accessing Dynamics from a User Agent that has not been seen in any Office 365 workloads in the last 7 days. Has configurable filter for known good user agents such as PowerApps.", - "displayName": "New Office User Agent in Dynamics 365", - "enabled": false, - "query": "let timeframe = 1h;\nlet lookback = 7d;\nlet known_useragents = dynamic([]);\nDynamics365Activity\n| where TimeGenerated > ago(timeframe)\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| where Message =~ \"UserSignIn\"\n| extend IPAddress = tostring(split(ClientIP, \":\")[0])\n| where isnotempty(UserAgent)\n// Exclude user agents with a render agent to reduce noise\n| where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\")\n| join kind=leftanti(\nOfficeActivity\n| where TimeGenerated > ago(lookback)\n| where UserAgent !in~ (known_useragents))\non UserAgent\n| summarize MostRecentActivity=max(TimeGenerated), IPs=make_set(IPAddress), Users=make_set(UserId), Actions=make_set(OriginalObjectId) by UserAgent\n| extend timestamp = MostRecentActivity\n", - "queryFrequency": "P1D", - "queryPeriod": "P7D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365", - "dataTypes": [ - "Dynamics365Activity" - ] - } - ], - "tactics": [ - "InitialAccess" - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", - "properties": { - "description": "Dynamics 365 Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Dynamics 365 Analytics Rule 6 with template", - "displayName": "Dynamics 365 Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" - ], - "properties": { - "description": "UserBulkRetreivalOutsideNormalActivity_AnalyticalRules Analytics Rule with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query detects users retrieving significantly more records from Dynamics 365 than they have in the past 2 weeks. This could indicate potentially unauthorized access to data within Dynamics 365.", - "displayName": "Dynamics 365 - User Bulk Retrieval Outside Normal Activity", - "enabled": false, - "query": "let baseline_time = 14d;\nlet detection_time = 1d;\nDynamics365Activity\n| where TimeGenerated between(ago(baseline_time)..ago(detection_time-1d))\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| where Message =~ \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend HistoricalBaseline = sum_QueryCount\n| join (Dynamics365Activity\n| where TimeGenerated > ago(detection_time)\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| where Message =~ \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend CurrentExportRate = sum_QueryCount) on UserId\n| where CurrentExportRate > HistoricalBaseline\n| project UserId, HistoricalBaseline, CurrentExportRate\n| join kind=inner(Dynamics365Activity\n| where TimeGenerated > ago(detection_time)\n| extend Message = tostring(split(OriginalObjectId, ' ')[0])\n| where Message =~ \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))) on UserId\n| project TimeGenerated, UserId, QueryCount, UserAgent, Message, ClientIP, HistoricalBaseline, CurrentExportRate, CorrelationId, CrmOrganizationUniqueName, Query\n| summarize QuerySizes = make_set(QueryCount), MostRecentQuery = max(TimeGenerated), IPs = make_set(ClientIP), UserAgents = make_set(UserAgent), make_set(Query) by UserId, CrmOrganizationUniqueName, HistoricalBaseline, CurrentExportRate\n| extend timestamp = MostRecentQuery, AccountCustomEntity = UserId\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365", - "dataTypes": [ - "Dynamics365Activity" - ] - } - ], - "tactics": [ - "Collection" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountCustomEntity", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", - "properties": { - "description": "Dynamics 365 Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2021-06-01", - "name": "[parameters('workspace')]", - "location": "[parameters('workspace-location')]", - "resources": [] - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Dynamics 365 Hunting Query 1 with template", - "displayName": "Dynamics 365 Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" - ], - "properties": { - "description": "DynamicsActivityAfterAADAlert_HuntingQueries Hunting Query with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Dynamics_365_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dynamics 365 Activity After Azure AD Alerts", - "category": "Hunting Queries", - "query": "let match_window = 1h;\nlet analysis_window = 1d;\nlet lookback_window = 7d;\nSecurityAlert\n| where TimeGenerated > ago(analysis_window)\n| where ProviderName == 'IPC'\n| extend UserName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend UserName = tolower(UserName)\n| extend TimeKey = bin(TimeGenerated, match_window)\n| join kind=inner(Dynamics365Activity\n| where TimeGenerated > ago(analysis_window)\n| extend UserName = tolower(UserId)\n| extend TimeKey = bin(TimeGenerated, match_window))\non UserName, TimeKey\n| join kind=leftanti(Dynamics365Activity\n| where TimeGenerated between(ago(lookback_window)..ago(analysis_window))\n| extend UserName = tolower(UserId))\non UserName, OriginalObjectId\n| summarize Actions = make_set(OriginalObjectId), MostRecentAction = max(TimeGenerated1), IPs = make_set(split(tostring(ClientIP), ':')[0]), AADAlerts=make_set(Description), MostRecentAlert = max(TimeGenerated) by UserName\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query looks for users conducting Dynamics 365 activity shortly after Azn Azure AD Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1078" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", - "properties": { - "description": "Dynamics 365 Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Dynamics 365 Hunting Query 2 with template", - "displayName": "Dynamics 365 Hunting Query template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" - ], - "properties": { - "description": "DynamicsActivityAfterFailedLogons_HuntingQueries Hunting Query with template version 2.0.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", - "name": "Dynamics_365_Hunting_Query_2", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dynamics 365 Activity After Failed Logons", - "category": "Hunting Queries", - "query": "let threshold = 10;\nSigninLogs\n| where ResultType in (\"50125\", \"50140\", \"70043\", \"70044\")\n| summarize count() by IPAddress\n| where count_ >= threshold\n| join (Dynamics365Activity\n| extend IPAddress = tostring(split(ClientIP, \":\")[0]))\non IPAddress\n| project-rename FailedLogonCount = count_\n| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query looks for users conducting Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1078" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", - "properties": { - "description": "Dynamics 365 Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "2.0.0", - "kind": "Solution", - "contentSchemaVersion": "2.0.0", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Dynamics 365", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" - } - ] - }, - "firstPublishDate": "2022-05-24", - "providers": [ - "Microsoft" - ], - "categories": { - "domains": [ - "Cloud Provider", - "IT Operations", - "Storage" - ] - } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} diff --git a/Solutions/Dynamics 365/SolutionMetadata.json b/Solutions/Dynamics 365/SolutionMetadata.json deleted file mode 100644 index 9fc9d736df..0000000000 --- a/Solutions/Dynamics 365/SolutionMetadata.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "publisherId": "azuresentinel", - "offerId": "azure-sentinel-solution-dynamics365", - "firstPublishDate": "2022-05-24", - "providers": ["Microsoft"], - "categories": { - "domains": [ "Cloud Provider","IT Operations","Storage"] - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } -} \ No newline at end of file diff --git a/Solutions/Dynamics 365/Workbooks/Dynamics365Workbooks.json b/Workbooks/Dynamics365Workbooks.json similarity index 100% rename from Solutions/Dynamics 365/Workbooks/Dynamics365Workbooks.json rename to Workbooks/Dynamics365Workbooks.json diff --git a/Solutions/Dynamics 365/Workbooks/Images/Preview/Dynamics365WorkbookBlack.png b/Workbooks/Images/Preview/Dynamics365WorkbookBlack.png similarity index 100% rename from Solutions/Dynamics 365/Workbooks/Images/Preview/Dynamics365WorkbookBlack.png rename to Workbooks/Images/Preview/Dynamics365WorkbookBlack.png diff --git a/Solutions/Dynamics 365/Workbooks/Images/Preview/Dynamics365WorkbookWhite.png b/Workbooks/Images/Preview/Dynamics365WorkbookWhite.png similarity index 100% rename from Solutions/Dynamics 365/Workbooks/Images/Preview/Dynamics365WorkbookWhite.png rename to Workbooks/Images/Preview/Dynamics365WorkbookWhite.png