diff --git a/Solutions/Microsoft Business Applications/Package/3.2.0.zip b/Solutions/Microsoft Business Applications/Package/3.2.0.zip index edab0045ec5..84fbdbfc395 100644 Binary files a/Solutions/Microsoft Business Applications/Package/3.2.0.zip and b/Solutions/Microsoft Business Applications/Package/3.2.0.zip differ diff --git a/Solutions/Microsoft Business Applications/Package/createUiDefinition.json b/Solutions/Microsoft Business Applications/Package/createUiDefinition.json index b601f5411df..e8cfd840669 100644 --- a/Solutions/Microsoft Business Applications/Package/createUiDefinition.json +++ b/Solutions/Microsoft Business Applications/Package/createUiDefinition.json @@ -1,1041 +1,1041 @@ { - "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", - "handler": "Microsoft.Azure.CreateUIDef", - "version": "0.1.2-preview", - "parameters": { - "config": { - "isWizard": false, - "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Business%20Applications/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.\n\nThe Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.\n\nIt collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.\n\nDue to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.\n\n**Important**\n\n- The Microsoft Sentinel Solution for Power Platform is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.\n\n- This solution is a premium offering. Pricing information will be available before the solution becomes generally available.\n\nPlease review the solution [documentation](https://learn.microsoft.com/azure/sentinel/business-applications/power-platform-solution-overview) to learn more about deploying, configuring and using this solution.\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 49, **Hunting Queries:** 8, **Watchlists:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", - "subscription": { - "resourceProviders": [ - "Microsoft.OperationsManagement/solutions", - "Microsoft.OperationalInsights/workspaces/providers/alertRules", - "Microsoft.Insights/workbooks", - "Microsoft.Logic/workflows" - ] - }, - "location": { - "metadata": { - "hidden": "Hiding location, we get it from the log analytics workspace" - }, - "visible": false - }, - "resourceGroup": { - "allowExisting": true - } - } - }, - "basics": [ - { - "name": "getLAWorkspace", - "type": "Microsoft.Solutions.ArmApiControl", - "toolTip": "This filters by workspaces that exist in the Resource Group selected", - "condition": "[greater(length(resourceGroup().name),0)]", - "request": { - "method": "GET", - "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" - } - }, - { - "name": "workspace", - "type": "Microsoft.Common.DropDown", - "label": "Workspace", - "placeholder": "Select a workspace", - "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", - "constraints": { - "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", - "required": true - }, - "visible": true - } - ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Microsoft Business Applications. You can get Microsoft Business Applications data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, - { - "name": "workbooks", - "label": "Workbooks", - "subLabel": { - "preValidation": "Configure the workbooks", - "postValidation": "Done" - }, - "bladeTitle": "Workbooks", - "elements": [ - { - "name": "workbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." - } - }, - { - "name": "workbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" - } - } - }, - { - "name": "workbook1", - "type": "Microsoft.Common.Section", - "label": "Dynamics 365 Activity", - "elements": [ - { - "name": "workbook1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data." - } - } - ] - } - ] - }, - { - "name": "analytics", - "label": "Analytics", - "subLabel": { - "preValidation": "Configure the analytics", - "postValidation": "Done" - }, - "bladeTitle": "Analytics", - "elements": [ - { - "name": "analytics-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." - } - }, - { - "name": "analytics-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } - } - }, - { - "name": "analytic1", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Anomalous application user activity", - "elements": [ - { - "name": "analytic1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use." - } - } - ] - }, - { - "name": "analytic2", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Audit log data deletion", - "elements": [ - { - "name": "analytic2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies audit log data deletion activity in Dataverse." - } - } - ] - }, - { - "name": "analytic3", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Audit logging disabled", - "elements": [ - { - "name": "analytic3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a change in system audit configuration whereby audit logging is turned off." - } - } - ] - }, - { - "name": "analytic4", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Bulk record ownership re-assignment or sharing", - "elements": [ - { - "name": "analytic4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold." - } - } - ] - }, - { - "name": "analytic5", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Executable uploaded to SharePoint document management site", - "elements": [ - { - "name": "analytic5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse." - } - } - ] - }, - { - "name": "analytic6", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Export activity from terminated or notified employee", - "elements": [ - { - "name": "analytic6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template." - } - } - ] - }, - { - "name": "analytic7", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Guest user exfiltration following Power Platform defense impairment", - "elements": [ - { - "name": "analytic7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule." - } - } - ] - }, - { - "name": "analytic8", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Hierarchy security manipulation", - "elements": [ - { - "name": "analytic8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies suspicious behaviors in hierarchy security including:\n- Hierarchy security disabled.\n- User assigns themselves as a manager.\n- User assigns themselves to a monitored position." - } - } - ] - }, - { - "name": "analytic9", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Honeypot instance activity", - "elements": [ - { - "name": "analytic9-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.\n\nNote: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled." - } - } - ] - }, - { - "name": "analytic10", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Login by a sensitive privileged user", - "elements": [ - { - "name": "analytic10-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies Dataverse and Dynamics 365 logons by sensitive users." - } - } - ] - }, - { - "name": "analytic11", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Login from IP in the block list", - "elements": [ - { - "name": "analytic11-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template." - } - } - ] - }, - { - "name": "analytic12", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Login from IP not in the allow list", - "elements": [ - { - "name": "analytic12-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template." - } - } - ] - }, - { - "name": "analytic13", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Malware found in SharePoint document management site", - "elements": [ - { - "name": "analytic13-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites." - } - } - ] - }, - { - "name": "analytic14", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Mass deletion of records", - "elements": [ - { - "name": "analytic14-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies large scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs." - } - } - ] - }, - { - "name": "analytic15", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Mass download from SharePoint document management", - "elements": [ - { - "name": "analytic15-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management." - } - } - ] - }, - { - "name": "analytic16", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Mass export of records to Excel", - "elements": [ - { - "name": "analytic16-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies users exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold." - } - } - ] - }, - { - "name": "analytic17", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Mass record updates", - "elements": [ - { - "name": "analytic17-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold." - } - } - ] - }, - { - "name": "analytic18", - "type": "Microsoft.Common.Section", - "label": "Dataverse - New Dataverse application user activity type", - "elements": [ - { - "name": "analytic18-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user." - } - } - ] - }, - { - "name": "analytic19", - "type": "Microsoft.Common.Section", - "label": "Dataverse - New non-interactive identity granted access", - "elements": [ - { - "name": "analytic19-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies API level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user." - } - } - ] - }, - { - "name": "analytic20", - "type": "Microsoft.Common.Section", - "label": "Dataverse - New sign-in from an unauthorized domain", - "elements": [ - { - "name": "analytic20-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default." - } - } - ] - }, - { - "name": "analytic21", - "type": "Microsoft.Common.Section", - "label": "Dataverse - New user agent type that was not used before", - "elements": [ - { - "name": "analytic21-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies users accessing Dataverse from a User Agent that has not been seen in any Dataverse instance in the last 14 days." - } - } - ] - }, - { - "name": "analytic22", - "type": "Microsoft.Common.Section", - "label": "Dataverse - New user agent type that was not used with Office 365", - "elements": [ - { - "name": "analytic22-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days." - } - } - ] - }, - { - "name": "analytic23", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Organization settings modified", - "elements": [ - { - "name": "analytic23-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies changes made at organization level in the Dataverse environment." - } - } - ] - }, - { - "name": "analytic24", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Removal of blocked file extensions", - "elements": [ - { - "name": "analytic24-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension." + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Business%20Applications/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMicrosoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.\n\nThe Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.\n\nIt collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.\n\nDue to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.\n\n**Important**\n\n- The Microsoft Sentinel Solution for Power Platform is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.\n\n- This solution is a premium offering. Pricing information will be available before the solution becomes generally available.\n\nPlease review the solution [documentation](https://learn.microsoft.com/azure/sentinel/business-applications/power-platform-solution-overview) to learn more about deploying, configuring and using this solution.\n\n**Data Connectors:** 4, **Parsers:** 5, **Workbooks:** 1, **Analytic Rules:** 49, **Hunting Queries:** 8, **Watchlists:** 1, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true } - } - ] - }, - { - "name": "analytic25", - "type": "Microsoft.Common.Section", - "label": "Dataverse - SharePoint document management site added or updated", - "elements": [ - { - "name": "analytic25-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector." - } - } - ] - }, - { - "name": "analytic26", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Suspicious security role modifications", - "elements": [ - { - "name": "analytic26-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies an unusual pattern of events whereby a new role is created followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time period." - } - } - ] - }, - { - "name": "analytic27", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Suspicious use of TDS endpoint", - "elements": [ - { - "name": "analytic27-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment." - } - } - ] - }, - { - "name": "analytic28", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Suspicious use of Web API", - "elements": [ - { - "name": "analytic28-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies sign-in across multiple Dataverse environments, breaching a predefined threshold, originating from a user with IP address that was used to sign-into the well known Microsoft Entra app registration." - } - } - ] - }, - { - "name": "analytic29", - "type": "Microsoft.Common.Section", - "label": "Dataverse - TI map IP to DataverseActivity", - "elements": [ - { - "name": "analytic29-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence." - } - } - ] - }, - { - "name": "analytic30", - "type": "Microsoft.Common.Section", - "label": "Dataverse - TI map URL to DataverseActivity", - "elements": [ - { - "name": "analytic30-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence." - } - } - ] - }, - { - "name": "analytic31", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Terminated employee exfiltration over email", - "elements": [ - { - "name": "analytic31-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query identifies Dataverse exfiltration via email by terminated employees." - } - } - ] - }, - { - "name": "analytic32", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Terminated employee exfiltration to USB drive", - "elements": [ - { - "name": "analytic32-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives." - } - } - ] - }, - { - "name": "analytic33", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection", - "elements": [ - { - "name": "analytic33-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies previously unseen IP and user agents in a Dataverse instance following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack" - } - } - ] - }, - { - "name": "analytic34", - "type": "Microsoft.Common.Section", - "label": "Dataverse - User bulk retrieval outside normal activity", - "elements": [ - { - "name": "analytic34-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks." - } - } - ] - }, - { - "name": "analytic35", - "type": "Microsoft.Common.Section", - "label": "F&O - Bank account change following network alias reassignment", - "elements": [ - { - "name": "analytic35-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number." - } - } - ] - }, - { - "name": "analytic36", - "type": "Microsoft.Common.Section", - "label": "F&O - Mass update or deletion of user records", - "elements": [ - { - "name": "analytic36-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds." - } - } - ] - }, - { - "name": "analytic37", - "type": "Microsoft.Common.Section", - "label": "F&O - Non-interactive account mapped to self or sensitive privileged user", - "elements": [ - { - "name": "analytic37-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account." - } - } - ] - }, - { - "name": "analytic38", - "type": "Microsoft.Common.Section", - "label": "F&O - Reverted bank account number modifications", - "elements": [ - { - "name": "analytic38-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later." - } - } - ] - }, - { - "name": "analytic39", - "type": "Microsoft.Common.Section", - "label": "F&O - Unusual sign-in activity using single factor authentication", - "elements": [ - { - "name": "analytic39-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies sucessful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded." - } - } - ] - }, - { - "name": "analytic40", - "type": "Microsoft.Common.Section", - "label": "Power Apps - App activity from unauthorized geo", - "elements": [ - { - "name": "analytic40-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies Power Apps activity from countries in a predefined list of unauthorized countries." - } - } - ] - }, - { - "name": "analytic41", - "type": "Microsoft.Common.Section", - "label": "Power Apps - Bulk sharing of Power Apps to newly created guest users", - "elements": [ - { - "name": "analytic41-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users." - } - } - ] - }, - { - "name": "analytic42", - "type": "Microsoft.Common.Section", - "label": "Power Apps - Multiple apps deleted", - "elements": [ - { - "name": "analytic42-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments." - } - } - ] - }, - { - "name": "analytic43", - "type": "Microsoft.Common.Section", - "label": "Power Apps - Multiple users access a malicious link after launching new app", - "elements": [ - { - "name": "analytic43-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies a chain of events, where a new Power App is created, followed by mulitple users launching the app within the detection window and clicking on the same malicious URL." - } - } - ] - }, - { - "name": "analytic44", - "type": "Microsoft.Common.Section", - "label": "Power Automate - Departing employee flow activity", - "elements": [ - { - "name": "analytic44-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow." - } - } - ] - }, - { - "name": "analytic45", - "type": "Microsoft.Common.Section", - "label": "Power Automate - Unusual bulk deletion of flow resources", - "elements": [ - { - "name": "analytic45-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days." - } - } - ] - }, - { - "name": "analytic46", - "type": "Microsoft.Common.Section", - "label": "Power Platform - Account added to privileged Microsoft Entra roles", - "elements": [ - { - "name": "analytic46-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies changes to privileged directory roles impacting Power Platform:\n- Dynamics 365 Admins\n- Power Platform Admins\n- Fabric Admins" - } - } - ] - }, - { - "name": "analytic47", - "type": "Microsoft.Common.Section", - "label": "Power Platform - Connector added to a sensitive environment", - "elements": [ - { - "name": "analytic47-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments." - } - } - ] - }, - { - "name": "analytic48", - "type": "Microsoft.Common.Section", - "label": "Power Platform - DLP policy updated or removed", - "elements": [ - { - "name": "analytic48-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies changes to DLP policy, specifically policies which are updated or removed." - } - } - ] - }, - { - "name": "analytic49", - "type": "Microsoft.Common.Section", - "label": "Power Platform - Possibly compromised user accesses Power Platform services", - "elements": [ - { - "name": "analytic49-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center." - } - } - ] - } - ] - }, - { - "name": "huntingqueries", - "label": "Hunting Queries", - "bladeTitle": "Hunting Queries", - "elements": [ - { - "name": "huntingqueries-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " - } - }, - { - "name": "huntingqueries-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/hunting" - } } - }, - { - "name": "huntingquery1", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Activity after Microsoft Entra alerts", - "elements": [ - { - "name": "huntingquery1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen. This hunting query depends on Dataverse AzureActiveDirectoryIdentityProtection data connector (DataverseActivity SecurityAlert Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery2", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Activity after failed logons", - "elements": [ - { - "name": "huntingquery2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate. This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery3", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Cross-environment data export activity", - "elements": [ - { - "name": "huntingquery3-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity as users typically work on a small number of environments. This hunting query depends on Dataverse data connector (DataverseActivity Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery4", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Dataverse export copied to USB devices", - "elements": [ - { - "name": "huntingquery4-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to USB drive. This hunting query depends on Dataverse MicrosoftThreatProtection data connector (DataverseActivity DeviceInfo DeviceEvents DeviceFileEvents Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery5", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Generic client app used to access production environments", - "elements": [ - { - "name": "huntingquery5-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query detects the use of the built-in \"Dynamics 365 Example Application\" to access production environments. This generic app can not be restricted by Azure AD authorization controls and could be abused to gain unauthorized access via Web API. This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery6", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Identity management activity outside of privileged directory role membership", - "elements": [ - { - "name": "huntingquery6-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins This hunting query depends on Dataverse IdentityInfo data connector (DataverseActivity IdentityInfo Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery7", - "type": "Microsoft.Common.Section", - "label": "Dataverse - Identity management changes without MFA", - "elements": [ - { - "name": "huntingquery7-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This query is used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)" - } - } - ] - }, - { - "name": "huntingquery8", - "type": "Microsoft.Common.Section", - "label": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users", - "elements": [ - { - "name": "huntingquery8-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The query detects anomalous attempts to perform bulk sharing of Power App to newly created guest users. This hunting query depends on PowerPlatformAdmin AzureActiveDirectory data connector (PowerPlatformAdminActivity AuditLogs Parser or Table)" - } - } - ] - } - ] - }, - { - "name": "watchlists", - "label": "Watchlists", - "subLabel": { - "preValidation": "Configure the watchlists", - "postValidation": "Done" }, - "bladeTitle": "Watchlists", - "elements": [ - { - "name": "watchlists-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Microsoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. Once deployment is successful, the installed watchlists will be available in the Watchlists blade under 'My Watchlists'.", - "link": { - "label": "Learn more", - "uri": "https://aka.ms/sentinelwatchlists" - } - } - }, - { - "name": "watchlist1", - "type": "Microsoft.Common.Section", - "label": "MSBizApps-Configuration", - "elements": [ - { - "name": "watchlist1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "Configuration for Microsoft Business Applications solution" + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" } - } - ] - } - ] - }, - { - "name": "playbooks", - "label": "Playbooks", - "subLabel": { - "preValidation": "Configure the playbooks", - "postValidation": "Done" - }, - "bladeTitle": "Playbooks", - "elements": [ - { - "name": "playbooks-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true } - }, - { - "name": "playbooks-link", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more", - "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" - } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Microsoft Business Applications. You can get Microsoft Business Applications data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Dynamics 365 Activity", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Anomalous application user activity", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Audit log data deletion", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies audit log data deletion activity in Dataverse." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Audit logging disabled", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a change in system audit configuration whereby audit logging is turned off." + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Bulk record ownership re-assignment or sharing", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Executable uploaded to SharePoint document management site", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Export activity from terminated or notified employee", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Guest user exfiltration following Power Platform defense impairment", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Hierarchy security manipulation", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies suspicious behaviors in hierarchy security including:\n- Hierarchy security disabled.\n- User assigns themselves as a manager.\n- User assigns themselves to a monitored position." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Honeypot instance activity", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.\n\nNote: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled." + } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Login by a sensitive privileged user", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies Dataverse and Dynamics 365 logons by sensitive users." + } + } + ] + }, + { + "name": "analytic11", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Login from IP in the block list", + "elements": [ + { + "name": "analytic11-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template." + } + } + ] + }, + { + "name": "analytic12", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Login from IP not in the allow list", + "elements": [ + { + "name": "analytic12-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template." + } + } + ] + }, + { + "name": "analytic13", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Malware found in SharePoint document management site", + "elements": [ + { + "name": "analytic13-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites." + } + } + ] + }, + { + "name": "analytic14", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Mass deletion of records", + "elements": [ + { + "name": "analytic14-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies large scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs." + } + } + ] + }, + { + "name": "analytic15", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Mass download from SharePoint document management", + "elements": [ + { + "name": "analytic15-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management." + } + } + ] + }, + { + "name": "analytic16", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Mass export of records to Excel", + "elements": [ + { + "name": "analytic16-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies users exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold." + } + } + ] + }, + { + "name": "analytic17", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Mass record updates", + "elements": [ + { + "name": "analytic17-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold." + } + } + ] + }, + { + "name": "analytic18", + "type": "Microsoft.Common.Section", + "label": "Dataverse - New Dataverse application user activity type", + "elements": [ + { + "name": "analytic18-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user." + } + } + ] + }, + { + "name": "analytic19", + "type": "Microsoft.Common.Section", + "label": "Dataverse - New non-interactive identity granted access", + "elements": [ + { + "name": "analytic19-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies API level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user." + } + } + ] + }, + { + "name": "analytic20", + "type": "Microsoft.Common.Section", + "label": "Dataverse - New sign-in from an unauthorized domain", + "elements": [ + { + "name": "analytic20-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default." + } + } + ] + }, + { + "name": "analytic21", + "type": "Microsoft.Common.Section", + "label": "Dataverse - New user agent type that was not used before", + "elements": [ + { + "name": "analytic21-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies users accessing Dataverse from a User Agent that has not been seen in any Dataverse instance in the last 14 days." + } + } + ] + }, + { + "name": "analytic22", + "type": "Microsoft.Common.Section", + "label": "Dataverse - New user agent type that was not used with Office 365", + "elements": [ + { + "name": "analytic22-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days." + } + } + ] + }, + { + "name": "analytic23", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Organization settings modified", + "elements": [ + { + "name": "analytic23-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies changes made at organization level in the Dataverse environment." + } + } + ] + }, + { + "name": "analytic24", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Removal of blocked file extensions", + "elements": [ + { + "name": "analytic24-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension." + } + } + ] + }, + { + "name": "analytic25", + "type": "Microsoft.Common.Section", + "label": "Dataverse - SharePoint document management site added or updated", + "elements": [ + { + "name": "analytic25-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector." + } + } + ] + }, + { + "name": "analytic26", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Suspicious security role modifications", + "elements": [ + { + "name": "analytic26-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies an unusual pattern of events whereby a new role is created followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time period." + } + } + ] + }, + { + "name": "analytic27", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Suspicious use of TDS endpoint", + "elements": [ + { + "name": "analytic27-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment." + } + } + ] + }, + { + "name": "analytic28", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Suspicious use of Web API", + "elements": [ + { + "name": "analytic28-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies sign-in across multiple Dataverse environments, breaching a predefined threshold, originating from a user with IP address that was used to sign-into the well known Microsoft Entra app registration." + } + } + ] + }, + { + "name": "analytic29", + "type": "Microsoft.Common.Section", + "label": "Dataverse - TI map IP to DataverseActivity", + "elements": [ + { + "name": "analytic29-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence." + } + } + ] + }, + { + "name": "analytic30", + "type": "Microsoft.Common.Section", + "label": "Dataverse - TI map URL to DataverseActivity", + "elements": [ + { + "name": "analytic30-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence." + } + } + ] + }, + { + "name": "analytic31", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Terminated employee exfiltration over email", + "elements": [ + { + "name": "analytic31-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query identifies Dataverse exfiltration via email by terminated employees." + } + } + ] + }, + { + "name": "analytic32", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Terminated employee exfiltration to USB drive", + "elements": [ + { + "name": "analytic32-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives." + } + } + ] + }, + { + "name": "analytic33", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection", + "elements": [ + { + "name": "analytic33-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies previously unseen IP and user agents in a Dataverse instance following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack" + } + } + ] + }, + { + "name": "analytic34", + "type": "Microsoft.Common.Section", + "label": "Dataverse - User bulk retrieval outside normal activity", + "elements": [ + { + "name": "analytic34-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks." + } + } + ] + }, + { + "name": "analytic35", + "type": "Microsoft.Common.Section", + "label": "F&O - Bank account change following network alias reassignment", + "elements": [ + { + "name": "analytic35-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number." + } + } + ] + }, + { + "name": "analytic36", + "type": "Microsoft.Common.Section", + "label": "F&O - Mass update or deletion of user records", + "elements": [ + { + "name": "analytic36-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds." + } + } + ] + }, + { + "name": "analytic37", + "type": "Microsoft.Common.Section", + "label": "F&O - Non-interactive account mapped to self or sensitive privileged user", + "elements": [ + { + "name": "analytic37-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account." + } + } + ] + }, + { + "name": "analytic38", + "type": "Microsoft.Common.Section", + "label": "F&O - Reverted bank account number modifications", + "elements": [ + { + "name": "analytic38-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later." + } + } + ] + }, + { + "name": "analytic39", + "type": "Microsoft.Common.Section", + "label": "F&O - Unusual sign-in activity using single factor authentication", + "elements": [ + { + "name": "analytic39-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies sucessful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded." + } + } + ] + }, + { + "name": "analytic40", + "type": "Microsoft.Common.Section", + "label": "Power Apps - App activity from unauthorized geo", + "elements": [ + { + "name": "analytic40-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies Power Apps activity from countries in a predefined list of unauthorized countries." + } + } + ] + }, + { + "name": "analytic41", + "type": "Microsoft.Common.Section", + "label": "Power Apps - Bulk sharing of Power Apps to newly created guest users", + "elements": [ + { + "name": "analytic41-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users." + } + } + ] + }, + { + "name": "analytic42", + "type": "Microsoft.Common.Section", + "label": "Power Apps - Multiple apps deleted", + "elements": [ + { + "name": "analytic42-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments." + } + } + ] + }, + { + "name": "analytic43", + "type": "Microsoft.Common.Section", + "label": "Power Apps - Multiple users access a malicious link after launching new app", + "elements": [ + { + "name": "analytic43-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies a chain of events, where a new Power App is created, followed by mulitple users launching the app within the detection window and clicking on the same malicious URL." + } + } + ] + }, + { + "name": "analytic44", + "type": "Microsoft.Common.Section", + "label": "Power Automate - Departing employee flow activity", + "elements": [ + { + "name": "analytic44-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow." + } + } + ] + }, + { + "name": "analytic45", + "type": "Microsoft.Common.Section", + "label": "Power Automate - Unusual bulk deletion of flow resources", + "elements": [ + { + "name": "analytic45-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days." + } + } + ] + }, + { + "name": "analytic46", + "type": "Microsoft.Common.Section", + "label": "Power Platform - Account added to privileged Microsoft Entra roles", + "elements": [ + { + "name": "analytic46-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies changes to privileged directory roles impacting Power Platform:\n- Dynamics 365 Admins\n- Power Platform Admins\n- Fabric Admins" + } + } + ] + }, + { + "name": "analytic47", + "type": "Microsoft.Common.Section", + "label": "Power Platform - Connector added to a sensitive environment", + "elements": [ + { + "name": "analytic47-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments." + } + } + ] + }, + { + "name": "analytic48", + "type": "Microsoft.Common.Section", + "label": "Power Platform - DLP policy updated or removed", + "elements": [ + { + "name": "analytic48-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies changes to DLP policy, specifically policies which are updated or removed." + } + } + ] + }, + { + "name": "analytic49", + "type": "Microsoft.Common.Section", + "label": "Power Platform - Possibly compromised user accesses Power Platform services", + "elements": [ + { + "name": "analytic49-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Activity after Microsoft Entra alerts", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen. This hunting query depends on Dataverse AzureActiveDirectoryIdentityProtection data connector (DataverseActivity SecurityAlert Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Activity after failed logons", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate. This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Cross-environment data export activity", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity as users typically work on a small number of environments. This hunting query depends on Dataverse data connector (DataverseActivity Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Dataverse export copied to USB devices", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to USB drive. This hunting query depends on Dataverse MicrosoftThreatProtection data connector (DataverseActivity DeviceInfo DeviceEvents DeviceFileEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Generic client app used to access production environments", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects the use of the built-in \"Dynamics 365 Example Application\" to access production environments. This generic app can not be restricted by Azure AD authorization controls and could be abused to gain unauthorized access via Web API. This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Identity management activity outside of privileged directory role membership", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins This hunting query depends on Dataverse IdentityInfo data connector (DataverseActivity IdentityInfo Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery7", + "type": "Microsoft.Common.Section", + "label": "Dataverse - Identity management changes without MFA", + "elements": [ + { + "name": "huntingquery7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query is used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA This hunting query depends on Dataverse AzureActiveDirectory data connector (DataverseActivity SigninLogs Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery8", + "type": "Microsoft.Common.Section", + "label": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users", + "elements": [ + { + "name": "huntingquery8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The query detects anomalous attempts to perform bulk sharing of Power App to newly created guest users. This hunting query depends on PowerPlatformAdmin AzureActiveDirectory data connector (PowerPlatformAdminActivity AuditLogs Parser or Table)" + } + } + ] + } + ] + }, + { + "name": "watchlists", + "label": "Watchlists", + "subLabel": { + "preValidation": "Configure the watchlists", + "postValidation": "Done" + }, + "bladeTitle": "Watchlists", + "elements": [ + { + "name": "watchlists-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Microsoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. Once deployment is successful, the installed watchlists will be available in the Watchlists blade under 'My Watchlists'.", + "link": { + "label": "Learn more", + "uri": "https://aka.ms/sentinelwatchlists" + } + } + }, + { + "name": "watchlist1", + "type": "Microsoft.Common.Section", + "label": "MSBizApps-Configuration", + "elements": [ + { + "name": "watchlist1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Configuration for Microsoft Business Applications solution" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." + } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] } - } - ] - } - ], - "outputs": { - "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", - "location": "[location()]", - "workspace": "[basics('workspace')]" + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } } - } -} +} \ No newline at end of file diff --git a/Solutions/Microsoft Business Applications/Package/mainTemplate.json b/Solutions/Microsoft Business Applications/Package/mainTemplate.json index b91dddab106..2d61fea23b4 100644 --- a/Solutions/Microsoft Business Applications/Package/mainTemplate.json +++ b/Solutions/Microsoft Business Applications/Package/mainTemplate.json @@ -1,13336 +1,14620 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "author": "Microsoft", - "comments": "Solution template for Microsoft Business Applications" - }, - "parameters": { - "location": { - "type": "string", - "minLength": 1, - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" - } - }, - "workspace-location": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" - } - }, - "workspace": { - "defaultValue": "", - "type": "string", - "metadata": { - "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "resource group name where Microsoft Sentinel is setup" - } - }, - "subscription": { - "type": "string", - "defaultValue": "[last(split(subscription().id, '/'))]", - "metadata": { - "description": "subscription id where Microsoft Sentinel is setup" - } - }, - "workbook1-name": { - "type": "string", - "defaultValue": "Dynamics 365 Activity", - "minLength": 1, - "metadata": { - "description": "Name for the workbook" - } - }, - "watchlist1-id": { - "type": "string", - "defaultValue": "MSBizApps-Configuration", - "minLength": 1, - "metadata": { - "description": "Unique id for the watchlist" - } - } - }, - "variables": { - "_solutionName": "Microsoft Business Applications", - "_solutionVersion": "3.2.0", - "solutionId": "sentinel4dynamics365.powerplatform", - "_solutionId": "[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "dataConnectorCCPVersion": "1.0.0", - "_dataConnectorContentIdConnectorDefinition1": "Dynamics365Finance", - "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", - "_dataConnectorContentIdConnections1": "Dynamics365FinanceConnections", - "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", - "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", - "blanks": "[replace('b', 'b', '')]", - "TemplateEmptyObject": "[json('{}')]", - "workbookVersion1": "1.0.4", - "workbookContentId1": "Dynamics365Activity", - "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", - "_workbookContentId1": "[variables('workbookContentId1')]", - "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "analyticRuleObject1": { - "analyticRuleVersion1": "3.2.0", - "_analyticRulecontentId1": "0820da12-e895-417f-9175-7c256fcfb33e", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0820da12-e895-417f-9175-7c256fcfb33e')]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0820da12-e895-417f-9175-7c256fcfb33e')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0820da12-e895-417f-9175-7c256fcfb33e','-', '3.2.0')))]" - }, - "analyticRuleObject2": { - "analyticRuleVersion2": "3.2.0", - "_analyticRulecontentId2": "f1634822-b7e9-44f5-95ac-fa4a04f14513", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f1634822-b7e9-44f5-95ac-fa4a04f14513')]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f1634822-b7e9-44f5-95ac-fa4a04f14513')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f1634822-b7e9-44f5-95ac-fa4a04f14513','-', '3.2.0')))]" - }, - "analyticRuleObject3": { - "analyticRuleVersion3": "3.2.0", - "_analyticRulecontentId3": "ea07523b-e6b8-469b-9e25-cdef1ae6fb45", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ea07523b-e6b8-469b-9e25-cdef1ae6fb45')]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ea07523b-e6b8-469b-9e25-cdef1ae6fb45')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ea07523b-e6b8-469b-9e25-cdef1ae6fb45','-', '3.2.0')))]" - }, - "analyticRuleObject4": { - "analyticRuleVersion4": "3.2.0", - "_analyticRulecontentId4": "6e480329-84bc-409a-b97b-22e8102af3ca", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6e480329-84bc-409a-b97b-22e8102af3ca')]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6e480329-84bc-409a-b97b-22e8102af3ca')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6e480329-84bc-409a-b97b-22e8102af3ca','-', '3.2.0')))]" - }, - "analyticRuleObject5": { - "analyticRuleVersion5": "3.2.0", - "_analyticRulecontentId5": "ba5e608f-7879-4927-8b0d-a9948b4fe6f3", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ba5e608f-7879-4927-8b0d-a9948b4fe6f3')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba5e608f-7879-4927-8b0d-a9948b4fe6f3','-', '3.2.0')))]" - }, - "analyticRuleObject6": { - "analyticRuleVersion6": "3.2.0", - "_analyticRulecontentId6": "0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b','-', '3.2.0')))]" - }, - "analyticRuleObject7": { - "analyticRuleVersion7": "3.2.0", - "_analyticRulecontentId7": "39efbf4b-b347-4cc7-895e-99a868bf29ea", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39efbf4b-b347-4cc7-895e-99a868bf29ea')]", - "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39efbf4b-b347-4cc7-895e-99a868bf29ea')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39efbf4b-b347-4cc7-895e-99a868bf29ea','-', '3.2.0')))]" - }, - "analyticRuleObject8": { - "analyticRuleVersion8": "3.2.0", - "_analyticRulecontentId8": "2df0adf5-92a8-4ee0-a123-3eb5be1eed02", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2df0adf5-92a8-4ee0-a123-3eb5be1eed02')]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2df0adf5-92a8-4ee0-a123-3eb5be1eed02')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2df0adf5-92a8-4ee0-a123-3eb5be1eed02','-', '3.2.0')))]" - }, - "analyticRuleObject9": { - "analyticRuleVersion9": "3.2.0", - "_analyticRulecontentId9": "11650b85-d8cc-49c4-8c04-a8a739635983", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '11650b85-d8cc-49c4-8c04-a8a739635983')]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('11650b85-d8cc-49c4-8c04-a8a739635983')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','11650b85-d8cc-49c4-8c04-a8a739635983','-', '3.2.0')))]" - }, - "analyticRuleObject10": { - "analyticRuleVersion10": "3.2.0", - "_analyticRulecontentId10": "f327816b-9328-4b17-9290-a02adc2f4928", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f327816b-9328-4b17-9290-a02adc2f4928')]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f327816b-9328-4b17-9290-a02adc2f4928')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f327816b-9328-4b17-9290-a02adc2f4928','-', '3.2.0')))]" - }, - "analyticRuleObject11": { - "analyticRuleVersion11": "3.2.0", - "_analyticRulecontentId11": "666fef96-1bb8-4abf-ad72-e5cb49561381", - "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '666fef96-1bb8-4abf-ad72-e5cb49561381')]", - "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('666fef96-1bb8-4abf-ad72-e5cb49561381')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','666fef96-1bb8-4abf-ad72-e5cb49561381','-', '3.2.0')))]" - }, - "analyticRuleObject12": { - "analyticRuleVersion12": "3.2.0", - "_analyticRulecontentId12": "81c693fe-f6c4-4352-bc10-3526f6e22637", - "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '81c693fe-f6c4-4352-bc10-3526f6e22637')]", - "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('81c693fe-f6c4-4352-bc10-3526f6e22637')))]", - "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','81c693fe-f6c4-4352-bc10-3526f6e22637','-', '3.2.0')))]" - }, - "analyticRuleObject13": { - "analyticRuleVersion13": "3.2.0", - "_analyticRulecontentId13": "2e3878bb-d519-43aa-9992-ea069df099e4", - "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2e3878bb-d519-43aa-9992-ea069df099e4')]", - "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2e3878bb-d519-43aa-9992-ea069df099e4')))]", - "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e3878bb-d519-43aa-9992-ea069df099e4','-', '3.2.0')))]" - }, - "analyticRuleObject14": { - "analyticRuleVersion14": "3.2.0", - "_analyticRulecontentId14": "716cf6d4-97ad-407b-923e-6790083acb58", - "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '716cf6d4-97ad-407b-923e-6790083acb58')]", - "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('716cf6d4-97ad-407b-923e-6790083acb58')))]", - "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','716cf6d4-97ad-407b-923e-6790083acb58','-', '3.2.0')))]" - }, - "analyticRuleObject15": { - "analyticRuleVersion15": "3.2.0", - "_analyticRulecontentId15": "95e02f1b-5886-4043-8f0e-a42e6e23330f", - "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95e02f1b-5886-4043-8f0e-a42e6e23330f')]", - "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95e02f1b-5886-4043-8f0e-a42e6e23330f')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95e02f1b-5886-4043-8f0e-a42e6e23330f','-', '3.2.0')))]" - }, - "analyticRuleObject16": { - "analyticRuleVersion16": "3.2.0", - "_analyticRulecontentId16": "57000f0d-ff5d-4166-94b6-aa5fb62b16ec", - "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57000f0d-ff5d-4166-94b6-aa5fb62b16ec')]", - "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57000f0d-ff5d-4166-94b6-aa5fb62b16ec')))]", - "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57000f0d-ff5d-4166-94b6-aa5fb62b16ec','-', '3.2.0')))]" - }, - "analyticRuleObject17": { - "analyticRuleVersion17": "3.2.0", - "_analyticRulecontentId17": "df577f0f-1d8a-4420-9057-a07f0edb15c8", - "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'df577f0f-1d8a-4420-9057-a07f0edb15c8')]", - "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('df577f0f-1d8a-4420-9057-a07f0edb15c8')))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df577f0f-1d8a-4420-9057-a07f0edb15c8','-', '3.2.0')))]" - }, - "analyticRuleObject18": { - "analyticRuleVersion18": "3.2.0", - "_analyticRulecontentId18": "5c768e7d-7e5e-4d57-80d4-3f50c96fbf70", - "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]", - "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5c768e7d-7e5e-4d57-80d4-3f50c96fbf70','-', '3.2.0')))]" - }, - "analyticRuleObject19": { - "analyticRuleVersion19": "3.2.0", - "_analyticRulecontentId19": "682e230c-e5da-4085-8666-701d1f1be7de", - "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '682e230c-e5da-4085-8666-701d1f1be7de')]", - "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('682e230c-e5da-4085-8666-701d1f1be7de')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','682e230c-e5da-4085-8666-701d1f1be7de','-', '3.2.0')))]" - }, - "analyticRuleObject20": { - "analyticRuleVersion20": "3.2.0", - "_analyticRulecontentId20": "4c1c9aee-8e44-4bb9-bd53-f3e7d6761282", - "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c1c9aee-8e44-4bb9-bd53-f3e7d6761282')]", - "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c1c9aee-8e44-4bb9-bd53-f3e7d6761282')))]", - "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c1c9aee-8e44-4bb9-bd53-f3e7d6761282','-', '3.2.0')))]" - }, - "analyticRuleObject21": { - "analyticRuleVersion21": "3.2.0", - "_analyticRulecontentId21": "34a5d79b-8f9a-420c-aa64-7f4d262ac29a", - "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34a5d79b-8f9a-420c-aa64-7f4d262ac29a')]", - "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34a5d79b-8f9a-420c-aa64-7f4d262ac29a')))]", - "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34a5d79b-8f9a-420c-aa64-7f4d262ac29a','-', '3.2.0')))]" - }, - "analyticRuleObject22": { - "analyticRuleVersion22": "3.2.0", - "_analyticRulecontentId22": "094b3c0a-1f63-42f7-9535-c8c7b7198328", - "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '094b3c0a-1f63-42f7-9535-c8c7b7198328')]", - "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('094b3c0a-1f63-42f7-9535-c8c7b7198328')))]", - "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','094b3c0a-1f63-42f7-9535-c8c7b7198328','-', '3.2.0')))]" - }, - "analyticRuleObject23": { - "analyticRuleVersion23": "3.2.0", - "_analyticRulecontentId23": "a6f6b734-3db8-4259-a988-69e0b8eac0c2", - "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a6f6b734-3db8-4259-a988-69e0b8eac0c2')]", - "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a6f6b734-3db8-4259-a988-69e0b8eac0c2')))]", - "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a6f6b734-3db8-4259-a988-69e0b8eac0c2','-', '3.2.0')))]" - }, - "analyticRuleObject24": { - "analyticRuleVersion24": "3.2.0", - "_analyticRulecontentId24": "1b1061be-2595-4492-af6d-1c8a5fc9576d", - "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b1061be-2595-4492-af6d-1c8a5fc9576d')]", - "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b1061be-2595-4492-af6d-1c8a5fc9576d')))]", - "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b1061be-2595-4492-af6d-1c8a5fc9576d','-', '3.2.0')))]" - }, - "analyticRuleObject25": { - "analyticRuleVersion25": "3.2.0", - "_analyticRulecontentId25": "c4c3510a-0ee0-4561-9835-47882ffa7f46", - "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c4c3510a-0ee0-4561-9835-47882ffa7f46')]", - "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c4c3510a-0ee0-4561-9835-47882ffa7f46')))]", - "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c4c3510a-0ee0-4561-9835-47882ffa7f46','-', '3.2.0')))]" - }, - "analyticRuleObject26": { - "analyticRuleVersion26": "3.2.0", - "_analyticRulecontentId26": "e44a58b2-b63a-4eb9-92da-85660d73495c", - "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e44a58b2-b63a-4eb9-92da-85660d73495c')]", - "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e44a58b2-b63a-4eb9-92da-85660d73495c')))]", - "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e44a58b2-b63a-4eb9-92da-85660d73495c','-', '3.2.0')))]" - }, - "analyticRuleObject27": { - "analyticRuleVersion27": "3.2.0", - "_analyticRulecontentId27": "d875af10-6bb9-4d6a-a6e4-78439a98bf4b", - "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd875af10-6bb9-4d6a-a6e4-78439a98bf4b')]", - "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d875af10-6bb9-4d6a-a6e4-78439a98bf4b')))]", - "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d875af10-6bb9-4d6a-a6e4-78439a98bf4b','-', '3.2.0')))]" - }, - "analyticRuleObject28": { - "analyticRuleVersion28": "3.2.0", - "_analyticRulecontentId28": "8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86", - "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')]", - "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')))]", - "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86','-', '3.2.0')))]" - }, - "analyticRuleObject29": { - "analyticRuleVersion29": "3.2.0", - "_analyticRulecontentId29": "56d5aa0c-d871-4167-ba13-61c2f0fd17bf", - "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '56d5aa0c-d871-4167-ba13-61c2f0fd17bf')]", - "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('56d5aa0c-d871-4167-ba13-61c2f0fd17bf')))]", - "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','56d5aa0c-d871-4167-ba13-61c2f0fd17bf','-', '3.2.0')))]" - }, - "analyticRuleObject30": { - "analyticRuleVersion30": "3.2.0", - "_analyticRulecontentId30": "d88a0e22-3b6a-40c2-af28-c064b44d03b7", - "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd88a0e22-3b6a-40c2-af28-c064b44d03b7')]", - "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d88a0e22-3b6a-40c2-af28-c064b44d03b7')))]", - "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d88a0e22-3b6a-40c2-af28-c064b44d03b7','-', '3.2.0')))]" - }, - "analyticRuleObject31": { - "analyticRuleVersion31": "3.2.0", - "_analyticRulecontentId31": "de039242-47e0-43fa-84d7-b6be24305349", - "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'de039242-47e0-43fa-84d7-b6be24305349')]", - "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('de039242-47e0-43fa-84d7-b6be24305349')))]", - "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','de039242-47e0-43fa-84d7-b6be24305349','-', '3.2.0')))]" - }, - "analyticRuleObject32": { - "analyticRuleVersion32": "3.2.0", - "_analyticRulecontentId32": "c5e75cb6-cea0-49c2-a998-da414035aac1", - "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c5e75cb6-cea0-49c2-a998-da414035aac1')]", - "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c5e75cb6-cea0-49c2-a998-da414035aac1')))]", - "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c5e75cb6-cea0-49c2-a998-da414035aac1','-', '3.2.0')))]" - }, - "analyticRuleObject33": { - "analyticRuleVersion33": "3.2.0", - "_analyticRulecontentId33": "d7c9549c-7246-4555-8e53-d7b0db546764", - "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd7c9549c-7246-4555-8e53-d7b0db546764')]", - "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d7c9549c-7246-4555-8e53-d7b0db546764')))]", - "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d7c9549c-7246-4555-8e53-d7b0db546764','-', '3.2.0')))]" - }, - "analyticRuleObject34": { - "analyticRuleVersion34": "3.2.0", - "_analyticRulecontentId34": "08cb7ffc-59c6-4e7d-88e0-327371c9431b", - "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '08cb7ffc-59c6-4e7d-88e0-327371c9431b')]", - "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('08cb7ffc-59c6-4e7d-88e0-327371c9431b')))]", - "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','08cb7ffc-59c6-4e7d-88e0-327371c9431b','-', '3.2.0')))]" - }, - "analyticRuleObject35": { - "analyticRuleVersion35": "3.2.0", - "_analyticRulecontentId35": "dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64", - "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')]", - "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')))]", - "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64','-', '3.2.0')))]" - }, - "analyticRuleObject36": { - "analyticRuleVersion36": "3.2.0", - "_analyticRulecontentId36": "5ab00fbb-ba2c-44dc-b02e-f119639b9a11", - "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5ab00fbb-ba2c-44dc-b02e-f119639b9a11')]", - "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5ab00fbb-ba2c-44dc-b02e-f119639b9a11')))]", - "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5ab00fbb-ba2c-44dc-b02e-f119639b9a11','-', '3.2.0')))]" - }, - "analyticRuleObject37": { - "analyticRuleVersion37": "3.2.0", - "_analyticRulecontentId37": "5b7cc7f9-fe54-4138-9fb0-d650807345d3", - "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b7cc7f9-fe54-4138-9fb0-d650807345d3')]", - "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b7cc7f9-fe54-4138-9fb0-d650807345d3')))]", - "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b7cc7f9-fe54-4138-9fb0-d650807345d3','-', '3.2.0')))]" - }, - "analyticRuleObject38": { - "analyticRuleVersion38": "3.2.0", - "_analyticRulecontentId38": "44b1021c-d517-4b7a-9ba6-a91eab94e632", - "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44b1021c-d517-4b7a-9ba6-a91eab94e632')]", - "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44b1021c-d517-4b7a-9ba6-a91eab94e632')))]", - "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44b1021c-d517-4b7a-9ba6-a91eab94e632','-', '3.2.0')))]" - }, - "analyticRuleObject39": { - "analyticRuleVersion39": "3.2.0", - "_analyticRulecontentId39": "919e939f-95e2-4978-846e-13a721c89ea1", - "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '919e939f-95e2-4978-846e-13a721c89ea1')]", - "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('919e939f-95e2-4978-846e-13a721c89ea1')))]", - "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','919e939f-95e2-4978-846e-13a721c89ea1','-', '3.2.0')))]" - }, - "analyticRuleObject40": { - "analyticRuleVersion40": "3.2.0", - "_analyticRulecontentId40": "7ec1e61d-f3b7-4f40-bb1a-357a63913c23", - "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7ec1e61d-f3b7-4f40-bb1a-357a63913c23')]", - "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7ec1e61d-f3b7-4f40-bb1a-357a63913c23')))]", - "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7ec1e61d-f3b7-4f40-bb1a-357a63913c23','-', '3.2.0')))]" - }, - "analyticRuleObject41": { - "analyticRuleVersion41": "3.2.0", - "_analyticRulecontentId41": "943acfa0-9285-4eb0-a9c0-42e36177ef19", - "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '943acfa0-9285-4eb0-a9c0-42e36177ef19')]", - "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('943acfa0-9285-4eb0-a9c0-42e36177ef19')))]", - "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.2.0')))]" - }, - "analyticRuleObject42": { - "analyticRuleVersion42": "3.2.0", - "_analyticRulecontentId42": "ed88638d-8627-4c20-ba08-67c13807a9b1", - "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ed88638d-8627-4c20-ba08-67c13807a9b1')]", - "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ed88638d-8627-4c20-ba08-67c13807a9b1')))]", - "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ed88638d-8627-4c20-ba08-67c13807a9b1','-', '3.2.0')))]" - }, - "analyticRuleObject43": { - "analyticRuleVersion43": "3.2.0", - "_analyticRulecontentId43": "4bd7e93a-0646-4e02-8dcb-aa16d16618f4", - "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4bd7e93a-0646-4e02-8dcb-aa16d16618f4')]", - "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4bd7e93a-0646-4e02-8dcb-aa16d16618f4')))]", - "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4bd7e93a-0646-4e02-8dcb-aa16d16618f4','-', '3.2.0')))]" - }, - "analyticRuleObject44": { - "analyticRuleVersion44": "3.2.0", - "_analyticRulecontentId44": "b1e11b8c-545a-4dea-a912-0008e160d183", - "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b1e11b8c-545a-4dea-a912-0008e160d183')]", - "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b1e11b8c-545a-4dea-a912-0008e160d183')))]", - "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b1e11b8c-545a-4dea-a912-0008e160d183','-', '3.2.0')))]" - }, - "analyticRuleObject45": { - "analyticRuleVersion45": "3.2.0", - "_analyticRulecontentId45": "56cb646e-56a0-4f0e-8866-9bc1dd15da78", - "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '56cb646e-56a0-4f0e-8866-9bc1dd15da78')]", - "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('56cb646e-56a0-4f0e-8866-9bc1dd15da78')))]", - "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','56cb646e-56a0-4f0e-8866-9bc1dd15da78','-', '3.2.0')))]" - }, - "analyticRuleObject46": { - "analyticRuleVersion46": "3.2.0", - "_analyticRulecontentId46": "71d829d6-eb50-4a17-8a64-655fae8d71e1", - "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '71d829d6-eb50-4a17-8a64-655fae8d71e1')]", - "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('71d829d6-eb50-4a17-8a64-655fae8d71e1')))]", - "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','71d829d6-eb50-4a17-8a64-655fae8d71e1','-', '3.2.0')))]" - }, - "analyticRuleObject47": { - "analyticRuleVersion47": "3.2.0", - "_analyticRulecontentId47": "886a5655-3d12-42f1-8927-4095789c575e", - "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '886a5655-3d12-42f1-8927-4095789c575e')]", - "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('886a5655-3d12-42f1-8927-4095789c575e')))]", - "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','886a5655-3d12-42f1-8927-4095789c575e','-', '3.2.0')))]" - }, - "analyticRuleObject48": { - "analyticRuleVersion48": "3.2.0", - "_analyticRulecontentId48": "1b2e6172-85c5-417a-90c3-7cc80cb787f5", - "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b2e6172-85c5-417a-90c3-7cc80cb787f5')]", - "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b2e6172-85c5-417a-90c3-7cc80cb787f5')))]", - "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.2.0')))]" - }, - "analyticRuleObject49": { - "analyticRuleVersion49": "3.0.0", - "_analyticRulecontentId49": "54d48840-1c64-4399-afee-ad39a069118d", - "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54d48840-1c64-4399-afee-ad39a069118d')]", - "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54d48840-1c64-4399-afee-ad39a069118d')))]", - "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54d48840-1c64-4399-afee-ad39a069118d','-', '3.0.0')))]" - }, - "huntingQueryObject1": { - "huntingQueryVersion1": "3.2.0", - "_huntingQuerycontentId1": "428c3d41-e441-4244-994e-b059d6316bc4", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('428c3d41-e441-4244-994e-b059d6316bc4')))]" - }, - "huntingQueryObject2": { - "huntingQueryVersion2": "3.2.0", - "_huntingQuerycontentId2": "dafcc598-2987-4aa0-947e-7d0449677689", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('dafcc598-2987-4aa0-947e-7d0449677689')))]" - }, - "huntingQueryObject3": { - "huntingQueryVersion3": "3.2.0", - "_huntingQuerycontentId3": "74a48db8-dc1d-414e-9709-39fa3f8a2246", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('74a48db8-dc1d-414e-9709-39fa3f8a2246')))]" - }, - "huntingQueryObject4": { - "huntingQueryVersion4": "3.2.0", - "_huntingQuerycontentId4": "f9658e11-e277-4a65-8f91-2cb94cf7497c", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f9658e11-e277-4a65-8f91-2cb94cf7497c')))]" - }, - "huntingQueryObject5": { - "huntingQueryVersion5": "3.2.0", - "_huntingQuerycontentId5": "90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a')))]" - }, - "huntingQueryObject6": { - "huntingQueryVersion6": "3.2.0", - "_huntingQuerycontentId6": "c7e6e48a-0514-4989-bc90-4a3c9207ede1", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c7e6e48a-0514-4989-bc90-4a3c9207ede1')))]" - }, - "huntingQueryObject7": { - "huntingQueryVersion7": "3.2.0", - "_huntingQuerycontentId7": "385234b7-d96c-4dc3-9c0e-ceb46048d487", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('385234b7-d96c-4dc3-9c0e-ceb46048d487')))]" - }, - "huntingQueryObject8": { - "huntingQueryVersion8": "3.2.0", - "_huntingQuerycontentId8": "169428be-5ed0-4230-9103-c83df89c789a", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('169428be-5ed0-4230-9103-c83df89c789a')))]" - }, - "Dataverse-Add-SharePoint-Site": "Dataverse-Add-SharePoint-Site", - "_Dataverse-Add-SharePoint-Site": "[variables('Dataverse-Add-SharePoint-Site')]", - "playbookVersion1": "1.0", - "playbookContentId1": "Dataverse-Add-SharePoint-Site", - "_playbookContentId1": "[variables('playbookContentId1')]", - "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", - "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", - "Dataverse-Blocklist-Add-User-AlertTrigger": "Dataverse-Blocklist-Add-User-AlertTrigger", - "_Dataverse-Blocklist-Add-User-AlertTrigger": "[variables('Dataverse-Blocklist-Add-User-AlertTrigger')]", - "playbookVersion2": "1.0", - "playbookContentId2": "Dataverse-Blocklist-Add-User-AlertTrigger", - "_playbookContentId2": "[variables('playbookContentId2')]", - "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", - "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "Dataverse-Blocklist-Add-User-Via-Outlook": "Dataverse-Blocklist-Add-User-Via-Outlook", - "_Dataverse-Blocklist-Add-User-Via-Outlook": "[variables('Dataverse-Blocklist-Add-User-Via-Outlook')]", - "playbookVersion3": "1.0", - "playbookContentId3": "Dataverse-Blocklist-Add-User-Via-Outlook", - "_playbookContentId3": "[variables('playbookContentId3')]", - "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", - "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", - "Dataverse-Blocklist-Add-User-Via-Teams": "Dataverse-Blocklist-Add-User-Via-Teams", - "_Dataverse-Blocklist-Add-User-Via-Teams": "[variables('Dataverse-Blocklist-Add-User-Via-Teams')]", - "playbookVersion4": "1.0", - "playbookContentId4": "Dataverse-Blocklist-Add-User-Via-Teams", - "_playbookContentId4": "[variables('playbookContentId4')]", - "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", - "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", - "Dataverse-Blocklist-Add-User": "Dataverse-Blocklist-Add-User", - "_Dataverse-Blocklist-Add-User": "[variables('Dataverse-Blocklist-Add-User')]", - "playbookVersion5": "1.0", - "playbookContentId5": "Dataverse-Blocklist-Add-User", - "_playbookContentId5": "[variables('playbookContentId5')]", - "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", - "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", - "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", - "Dataverse-Blocklist-Remove-User-AlertTrigger": "Dataverse-Blocklist-Remove-User-AlertTrigger", - "_Dataverse-Blocklist-Remove-User-AlertTrigger": "[variables('Dataverse-Blocklist-Remove-User-AlertTrigger')]", - "playbookVersion6": "1.0", - "playbookContentId6": "Dataverse-Blocklist-Remove-User-AlertTrigger", - "_playbookContentId6": "[variables('playbookContentId6')]", - "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", - "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", - "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", - "Dataverse-Send-Manager-Notification": "Dataverse-Send-Manager-Notification", - "_Dataverse-Send-Manager-Notification": "[variables('Dataverse-Send-Manager-Notification')]", - "playbookVersion7": "1.0", - "playbookContentId7": "Dataverse-Send-Manager-Notification", - "_playbookContentId7": "[variables('playbookContentId7')]", - "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", - "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", - "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", - "MSBizApps-Incident-From-Alert-Teams": "MSBizApps-Incident-From-Alert-Teams", - "_MSBizApps-Incident-From-Alert-Teams": "[variables('MSBizApps-Incident-From-Alert-Teams')]", - "playbookVersion8": "1.0", - "playbookContentId8": "MSBizApps-Incident-From-Alert-Teams", - "_playbookContentId8": "[variables('playbookContentId8')]", - "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", - "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", - "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", - "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','DataverseSharePointSites')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DataverseSharePointSites-Parser')))]", - "parserVersion1": "3.2.0", - "parserContentId1": "DataverseSharePointSites-Parser" - }, - "parserObject2": { - "_parserName2": "[concat(parameters('workspace'),'/','MSBizAppsNetworkAddresses')]", - "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]", - "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsNetworkAddresses-Parser')))]", - "parserVersion2": "3.2.0", - "parserContentId2": "MSBizAppsNetworkAddresses-Parser" - }, - "parserObject3": { - "_parserName3": "[concat(parameters('workspace'),'/','MSBizAppsOrgSettings')]", - "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]", - "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsOrgSettings-Parser')))]", - "parserVersion3": "3.2.0", - "parserContentId3": "MSBizAppsOrgSettings-Parser" - }, - "parserObject4": { - "_parserName4": "[concat(parameters('workspace'),'/','MSBizAppsTerminatedEmployees')]", - "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]", - "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsTerminatedEmployees-Parser')))]", - "parserVersion4": "3.0.1", - "parserContentId4": "MSBizAppsTerminatedEmployees-Parser" - }, - "parserObject5": { - "_parserName5": "[concat(parameters('workspace'),'/','MSBizAppsVIPUsers')]", - "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]", - "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsVIPUsers-Parser')))]", - "parserVersion5": "3.2.0", - "parserContentId5": "MSBizAppsVIPUsers-Parser" - }, - "MSBizApps-Configuration": "MSBizApps-Configuration", - "_MSBizApps-Configuration": "[variables('MSBizApps-Configuration')]", - "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", - "displayName": "Dynamics 365 Finance and Operations", - "contentKind": "DataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "Dynamics365Finance", - "title": "Dynamics 365 Finance and Operations", - "publisher": "Microsoft", - "logo": "Dynamics365.svg", - "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.", - "graphQueriesTableName": "FinanceOperationsActivity_CL", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "{{graphQueriesTableName}}", - "baseQuery": "{{graphQueriesTableName}}" - } - ], - "sampleQueries": [ - { - "description": "Finance and Operations Audited Tables", - "query": "{{graphQueriesTableName}}\n | summarize by TableName" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" - } - ], - "availability": { - "isPreview": true - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft Entra app registration", - "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations." - } - ] - }, - "instructionSteps": [ - { - "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL." - }, - { - "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:" - }, - { - "title": "Step 1 - Microsoft Entra app registration", - "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use." - }, - { - "title": "Step 2 - Create a role for data collection in Finance and Operations", - "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role." - }, - { - "title": "Step 3 - Create a user for data collection in Finance and Operations", - "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user." - }, - { - "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations", - "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step." - }, - { - "description": "Connect using client credentials", - "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel", - "instructions": [ - { - "type": "ContextPane", - "parameters": { - "contextPaneType": "DataConnectorsContextPane", - "label": "Add environment", - "isPrimary": true, - "title": "Dynamics 365 Finance and Operations connection", - "instructionSteps": [ - { - "title": "Environment details", - "instructions": [ - { - "type": "Textbox", - "parameters": { - "label": "Microsoft Entra tenant ID.", - "placeholder": "Tenant ID (GUID)", - "type": "text", - "name": "tenantId" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "App registration client ID", - "placeholder": "Finance and Operations client ID", - "type": "text", - "name": "clientId" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "App registration client secret", - "placeholder": "Finance and Operations client secret", - "type": "password", - "name": "clientSecret" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Finance and Operations organization URL", - "placeholder": "https://dynamics-dev.axcloud.dynamics.com", - "type": "text", - "name": "auditHost" - } - } - ] - } - ] - } - } - ] - }, - { - "title": "Organizations", - "description": "Each row represents an Finance and Operations connection", - "instructions": [ - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Environment URL", - "columnValue": "properties.request.apiEndpoint" - } - ], - "menuItems": [ - "DeleteConnector" - ] - } - } - ] - } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "name": "FinOps-DCR", - "apiVersion": "2022-06-01", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "kind": "[variables('blanks')]", - "properties": { - "streamDeclarations": { - "Custom-FinanceOperationsActivity_CL": { - "columns": [ - { - "name": "dataAreaId", - "type": "string" - }, - { - "name": "InstanceName", - "type": "string" - }, - { - "name": "LogCreatedDateTime", - "type": "datetime" - }, - { - "name": "LogType", - "type": "string" - }, - { - "name": "TableName", - "type": "string" - }, - { - "name": "Username", - "type": "string" - }, - { - "name": "Description", - "type": "string" - }, - { - "name": "Data", - "type": "dynamic" - }, - { - "name": "FormattedData", - "type": "string" - }, - { - "name": "NewData", - "type": "string" - }, - { - "name": "LogCreatedBy", - "type": "string" - }, - { - "name": "LogCreatedTransactionId", - "type": "string" - }, - { - "name": "LogDataAreaId", - "type": "string" - }, - { - "name": "LogPartition", - "type": "long" - }, - { - "name": "LogRecId", - "type": "long" - }, - { - "name": "SequenceNumber", - "type": "int" - }, - { - "name": "TableIdNumber", - "type": "int" - }, - { - "name": "TableRecId", - "type": "long" - }, - { - "name": "TableRecVersion", - "type": "int" - } - ] - } - }, - "dataSources": "[variables('TemplateEmptyObject')]", - "destinations": { - "logAnalytics": [ - { - "workspaceResourceId": "[variables('workspaceResourceId')]", - "name": "clv2ws1" - } - ] - }, - "dataFlows": [ - { - "streams": [ - "Custom-FinanceOperationsActivity_CL" - ], - "destinations": [ - "clv2ws1" - ], - "transformKql": "source | extend TimeGenerated = now() | project-away dataAreaId, NewData", - "outputStream": "Custom-FinanceOperationsActivity_CL" - } - ], - "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]" - } - }, - { - "name": "FinanceOperationsActivity_CL", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/tables", - "location": "[parameters('workspace-location')]", - "kind": null, - "properties": { - "schema": { - "name": "FinanceOperationsActivity_CL", - "columns": [ - { - "name": "TimeGenerated", - "type": "datetime" - }, - { - "name": "InstanceName", - "type": "string" - }, - { - "name": "LogCreatedDateTime", - "type": "datetime" - }, - { - "name": "LogType", - "type": "string" - }, - { - "name": "TableName", - "type": "string" - }, - { - "name": "Username", - "type": "string" - }, - { - "name": "Description", - "type": "string" - }, - { - "name": "Data", - "type": "dynamic" - }, - { - "name": "FormattedData", - "type": "dynamic" - }, - { - "name": "LogCreatedBy", - "type": "string" - }, - { - "name": "LogCreatedTransactionId", - "type": "string" - }, - { - "name": "LogDataAreaId", - "type": "string" - }, - { - "name": "LogPartition", - "type": "long" - }, - { - "name": "LogRecId", - "type": "long" - }, - { - "name": "SequenceNumber", - "type": "int" - }, - { - "name": "TableIdNumber", - "type": "int" - }, - { - "name": "TableRecId", - "type": "long" - }, - { - "name": "TableRecVersion", - "type": "int" - } - ] - } - } + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Microsoft", + "comments": "Solution template for Microsoft Business Applications" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", - "apiVersion": "2022-09-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "Dynamics365Finance", - "title": "Dynamics 365 Finance and Operations", - "publisher": "Microsoft", - "logo": "Dynamics365.svg", - "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.", - "graphQueriesTableName": "FinanceOperationsActivity_CL", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "{{graphQueriesTableName}}", - "baseQuery": "{{graphQueriesTableName}}" + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" } - ], - "sampleQueries": [ - { - "description": "Finance and Operations Audited Tables", - "query": "{{graphQueriesTableName}}\n | summarize by TableName" + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + "resourceGroupName": { + "defaultValue": "[resourceGroup().name]", + "type": "String", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors" + }, + "subscription": { + "defaultValue": "[last(split(subscription().id, '/'))]", + "type": "String", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" } - ], - "availability": { - "isPreview": true - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft Entra app registration", - "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations." - } - ] - }, - "instructionSteps": [ - { - "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL." - }, - { - "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:" - }, - { - "title": "Step 1 - Microsoft Entra app registration", - "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use." - }, - { - "title": "Step 2 - Create a role for data collection in Finance and Operations", - "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role." - }, - { - "title": "Step 3 - Create a user for data collection in Finance and Operations", - "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user." - }, - { - "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations", - "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step." - }, - { - "description": "Connect using client credentials", - "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel", - "instructions": [ - { - "type": "ContextPane", - "parameters": { - "contextPaneType": "DataConnectorsContextPane", - "label": "Add environment", - "isPrimary": true, - "title": "Dynamics 365 Finance and Operations connection", - "instructionSteps": [ - { - "title": "Environment details", - "instructions": [ - { - "type": "Textbox", - "parameters": { - "label": "Microsoft Entra tenant ID.", - "placeholder": "Tenant ID (GUID)", - "type": "text", - "name": "tenantId" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "App registration client ID", - "placeholder": "Finance and Operations client ID", - "type": "text", - "name": "clientId" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "App registration client secret", - "placeholder": "Finance and Operations client secret", - "type": "password", - "name": "clientSecret" - } - }, - { - "type": "Textbox", - "parameters": { - "label": "Finance and Operations organization URL", - "placeholder": "https://dynamics-dev.axcloud.dynamics.com", - "type": "text", - "name": "auditHost" - } - } - ] - } - ] - } - } - ] - }, - { - "title": "Organizations", - "description": "Each row represents an Finance and Operations connection", - "instructions": [ - { - "type": "DataConnectorsGrid", - "parameters": { - "mapping": [ - { - "columnName": "Environment URL", - "columnValue": "properties.request.apiEndpoint" - } - ], - "menuItems": [ - "DeleteConnector" - ] - } - } - ] + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Dynamics 365 Activity", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" } - ] - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", - "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "kind": "ResourcesDataConnector" + }, + "watchlist1-id": { + "type": "string", + "defaultValue": "MSBizApps-Configuration", + "minLength": 1, + "metadata": { + "description": "Unique id for the watchlist" } - ] } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "displayName": "Dynamics 365 Finance and Operations", - "contentKind": "ResourcesDataConnector", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorCCPVersion')]", - "parameters": { - "connectorDefinitionName": { - "defaultValue": "Dynamics 365 Finance and Operations", - "type": "string", - "minLength": 1 - }, - "workspace": { - "defaultValue": "[parameters('workspace')]", - "type": "string" - }, - "dcrConfig": { - "defaultValue": { - "dataCollectionEndpoint": "data collection Endpoint", - "dataCollectionRuleImmutableId": "data collection rule immutableId" - }, - "type": "object" - }, - "tenantId": { - "defaultValue": "tenantId", - "type": "string", - "minLength": 1 - }, - "clientId": { - "defaultValue": "clientId", - "type": "string", - "minLength": 1 - }, - "clientSecret": { - "defaultValue": "clientSecret", - "type": "string", - "minLength": 1 - }, - "auditHost": { - "defaultValue": "auditHost", - "type": "string", - "minLength": 1 - } - }, - "variables": { - "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" - }, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", - "apiVersion": "2022-01-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", - "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "kind": "ResourcesDataConnector", - "version": "[variables('dataConnectorCCPVersion')]", - "source": { - "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', '{{innerWorkspace}}/Microsoft.SecurityInsights/D365_{{instanceName}}')]", - "apiVersion": "2023-02-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "RestApiPoller", - "properties": { - "connectorDefinitionName": "Dynamics365Finance", - "dcrConfig": { - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", - "streamName": "Custom-FinanceOperationsActivity_CL" - }, - "dataType": "FinanceOperationsActivity_CL", - "addOnAttributes": { - "InstanceName": "[[parameters('auditHost')]" - }, - "auth": { - "type": "OAuth2", - "ClientSecret": "[[parameters('clientSecret')]", - "ClientId": "[[parameters('clientId')]", - "GrantType": "client_credentials", - "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]", - "TokenEndpointHeaders": { - "Content-Type": "application/x-www-form-urlencoded" - }, - "TokenEndpointQueryParameters": {}, - "Scope": "[[concat(parameters('auditHost'), '/.default')]" - }, - "request": { - "apiEndpoint": "[[concat(parameters('auditHost'), '/data/DatabaseLogs')]", - "queryWindowInMin": 10, - "httpMethod": "Get", - "retryCount": 3, - "timeoutInSeconds": 60, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "queryParameters": { - "$filter": "LogCreatedDateTime gt {_QueryWindowStartTime} and LogCreatedDateTime le {_QueryWindowEndTime}", - "cross-company": "true" - }, - "headers": { - "Accept": "application/json;odata.metadata=none", - "User-Agent": "Scuba" - } - }, - "response": { - "eventsJsonPaths": [ - "$.value" - ] - }, - "paging": { - "pagingType": "LinkHeader", - "linkHeaderTokenJsonPath": "$.['@odata.nextLink']" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "version": "[variables('dataConnectorCCPVersion')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dynamics365Activity Workbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", - "location": "[parameters('workspace-location')]", - "kind": "shared", - "apiVersion": "2021-08-01", - "metadata": { - "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data." - }, - "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Dynamics 365 Workbook\\n---\\n\\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. This workbook is separated into 5 distinct sections and within each section there are several queries and visualizations. Many of the queries build on data from previous queries so may not appear if no data is present.\\n\\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of Dynamics 365 data queries may timeout with a large time range, if this is the case simply select a smaller time range.: \"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"412a09a0-64ae-4614-aec6-cbfc9273b82b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 32\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ae90d1dc-20da-4948-80da-127b210bf152\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Retrieval Events\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"a1862467-36e9-4191-89ee-0a7479ec6114\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Deletion Events\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"06df36ec-4c5b-456d-b5d3-45fcd4662c6b\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Export Events\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"5bb7d870-a9d8-4905-a7c5-41b94c89edf4\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Events\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"fa9a364b-0ffc-4023-a7cc-087345da4ba8\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Other Events\",\"subTarget\":\"5\",\"style\":\"link\"}]},\"name\":\"links - 34\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Retrieval Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\n| extend Message = split(OriginalObjectId, ' ')[0]\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| union (\\n DataverseActivity\\n | extend Message = split(OriginalObjectId, ' ')[0]\\n | where Message =~ \\\"Retrieve\\\" \\n | extend QueryCount = double(1))\\n| make-series TotalRetrieves=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\n| extend (baseline) = series_decompose(TotalRetrieves)\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalRetrieves, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total record retrievals by users - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"RetTime\"},{\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"This timeline shows a break down of anomolies in data retrieval sizes by all users. Look for spikes that might indicate suspicious activity by users in terms of accessing records.\\r\\n\\r\\n
\\r\\nThe table below shows the 10 users with the largest number of data retrievals in the timeframe. This may help indicate which users are the cause of the anomolies. To filter subcequent views by a particular user simply select a user from the list. If no user is selected queries will show data from all users.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n| extend Message = split(OriginalObjectId, ' ')[0]\\r\\n| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n| extend numQueryCount = todouble(QueryResults)\\r\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n| union (\\r\\n DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| summarize TotalRecords = sum(QueryCount) by UserId\\r\\n| sort by TotalRecords desc\\r\\n| take 10\",\"size\":4,\"title\":\"Users with largest total record retrievals - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"RetUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n | where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\"\\r\\n | where UserId =~ '{RetUser}' \\r\\n \\t | extend QueryCount = double(1))\\r\\n\\t| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retrievals by {RetUser:label}\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n| where Message contains \\\"Retrieve\\\"\\r\\n| where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\",\"size\":1,\"title\":\"Retrievals by {RetUser}\",\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"TimeBrush\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 23 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n| summarize TotalRecords = sum(QueryCount) by IPAddress\\r\\n| sort by TotalRecords desc\\r\\n| take 10\\r\\n| project IPAddress, TotalRecords\",\"size\":1,\"title\":\"Total record retrievals by IP address - {TimeRange:label} - Top 10\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"RetIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"As with the user retrieval events previously this section shows the top 10 IP addresses with the largest number of record retrievals. \\r\\n\\r\\nSelect an IP address in oder to filter subcequent fields by that IP.\",\"style\":\"info\"},\"customWidth\":\"30\",\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n| where IPAddress == '{RetIP}' or '{RetIP}' == \\\"all IP addresses\\\"\\r\\n| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retreivals by {RetIP:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 24\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Retrieval Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Deletions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section include details on users deleting records within Dynamics 365. \\r\\n\\r\\nThe first timeline show anomalies within the total number of records deleted by users. Subcequent sections highlight the User and IP addresses associated with the largest number of record deletions. Selecting records in these results will show additional results filtered to that user or IP address.\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n\\t| make-series TotalDeletes=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalDeletes)\\r\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalDeletes, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Record deletions - {TimeRange:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n\",\"size\":4,\"title\":\"Users with most record deletions - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"DeleteUserId\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | where UserId =~ '{DeleteUserId}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Deletes by {DeleteUserId:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteUserId\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by tostring(split(ClientIp, ':')[0])\\r\\n | extend IPAddress = tostring(ClientIp_0)\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n \\r\\n\",\"size\":4,\"title\":\"Record deletions by IP address - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"DeleteIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\"},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"categorical\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n | where IPAddress == '{DeleteIP}' or '{DeleteIP}' == \\\"all IP addresses\\\"\\r\\n | summarize count() by bin(TimeGenerated, 1h)\\r\\n\\r\\n\",\"size\":1,\"title\":\"Deletions by {DeleteIP:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteIP\",\"comparison\":\"isNotEqualTo\",\"value\":\"all IP addresses\"},\"name\":\"query - 22\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Record Deletions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Export Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at records export from Dynamics 365. The first graph represents a timeseries of anomolies in the number of recrods being exported by all users.\\r\\n\\r\\nSubcequent sections look at the users exporting the largest number of records as well as the largest single export events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n\\t| where TimeGenerated > ago(30d)\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n | make-series TotalExports=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalExports)\\r\\n\\t| extend (anomalies, baseline) = series_decompose_anomalies(TotalExports, 3, -1, 'linefit')\\r\\n\",\"size\":0,\"title\":\"Count of records exported to Excel - {TimeRange:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | summarize TotalRecords = sum(QueryCount) by UserId\\r\\n | sort by TotalRecords desc\\r\\n | take 10\\r\\n\",\"size\":1,\"title\":\"Users with most record exports - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"ExportUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DataverseActivity\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | extend IPAddress=split(ClientIp, ':')[0]\\r\\n | summarize by UserId, tostring(IPAddress), QueryCount\\r\\n | sort by QueryCount desc\\r\\n | take 10\\r\\n\",\"size\":0,\"title\":\"Largest exports - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where UserId =~ '{ExportUser}'\\r\\n | summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Exports by {ExportUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"ExportUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"Export Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Email Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at emails sent by user via Dynamics 365, as with the other sections it starts be looking at anomolies in the total number of emails sent and then allows for drill downs into specific users to identify anomalous events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | make-series TotalEmails=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n | extend (baseline) = series_decompose(TotalEmails)\\r\\n | extend (anomalies, baseline) = series_decompose_anomalies(TotalEmails, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total emails sent - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 7\"},{\"type\":1,\"content\":{\"json\":\"Use this graph to look for spikes in email sent activity that occur outside the regular weekly pattern or occur outside expected working hours. You can then pivot on this data using query similar to:\\r\\n\\r\\n\\tDataverseActivity\\r\\n \\t| where TimeGenerated between(datetime(SPIKETIME)..(datetime(SPIKETIME)+1h))\\r\\n \\t| where Message =~ \\\"SendEmail\\\"\"},\"name\":\"text - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\",\"size\":4,\"title\":\"Users with most sent emails - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"EmailUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"75\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"Select a user to see specific events related to that user.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t | where TimeGenerated > ago(30d)\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | where UserId =~ '{EmailUser}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Emails by {EmailUser:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"EmailUser\",\"comparison\":\"isEqualTo\"},\"name\":\"query - 27\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"Email Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Other Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section contains a number of other areas of interest from a threat hunting perspective. Selecting events in the queries shows additional data of interest.\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\"\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n\\t| join kind=leftanti (DataverseActivity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\")\\r\\non UserId\\r\\n| summarize by UserId\",\"size\":0,\"title\":\"New users observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"NewUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"33\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | summarize count() by UserAgent\\r\\n | sort by count_ asc\\r\\n | take 10\\r\\n | project UserAgent\",\"size\":0,\"title\":\"10 rarest user agents in the {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserAgent\",\"exportParameterName\":\"RareUA\",\"exportDefaultValue\":\"all user agents\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserAgent\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message)\\r\\n\\t| join kind=leftanti (DataverseActivity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message))\\r\\non Message\\r\\n| summarize by Message\",\"size\":0,\"title\":\"New actions observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Message\",\"exportParameterName\":\"NewAction\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | where UserId =~ '{NewUser}'\\r\\n | project TimeGenerated, Message, ClientIp, UserAgent\",\"size\":0,\"title\":\"Activity by {NewUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"showPin\":false,\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | where UserAgent =~ '{RareUA}'\\r\\n\",\"size\":0,\"title\":\"Activity by {RareUA:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"RareUA\",\"comparison\":\"isNotEqualTo\",\"value\":\"all user agents\"},\"showPin\":false,\"name\":\"query - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | where Message =~ '{NewAction}'\",\"size\":0,\"title\":\"{NewAction:label} activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewAction\",\"comparison\":\"isNotEqualTo\",\"value\":\"All\"},\"name\":\"query - 31\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"Other Events\"}],\"isLocked\":false,\"fromTemplateId\":\"sentinel-Dynamics365Activity\"}\r\n", - "version": "1.0", - "sourceId": "[variables('workspaceResourceId')]", - "category": "sentinel" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", - "properties": { - "description": "@{workbookKey=Dynamics365Activity; logoFileName=DynamicsLogo.svg; description=This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.4; title=Dynamics 365 Activity; templateRelativePath=Dynamics365Activity.json; subtitle=; provider=Microsoft}.description", - "parentId": "[variables('workbookId1')]", - "contentId": "[variables('_workbookContentId1')]", - "kind": "Workbook", - "version": "[variables('workbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "contentId": "DataverseActivity", - "kind": "DataType" - }, - { - "contentId": "Dataverse", - "kind": "DataConnector" - } - ] - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_workbookContentId1')]", - "contentKind": "Workbook", - "displayName": "[parameters('workbook1-name')]", - "contentProductId": "[variables('_workbookcontentProductId1')]", - "id": "[variables('_workbookcontentProductId1')]", - "version": "[variables('workbookVersion1')]" - } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Anomalous application user activity_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use.", - "displayName": "Dataverse - Anomalous application user activity", - "enabled": false, - "query": "let query_lookback = 14d;\nlet query_frequency = 5h;\nlet anomaly_threshold = 2.5;\nlet seasonality = -1;\nlet trend = 'linefit';\nlet step_duration = 5h;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nDataverseActivity\n| where TimeGenerated >= startofday(ago(query_lookback))\n| where UserId in (application_users)\n| where isnotempty(OriginalObjectId)\n| make-series TotalEvents = count() default=0 on TimeGenerated from startofday(ago(query_lookback)) to now() step step_duration by UserId, InstanceUrl, OriginalObjectId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TotalEvents, anomaly_threshold, seasonality, trend)\n| mv-expand\n TotalEvents to typeof(double),\n AnomalyTimeGenerated = TimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n Score to typeof(double),\n Baseline to typeof(long)\n| where Anomalies > 0\n| extend Details = bag_pack(\n \"TotalEvents\",\n TotalEvents,\n \"Anomalies\",\n Anomalies,\n \"Baseline\",\n Baseline,\n \"Score\",\n Score,\n \"OriginalObjectId\",\n OriginalObjectId\n )\n| summarize Details = make_set(Details, 100) by UserId, InstanceUrl, AnomalyTimeGenerated\n| extend\n CloudAppId = int(32780),\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0]))\n| project\n AnomalyTimeGenerated,\n UserId,\n AadUserId,\n InstanceUrl,\n Details,\n CloudAppId\n", - "queryFrequency": "PT5H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - } - ], - "tactics": [ - "CredentialAccess", - "Execution", - "Persistence" - ], - "techniques": [ - "T1528", - "T1569", - "T0871", - "T0834", - "T0859" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AadUserId", - "identifier": "AadUserId" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "InstranceUrl": "InstanceUrl" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Anomaly detected on {{UserId}} in {{InstanceUrl}}. Details: {{Details}}", - "alertDisplayNameFormat": "Dataverse - Non-interactive account anomaly detected in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Anomalous application user activity", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Audit log data deletion_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies audit log data deletion activity in Dataverse.", - "displayName": "Dataverse - Audit log data deletion", - "enabled": false, - "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message =~ 'DeleteRecordChangeHistory' or Message =~ 'DeleteAuditData'\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, \"@\")[0])\n| extend UPNSuffix = tostring(split(UserId, \"@\")[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n UserAgent,\n Message,\n EntityName,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + "variables": { + "_solutionName": "Microsoft Business Applications", + "_solutionVersion": "3.2.0", + "solutionId": "sentinel4dynamics365.powerplatform", + "_solutionId": "[variables('solutionId')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition1": "Dynamics365Finance", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "Dynamics365FinanceConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "TemplateEmptyObject": "[json('{}')]", + "workbookVersion1": "1.0.4", + "workbookContentId1": "Dynamics365Activity", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "3.2.0", + "_analyticRulecontentId1": "0820da12-e895-417f-9175-7c256fcfb33e", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0820da12-e895-417f-9175-7c256fcfb33e')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0820da12-e895-417f-9175-7c256fcfb33e')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0820da12-e895-417f-9175-7c256fcfb33e','-', '3.2.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "3.2.0", + "_analyticRulecontentId2": "f1634822-b7e9-44f5-95ac-fa4a04f14513", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f1634822-b7e9-44f5-95ac-fa4a04f14513')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f1634822-b7e9-44f5-95ac-fa4a04f14513')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f1634822-b7e9-44f5-95ac-fa4a04f14513','-', '3.2.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "3.2.0", + "_analyticRulecontentId3": "ea07523b-e6b8-469b-9e25-cdef1ae6fb45", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ea07523b-e6b8-469b-9e25-cdef1ae6fb45')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ea07523b-e6b8-469b-9e25-cdef1ae6fb45')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ea07523b-e6b8-469b-9e25-cdef1ae6fb45','-', '3.2.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "3.2.0", + "_analyticRulecontentId4": "6e480329-84bc-409a-b97b-22e8102af3ca", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6e480329-84bc-409a-b97b-22e8102af3ca')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6e480329-84bc-409a-b97b-22e8102af3ca')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6e480329-84bc-409a-b97b-22e8102af3ca','-', '3.2.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "3.2.0", + "_analyticRulecontentId5": "ba5e608f-7879-4927-8b0d-a9948b4fe6f3", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ba5e608f-7879-4927-8b0d-a9948b4fe6f3')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ba5e608f-7879-4927-8b0d-a9948b4fe6f3')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba5e608f-7879-4927-8b0d-a9948b4fe6f3','-', '3.2.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "3.2.0", + "_analyticRulecontentId6": "0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0881b209-62c9-4b15-9f9a-e0c1d1b1eb7b','-', '3.2.0')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "3.2.0", + "_analyticRulecontentId7": "39efbf4b-b347-4cc7-895e-99a868bf29ea", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '39efbf4b-b347-4cc7-895e-99a868bf29ea')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('39efbf4b-b347-4cc7-895e-99a868bf29ea')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','39efbf4b-b347-4cc7-895e-99a868bf29ea','-', '3.2.0')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "3.2.0", + "_analyticRulecontentId8": "2df0adf5-92a8-4ee0-a123-3eb5be1eed02", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2df0adf5-92a8-4ee0-a123-3eb5be1eed02')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2df0adf5-92a8-4ee0-a123-3eb5be1eed02')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2df0adf5-92a8-4ee0-a123-3eb5be1eed02','-', '3.2.0')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "3.2.0", + "_analyticRulecontentId9": "11650b85-d8cc-49c4-8c04-a8a739635983", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '11650b85-d8cc-49c4-8c04-a8a739635983')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('11650b85-d8cc-49c4-8c04-a8a739635983')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','11650b85-d8cc-49c4-8c04-a8a739635983','-', '3.2.0')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "3.2.0", + "_analyticRulecontentId10": "f327816b-9328-4b17-9290-a02adc2f4928", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f327816b-9328-4b17-9290-a02adc2f4928')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f327816b-9328-4b17-9290-a02adc2f4928')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f327816b-9328-4b17-9290-a02adc2f4928','-', '3.2.0')))]" + }, + "analyticRuleObject11": { + "analyticRuleVersion11": "3.2.0", + "_analyticRulecontentId11": "666fef96-1bb8-4abf-ad72-e5cb49561381", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '666fef96-1bb8-4abf-ad72-e5cb49561381')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('666fef96-1bb8-4abf-ad72-e5cb49561381')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','666fef96-1bb8-4abf-ad72-e5cb49561381','-', '3.2.0')))]" + }, + "analyticRuleObject12": { + "analyticRuleVersion12": "3.2.0", + "_analyticRulecontentId12": "81c693fe-f6c4-4352-bc10-3526f6e22637", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '81c693fe-f6c4-4352-bc10-3526f6e22637')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('81c693fe-f6c4-4352-bc10-3526f6e22637')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','81c693fe-f6c4-4352-bc10-3526f6e22637','-', '3.2.0')))]" + }, + "analyticRuleObject13": { + "analyticRuleVersion13": "3.2.0", + "_analyticRulecontentId13": "2e3878bb-d519-43aa-9992-ea069df099e4", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2e3878bb-d519-43aa-9992-ea069df099e4')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2e3878bb-d519-43aa-9992-ea069df099e4')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e3878bb-d519-43aa-9992-ea069df099e4','-', '3.2.0')))]" + }, + "analyticRuleObject14": { + "analyticRuleVersion14": "3.2.0", + "_analyticRulecontentId14": "716cf6d4-97ad-407b-923e-6790083acb58", + "analyticRuleId14": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '716cf6d4-97ad-407b-923e-6790083acb58')]", + "analyticRuleTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('716cf6d4-97ad-407b-923e-6790083acb58')))]", + "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','716cf6d4-97ad-407b-923e-6790083acb58','-', '3.2.0')))]" + }, + "analyticRuleObject15": { + "analyticRuleVersion15": "3.2.0", + "_analyticRulecontentId15": "95e02f1b-5886-4043-8f0e-a42e6e23330f", + "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '95e02f1b-5886-4043-8f0e-a42e6e23330f')]", + "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('95e02f1b-5886-4043-8f0e-a42e6e23330f')))]", + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','95e02f1b-5886-4043-8f0e-a42e6e23330f','-', '3.2.0')))]" + }, + "analyticRuleObject16": { + "analyticRuleVersion16": "3.2.0", + "_analyticRulecontentId16": "57000f0d-ff5d-4166-94b6-aa5fb62b16ec", + "analyticRuleId16": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57000f0d-ff5d-4166-94b6-aa5fb62b16ec')]", + "analyticRuleTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57000f0d-ff5d-4166-94b6-aa5fb62b16ec')))]", + "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57000f0d-ff5d-4166-94b6-aa5fb62b16ec','-', '3.2.0')))]" + }, + "analyticRuleObject17": { + "analyticRuleVersion17": "3.2.0", + "_analyticRulecontentId17": "df577f0f-1d8a-4420-9057-a07f0edb15c8", + "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'df577f0f-1d8a-4420-9057-a07f0edb15c8')]", + "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('df577f0f-1d8a-4420-9057-a07f0edb15c8')))]", + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df577f0f-1d8a-4420-9057-a07f0edb15c8','-', '3.2.0')))]" + }, + "analyticRuleObject18": { + "analyticRuleVersion18": "3.2.0", + "_analyticRulecontentId18": "5c768e7d-7e5e-4d57-80d4-3f50c96fbf70", + "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')]", + "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5c768e7d-7e5e-4d57-80d4-3f50c96fbf70')))]", + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5c768e7d-7e5e-4d57-80d4-3f50c96fbf70','-', '3.2.0')))]" + }, + "analyticRuleObject19": { + "analyticRuleVersion19": "3.2.0", + "_analyticRulecontentId19": "682e230c-e5da-4085-8666-701d1f1be7de", + "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '682e230c-e5da-4085-8666-701d1f1be7de')]", + "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('682e230c-e5da-4085-8666-701d1f1be7de')))]", + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','682e230c-e5da-4085-8666-701d1f1be7de','-', '3.2.0')))]" + }, + "analyticRuleObject20": { + "analyticRuleVersion20": "3.2.0", + "_analyticRulecontentId20": "4c1c9aee-8e44-4bb9-bd53-f3e7d6761282", + "analyticRuleId20": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c1c9aee-8e44-4bb9-bd53-f3e7d6761282')]", + "analyticRuleTemplateSpecName20": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c1c9aee-8e44-4bb9-bd53-f3e7d6761282')))]", + "_analyticRulecontentProductId20": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c1c9aee-8e44-4bb9-bd53-f3e7d6761282','-', '3.2.0')))]" + }, + "analyticRuleObject21": { + "analyticRuleVersion21": "3.2.0", + "_analyticRulecontentId21": "34a5d79b-8f9a-420c-aa64-7f4d262ac29a", + "analyticRuleId21": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '34a5d79b-8f9a-420c-aa64-7f4d262ac29a')]", + "analyticRuleTemplateSpecName21": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('34a5d79b-8f9a-420c-aa64-7f4d262ac29a')))]", + "_analyticRulecontentProductId21": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','34a5d79b-8f9a-420c-aa64-7f4d262ac29a','-', '3.2.0')))]" + }, + "analyticRuleObject22": { + "analyticRuleVersion22": "3.2.0", + "_analyticRulecontentId22": "094b3c0a-1f63-42f7-9535-c8c7b7198328", + "analyticRuleId22": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '094b3c0a-1f63-42f7-9535-c8c7b7198328')]", + "analyticRuleTemplateSpecName22": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('094b3c0a-1f63-42f7-9535-c8c7b7198328')))]", + "_analyticRulecontentProductId22": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','094b3c0a-1f63-42f7-9535-c8c7b7198328','-', '3.2.0')))]" + }, + "analyticRuleObject23": { + "analyticRuleVersion23": "3.2.0", + "_analyticRulecontentId23": "a6f6b734-3db8-4259-a988-69e0b8eac0c2", + "analyticRuleId23": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a6f6b734-3db8-4259-a988-69e0b8eac0c2')]", + "analyticRuleTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a6f6b734-3db8-4259-a988-69e0b8eac0c2')))]", + "_analyticRulecontentProductId23": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a6f6b734-3db8-4259-a988-69e0b8eac0c2','-', '3.2.0')))]" + }, + "analyticRuleObject24": { + "analyticRuleVersion24": "3.2.0", + "_analyticRulecontentId24": "1b1061be-2595-4492-af6d-1c8a5fc9576d", + "analyticRuleId24": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b1061be-2595-4492-af6d-1c8a5fc9576d')]", + "analyticRuleTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b1061be-2595-4492-af6d-1c8a5fc9576d')))]", + "_analyticRulecontentProductId24": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b1061be-2595-4492-af6d-1c8a5fc9576d','-', '3.2.0')))]" + }, + "analyticRuleObject25": { + "analyticRuleVersion25": "3.2.0", + "_analyticRulecontentId25": "c4c3510a-0ee0-4561-9835-47882ffa7f46", + "analyticRuleId25": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c4c3510a-0ee0-4561-9835-47882ffa7f46')]", + "analyticRuleTemplateSpecName25": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c4c3510a-0ee0-4561-9835-47882ffa7f46')))]", + "_analyticRulecontentProductId25": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c4c3510a-0ee0-4561-9835-47882ffa7f46','-', '3.2.0')))]" + }, + "analyticRuleObject26": { + "analyticRuleVersion26": "3.2.0", + "_analyticRulecontentId26": "e44a58b2-b63a-4eb9-92da-85660d73495c", + "analyticRuleId26": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e44a58b2-b63a-4eb9-92da-85660d73495c')]", + "analyticRuleTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e44a58b2-b63a-4eb9-92da-85660d73495c')))]", + "_analyticRulecontentProductId26": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e44a58b2-b63a-4eb9-92da-85660d73495c','-', '3.2.0')))]" + }, + "analyticRuleObject27": { + "analyticRuleVersion27": "3.2.0", + "_analyticRulecontentId27": "d875af10-6bb9-4d6a-a6e4-78439a98bf4b", + "analyticRuleId27": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd875af10-6bb9-4d6a-a6e4-78439a98bf4b')]", + "analyticRuleTemplateSpecName27": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d875af10-6bb9-4d6a-a6e4-78439a98bf4b')))]", + "_analyticRulecontentProductId27": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d875af10-6bb9-4d6a-a6e4-78439a98bf4b','-', '3.2.0')))]" + }, + "analyticRuleObject28": { + "analyticRuleVersion28": "3.2.0", + "_analyticRulecontentId28": "8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86", + "analyticRuleId28": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')]", + "analyticRuleTemplateSpecName28": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86')))]", + "_analyticRulecontentProductId28": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8a6ecba2-ccfe-4c8c-b086-fa3e6ff7fa86','-', '3.2.0')))]" + }, + "analyticRuleObject29": { + "analyticRuleVersion29": "3.2.0", + "_analyticRulecontentId29": "56d5aa0c-d871-4167-ba13-61c2f0fd17bf", + "analyticRuleId29": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '56d5aa0c-d871-4167-ba13-61c2f0fd17bf')]", + "analyticRuleTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('56d5aa0c-d871-4167-ba13-61c2f0fd17bf')))]", + "_analyticRulecontentProductId29": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','56d5aa0c-d871-4167-ba13-61c2f0fd17bf','-', '3.2.0')))]" + }, + "analyticRuleObject30": { + "analyticRuleVersion30": "3.2.0", + "_analyticRulecontentId30": "d88a0e22-3b6a-40c2-af28-c064b44d03b7", + "analyticRuleId30": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd88a0e22-3b6a-40c2-af28-c064b44d03b7')]", + "analyticRuleTemplateSpecName30": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d88a0e22-3b6a-40c2-af28-c064b44d03b7')))]", + "_analyticRulecontentProductId30": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d88a0e22-3b6a-40c2-af28-c064b44d03b7','-', '3.2.0')))]" + }, + "analyticRuleObject31": { + "analyticRuleVersion31": "3.2.0", + "_analyticRulecontentId31": "de039242-47e0-43fa-84d7-b6be24305349", + "analyticRuleId31": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'de039242-47e0-43fa-84d7-b6be24305349')]", + "analyticRuleTemplateSpecName31": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('de039242-47e0-43fa-84d7-b6be24305349')))]", + "_analyticRulecontentProductId31": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','de039242-47e0-43fa-84d7-b6be24305349','-', '3.2.0')))]" + }, + "analyticRuleObject32": { + "analyticRuleVersion32": "3.2.0", + "_analyticRulecontentId32": "c5e75cb6-cea0-49c2-a998-da414035aac1", + "analyticRuleId32": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c5e75cb6-cea0-49c2-a998-da414035aac1')]", + "analyticRuleTemplateSpecName32": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c5e75cb6-cea0-49c2-a998-da414035aac1')))]", + "_analyticRulecontentProductId32": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c5e75cb6-cea0-49c2-a998-da414035aac1','-', '3.2.0')))]" + }, + "analyticRuleObject33": { + "analyticRuleVersion33": "3.2.0", + "_analyticRulecontentId33": "d7c9549c-7246-4555-8e53-d7b0db546764", + "analyticRuleId33": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd7c9549c-7246-4555-8e53-d7b0db546764')]", + "analyticRuleTemplateSpecName33": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d7c9549c-7246-4555-8e53-d7b0db546764')))]", + "_analyticRulecontentProductId33": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d7c9549c-7246-4555-8e53-d7b0db546764','-', '3.2.0')))]" + }, + "analyticRuleObject34": { + "analyticRuleVersion34": "3.2.0", + "_analyticRulecontentId34": "08cb7ffc-59c6-4e7d-88e0-327371c9431b", + "analyticRuleId34": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '08cb7ffc-59c6-4e7d-88e0-327371c9431b')]", + "analyticRuleTemplateSpecName34": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('08cb7ffc-59c6-4e7d-88e0-327371c9431b')))]", + "_analyticRulecontentProductId34": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','08cb7ffc-59c6-4e7d-88e0-327371c9431b','-', '3.2.0')))]" + }, + "analyticRuleObject35": { + "analyticRuleVersion35": "3.2.0", + "_analyticRulecontentId35": "dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64", + "analyticRuleId35": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')]", + "analyticRuleTemplateSpecName35": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64')))]", + "_analyticRulecontentProductId35": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dccbdb5b-2ce7-4931-bfbe-f1ad6523ee64','-', '3.2.0')))]" + }, + "analyticRuleObject36": { + "analyticRuleVersion36": "3.2.0", + "_analyticRulecontentId36": "5ab00fbb-ba2c-44dc-b02e-f119639b9a11", + "analyticRuleId36": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5ab00fbb-ba2c-44dc-b02e-f119639b9a11')]", + "analyticRuleTemplateSpecName36": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5ab00fbb-ba2c-44dc-b02e-f119639b9a11')))]", + "_analyticRulecontentProductId36": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5ab00fbb-ba2c-44dc-b02e-f119639b9a11','-', '3.2.0')))]" + }, + "analyticRuleObject37": { + "analyticRuleVersion37": "3.2.0", + "_analyticRulecontentId37": "5b7cc7f9-fe54-4138-9fb0-d650807345d3", + "analyticRuleId37": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b7cc7f9-fe54-4138-9fb0-d650807345d3')]", + "analyticRuleTemplateSpecName37": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b7cc7f9-fe54-4138-9fb0-d650807345d3')))]", + "_analyticRulecontentProductId37": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b7cc7f9-fe54-4138-9fb0-d650807345d3','-', '3.2.0')))]" + }, + "analyticRuleObject38": { + "analyticRuleVersion38": "3.2.0", + "_analyticRulecontentId38": "44b1021c-d517-4b7a-9ba6-a91eab94e632", + "analyticRuleId38": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '44b1021c-d517-4b7a-9ba6-a91eab94e632')]", + "analyticRuleTemplateSpecName38": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('44b1021c-d517-4b7a-9ba6-a91eab94e632')))]", + "_analyticRulecontentProductId38": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','44b1021c-d517-4b7a-9ba6-a91eab94e632','-', '3.2.0')))]" + }, + "analyticRuleObject39": { + "analyticRuleVersion39": "3.2.0", + "_analyticRulecontentId39": "919e939f-95e2-4978-846e-13a721c89ea1", + "analyticRuleId39": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '919e939f-95e2-4978-846e-13a721c89ea1')]", + "analyticRuleTemplateSpecName39": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('919e939f-95e2-4978-846e-13a721c89ea1')))]", + "_analyticRulecontentProductId39": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','919e939f-95e2-4978-846e-13a721c89ea1','-', '3.2.0')))]" + }, + "analyticRuleObject40": { + "analyticRuleVersion40": "3.2.0", + "_analyticRulecontentId40": "7ec1e61d-f3b7-4f40-bb1a-357a63913c23", + "analyticRuleId40": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7ec1e61d-f3b7-4f40-bb1a-357a63913c23')]", + "analyticRuleTemplateSpecName40": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7ec1e61d-f3b7-4f40-bb1a-357a63913c23')))]", + "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7ec1e61d-f3b7-4f40-bb1a-357a63913c23','-', '3.2.0')))]" + }, + "analyticRuleObject41": { + "analyticRuleVersion41": "3.2.0", + "_analyticRulecontentId41": "943acfa0-9285-4eb0-a9c0-42e36177ef19", + "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '943acfa0-9285-4eb0-a9c0-42e36177ef19')]", + "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('943acfa0-9285-4eb0-a9c0-42e36177ef19')))]", + "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.2.0')))]" + }, + "analyticRuleObject42": { + "analyticRuleVersion42": "3.2.0", + "_analyticRulecontentId42": "ed88638d-8627-4c20-ba08-67c13807a9b1", + "analyticRuleId42": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ed88638d-8627-4c20-ba08-67c13807a9b1')]", + "analyticRuleTemplateSpecName42": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ed88638d-8627-4c20-ba08-67c13807a9b1')))]", + "_analyticRulecontentProductId42": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ed88638d-8627-4c20-ba08-67c13807a9b1','-', '3.2.0')))]" + }, + "analyticRuleObject43": { + "analyticRuleVersion43": "3.2.0", + "_analyticRulecontentId43": "4bd7e93a-0646-4e02-8dcb-aa16d16618f4", + "analyticRuleId43": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4bd7e93a-0646-4e02-8dcb-aa16d16618f4')]", + "analyticRuleTemplateSpecName43": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4bd7e93a-0646-4e02-8dcb-aa16d16618f4')))]", + "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4bd7e93a-0646-4e02-8dcb-aa16d16618f4','-', '3.2.0')))]" + }, + "analyticRuleObject44": { + "analyticRuleVersion44": "3.2.0", + "_analyticRulecontentId44": "b1e11b8c-545a-4dea-a912-0008e160d183", + "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b1e11b8c-545a-4dea-a912-0008e160d183')]", + "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b1e11b8c-545a-4dea-a912-0008e160d183')))]", + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b1e11b8c-545a-4dea-a912-0008e160d183','-', '3.2.0')))]" + }, + "analyticRuleObject45": { + "analyticRuleVersion45": "3.2.0", + "_analyticRulecontentId45": "56cb646e-56a0-4f0e-8866-9bc1dd15da78", + "analyticRuleId45": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '56cb646e-56a0-4f0e-8866-9bc1dd15da78')]", + "analyticRuleTemplateSpecName45": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('56cb646e-56a0-4f0e-8866-9bc1dd15da78')))]", + "_analyticRulecontentProductId45": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','56cb646e-56a0-4f0e-8866-9bc1dd15da78','-', '3.2.0')))]" + }, + "analyticRuleObject46": { + "analyticRuleVersion46": "3.2.0", + "_analyticRulecontentId46": "71d829d6-eb50-4a17-8a64-655fae8d71e1", + "analyticRuleId46": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '71d829d6-eb50-4a17-8a64-655fae8d71e1')]", + "analyticRuleTemplateSpecName46": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('71d829d6-eb50-4a17-8a64-655fae8d71e1')))]", + "_analyticRulecontentProductId46": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','71d829d6-eb50-4a17-8a64-655fae8d71e1','-', '3.2.0')))]" + }, + "analyticRuleObject47": { + "analyticRuleVersion47": "3.2.0", + "_analyticRulecontentId47": "886a5655-3d12-42f1-8927-4095789c575e", + "analyticRuleId47": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '886a5655-3d12-42f1-8927-4095789c575e')]", + "analyticRuleTemplateSpecName47": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('886a5655-3d12-42f1-8927-4095789c575e')))]", + "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','886a5655-3d12-42f1-8927-4095789c575e','-', '3.2.0')))]" + }, + "analyticRuleObject48": { + "analyticRuleVersion48": "3.2.0", + "_analyticRulecontentId48": "1b2e6172-85c5-417a-90c3-7cc80cb787f5", + "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b2e6172-85c5-417a-90c3-7cc80cb787f5')]", + "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b2e6172-85c5-417a-90c3-7cc80cb787f5')))]", + "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.2.0')))]" + }, + "analyticRuleObject49": { + "analyticRuleVersion49": "3.0.0", + "_analyticRulecontentId49": "54d48840-1c64-4399-afee-ad39a069118d", + "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '54d48840-1c64-4399-afee-ad39a069118d')]", + "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('54d48840-1c64-4399-afee-ad39a069118d')))]", + "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','54d48840-1c64-4399-afee-ad39a069118d','-', '3.0.0')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "3.2.0", + "_huntingQuerycontentId1": "428c3d41-e441-4244-994e-b059d6316bc4", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('428c3d41-e441-4244-994e-b059d6316bc4')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "3.2.0", + "_huntingQuerycontentId2": "dafcc598-2987-4aa0-947e-7d0449677689", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('dafcc598-2987-4aa0-947e-7d0449677689')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "3.2.0", + "_huntingQuerycontentId3": "74a48db8-dc1d-414e-9709-39fa3f8a2246", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('74a48db8-dc1d-414e-9709-39fa3f8a2246')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "3.2.0", + "_huntingQuerycontentId4": "f9658e11-e277-4a65-8f91-2cb94cf7497c", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('f9658e11-e277-4a65-8f91-2cb94cf7497c')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "3.2.0", + "_huntingQuerycontentId5": "90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('90bcbd4e-e8b5-4a5d-9fe6-d0f9f0220b4a')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "3.2.0", + "_huntingQuerycontentId6": "c7e6e48a-0514-4989-bc90-4a3c9207ede1", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c7e6e48a-0514-4989-bc90-4a3c9207ede1')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "3.2.0", + "_huntingQuerycontentId7": "385234b7-d96c-4dc3-9c0e-ceb46048d487", + "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('385234b7-d96c-4dc3-9c0e-ceb46048d487')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "3.2.0", + "_huntingQuerycontentId8": "169428be-5ed0-4230-9103-c83df89c789a", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('169428be-5ed0-4230-9103-c83df89c789a')))]" + }, + "Dataverse-Add-SharePoint-Site": "Dataverse-Add-SharePoint-Site", + "_Dataverse-Add-SharePoint-Site": "[variables('Dataverse-Add-SharePoint-Site')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Dataverse-Add-SharePoint-Site", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "Dataverse-Blocklist-Add-User-AlertTrigger": "Dataverse-Blocklist-Add-User-AlertTrigger", + "_Dataverse-Blocklist-Add-User-AlertTrigger": "[variables('Dataverse-Blocklist-Add-User-AlertTrigger')]", + "playbookVersion2": "1.0", + "playbookContentId2": "Dataverse-Blocklist-Add-User-AlertTrigger", + "_playbookContentId2": "[variables('playbookContentId2')]", + "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "Dataverse-Blocklist-Add-User-Via-Outlook": "Dataverse-Blocklist-Add-User-Via-Outlook", + "_Dataverse-Blocklist-Add-User-Via-Outlook": "[variables('Dataverse-Blocklist-Add-User-Via-Outlook')]", + "playbookVersion3": "1.0", + "playbookContentId3": "Dataverse-Blocklist-Add-User-Via-Outlook", + "_playbookContentId3": "[variables('playbookContentId3')]", + "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "Dataverse-Blocklist-Add-User-Via-Teams": "Dataverse-Blocklist-Add-User-Via-Teams", + "_Dataverse-Blocklist-Add-User-Via-Teams": "[variables('Dataverse-Blocklist-Add-User-Via-Teams')]", + "playbookVersion4": "1.0", + "playbookContentId4": "Dataverse-Blocklist-Add-User-Via-Teams", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "Dataverse-Blocklist-Add-User": "Dataverse-Blocklist-Add-User", + "_Dataverse-Blocklist-Add-User": "[variables('Dataverse-Blocklist-Add-User')]", + "playbookVersion5": "1.0", + "playbookContentId5": "Dataverse-Blocklist-Add-User", + "_playbookContentId5": "[variables('playbookContentId5')]", + "playbookId5": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId5'))]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "Dataverse-Blocklist-Remove-User-AlertTrigger": "Dataverse-Blocklist-Remove-User-AlertTrigger", + "_Dataverse-Blocklist-Remove-User-AlertTrigger": "[variables('Dataverse-Blocklist-Remove-User-AlertTrigger')]", + "playbookVersion6": "1.0", + "playbookContentId6": "Dataverse-Blocklist-Remove-User-AlertTrigger", + "_playbookContentId6": "[variables('playbookContentId6')]", + "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "Dataverse-Send-Manager-Notification": "Dataverse-Send-Manager-Notification", + "_Dataverse-Send-Manager-Notification": "[variables('Dataverse-Send-Manager-Notification')]", + "playbookVersion7": "1.0", + "playbookContentId7": "Dataverse-Send-Manager-Notification", + "_playbookContentId7": "[variables('playbookContentId7')]", + "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "MSBizApps-Incident-From-Alert-Teams": "MSBizApps-Incident-From-Alert-Teams", + "_MSBizApps-Incident-From-Alert-Teams": "[variables('MSBizApps-Incident-From-Alert-Teams')]", + "playbookVersion8": "1.0", + "playbookContentId8": "MSBizApps-Incident-From-Alert-Teams", + "_playbookContentId8": "[variables('playbookContentId8')]", + "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','DataverseSharePointSites')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('DataverseSharePointSites-Parser')))]", + "parserVersion1": "3.2.0", + "parserContentId1": "DataverseSharePointSites-Parser" + }, + "parserObject2": { + "_parserName2": "[concat(parameters('workspace'),'/','MSBizAppsNetworkAddresses')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsNetworkAddresses-Parser')))]", + "parserVersion2": "3.2.0", + "parserContentId2": "MSBizAppsNetworkAddresses-Parser" + }, + "parserObject3": { + "_parserName3": "[concat(parameters('workspace'),'/','MSBizAppsOrgSettings')]", + "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsOrgSettings-Parser')))]", + "parserVersion3": "3.2.0", + "parserContentId3": "MSBizAppsOrgSettings-Parser" + }, + "parserObject4": { + "_parserName4": "[concat(parameters('workspace'),'/','MSBizAppsTerminatedEmployees')]", + "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]", + "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsTerminatedEmployees-Parser')))]", + "parserVersion4": "3.0.1", + "parserContentId4": "MSBizAppsTerminatedEmployees-Parser" + }, + "parserObject5": { + "_parserName5": "[concat(parameters('workspace'),'/','MSBizAppsVIPUsers')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MSBizAppsVIPUsers-Parser')))]", + "parserVersion5": "3.2.0", + "parserContentId5": "MSBizAppsVIPUsers-Parser" + }, + "MSBizApps-Configuration": "MSBizApps-Configuration", + "_MSBizApps-Configuration": "[variables('MSBizApps-Configuration')]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]", + "dataConnectorVersion10": "1.0.0", + "dataConnectorVersionConnections10": "1.0.0", + "_uiConfigId10": "PowerAutomate", + "_dataConnectorContentId10": "PowerAutomate", + "dataConnectorTemplateNameConnectorDefinition10": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId10')))]", + "_dataConnectorContentIdConnections10": "PowerAutomateTemplateConnections", + "dataConnectorTemplateNameConnections10": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections10')))]", + "_dataConnectorcontentProductId10": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId10'),'-', variables('dataConnectorVersion10'))))]", + "dataConnectorDataCollectionRulePrefix10": "PP-Automate", + "_dataConnectorDataCollectionRulePrefix10": "[variables('dataConnectorDataCollectionRulePrefix10')]", + "dataConnectorVersion14": "1.0.0", + "dataConnectorVersionConnections14": "1.0.0", + "_uiConfigId14": "Dataverse", + "_dataConnectorContentId14": "Dataverse", + "dataConnectorTemplateNameConnectorDefinition14": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId14')))]", + "_dataConnectorContentIdConnections14": "DataverseTemplateConnections", + "dataConnectorTemplateNameConnections14": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections14')))]", + "_dataConnectorcontentProductId14": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId14'),'-', variables('dataConnectorVersion14'))))]", + "dataConnectorDataCollectionRulePrefix14": "PP-Dataverse", + "_dataConnectorDataCollectionRulePrefix14": "[variables('dataConnectorDataCollectionRulePrefix14')]", + "dataConnectorVersion15": "1.0.0", + "dataConnectorVersionConnections15": "1.0.0", + "_uiConfigId15": "PowerPlatformAdmin", + "_dataConnectorContentId15": "PowerPlatformAdmin", + "dataConnectorTemplateNameConnectorDefinition15": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId15')))]", + "_dataConnectorContentIdConnections15": "PowerPlatformAdminTemplateConnections", + "dataConnectorTemplateNameConnections15": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections15')))]", + "_dataConnectorcontentProductId15": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId15'),'-', variables('dataConnectorVersion15'))))]", + "dataConnectorDataCollectionRulePrefix15": "PP-Admin", + "_dataConnectorDataCollectionRulePrefix15": "[variables('dataConnectorDataCollectionRulePrefix15')]", + "destinationName": "clv2ws1", + "_destinationName": "[variables('destinationName')]", + "_workspaceResourceId": "[variables('workspaceResourceId')]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "Dynamics 365 Finance and Operations", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Dynamics365Finance", + "title": "Dynamics 365 Finance and Operations", + "publisher": "Microsoft", + "logo": "Dynamics365.svg", + "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.", + "graphQueriesTableName": "FinanceOperationsActivity_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } + ], + "sampleQueries": [ + { + "description": "Finance and Operations Audited Tables", + "query": "{{graphQueriesTableName}}\n | summarize by TableName" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra app registration", + "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations." + } + ] + }, + "instructionSteps": [ + { + "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL." + }, + { + "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:" + }, + { + "title": "Step 1 - Microsoft Entra app registration", + "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use." + }, + { + "title": "Step 2 - Create a role for data collection in Finance and Operations", + "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role." + }, + { + "title": "Step 3 - Create a user for data collection in Finance and Operations", + "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user." + }, + { + "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations", + "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step." + }, + { + "description": "Connect using client credentials", + "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel", + "instructions": [ + { + "type": "ContextPane", + "parameters": { + "contextPaneType": "DataConnectorsContextPane", + "label": "Add environment", + "isPrimary": true, + "title": "Dynamics 365 Finance and Operations connection", + "instructionSteps": [ + { + "title": "Environment details", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Microsoft Entra tenant ID.", + "placeholder": "Tenant ID (GUID)", + "type": "text", + "name": "tenantId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "App registration client ID", + "placeholder": "Finance and Operations client ID", + "type": "text", + "name": "clientId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "App registration client secret", + "placeholder": "Finance and Operations client secret", + "type": "password", + "name": "clientSecret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Finance and Operations organization URL", + "placeholder": "https://dynamics-dev.axcloud.dynamics.com", + "type": "text", + "name": "auditHost" + } + } + ] + } + ] + } + } + ] + }, + { + "title": "Organizations", + "description": "Each row represents an Finance and Operations connection", + "instructions": [ + { + "type": "DataConnectorsGrid", + "parameters": { + "mapping": [ + { + "columnName": "Environment URL", + "columnValue": "properties.request.apiEndpoint" + } + ], + "menuItems": [ + "DeleteConnector" + ] + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "FinOps-DCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "streamDeclarations": { + "Custom-FinanceOperationsActivity_CL": { + "columns": [ + { + "name": "dataAreaId", + "type": "string" + }, + { + "name": "InstanceName", + "type": "string" + }, + { + "name": "LogCreatedDateTime", + "type": "datetime" + }, + { + "name": "LogType", + "type": "string" + }, + { + "name": "TableName", + "type": "string" + }, + { + "name": "Username", + "type": "string" + }, + { + "name": "Description", + "type": "string" + }, + { + "name": "Data", + "type": "dynamic" + }, + { + "name": "FormattedData", + "type": "string" + }, + { + "name": "NewData", + "type": "string" + }, + { + "name": "LogCreatedBy", + "type": "string" + }, + { + "name": "LogCreatedTransactionId", + "type": "string" + }, + { + "name": "LogDataAreaId", + "type": "string" + }, + { + "name": "LogPartition", + "type": "long" + }, + { + "name": "LogRecId", + "type": "long" + }, + { + "name": "SequenceNumber", + "type": "int" + }, + { + "name": "TableIdNumber", + "type": "int" + }, + { + "name": "TableRecId", + "type": "long" + }, + { + "name": "TableRecVersion", + "type": "int" + } + ] + } + }, + "dataSources": "[variables('TemplateEmptyObject')]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-FinanceOperationsActivity_CL" + ], + "destinations": [ + "clv2ws1" + ], + "transformKql": "source | extend TimeGenerated = now() | project-away dataAreaId, NewData", + "outputStream": "Custom-FinanceOperationsActivity_CL" + } + ], + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]" + } + }, + { + "name": "FinanceOperationsActivity_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "FinanceOperationsActivity_CL", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "InstanceName", + "type": "string" + }, + { + "name": "LogCreatedDateTime", + "type": "datetime" + }, + { + "name": "LogType", + "type": "string" + }, + { + "name": "TableName", + "type": "string" + }, + { + "name": "Username", + "type": "string" + }, + { + "name": "Description", + "type": "string" + }, + { + "name": "Data", + "type": "dynamic" + }, + { + "name": "FormattedData", + "type": "dynamic" + }, + { + "name": "LogCreatedBy", + "type": "string" + }, + { + "name": "LogCreatedTransactionId", + "type": "string" + }, + { + "name": "LogDataAreaId", + "type": "string" + }, + { + "name": "LogPartition", + "type": "long" + }, + { + "name": "LogRecId", + "type": "long" + }, + { + "name": "SequenceNumber", + "type": "int" + }, + { + "name": "TableIdNumber", + "type": "int" + }, + { + "name": "TableRecId", + "type": "long" + }, + { + "name": "TableRecVersion", + "type": "int" + } + ] + } + } + } ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1070" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "User {{UserId}} deleted audit log data in {{InstanceUrl}}. The message type is {{Message}}.", - "alertDisplayNameFormat": "Dataverse - Audit logs deleted in {{InstanceUrl}}" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Audit log data deletion", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Audit logging disabled_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a change in system audit configuration whereby audit logging is turned off.", - "displayName": "Dataverse - Audit logging disabled", - "enabled": false, - "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message =~ 'UpdateAuditSettings'\n| mv-expand Fields\n| extend AuditValue = Fields.Name, AuditEnabled = tobool(Fields.Value)\n| where not (AuditEnabled)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n AuditValue,\n AuditEnabled,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1562" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "Dynamics365Finance", + "title": "Dynamics 365 Finance and Operations", + "publisher": "Microsoft", + "logo": "Dynamics365.svg", + "descriptionMarkdown": "Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.\n\nThe Dynamics 365 Finance and Operations data connector ingests Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.", + "graphQueriesTableName": "FinanceOperationsActivity_CL", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "{{graphQueriesTableName}}", + "baseQuery": "{{graphQueriesTableName}}" + } ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } + "sampleQueries": [ + { + "description": "Finance and Operations Audited Tables", + "query": "{{graphQueriesTableName}}\n | summarize by TableName" + } ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Audit settings changes were detected in {{InstanceUrl}}. {{AuditValue}} enabled: was set to {{AuditEnabled}}.", - "alertDisplayNameFormat": "Dataverse - Audit logging was disabled in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 3", - "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Audit logging disabled", - "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Bulk record ownership re-assignment or sharing_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.", - "displayName": "Dataverse - Bulk record ownership re-assignment or sharing", - "enabled": false, - "query": "// Set threshold for number of shared/assigned records\nlet detection_threshold = 100;\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"ModifyAccess\", \"Assign\", \"GrantAccess\")\n| summarize\n FirstEvent = min(TimeGenerated),\n LastEvent = max(TimeGenerated),\n Events = count()\n by UserId, Message, InstanceUrl, ClientIp\n| where Events > detection_threshold\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n Message,\n Events,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", "dataTypes": [ - "DataverseActivity" - ] - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1548" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{Events}} events of type {{Message}} detected in {{InstanceUrl}} could indicate suspicious or malicious activity.", - "alertDisplayNameFormat": "Dataverse - High number of record access modification events detected" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 4", - "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Bulk record ownership re-assignment or sharing", - "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Executable uploaded to SharePoint document management site_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.", - "displayName": "Dataverse - Executable uploaded to SharePoint document management site", - "enabled": false, - "query": "let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n OfficeActivity\n | where TimeGenerated >= ago(query_frequency)\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\")\n on $left.SharePointUrl == $right.Site_Url\n| where SourceFileExtension in (file_extensions)\n| extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIP,\n InstanceUrl,\n SourceFileName,\n SharePointUrl,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity (SharePoint)" + "availability": { + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft Entra app registration", + "description": "Application client ID and secret used to access Dynamics 365 Finance and Operations." + } + ] + }, + "instructionSteps": [ + { + "description": ">Connectivity to Finance and Operations requires a Microsoft Entra app registration (client ID and secret). You'll also need the Microsoft Entra tenant ID and the Finance Operations Organization URL." + }, + { + "description": "To enable data collection, create a role in Dynamics 365 Finance and Operations with permissions to view the Database Log entity. Assign this role to a dedicated Finance and Operations user, mapped to the client ID of a Microsoft Entra app registration. Follow these steps to complete the process:" + }, + { + "title": "Step 1 - Microsoft Entra app registration", + "description": "1. Navigate to the [Microsoft Entra portal](https://entra.microsoft.com). \n2. Under Applications, click on **App Registrations** and create a new app registration (leave all defaults).\n3. Open the new app registration and create a new secret.\n4. Retain the **Tenant ID**, **Application (client) ID**, and **Client secret** for later use." + }, + { + "title": "Step 2 - Create a role for data collection in Finance and Operations", + "description": "1. In the Finance and Operations portal, navigate to **Workspaces > System administration** and click **Security Configuration**\n2. Under **Roles** click **Create new** and give the new role a name e.g. Database Log Viewer.\n3. Select the new role in the list of roles and click **Privileges** and than **Add references**.\n4. Select **Database log Entity View** from the list of privileges.\n5. Click on **Unpublished objects** and then **Publish all** to publish the role." + }, + { + "title": "Step 3 - Create a user for data collection in Finance and Operations", + "description": "1. In the Finance and Operations portal, navigate to **Modules > System administration** and click **Users**\n2. Create a new user and assign the role created in the previous step to the user." + }, + { + "title": "Step 4 - Register the Microsoft Entra app in Finance and Operations", + "description": "1. In the F&O portal, navigate to **System administration > Setup > Microsoft Entra applications** (Azure Active Directory applications)\n2. Create a new entry in the table. In the **Client Id** field, enter the application ID of the app registered in Step 1.\n3. In the **Name** field, enter a name for the application.\n4. In the **User ID** field, select the user ID created in the previous step." + }, + { + "description": "Connect using client credentials", + "title": "Connect events from Dyanmics 365 Finance and Operations to Microsoft Sentinel", + "instructions": [ + { + "type": "ContextPane", + "parameters": { + "contextPaneType": "DataConnectorsContextPane", + "label": "Add environment", + "isPrimary": true, + "title": "Dynamics 365 Finance and Operations connection", + "instructionSteps": [ + { + "title": "Environment details", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Microsoft Entra tenant ID.", + "placeholder": "Tenant ID (GUID)", + "type": "text", + "name": "tenantId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "App registration client ID", + "placeholder": "Finance and Operations client ID", + "type": "text", + "name": "clientId" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "App registration client secret", + "placeholder": "Finance and Operations client secret", + "type": "password", + "name": "clientSecret" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Finance and Operations organization URL", + "placeholder": "https://dynamics-dev.axcloud.dynamics.com", + "type": "text", + "name": "auditHost" + } + } + ] + } + ] + } + } + ] + }, + { + "title": "Organizations", + "description": "Each row represents an Finance and Operations connection", + "instructions": [ + { + "type": "DataConnectorsGrid", + "parameters": { + "mapping": [ + { + "columnName": "Environment URL", + "columnValue": "properties.request.apiEndpoint" + } + ], + "menuItems": [ + "DeleteConnector" + ] + } + } + ] + } ] - } - ], - "tactics": [ - "Execution", - "Persistence" - ], - "techniques": [ - "T0863", - "T0873" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "SourceFileName", - "identifier": "Name" - } - ], - "entityType": "File" - }, - { - "fieldMappings": [ - { - "columnName": "SharePointId", - "identifier": "AppId" - }, - { - "columnName": "SharePointUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}", - "alertDisplayNameFormat": "Dataverse - Executable files uploaded in document management for {{InstanceUrl}}" } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 5", - "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector" + } + ] } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Executable uploaded to SharePoint document management site", - "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Export activity from terminated or notified employee_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.", - "displayName": "Dataverse - Export activity from terminated or notified employee", - "enabled": false, - "query": "// Set a time period before employee terminatation date to search for export events\nlet termination_watch_period = 7d;\nlet query_frequency = 1h;\nlet exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nMSBizAppsTerminatedEmployees\n| where (UserState =~ \"Terminated\") or (UserState =~ \"Notified\" and TerminationDate <= startofday(now()) + termination_watch_period)\n| join kind=inner (DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message in (exportEvents))\n on $left.UserPrincipalName == $right.UserId\n| summarize\n FirstEvent = min(TimeGenerated),\n LastEvent = max(TimeGenerated),\n Event = make_set(Message, 4)\n by UserId, InstanceUrl, ClientIp, UserState\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n UserId,\n ClientIp,\n UserState,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "Dynamics 365 Finance and Operations", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "Dynamics 365 Finance and Operations", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "tenantId": { + "defaultValue": "tenantId", + "type": "string", + "minLength": 1 + }, + "clientId": { + "defaultValue": "clientId", + "type": "string", + "minLength": 1 + }, + "clientSecret": { + "defaultValue": "clientSecret", + "type": "securestring", + "minLength": 1 + }, + "auditHost": { + "defaultValue": "auditHost", + "type": "string", + "minLength": 1 + }, + "innerWorkspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]", + "connectorName": "[[concat('D365_', guid(parameters('auditHost')))]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/',variables('connectorName'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "Dynamics365Finance", + "dcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "streamName": "Custom-FinanceOperationsActivity_CL" + }, + "dataType": "FinanceOperationsActivity_CL", + "addOnAttributes": { + "InstanceName": "[[parameters('auditHost')]" + }, + "auth": { + "type": "OAuth2", + "ClientSecret": "[[parameters('clientSecret')]", + "ClientId": "[[parameters('clientId')]", + "GrantType": "client_credentials", + "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]", + "TokenEndpointHeaders": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "TokenEndpointQueryParameters": {}, + "Scope": "[[concat(parameters('auditHost'), '/.default')]" + }, + "request": { + "apiEndpoint": "[[concat(parameters('auditHost'), '/data/DatabaseLogs')]", + "queryWindowInMin": 10, + "httpMethod": "Get", + "retryCount": 3, + "timeoutInSeconds": 60, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "queryParameters": { + "$filter": "LogCreatedDateTime gt {_QueryWindowStartTime} and LogCreatedDateTime le {_QueryWindowEndTime}", + "cross-company": "true" + }, + "headers": { + "Accept": "application/json;odata.metadata=none", + "User-Agent": "Scuba" + } + }, + "response": { + "eventsJsonPaths": [ + "$.value" + ] + }, + "paging": { + "pagingType": "LinkHeader", + "linkHeaderTokenJsonPath": "$.['@odata.nextLink']" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1567", - "T1048" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Export events where employee state found matching {{UserState}} found in {{InstanceUrl}}.", - "alertDisplayNameFormat": "Dataverse - Export events detected from a terminated employee in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 6", - "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Export activity from terminated or notified employee", - "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Guest user exfiltration following Power Platform defense impairment_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.", - "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment", - "enabled": false, - "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack(\"AlertName\", AlertName, \"SystemAlertId\", SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n DataverseId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" - ] - }, - { - "connectorId": "AzureActiveDirectoryIdentityProtection", - "dataTypes": [ - "SecurityAlert" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dynamics365Activity Workbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Dynamics 365 Workbook\\n---\\n\\nThis workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data. This workbook is separated into 5 distinct sections and within each section there are several queries and visualizations. Many of the queries build on data from previous queries so may not appear if no data is present.\\n\\nTo begin select the desired TimeRange to filter the data to the timeframe you want to focus on. Note if you have a large amount of Dynamics 365 data queries may timeout with a large time range, if this is the case simply select a smaller time range.: \"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"412a09a0-64ae-4614-aec6-cbfc9273b82b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 32\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"ae90d1dc-20da-4948-80da-127b210bf152\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Retrieval Events\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"a1862467-36e9-4191-89ee-0a7479ec6114\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Deletion Events\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"06df36ec-4c5b-456d-b5d3-45fcd4662c6b\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Record Export Events\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"5bb7d870-a9d8-4905-a7c5-41b94c89edf4\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Events\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"fa9a364b-0ffc-4023-a7cc-087345da4ba8\",\"cellValue\":\"view_tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Other Events\",\"subTarget\":\"5\",\"style\":\"link\"}]},\"name\":\"links - 34\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Retrieval Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\n| extend Message = split(OriginalObjectId, ' ')[0]\\n| where Message =~ \\\"RetrieveMultiple\\\"\\n| extend numQueryCount = todouble(QueryResults)\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\n| union (\\n DataverseActivity\\n | extend Message = split(OriginalObjectId, ' ')[0]\\n | where Message =~ \\\"Retrieve\\\" \\n | extend QueryCount = double(1))\\n| make-series TotalRetrieves=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\n| extend (baseline) = series_decompose(TotalRetrieves)\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalRetrieves, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total record retrievals by users - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"RetTime\"},{\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"This timeline shows a break down of anomolies in data retrieval sizes by all users. Look for spikes that might indicate suspicious activity by users in terms of accessing records.\\r\\n\\r\\n
\\r\\nThe table below shows the 10 users with the largest number of data retrievals in the timeframe. This may help indicate which users are the cause of the anomolies. To filter subcequent views by a particular user simply select a user from the list. If no user is selected queries will show data from all users.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n| extend Message = split(OriginalObjectId, ' ')[0]\\r\\n| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n| extend numQueryCount = todouble(QueryResults)\\r\\n| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n| union (\\r\\n DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| summarize TotalRecords = sum(QueryCount) by UserId\\r\\n| sort by TotalRecords desc\\r\\n| take 10\",\"size\":4,\"title\":\"Users with largest total record retrievals - {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"RetUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n | where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\"\\r\\n | where UserId =~ '{RetUser}' \\r\\n \\t | extend QueryCount = double(1))\\r\\n\\t| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retrievals by {RetUser:label}\",\"timeContextFromParameter\":\"TimeRange\",\"timeBrushParameterName\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 23\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n| where Message contains \\\"Retrieve\\\"\\r\\n| where UserId =~ '{RetUser}' or '{RetUser}' == \\\"all users\\\"\\r\\n\",\"size\":1,\"title\":\"Retrievals by {RetUser}\",\"timeContextFromParameter\":\"TimeBrush\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"TimeBrush\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 23 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n| summarize TotalRecords = sum(QueryCount) by IPAddress\\r\\n| sort by TotalRecords desc\\r\\n| take 10\\r\\n| project IPAddress, TotalRecords\",\"size\":1,\"title\":\"Total record retrievals by IP address - {TimeRange:label} - Top 10\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"RetIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"As with the user retrieval events previously this section shows the top 10 IP addresses with the largest number of record retrievals. \\r\\n\\r\\nSelect an IP address in oder to filter subcequent fields by that IP.\",\"style\":\"info\"},\"customWidth\":\"30\",\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"RetrieveMultiple\\\"\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n\\t| union (DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t | where Message =~ \\\"Retrieve\\\" \\r\\n | extend QueryCount = double(1))\\r\\n| extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n| where IPAddress == '{RetIP}' or '{RetIP}' == \\\"all IP addresses\\\"\\r\\n| summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Timeline of Retreivals by {RetIP:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 24\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Retrieval Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Record Deletions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section include details on users deleting records within Dynamics 365. \\r\\n\\r\\nThe first timeline show anomalies within the total number of records deleted by users. Subcequent sections highlight the User and IP addresses associated with the largest number of record deletions. Selecting records in these results will show additional results filtered to that user or IP address.\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n\\t| make-series TotalDeletes=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalDeletes)\\r\\n| extend (anomalies, baseline) = series_decompose_anomalies(TotalDeletes, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Record deletions - {TimeRange:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n\",\"size\":4,\"title\":\"Users with most record deletions - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"DeleteUserId\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | where UserId =~ '{DeleteUserId}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Deletes by {DeleteUserId:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteUserId\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | summarize count() by tostring(split(ClientIp, ':')[0])\\r\\n | extend IPAddress = tostring(ClientIp_0)\\r\\n | sort by count_ desc\\r\\n | take 10\\r\\n \\r\\n\",\"size\":4,\"title\":\"Record deletions by IP address - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"IPAddress\",\"exportParameterName\":\"DeleteIP\",\"exportDefaultValue\":\"all IP addresses\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"IPAddress\"},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"categorical\"}},\"showBorder\":false,\"sortCriteriaField\":\"count_\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where Message =~ \\\"Delete\\\"\\r\\n | extend IPAddress = tostring(split(ClientIp, ':')[0])\\r\\n | where IPAddress == '{DeleteIP}' or '{DeleteIP}' == \\\"all IP addresses\\\"\\r\\n | summarize count() by bin(TimeGenerated, 1h)\\r\\n\\r\\n\",\"size\":1,\"title\":\"Deletions by {DeleteIP:label}\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"DeleteIP\",\"comparison\":\"isNotEqualTo\",\"value\":\"all IP addresses\"},\"name\":\"query - 22\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"Record Deletions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Export Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at records export from Dynamics 365. The first graph represents a timeseries of anomolies in the number of recrods being exported by all users.\\r\\n\\r\\nSubcequent sections look at the users exporting the largest number of records as well as the largest single export events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n\\t| where TimeGenerated > ago(30d)\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where QueryCount < 1000000\\r\\n | make-series TotalExports=sum(QueryCount) on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n\\t| extend (baseline) = series_decompose(TotalExports)\\r\\n\\t| extend (anomalies, baseline) = series_decompose_anomalies(TotalExports, 3, -1, 'linefit')\\r\\n\",\"size\":0,\"title\":\"Count of records exported to Excel - {TimeRange:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | summarize TotalRecords = sum(QueryCount) by UserId\\r\\n | sort by TotalRecords desc\\r\\n | take 10\\r\\n\",\"size\":1,\"title\":\"Users with most record exports - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"ExportUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalRecords\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" DataverseActivity\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | extend IPAddress=split(ClientIp, ':')[0]\\r\\n | summarize by UserId, tostring(IPAddress), QueryCount\\r\\n | sort by QueryCount desc\\r\\n | take 10\\r\\n\",\"size\":0,\"title\":\"Largest exports - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tDataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n\\t| where Message contains 'ExportToExcel'\\r\\n\\t| extend numQueryCount = todouble(QueryResults)\\r\\n\\t| extend QueryCount = iif(QueryResults contains \\\",\\\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\\r\\n\\t| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\\r\\n | where UserId =~ '{ExportUser}'\\r\\n | summarize sum(QueryCount) by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Exports by {ExportUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"ExportUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"name\":\"query - 25\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"Export Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Email Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section looks at emails sent by user via Dynamics 365, as with the other sections it starts be looking at anomolies in the total number of emails sent and then allows for drill downs into specific users to identify anomalous events.\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | make-series TotalEmails=count() on TimeGenerated from startofday(ago(30d)) to startofday(ago(0d)) step 1h by UserId\\r\\n | extend (baseline) = series_decompose(TotalEmails)\\r\\n | extend (anomalies, baseline) = series_decompose_anomalies(TotalEmails, 3, -1, 'linefit')\",\"size\":0,\"title\":\"Total emails sent - {TimeRange:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"query - 7\"},{\"type\":1,\"content\":{\"json\":\"Use this graph to look for spikes in email sent activity that occur outside the regular weekly pattern or occur outside expected working hours. You can then pivot on this data using query similar to:\\r\\n\\r\\n\\tDataverseActivity\\r\\n \\t| where TimeGenerated between(datetime(SPIKETIME)..(datetime(SPIKETIME)+1h))\\r\\n \\t| where Message =~ \\\"SendEmail\\\"\"},\"name\":\"text - 28\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | summarize count() by UserId\\r\\n | sort by count_ desc\\r\\n | take 10\",\"size\":4,\"title\":\"Users with most sent emails - {TimeRange:label} - Top 10\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"EmailUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"75\",\"name\":\"query - 8\"},{\"type\":1,\"content\":{\"json\":\"Select a user to see specific events related to that user.\",\"style\":\"info\"},\"customWidth\":\"25\",\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t | where TimeGenerated > ago(30d)\\r\\n | where Message =~ \\\"SendEmail\\\"\\r\\n | where UserId =~ '{EmailUser}'\\r\\n | summarize count() by bin(TimeGenerated, 1h)\",\"size\":1,\"title\":\"Emails by {EmailUser:label}\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showMetrics\":false}},\"conditionalVisibility\":{\"parameterName\":\"EmailUser\",\"comparison\":\"isEqualTo\"},\"name\":\"query - 27\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"Email Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Other Events\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section contains a number of other areas of interest from a threat hunting perspective. Selecting events in the queries shows additional data of interest.\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\"\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n\\t| join kind=leftanti (DataverseActivity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n\\t| where OriginalObjectId startswith \\\"GrantAccess\\\")\\r\\non UserId\\r\\n| summarize by UserId\",\"size\":0,\"title\":\"New users observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserId\",\"exportParameterName\":\"NewUser\",\"exportDefaultValue\":\"all users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"UserId\",\"formatter\":1},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"33\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | summarize count() by UserAgent\\r\\n | sort by count_ asc\\r\\n | take 10\\r\\n | project UserAgent\",\"size\":0,\"title\":\"10 rarest user agents in the {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"UserAgent\",\"exportParameterName\":\"RareUA\",\"exportDefaultValue\":\"all user agents\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"UserAgent\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"33\",\"name\":\"query - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message)\\r\\n\\t| join kind=leftanti (DataverseActivity\\r\\n\\t| where TimeGenerated between(ago(30d)..ago(7d))\\r\\n | extend Message = split(OriginalObjectId, ' ')[0]\\r\\n | extend Message = tostring(Message))\\r\\non Message\\r\\n| summarize by Message\",\"size\":0,\"title\":\"New actions observed in {TimeRange:label} - click to drill down\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Message\",\"exportParameterName\":\"NewAction\",\"exportDefaultValue\":\"All\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"query - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | where UserId =~ '{NewUser}'\\r\\n | project TimeGenerated, Message, ClientIp, UserAgent\",\"size\":0,\"title\":\"Activity by {NewUser:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewUser\",\"comparison\":\"isNotEqualTo\",\"value\":\"all users\"},\"showPin\":false,\"name\":\"query - 29\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n | where UserAgent =~ '{RareUA}'\\r\\n\",\"size\":0,\"title\":\"Activity by {RareUA:label}\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"RareUA\",\"comparison\":\"isNotEqualTo\",\"value\":\"all user agents\"},\"showPin\":false,\"name\":\"query - 30\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DataverseActivity\\r\\n\\t| where ClientIp != '127.0.0.1'\\r\\n | where Message =~ '{NewAction}'\",\"size\":0,\"title\":\"{NewAction:label} activities\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NewAction\",\"comparison\":\"isNotEqualTo\",\"value\":\"All\"},\"name\":\"query - 31\"}]},\"conditionalVisibility\":{\"parameterName\":\"view_tab\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"Other Events\"}],\"isLocked\":false,\"fromTemplateId\":\"sentinel-Dynamics365Activity\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=Dynamics365Activity; logoFileName=DynamicsLogo.svg; description=This workbook brings together queries and visualizations to assist you in identifying potential threats in your Dynamics 365 audit data.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.4; title=Dynamics 365 Activity; templateRelativePath=Dynamics365Activity.json; subtitle=; provider=Microsoft}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "DataverseActivity", + "kind": "DataType" + }, + { + "contentId": "Dataverse", + "kind": "DataConnector" + } + ] + } + } + } ] - } - ], - "tactics": [ - "DefenseEvasion", - "Exfiltration" - ], - "techniques": [ - "T1629", - "T1567" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "GuestAccountName", - "identifier": "Name" - }, - { - "columnName": "GuestUPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "DataverseId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" }, - "customDetails": { - "Environment": "EnvironmentId" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{SecurityDisablingUser}} disabled Power Platform tenant isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}", - "alertDisplayNameFormat": "Dataverse - exfiltration alerts following defense impairment in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 7", - "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment", - "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Hierarchy security manipulation_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies suspicious behaviors in hierarchy security including:\n- Hierarchy security disabled.\n- User assigns themselves as a manager.\n- User assigns themselves to a monitored position.", - "displayName": "Dataverse - Hierarchy security manipulation", - "enabled": false, - "query": "let monitored_position_ids = dynamic([\n // Enter a list of monitored position ID (guids)\n //\"79380ac5-da2a-ed11-9db1-000d3a58d546\"\n ]);\nlet query_frequency = 1h;\nlet security_disabled_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"organization\"\n | mv-expand Fields\n | where Fields.Name == \"ishierarchicalsecuritymodelenabled\"\n | where Fields.Value == \"False\"\n | extend Message = \"Hierarchy security has been disabled\"\n | project TimeGenerated, UserId, ClientIp, InstanceUrl, Message;\nlet assign_self_as_manager_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"systemuser\"\n | mv-expand Fields\n | where Fields.Name == \"parentsystemuserid\"\n | extend ModifiedManager = tostring(Fields.Value)\n | where SystemUserId == ModifiedManager\n | extend Message = \"User added self as manager of another user\";\nlet assign_self_to_position_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"systemuser\"\n | mv-expand Position = Fields\n | where Position.Name == \"positionid\" and tostring(Position.Value) in (monitored_position_ids)\n | mv-expand Target = Fields\n | where Target.Name == \"systemuserid\"\n | extend UserAssigned = tostring(Target.Value)\n | where SystemUserId == UserAssigned\n | extend\n Message = \"User assigned self to a monitored position\",\n PositionId = tostring(Position.Value);\nunion\n security_disabled_events,\n assign_self_as_manager_events,\n assign_self_to_position_events\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n Message,\n PositionId,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Anomalous application user activity_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies anomalies in activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use.", + "displayName": "Dataverse - Anomalous application user activity", + "enabled": false, + "query": "let query_lookback = 14d;\nlet query_frequency = 5h;\nlet anomaly_threshold = 2.5;\nlet seasonality = -1;\nlet trend = 'linefit';\nlet step_duration = 5h;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nDataverseActivity\n| where TimeGenerated >= startofday(ago(query_lookback))\n| where UserId in (application_users)\n| where isnotempty(OriginalObjectId)\n| make-series TotalEvents = count() default=0 on TimeGenerated from startofday(ago(query_lookback)) to now() step step_duration by UserId, InstanceUrl, OriginalObjectId\n| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(TotalEvents, anomaly_threshold, seasonality, trend)\n| mv-expand\n TotalEvents to typeof(double),\n AnomalyTimeGenerated = TimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n Score to typeof(double),\n Baseline to typeof(long)\n| where Anomalies > 0\n| extend Details = bag_pack(\n \"TotalEvents\",\n TotalEvents,\n \"Anomalies\",\n Anomalies,\n \"Baseline\",\n Baseline,\n \"Score\",\n Score,\n \"OriginalObjectId\",\n OriginalObjectId\n )\n| summarize Details = make_set(Details, 100) by UserId, InstanceUrl, AnomalyTimeGenerated\n| extend\n CloudAppId = int(32780),\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0]))\n| project\n AnomalyTimeGenerated,\n UserId,\n AadUserId,\n InstanceUrl,\n Details,\n CloudAppId\n", + "queryFrequency": "PT5H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "CredentialAccess", + "Execution", + "Persistence" + ], + "techniques": [ + "T1528", + "T1569", + "T0871", + "T0834", + "T0859" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AadUserId", + "identifier": "AadUserId" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "InstranceUrl": "InstanceUrl" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Anomaly detected on {{UserId}} in {{InstanceUrl}}. Details: {{Details}}", + "alertDisplayNameFormat": "Dataverse - Non-interactive account anomaly detected in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1548", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{Message}}. Events detected for user {{UserId}}.", - "alertDisplayNameFormat": "Dataverse - Suspicious hierarchy security modifications in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 8", - "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Anomalous application user activity", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Hierarchy security manipulation", - "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Honeypot instance activity_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.\n\nNote: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled.", - "displayName": "Dataverse - Honeypot instance activity", - "enabled": false, - "query": "let honeypot_dataverse_instances = dynamic([\"https://myinstance.crm.dynamics.com/\"]);\nlet honeypot_authorized_users = dynamic([\"scanner@mydomain.com\"]);\nlet monitored_dataverse_entities = dynamic([\"contact\", \"account\", \"opportunity\", \"lead\", \"competitor\"]);\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where InstanceUrl in (honeypot_dataverse_instances)\n| where UserId !in (honeypot_authorized_users)\n| where UserId !endswith \"@onmicrosoft.com\"\n and UserId != \"Unknown\"\n and isnotempty(ClientIp)\n| where Message in (\"UserSignIn\") or EntityName in (monitored_dataverse_entities)\n| summarize\n TimeStart = min(TimeGenerated),\n TimeEnd = max(TimeGenerated),\n Entities = make_set(EntityName, 10),\n Messages = make_set(Message, 10)\n by UserId, ClientIp, InstanceUrl\n| extend Severity = iif(array_length(set_difference(Messages, dynamic([\"UserSignIn\"]))) > 0, \"Medium\", \"Low\")\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, '@')[0])\n| extend UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeStart,\n TimeEnd,\n UserId,\n ClientIp,\n InstanceUrl,\n Messages,\n Entities,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Audit log data deletion_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies audit log data deletion activity in Dataverse.", + "displayName": "Dataverse - Audit log data deletion", + "enabled": false, + "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message =~ 'DeleteRecordChangeHistory' or Message =~ 'DeleteAuditData'\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, \"@\")[0])\n| extend UPNSuffix = tostring(split(UserId, \"@\")[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n UserAgent,\n Message,\n EntityName,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1070" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "User {{UserId}} deleted audit log data in {{InstanceUrl}}. The message type is {{Message}}.", + "alertDisplayNameFormat": "Dataverse - Audit logs deleted in {{InstanceUrl}}" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Discovery", - "Exfiltration" - ], - "techniques": [ - "T1538", - "T1526", - "T1567" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} from {{ClientIp}} was detected in the Dataverse honeypot instance: {{InstanceUrl}}", - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "Dataverse - Honeytoken activity detected in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 9", - "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Audit log data deletion", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Honeypot instance activity", - "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Login by a sensitive privileged user_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies Dataverse and Dynamics 365 logons by sensitive users.", - "displayName": "Dataverse - Login by a sensitive privileged user", - "enabled": false, - "query": "# Sensitive users are marked in the VIP Users watchlist using the Tags field.\n# Enter the tags values to monitor\nlet monitored_tags = dynamic([\"DataverseSensitive\"]);\nlet query_frequency = 1h;\nlet sensitive_users = MSBizAppsVIPUsers()\n | where Tags in (monitored_tags);\nsensitive_users\n| join kind=inner (DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId\n| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstSeen,\n UserId,\n ClientIp,\n UserAgent,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Audit logging disabled_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a change in system audit configuration whereby audit logging is turned off.", + "displayName": "Dataverse - Audit logging disabled", + "enabled": false, + "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message =~ 'UpdateAuditSettings'\n| mv-expand Fields\n| extend AuditValue = Fields.Name, AuditEnabled = tobool(Fields.Value)\n| where not (AuditEnabled)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n AuditValue,\n AuditEnabled,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Audit settings changes were detected in {{InstanceUrl}}. {{AuditValue}} enabled: was set to {{AuditEnabled}}.", + "alertDisplayNameFormat": "Dataverse - Audit logging was disabled in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess", - "CredentialAccess", - "PrivilegeEscalation" - ], - "techniques": [ - "T1133", - "T1190", - "T1078", - "T1212" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.", - "alertDisplayNameFormat": "Dataverse - Sensitive user logged in in at {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 10", - "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Audit logging disabled", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Login by a sensitive privileged user", - "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Login from IP in the block list_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.", - "displayName": "Dataverse - Login from IP in the block list", - "enabled": false, - "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist (from watchlist template)\n// with tag \"BlockDataverse\"\nlet query_frequency = 1h;\nlet blocked_networks = MSBizAppsNetworkAddresses()\n | where Tags has \"BlockDataverse\"\n | summarize by IPSubnet;\nlet watchlist_entries_count = toscalar (blocked_networks\n | summarize count());\nDataverseActivity\n| where watchlist_entries_count > 0\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"UserSignIn\" and isnotempty(ClientIp)\n| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n Message,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Bulk record ownership re-assignment or sharing_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies individual record ownership changes including sharing of records with other users/teams or re-assignment of ownership exceeding a pre-defined threshold.", + "displayName": "Dataverse - Bulk record ownership re-assignment or sharing", + "enabled": false, + "query": "// Set threshold for number of shared/assigned records\nlet detection_threshold = 100;\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"ModifyAccess\", \"Assign\", \"GrantAccess\")\n| summarize\n FirstEvent = min(TimeGenerated),\n LastEvent = max(TimeGenerated),\n Events = count()\n by UserId, Message, InstanceUrl, ClientIp\n| where Events > detection_threshold\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n Message,\n Events,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1548" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{Events}} events of type {{Message}} detected in {{InstanceUrl}} could indicate suspicious or malicious activity.", + "alertDisplayNameFormat": "Dataverse - High number of record access modification events detected" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.", - "alertDisplayNameFormat": "Dataverse - Login from IP in the block list at {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 11", - "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Bulk record ownership re-assignment or sharing", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Login from IP in the block list", - "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", - "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Login from IP not in the allow list_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template.", - "displayName": "Dataverse - Login from IP not in the allow list", - "enabled": false, - "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist template with tag \"AllowDataverse\"\nlet allowed_networks = MSBizAppsNetworkAddresses()\n | where Tags has \"AllowDataverse\"\n | summarize by IPSubnet;\nlet query_frequency = 1h;\nlet watchlist_entries_count = toscalar (allowed_networks\n | summarize count());\nlet dataverse_signin_activity = materialize(\n DataverseActivity\n | where watchlist_entries_count > 0\n | where TimeGenerated >= ago (query_frequency)\n | where Message == \"UserSignIn\" and isnotempty(ClientIp)\n | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n );\nlet authorized_ip_addresses = dataverse_signin_activity\n | evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet);\ndataverse_signin_activity\n| join kind=leftanti(authorized_ip_addresses) on ClientIp\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Executable uploaded to SharePoint document management site_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.", + "displayName": "Dataverse - Executable uploaded to SharePoint document management site", + "enabled": false, + "query": "let file_extensions = dynamic(['com', 'exe', 'bat', 'cmd', 'vbs', 'vbe', 'js', 'jse', 'wsf', 'wsh', 'msc', 'cpl', 'ps1', 'scr']);\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n OfficeActivity\n | where TimeGenerated >= ago(query_frequency)\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\")\n on $left.SharePointUrl == $right.Site_Url\n| where SourceFileExtension in (file_extensions)\n| extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIP,\n InstanceUrl,\n SourceFileName,\n SharePointUrl,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Office365", + "dataTypes": [ + "OfficeActivity (SharePoint)" + ] + } + ], + "tactics": [ + "Execution", + "Persistence" + ], + "techniques": [ + "T0863", + "T0873" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIP", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "File", + "fieldMappings": [ + { + "columnName": "SourceFileName", + "identifier": "Name" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "SharePointId", + "identifier": "AppId" + }, + { + "columnName": "SharePointUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Executable/script {{SourceFileName}} was uploaded by {{UserId}} in SharePoint site {{SharePointUrl}}", + "alertDisplayNameFormat": "Dataverse - Executable files uploaded in document management for {{InstanceUrl}}" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078", - "T1190", - "T1133" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Sign-in activity detected in {{InstanceUrl}} from an IP {{ClientIp}} not on the allow list.", - "alertDisplayNameFormat": "Dataverse - Login from IP not on the allow list in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 12", - "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Executable uploaded to SharePoint document management site", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Login from IP not in the allow list", - "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Malware found in SharePoint document management site_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.", - "displayName": "Dataverse - Malware found in SharePoint document management site", - "enabled": false, - "query": "let query_frequency = 15m;\n let malware_events = OfficeActivity\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileMalwareDetected\"\n | summarize by MalwareUserId = UserId, SourceFileName, Site_Url\n | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;\n let file_upload_events = OfficeActivity\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\"\n | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;\n let d365_upload_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UploadDocument\"\n | summarize by UserId, D365ClientIp = ClientIp;\n malware_events\n | join kind=inner (file_upload_events) on SourceFileName, Site_Url\n | lookup (d365_upload_events) on UserId\n | extend ClientIp = iif(ApplicationId == \"00000007-0000-0000-c000-000000000000\", D365ClientIp, ClientIP)\n | extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n | project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n SharePointUrl,\n SourceFileName,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity (SharePoint)" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Export activity from terminated or notified employee_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query identifies Dataverse export activity triggered by terminated, or employees about to leave the organization. This analytics rule uses the TerminatedEmployees watchlist template.", + "displayName": "Dataverse - Export activity from terminated or notified employee", + "enabled": false, + "query": "// Set a time period before employee terminatation date to search for export events\nlet termination_watch_period = 7d;\nlet query_frequency = 1h;\nlet exportEvents = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nMSBizAppsTerminatedEmployees\n| where (UserState =~ \"Terminated\") or (UserState =~ \"Notified\" and TerminationDate <= startofday(now()) + termination_watch_period)\n| join kind=inner (DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message in (exportEvents))\n on $left.UserPrincipalName == $right.UserId\n| summarize\n FirstEvent = min(TimeGenerated),\n LastEvent = max(TimeGenerated),\n Event = make_set(Message, 4)\n by UserId, InstanceUrl, ClientIp, UserState\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n UserId,\n ClientIp,\n UserState,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1567", + "T1048" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Export events where employee state found matching {{UserState}} found in {{InstanceUrl}}.", + "alertDisplayNameFormat": "Dataverse - Export events detected from a terminated employee in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Execution" - ], - "techniques": [ - "T1204" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "SourceFileName", - "identifier": "Name" - } - ], - "entityType": "File" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "SharePointId", - "identifier": "AppId" - }, - { - "columnName": "SharePointUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}", - "alertDisplayNameFormat": "Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 13", - "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Export activity from terminated or notified employee", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Malware found in SharePoint document management site", - "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Mass deletion of records_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies large scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs.", - "displayName": "Dataverse - Mass deletion of records", - "enabled": false, - "query": "let mass_delete_threshold = 10000;\nlet query_frequency = 1d;\nlet delete_activities = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Delete\";\nunion\n (\n delete_activities\n | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl\n | where TotalEvents > mass_delete_threshold\n | join kind=inner (\n delete_activities\n | summarize DeleteCount = count() by UserId, InstanceUrl, ClientIp, EntityName)\n on UserId, InstanceUrl\n | extend Entities = bag_pack(\"Entity\", EntityName, \"Count\", DeleteCount)\n | summarize Details = make_set(Entities, 100), FirstEvent = min(FirstEvent) by UserId, InstanceUrl, ClientIp, TotalEvents\n ),\n (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"BulkDelete\"\n | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl, ClientIp\n | extend Details = todynamic(\"Bulk delete scheduled\")\n )\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n TotalEvents,\n Details,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Guest user exfiltration following Power Platform defense impairment_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.", + "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment", + "enabled": false, + "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack(\"AlertName\", AlertName, \"SystemAlertId\", SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n DataverseId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AuditLogs" + ] + }, + { + "connectorId": "AzureActiveDirectoryIdentityProtection", + "dataTypes": [ + "SecurityAlert" + ] + } + ], + "tactics": [ + "DefenseEvasion", + "Exfiltration" + ], + "techniques": [ + "T1629", + "T1567" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "GuestAccountName", + "identifier": "Name" + }, + { + "columnName": "GuestUPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "DataverseId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "Environment": "EnvironmentId" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{SecurityDisablingUser}} disabled Power Platform tenant isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}", + "alertDisplayNameFormat": "Dataverse - exfiltration alerts following defense impairment in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1485" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} triggered the mass deletion detection with the following information: {{Details}}", - "alertDisplayNameFormat": "Dataverse - mass deletion or bulk deletion job detected in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 14", - "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Mass deletion of records", - "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Mass download from SharePoint document management_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.", - "displayName": "Dataverse - Mass download from SharePoint document management", - "enabled": false, - "query": "// Set threshold for number of downloaded files\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n OfficeActivity\n | where TimeGenerated >= ago(query_frequency)\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileDownloaded\")\n on $left.SharePointUrl == $right.Site_Url\n| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP\n| where FileDownloadCount > detection_threshold\n| extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n UserId,\n ClientIP,\n FileDownloadCount,\n SharePointUrl,\n InstanceUrl,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Office365", - "dataTypes": [ - "OfficeActivity (SharePoint)" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Hierarchy security manipulation_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies suspicious behaviors in hierarchy security including:\n- Hierarchy security disabled.\n- User assigns themselves as a manager.\n- User assigns themselves to a monitored position.", + "displayName": "Dataverse - Hierarchy security manipulation", + "enabled": false, + "query": "let monitored_position_ids = dynamic([\n // Enter a list of monitored position ID (guids)\n //\"79380ac5-da2a-ed11-9db1-000d3a58d546\"\n ]);\nlet query_frequency = 1h;\nlet security_disabled_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"organization\"\n | mv-expand Fields\n | where Fields.Name == \"ishierarchicalsecuritymodelenabled\"\n | where Fields.Value == \"False\"\n | extend Message = \"Hierarchy security has been disabled\"\n | project TimeGenerated, UserId, ClientIp, InstanceUrl, Message;\nlet assign_self_as_manager_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"systemuser\"\n | mv-expand Fields\n | where Fields.Name == \"parentsystemuserid\"\n | extend ModifiedManager = tostring(Fields.Value)\n | where SystemUserId == ModifiedManager\n | extend Message = \"User added self as manager of another user\";\nlet assign_self_to_position_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Update\" and EntityName == \"systemuser\"\n | mv-expand Position = Fields\n | where Position.Name == \"positionid\" and tostring(Position.Value) in (monitored_position_ids)\n | mv-expand Target = Fields\n | where Target.Name == \"systemuserid\"\n | extend UserAssigned = tostring(Target.Value)\n | where SystemUserId == UserAssigned\n | extend\n Message = \"User assigned self to a monitored position\",\n PositionId = tostring(Position.Value);\nunion\n security_disabled_events,\n assign_self_as_manager_events,\n assign_self_to_position_events\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n Message,\n PositionId,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1548", + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{Message}}. Events detected for user {{UserId}}.", + "alertDisplayNameFormat": "Dataverse - Suspicious hierarchy security modifications in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 8", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1567" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "SharePointId", - "identifier": "AppId" - }, - { - "columnName": "SharePointUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by {{{UserId}}.", - "alertDisplayNameFormat": "Dataverse - Mass download detected from document management in {{{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 15", - "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Hierarchy security manipulation", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Mass download from SharePoint document management", - "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Mass export of records to Excel_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies users exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold.", - "displayName": "Dataverse - Mass export of records to Excel", - "enabled": false, - "query": "// Set a mass export threshold for users who have no historical activity.\nlet mass_export_threshold = 10000;\nlet query_lookback = 14d;\nlet query_frequency = 1h;\nlet export_activity = DataverseActivity\n | where Message == \"ExportToExcel\"\n | extend QueryCount = iif(QueryResults has \",\", todouble(countof(tostring(QueryResults), ',') + 1), double(1));\nlet current_activity = export_activity\n | where TimeGenerated > ago(query_frequency)\n | extend RecordId = split(QueryResults, \",\")\n | summarize\n FirstEvent = min(TimeGenerated),\n CurrentExportRate = sum(QueryCount),\n SampleRecordIds = make_set(RecordId, 1000)\n by UserId, InstanceUrl;\nlet historical_activity = export_activity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize HistoricalBaseline = sum(QueryCount) by HistoricalUserId = UserId, InstanceUrl;\ncurrent_activity\n| join kind=leftouter(historical_activity) on $left.UserId == $right.HistoricalUserId, InstanceUrl\n| extend BaselineThreshold = iif(isnotnull(HistoricalBaseline), HistoricalBaseline, todouble(mass_export_threshold))\n| where CurrentExportRate > BaselineThreshold\n| join kind=inner(export_activity\n | where TimeGenerated > ago(query_frequency)\n | summarize EntityCount = sum(QueryCount) by UserId, ClientIp, InstanceUrl, EntityName\n | extend Details = bag_pack(\"EntityName\", EntityName, \"EntityCount\", EntityCount)\n | summarize Details = make_set(Details, 100) by UserId, ClientIp, InstanceUrl)\n on UserId, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n BaselineThreshold,\n CurrentExportRate,\n Details,\n SampleRecordIds,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Honeypot instance activity_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies activities in a predefined Honeypot Dataverse instance. Alerts when either sign-in to the Honeypot is detected or when monitored Dataverse tables in the Honeypot are accessed.\n\nNote: Requires a dedicated Honeypot Dataverse instance in Power Platform with auditing enabled.", + "displayName": "Dataverse - Honeypot instance activity", + "enabled": false, + "query": "let honeypot_dataverse_instances = dynamic([\"https://myinstance.crm.dynamics.com/\"]);\nlet honeypot_authorized_users = dynamic([\"scanner@mydomain.com\"]);\nlet monitored_dataverse_entities = dynamic([\"contact\", \"account\", \"opportunity\", \"lead\", \"competitor\"]);\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where InstanceUrl in (honeypot_dataverse_instances)\n| where UserId !in (honeypot_authorized_users)\n| where UserId !endswith \"@onmicrosoft.com\"\n and UserId != \"Unknown\"\n and isnotempty(ClientIp)\n| where Message in (\"UserSignIn\") or EntityName in (monitored_dataverse_entities)\n| summarize\n TimeStart = min(TimeGenerated),\n TimeEnd = max(TimeGenerated),\n Entities = make_set(EntityName, 10),\n Messages = make_set(Message, 10)\n by UserId, ClientIp, InstanceUrl\n| extend Severity = iif(array_length(set_difference(Messages, dynamic([\"UserSignIn\"]))) > 0, \"Medium\", \"Low\")\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, '@')[0])\n| extend UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeStart,\n TimeEnd,\n UserId,\n ClientIp,\n InstanceUrl,\n Messages,\n Entities,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Discovery", + "Exfiltration" + ], + "techniques": [ + "T1538", + "T1526", + "T1567" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} from {{ClientIp}} was detected in the Dataverse honeypot instance: {{InstanceUrl}}", + "alertDisplayNameFormat": "Dataverse - Honeytoken activity detected in {{InstanceUrl}} ", + "alertSeverityColumnName": "Severity" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1567" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "User {{UserId}} exported {{{CurrentExportRate}} records using the ExportToExcel function in Dataverse.", - "alertDisplayNameFormat": "Dataverse - mass export to Excel activity in {{{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 16", - "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Honeypot instance activity", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Mass export of records to Excel", - "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Mass record updates_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold.", - "displayName": "Dataverse - Mass record updates", - "enabled": false, - "query": "// Set threshold for number of updated records\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\"\n| summarize EventCount = count() by InstanceUrl, UserId, ClientIp, Message\n| where EventCount > detection_threshold\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency))\n on InstanceUrl, UserId, ClientIp, Message\n| mv-expand Fields\n| summarize\n UpdatedFields = make_set(Fields.Name, 100),\n FirstEvent = min(TimeGenerated)\n by UserId, ClientIp, InstanceUrl, EventCount, EntityName\n| extend Details = bag_pack(\"Entity\", EntityName, \"Count\", EventCount, \"FieldsUpdated\", UpdatedFields)\n| summarize\n TotalEvents = sum(EventCount),\n FirstEvent = min(FirstEvent),\n Details = make_list(Details, 100)\n by UserId, ClientIp, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n TotalEvents,\n Details,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Login by a sensitive privileged user_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies Dataverse and Dynamics 365 logons by sensitive users.", + "displayName": "Dataverse - Login by a sensitive privileged user", + "enabled": false, + "query": "# Sensitive users are marked in the VIP Users watchlist using the Tags field.\n# Enter the tags values to monitor\nlet monitored_tags = dynamic([\"DataverseSensitive\"]);\nlet query_frequency = 1h;\nlet sensitive_users = MSBizAppsVIPUsers()\n | where Tags in (monitored_tags);\nsensitive_users\n| join kind=inner (DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId\n| summarize FirstSeen = arg_max(TimeGenerated, *) by UserId\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstSeen,\n UserId,\n ClientIp,\n UserAgent,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "InitialAccess", + "CredentialAccess", + "PrivilegeEscalation" + ], + "techniques": [ + "T1133", + "T1190", + "T1078", + "T1212" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A user marked as sensitive for Dataverse in the VIPUsers watchlist signed in at {{InstanceUrl}}.", + "alertDisplayNameFormat": "Dataverse - Sensitive user logged in in at {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1641", - "T1485", - "T1565" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "Details": "Details" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A total of {{TotalEvents}} records were updated by {{UserId}} , breaching the mass update threshold in {{InstanceUrl}} .", - "alertDisplayNameFormat": "Dataverse - Mass record changes detected in {{{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 17", - "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Login by a sensitive privileged user", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Mass record updates", - "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - New Dataverse application user activity type_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.", - "displayName": "Dataverse - New Dataverse application user activity type", - "enabled": false, - "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nlet historical_app_activity = application_users\n | join kind = inner (\n DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\nlet current_activity = application_users\n | join kind= inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\ncurrent_activity\n| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl\n| summarize NewActivities = make_set(strcat(Message, \" \", EntityName), 1000) by UserId, InstanceUrl\n| extend\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0])),\n CloudAppId = int(32780)\n| project\n UserId,\n NewActivities,\n InstanceUrl,\n AadUserId,\n CloudAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Login from IP in the block list_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies Dataverse sign-in activity from IPv4 addresses which are on a predefined block list. Blocked network ranges are maintained in the NetworkAddresses watchlist template.", + "displayName": "Dataverse - Login from IP in the block list", + "enabled": false, + "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist (from watchlist template)\n// with tag \"BlockDataverse\"\nlet query_frequency = 1h;\nlet blocked_networks = MSBizAppsNetworkAddresses()\n | where Tags has \"BlockDataverse\"\n | summarize by IPSubnet;\nlet watchlist_entries_count = toscalar (blocked_networks\n | summarize count());\nDataverseActivity\n| where watchlist_entries_count > 0\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"UserSignIn\" and isnotempty(ClientIp)\n| summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n| evaluate ipv4_lookup(blocked_networks, ClientIp, IPSubnet)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n Message,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133", + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Sign-in activity by {{UserId}} in {{InstanceUrl}} was detected from an IP {{ClientIp}} on the block list.", + "alertDisplayNameFormat": "Dataverse - Login from IP in the block list at {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 11", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "CredentialAccess", - "Execution", - "PrivilegeEscalation" - ], - "techniques": [ - "T1635", - "T0871", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AadUserId", - "identifier": "AadUserId" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.", - "alertDisplayNameFormat": "Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 18", - "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Login from IP in the block list", + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - New Dataverse application user activity type", - "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - New non-interactive identity granted access_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies API level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user.", - "displayName": "Dataverse - New non-interactive identity granted access", - "enabled": false, - "query": "let dataverse_app_id = \"00000007-0000-0000-c000-000000000000\";\nlet query_frequency = 1h;\nlet azure_ad_changes = AuditLogs\n | where TimeGenerated >= ago(query_frequency)\n | where OperationName =~ 'Update application'\n | where TargetResources has dataverse_app_id\n | extend TargetAppName = tostring(TargetResources[0].displayName)\n | extend TargetAppId = tostring(TargetResources[0].id)\n | extend UserId = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ClientIp = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n | extend NewData = tostring(parse_json(tostring(parse_json(TargetResources)[0].modifiedProperties))[0].newValue)\n | where NewData has dataverse_app_id;\nlet dataverse_changes = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where (Message == \"Create\" and EntityName == \"systemuser\" and parse_json(Fields)[0].Name == \"applicationid\")\n | extend TargetAppId = tostring(Fields[0].Value);\nunion azure_ad_changes, dataverse_changes\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n TargetAppName,\n TargetAppId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Informational", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Login from IP not in the allow list_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies logons from IPv4 addresses not matching IPv4 subnets maintained on an allow list. This analytics rule uses the NetworkAddresses watchlist template.", + "displayName": "Dataverse - Login from IP not in the allow list", + "enabled": false, + "query": "// Use static IP address or CIDR list specified in the\n// NetworkAddresses watchlist template with tag \"AllowDataverse\"\nlet allowed_networks = MSBizAppsNetworkAddresses()\n | where Tags has \"AllowDataverse\"\n | summarize by IPSubnet;\nlet query_frequency = 1h;\nlet watchlist_entries_count = toscalar (allowed_networks\n | summarize count());\nlet dataverse_signin_activity = materialize(\n DataverseActivity\n | where watchlist_entries_count > 0\n | where TimeGenerated >= ago (query_frequency)\n | where Message == \"UserSignIn\" and isnotempty(ClientIp)\n | summarize FirstEvent = arg_min(TimeGenerated, *) by UserId, ClientIp, InstanceUrl\n );\nlet authorized_ip_addresses = dataverse_signin_activity\n | evaluate ipv4_lookup(allowed_networks, ClientIp, IPSubnet);\ndataverse_signin_activity\n| join kind=leftanti(authorized_ip_addresses) on ClientIp\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078", + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Sign-in activity detected in {{InstanceUrl}} from an IP {{ClientIp}} not on the allow list.", + "alertDisplayNameFormat": "Dataverse - Login from IP not on the allow list in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 12", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Persistence", - "LateralMovement", - "PrivilegeEscalation" - ], - "techniques": [ - "T1098", - "T0859", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "TargetAppId", - "identifier": "AadUserId" - } - ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} granted access to an Azure AD app {{{TargetAppName}}. Check to validate this access was authorized.", - "alertDisplayNameFormat": "Dataverse - new non-interactive access granted" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 19", - "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Login from IP not in the allow list", + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - New non-interactive identity granted access", - "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - New sign-in from an unauthorized domain_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default.", - "displayName": "Dataverse - New sign-in from an unauthorized domain", - "enabled": false, - "query": "// Allow list of UPN suffixes allowed by the organization.\nlet allowed_domains = dynamic([\n 'onmicrosoft.com',\n 'microsoft.com'\n ]);\n// All list of users allowed by the organization\nlet allowed_users = dynamic([\n 'user1@mydomain.com',\n 'user2@mydomain.com'\n ]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_users = DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | where Message == 'UserSignIn'\n | summarize by UserId;\nDataverseActivity\n| where TimeGenerated >= ago (query_frequency)\n| where Message == 'UserSignIn'\n| join kind=leftanti (historical_users) on UserId\n| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, ClientIp, InstanceUrl\n| where isnotempty(ClientIp)\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, '@')[0])\n| extend UPNSuffix = tostring(split(UserId, '@')[1])\n| where UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)\n| project\n FirstEvent,\n LastEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Malware found in SharePoint document management site_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query identifies malware uploaded via Dynamics 365 document management or directly in SharePoint impacting Dataverse associated SharePoint sites.", + "displayName": "Dataverse - Malware found in SharePoint document management site", + "enabled": false, + "query": "let query_frequency = 15m;\n let malware_events = OfficeActivity\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileMalwareDetected\"\n | summarize by MalwareUserId = UserId, SourceFileName, Site_Url\n | join kind=inner (DataverseSharePointSites) on $left.Site_Url == $right.SharePointUrl;\n let file_upload_events = OfficeActivity\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileUploaded\"\n | project TimeGenerated, UserId, Site_Url, SourceFileName, ApplicationId, ClientIP;\n let d365_upload_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UploadDocument\"\n | summarize by UserId, D365ClientIp = ClientIp;\n malware_events\n | join kind=inner (file_upload_events) on SourceFileName, Site_Url\n | lookup (d365_upload_events) on UserId\n | extend ClientIp = iif(ApplicationId == \"00000007-0000-0000-c000-000000000000\", D365ClientIp, ClientIP)\n | extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n | project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n SharePointUrl,\n SourceFileName,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "Office365", + "dataTypes": [ + "OfficeActivity (SharePoint)" + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": [ + "T1204" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "File", + "fieldMappings": [ + { + "columnName": "SourceFileName", + "identifier": "Name" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "SharePointId", + "identifier": "AppId" + }, + { + "columnName": "SharePointUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A malicious file {{SourceFileName}} was found in SharePoint site {{SharePointUrl}}. The file was uploaded by {{UserId}}", + "alertDisplayNameFormat": "Dataverse - Malware was found in SharePoint document management site for {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 13", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078", - "T1190", - "T1133" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "New user sign-in activity was detected in {{InstanceUrl}} originating from user {{UserId}}. This user's UPN suffix is not on the authorized list of domains.", - "alertDisplayNameFormat": "Dataverse - Unauthorized sign-in activity" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 20", - "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Malware found in SharePoint document management site", + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - New sign-in from an unauthorized domain", - "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", - "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - New user agent type that was not used before_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies users accessing Dataverse from a User Agent that has not been seen in any Dataverse instance in the last 14 days.", - "displayName": "Dataverse - New user agent type that was not used before", - "enabled": false, - "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n // Enter known user agents to exclude.\n // example:\n // \"Agent1\", \"Agent2\", \"Agent3\"\n ]);\nDataverseActivity\n| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n| where isnotempty(UserAgent)\n| summarize by UserAgent\n| join kind = rightanti (DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n | where isnotempty(UserAgent)\n | where UserAgent !in~ (known_useragents)\n | where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\")\n on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n on UserAgent\n| summarize\n FirstSeen = min(TimeGenerated),\n LatestIP = arg_max(ClientIp, TimeGenerated)\n by UserAgent, UserId, InstanceUrl\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n FirstSeen,\n UserId,\n UserAgent,\n LatestIP,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject14').analyticRuleTemplateSpecName14]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Mass deletion of records_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies large scale record delete operations based on a predefined threshold and also detects scheduled bulk deletion jobs.", + "displayName": "Dataverse - Mass deletion of records", + "enabled": false, + "query": "let mass_delete_threshold = 10000;\nlet query_frequency = 1d;\nlet delete_activities = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Delete\";\nunion\n (\n delete_activities\n | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl\n | where TotalEvents > mass_delete_threshold\n | join kind=inner (\n delete_activities\n | summarize DeleteCount = count() by UserId, InstanceUrl, ClientIp, EntityName)\n on UserId, InstanceUrl\n | extend Entities = bag_pack(\"Entity\", EntityName, \"Count\", DeleteCount)\n | summarize Details = make_set(Entities, 100), FirstEvent = min(FirstEvent) by UserId, InstanceUrl, ClientIp, TotalEvents\n ),\n (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"BulkDelete\"\n | summarize FirstEvent = min(TimeGenerated), TotalEvents = count() by UserId, InstanceUrl, ClientIp\n | extend Details = todynamic(\"Bulk delete scheduled\")\n )\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n TotalEvents,\n Details,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1485" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} triggered the mass deletion detection with the following information: {{Details}}", + "alertDisplayNameFormat": "Dataverse - mass deletion or bulk deletion job detected in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject14').analyticRuleId14,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 14", + "parentId": "[variables('analyticRuleObject14').analyticRuleId14]", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess", - "DefenseEvasion" - ], - "techniques": [ - "T1078", - "T0866", - "T0819", - "T1036" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "LatestIP", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} with new agent not seen previously in the Dataverse activity log.\nAgent: {{UserAgent}}\nLatest IP: {{LatestIP}}\n", - "alertDisplayNameFormat": "Dataverse - new user agent detected in {{{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 21", - "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Mass deletion of records", + "contentProductId": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "id": "[variables('analyticRuleObject14')._analyticRulecontentProductId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - New user agent type that was not used before", - "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", - "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", - "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - New user agent type that was not used with Office 365_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days.", - "displayName": "Dataverse - New user agent type that was not used with Office 365", - "enabled": false, - "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n // Enter known user agents to exclude.\n // example:\n // \"Agent1\", \"Agent2\", \"Agent3\"\n ]);\nDataverseActivity\n| where TimeGenerated > ago(query_frequency)\n| where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n| where isnotempty(UserAgent)\n| where UserAgent !in~ (known_useragents)\n| where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\"\n| join kind = leftanti (\n OfficeActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | where isnotempty(UserAgent)\n | summarize by UserAgent)\n on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n on UserAgent\n| summarize\n FirstSeen = min(TimeGenerated),\n LatestIP = arg_max(ClientIp, TimeGenerated)\n by UserAgent, UserId, InstanceUrl\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n FirstSeen,\n UserId,\n UserAgent,\n LatestIP,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject15').analyticRuleTemplateSpecName15]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Mass download from SharePoint document management_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.", + "displayName": "Dataverse - Mass download from SharePoint document management", + "enabled": false, + "query": "// Set threshold for number of downloaded files\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseSharePointSites\n| join kind=inner (\n OfficeActivity\n | where TimeGenerated >= ago(query_frequency)\n | where OfficeWorkload == \"SharePoint\" and Operation == \"FileDownloaded\")\n on $left.SharePointUrl == $right.Site_Url\n| summarize FileDownloadCount = count() by UserId, SharePointUrl, InstanceUrl, ClientIP\n| where FileDownloadCount > detection_threshold\n| extend\n CloudAppId = int(32780),\n SharePointId = int(20892),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n UserId,\n ClientIP,\n FileDownloadCount,\n SharePointUrl,\n InstanceUrl,\n CloudAppId,\n SharePointId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Office365", + "dataTypes": [ + "OfficeActivity (SharePoint)" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1567" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIP", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "SharePointId", + "identifier": "AppId" + }, + { + "columnName": "SharePointUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{{FileDownloadCount}} files were downloaded from {{SharePointUrl}} by {{{UserId}}.", + "alertDisplayNameFormat": "Dataverse - Mass download detected from document management in {{{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject15').analyticRuleId15,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 15", + "parentId": "[variables('analyticRuleObject15').analyticRuleId15]", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1190", - "T1133" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "LatestIP", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 22", - "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Mass download from SharePoint document management", + "contentProductId": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "id": "[variables('analyticRuleObject15')._analyticRulecontentProductId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - New user agent type that was not used with Office 365", - "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", - "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Organization settings modified_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies changes made at organization level in the Dataverse environment.", - "displayName": "Dataverse - Organization settings modified", - "enabled": false, - "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName == \"organization\"\n| mv-expand Fields\n| extend FieldName = tostring(Fields.Name)\n| extend Value = tostring(Fields.Value)\n| where FieldName != \"organizationid\"\n| lookup MSBizAppsOrgSettings on FieldName\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n FieldName,\n Value,\n DisplayName,\n Description,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Informational", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject16').analyticRuleTemplateSpecName16]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Mass export of records to Excel_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies users exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold.", + "displayName": "Dataverse - Mass export of records to Excel", + "enabled": false, + "query": "// Set a mass export threshold for users who have no historical activity.\nlet mass_export_threshold = 10000;\nlet query_lookback = 14d;\nlet query_frequency = 1h;\nlet export_activity = DataverseActivity\n | where Message == \"ExportToExcel\"\n | extend QueryCount = iif(QueryResults has \",\", todouble(countof(tostring(QueryResults), ',') + 1), double(1));\nlet current_activity = export_activity\n | where TimeGenerated > ago(query_frequency)\n | extend RecordId = split(QueryResults, \",\")\n | summarize\n FirstEvent = min(TimeGenerated),\n CurrentExportRate = sum(QueryCount),\n SampleRecordIds = make_set(RecordId, 1000)\n by UserId, InstanceUrl;\nlet historical_activity = export_activity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize HistoricalBaseline = sum(QueryCount) by HistoricalUserId = UserId, InstanceUrl;\ncurrent_activity\n| join kind=leftouter(historical_activity) on $left.UserId == $right.HistoricalUserId, InstanceUrl\n| extend BaselineThreshold = iif(isnotnull(HistoricalBaseline), HistoricalBaseline, todouble(mass_export_threshold))\n| where CurrentExportRate > BaselineThreshold\n| join kind=inner(export_activity\n | where TimeGenerated > ago(query_frequency)\n | summarize EntityCount = sum(QueryCount) by UserId, ClientIp, InstanceUrl, EntityName\n | extend Details = bag_pack(\"EntityName\", EntityName, \"EntityCount\", EntityCount)\n | summarize Details = make_set(Details, 100) by UserId, ClientIp, InstanceUrl)\n on UserId, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n BaselineThreshold,\n CurrentExportRate,\n Details,\n SampleRecordIds,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1567" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "User {{UserId}} exported {{{CurrentExportRate}} records using the ExportToExcel function in Dataverse.", + "alertDisplayNameFormat": "Dataverse - mass export to Excel activity in {{{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject16').analyticRuleId16,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 16", + "parentId": "[variables('analyticRuleObject16').analyticRuleId16]", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Persistence" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Organization setting {{DisplayName}} : {{Description}} changed by {{UserId}}", - "alertDisplayNameFormat": "Dataverse - {{DisplayName}} changed in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 23", - "parentId": "[variables('analyticRuleObject23').analyticRuleId23]", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Mass export of records to Excel", + "contentProductId": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "id": "[variables('analyticRuleObject16')._analyticRulecontentProductId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Organization settings modified", - "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", - "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Removal of blocked file extensions_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension.", - "displayName": "Dataverse - Removal of blocked file extensions", - "enabled": false, - "query": "let query_frequency = 1h;\nlet default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', \";\");\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName =~ 'organization'\n| mv-expand Fields\n| where Fields.Name == \"blockedattachments\"\n| extend\n UpdatedAttachments = split(tostring(Fields.Value), \";\"),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n RemovedAttachments,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject17').analyticRuleTemplateSpecName17]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Mass record updates_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query detects mass record update changes in Dataverse and Dynamics 365, exceeding a pre-defined threshold.", + "displayName": "Dataverse - Mass record updates", + "enabled": false, + "query": "// Set threshold for number of updated records\nlet detection_threshold = 10000;\nlet query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\"\n| summarize EventCount = count() by InstanceUrl, UserId, ClientIp, Message\n| where EventCount > detection_threshold\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency))\n on InstanceUrl, UserId, ClientIp, Message\n| mv-expand Fields\n| summarize\n UpdatedFields = make_set(Fields.Name, 100),\n FirstEvent = min(TimeGenerated)\n by UserId, ClientIp, InstanceUrl, EventCount, EntityName\n| extend Details = bag_pack(\"Entity\", EntityName, \"Count\", EventCount, \"FieldsUpdated\", UpdatedFields)\n| summarize\n TotalEvents = sum(EventCount),\n FirstEvent = min(FirstEvent),\n Details = make_list(Details, 100)\n by UserId, ClientIp, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n UserId,\n ClientIp,\n TotalEvents,\n Details,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1641", + "T1485", + "T1565" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "Details": "Details" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A total of {{TotalEvents}} records were updated by {{UserId}} , breaching the mass update threshold in {{InstanceUrl}} .", + "alertDisplayNameFormat": "Dataverse - Mass record changes detected in {{{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject17').analyticRuleId17,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 17", + "parentId": "[variables('analyticRuleObject17').analyticRuleId17]", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1629" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.", - "alertDisplayNameFormat": "Dataverse - Blocked file extension removed in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 24", - "parentId": "[variables('analyticRuleObject24').analyticRuleId24]", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Mass record updates", + "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Removal of blocked file extensions", - "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", - "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - SharePoint document management site added or updated_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.", - "displayName": "Dataverse - SharePoint document management site added or updated", - "enabled": false, - "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"Create\", \"Update\") and EntityName == \"sharepointsite\"\n| mv-expand Fields\n| where Fields.Name == \"absoluteurl\"\n| extend\n SharePointAppId = int(20892),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n SharePointUrl = tostring(Fields.Value)\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n Message,\n SharePointUrl,\n InstanceUrl,\n CloudAppId,\n SharePointAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Informational", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject18').analyticRuleTemplateSpecName18]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - New Dataverse application user activity type_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies new or previously unseen activity types associated with Dataverse application (non-interactive) user.", + "displayName": "Dataverse - New Dataverse application user activity type", + "enabled": false, + "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet app_user_regex = \"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\\\\.com$\";\nlet guid_regex = \"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\";\nlet application_users = DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId != \"Unknown\"\n | summarize by UserId\n | where split(UserId, \"@\")[1] matches regex app_user_regex;\nlet historical_app_activity = application_users\n | join kind = inner (\n DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\nlet current_activity = application_users\n | join kind= inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | summarize by UserId, EntityName, Message, InstanceUrl)\n on\n UserId;\ncurrent_activity\n| join kind = leftanti (historical_app_activity) on UserId, Message, EntityName, InstanceUrl\n| summarize NewActivities = make_set(strcat(Message, \" \", EntityName), 1000) by UserId, InstanceUrl\n| extend\n AadUserId = extract(guid_regex, 1, tostring(split(UserId, \"@\")[0])),\n CloudAppId = int(32780)\n| project\n UserId,\n NewActivities,\n InstanceUrl,\n AadUserId,\n CloudAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "CredentialAccess", + "Execution", + "PrivilegeEscalation" + ], + "techniques": [ + "T1635", + "T0871", + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AadUserId", + "identifier": "AadUserId" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} generated new activities in {{InstanceUrl}} which had not been seen previously in the Dataverse.", + "alertDisplayNameFormat": "Dataverse - Unusual non-interactive account activity in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject18').analyticRuleId18,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 18", + "parentId": "[variables('analyticRuleObject18').analyticRuleId18]", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1567", - "T1537" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "SharePointAppId", - "identifier": "AppId" - }, - { - "columnName": "SharePointUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} made changes to document management in {{{InstanceUrl}}. Sharepoint site {{{SharePointUrl}} was added.", - "alertDisplayNameFormat": "Dataverse - Document management enabled or modified in {{{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 25", - "parentId": "[variables('analyticRuleObject25').analyticRuleId25]", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - New Dataverse application user activity type", + "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - SharePoint document management site added or updated", - "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", - "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Suspicious security role modifications_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies an unusual pattern of events whereby a new role is created followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time period.", - "displayName": "Dataverse - Suspicious security role modifications", - "enabled": false, - "query": "let role_create_watch_period = 2d;\nlet query_frequency = 1h;\nlet role_create_add_events= DataverseActivity\n | where Message == \"Create\" and EntityName == \"role\"\n | mv-expand Role = Fields\n | extend RoleName = Role.Value\n | where Role.Name == \"name\"\n | mv-expand Role = Fields\n | extend RoleCreateTime = TimeGenerated, RoleId = tostring(Role.Value)\n | where Role.Name == \"roleid\"\n | join kind=inner (\n DataverseActivity\n | where Message == \"Associate\" and EntityName == \"systemuser\"\n | mv-expand Role = Fields\n | where Role.Name == \"role\"\n | extend RoleMemberAddedTime = TimeGenerated, MemberAddedRoleId = tostring(Role.Value))\n on $left.RoleId == $right.MemberAddedRoleId, InstanceUrl, UserId\n | where RoleMemberAddedTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));\nlet remove_role_member_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Disassociate\" and EntityName == \"systemuser\"\n | mv-expand Role = Fields\n | where Role.Name == \"role\"\n | extend ActionTime = TimeGenerated, MemberRemovedRoleId = tostring(Role.Value);\nlet role_delete_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Delete\" and EntityName == \"role\"\n | extend DeletedRoleID = EntityId, Action = \"Role deleted within defined time window\"\n | project Action, ActionTime = TimeGenerated, UserId, ClientIp, DeletedRoleID, InstanceUrl;\nlet role_member_removals = role_create_add_events\n | join kind=inner (remove_role_member_events) on $left.RoleId == $right.MemberRemovedRoleId\n | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period))\n | extend Action = \"Role membership removed within defined time window\";\nlet role_deletions = role_create_add_events\n | join kind=inner (role_delete_events) on $left.RoleId == $right.DeletedRoleID\n | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));\nunion isfuzzy=true role_member_removals, role_deletions\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n UserId,\n InstanceUrl,\n ClientIp,\n Action,\n RoleCreateTime,\n RoleName,\n ActionTime,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject19').analyticRuleTemplateSpecName19]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - New non-interactive identity granted access_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies API level access grants, either via the delegated permissions of a Microsoft Entra application or direct assignment within Dataverse as an application user.", + "displayName": "Dataverse - New non-interactive identity granted access", + "enabled": false, + "query": "let dataverse_app_id = \"00000007-0000-0000-c000-000000000000\";\nlet query_frequency = 1h;\nlet azure_ad_changes = AuditLogs\n | where TimeGenerated >= ago(query_frequency)\n | where OperationName =~ 'Update application'\n | where TargetResources has dataverse_app_id\n | extend TargetAppName = tostring(TargetResources[0].displayName)\n | extend TargetAppId = tostring(TargetResources[0].id)\n | extend UserId = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend ClientIp = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n | extend NewData = tostring(parse_json(tostring(parse_json(TargetResources)[0].modifiedProperties))[0].newValue)\n | where NewData has dataverse_app_id;\nlet dataverse_changes = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where (Message == \"Create\" and EntityName == \"systemuser\" and parse_json(Fields)[0].Name == \"applicationid\")\n | extend TargetAppId = tostring(Fields[0].Value);\nunion azure_ad_changes, dataverse_changes\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n TargetAppName,\n TargetAppId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AuditLogs" + ] + } + ], + "tactics": [ + "Persistence", + "LateralMovement", + "PrivilegeEscalation" + ], + "techniques": [ + "T1098", + "T0859", + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "TargetAppId", + "identifier": "AadUserId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} granted access to an Azure AD app {{{TargetAppName}}. Check to validate this access was authorized.", + "alertDisplayNameFormat": "Dataverse - new non-interactive access granted" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject19').analyticRuleId19,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 19", + "parentId": "[variables('analyticRuleObject19').analyticRuleId19]", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1404", - "T1626", - "T1548" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "The following action ocurred following role modifications changes in {{InstanceUrl}}: {{Action}}.", - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "Dataverse - suspicious role modifications in {{InstanceUrl}}" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 26", - "parentId": "[variables('analyticRuleObject26').analyticRuleId26]", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - New non-interactive identity granted access", + "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Suspicious security role modifications", - "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", - "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Suspicious use of TDS endpoint_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment.", - "displayName": "Dataverse - Suspicious use of TDS endpoint", - "enabled": false, - "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == 'ExecutePowerBISql'\n| summarize FirstEvent = min(TimeGenerated) by UserId, ClientIp, InstanceUrl\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated >= ago(query_lookback)\n | where Message == 'ExecutePowerBISql'\n | summarize UniqueUsers = dcount(UserId, 4) by InstanceUrl)\n on InstanceUrl\n| where UniqueUsers == 1\n| join kind=inner (\n SecurityAlert\n | where Entities has ('\"Type\":\"ip\"')\n | project AlertName, SystemAlertId, Entities\n | mv-expand todynamic(Entities)\n | where Entities.Type == \"ip\"\n | extend IPAddress = tostring(Entities.Address)\n | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by IPAddress)\n on $left.ClientIp == $right.IPAddress\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| join kind = inner (\n SecurityAlert\n | where Entities has ('Type\":\"account\"')\n | project AlertName, SystemAlertId, Entities\n | mv-expand todynamic(Entities)\n | where Entities.Type == \"account\"\n | extend\n UPNSuffix = tostring(Entities.UPNSuffix),\n AccountName = tostring(Entities.Name)\n | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by AccountName, UPNSuffix\n | where isnotempty(AccountName) and isnotempty(UPNSuffix))\n on AccountName, UPNSuffix\n| summarize SystemAlerts = make_set(SystemAlerts, 100), Alerts = make_set(Alerts, 100) by FirstEvent, UserId, ClientIp, InstanceUrl, AccountName, UPNSuffix\n| extend CloudAppId = int(32780)\n| project\n FirstEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n Alerts,\n SystemAlerts,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "AzureActiveDirectoryIdentityProtection", - "dataTypes": [ - "SecurityAlert" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject20').analyticRuleTemplateSpecName20]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - New sign-in from an unauthorized domain_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies Dataverse sign-in activity originating from users with UPN suffixes that have not been seen previously in the last 14 days and are not present on a predefined list of authorized domains. Common internal Power Platform system users are excluded by default.", + "displayName": "Dataverse - New sign-in from an unauthorized domain", + "enabled": false, + "query": "// Allow list of UPN suffixes allowed by the organization.\nlet allowed_domains = dynamic([\n 'onmicrosoft.com',\n 'microsoft.com'\n ]);\n// All list of users allowed by the organization\nlet allowed_users = dynamic([\n 'user1@mydomain.com',\n 'user2@mydomain.com'\n ]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_users = DataverseActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | where Message == 'UserSignIn'\n | summarize by UserId;\nDataverseActivity\n| where TimeGenerated >= ago (query_frequency)\n| where Message == 'UserSignIn'\n| join kind=leftanti (historical_users) on UserId\n| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, ClientIp, InstanceUrl\n| where isnotempty(ClientIp)\n| extend CloudAppId = int(32780)\n| extend AccountName = tostring(split(UserId, '@')[0])\n| extend UPNSuffix = tostring(split(UserId, '@')[1])\n| where UPNSuffix !in (allowed_domains) and UserId !in (allowed_users)\n| project\n FirstEvent,\n LastEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078", + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "New user sign-in activity was detected in {{InstanceUrl}} originating from user {{UserId}}. This user's UPN suffix is not on the authorized list of domains.", + "alertDisplayNameFormat": "Dataverse - Unauthorized sign-in activity" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject20').analyticRuleId20,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 20", + "parentId": "[variables('analyticRuleObject20').analyticRuleId20]", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration", - "InitialAccess" - ], - "techniques": [ - "T1048", - "T1190" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "The TDS endpoint was used to query Dataverse instance {{InstanceUrl}} . The use of this protocol was not seen previously and the following alerts were associated with the caller: {{Alerts}}", - "alertDisplayNameFormat": "Dataverse - Suspicious use of TDS endpoint in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 27", - "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - New sign-in from an unauthorized domain", + "contentProductId": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "id": "[variables('analyticRuleObject20')._analyticRulecontentProductId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Suspicious use of TDS endpoint", - "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", - "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Suspicious use of Web API_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies sign-in across multiple Dataverse environments, breaching a predefined threshold, originating from a user with IP address that was used to sign-into the well known Microsoft Entra app registration.", - "displayName": "Dataverse - Suspicious use of Web API", - "enabled": false, - "query": "let query_frequency = 1h;\nlet query_lookback = 24h;\n// AppID of the multi-tenant Dynamics 365 Example Client Application\nlet well_known_app_id = \"51f81489-12ee-4a9e-aaae-a2591f45987d\";\nlet environment_count_threshold = 10;\nSigninLogs\n| where TimeGenerated >= ago(query_lookback)\n// Comment out the line below to monitor activity from all Azure AD apps\n| where AppId == well_known_app_id\n| where ResourceIdentity == '00000007-0000-0000-c000-000000000000'\n| summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName\n| join kind=inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp\n| where TimeGenerated between (FirstSeen .. (FirstSeen + 2h))\n| summarize InstanceCount = dcount(InstanceUrl, 4), FirstSeen = min(FirstSeen) by UserId, ClientIp, InstanceUrl, AppDisplayName, AppId\n| where InstanceCount > environment_count_threshold\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstSeen,\n UserId,\n ClientIp,\n AppDisplayName,\n AppId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject21').analyticRuleTemplateSpecName21]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - New user agent type that was not used before_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies users accessing Dataverse from a User Agent that has not been seen in any Dataverse instance in the last 14 days.", + "displayName": "Dataverse - New user agent type that was not used before", + "enabled": false, + "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n // Enter known user agents to exclude.\n // example:\n // \"Agent1\", \"Agent2\", \"Agent3\"\n ]);\nDataverseActivity\n| where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n| where isnotempty(UserAgent)\n| summarize by UserAgent\n| join kind = rightanti (DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n | where isnotempty(UserAgent)\n | where UserAgent !in~ (known_useragents)\n | where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\")\n on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n on UserAgent\n| summarize\n FirstSeen = min(TimeGenerated),\n LatestIP = arg_max(ClientIp, TimeGenerated)\n by UserAgent, UserId, InstanceUrl\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n FirstSeen,\n UserId,\n UserAgent,\n LatestIP,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "InitialAccess", + "DefenseEvasion" + ], + "techniques": [ + "T1078", + "T0866", + "T0819", + "T1036" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "LatestIP", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} with new agent not seen previously in the Dataverse activity log.\nAgent: {{UserAgent}}\nLatest IP: {{LatestIP}}\n", + "alertDisplayNameFormat": "Dataverse - new user agent detected in {{{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject21').analyticRuleId21,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 21", + "parentId": "[variables('analyticRuleObject21').analyticRuleId21]", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Execution", - "Exfiltration", - "Reconnaissance", - "Discovery" - ], - "techniques": [ - "T1106", - "T1567", - "T1595", - "T1526", - "T1580" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} sign-in activity generated in {{InstanceUrl}}. The app used was a well known multi-tenant app not owned or registered by the organization.", - "alertDisplayNameFormat": "Dataverse - Suspicious Web API sign-in activity" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 28", - "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - New user agent type that was not used before", + "contentProductId": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "id": "[variables('analyticRuleObject21')._analyticRulecontentProductId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Suspicious use of Web API", - "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", - "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - TI map IP to DataverseActivity_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence.", - "displayName": "Dataverse - TI map IP to DataverseActivity", - "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP)\n or isnotempty(EmailSourceIpAddress)\n or isnotempty(NetworkDestinationIP)\n or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false\n and TI_ipEntity !startswith \"fe80\"\n and TI_ipEntity !startswith \"::\"\n and TI_ipEntity !startswith \"127.\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DataverseActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIp)\n //Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(ClientIp) == false\n and ClientIp !startswith \"fe80\"\n and ClientIp !startswith \"::\"\n and ClientIp !startswith \"127.\"\n // renaming time column so it is clear the log this came from\n | extend DataverseActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.ClientIp\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, ClientIp\n| project DataverseActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIp, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, InstanceUrl, UserId\n| extend\n timestamp = DataverseActivity_TimeGenerated,\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[0]),\n CloudAppId = int(32780)\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "ThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligenceTaxii", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftDefenderThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligenceTaxii", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftDefenderThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject22').analyticRuleTemplateSpecName22]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - New user agent type that was not used with Office 365_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies users accessing Dynamics with a User Agent that has not been seen in any Office 365 workloads in the last 14 days.", + "displayName": "Dataverse - New user agent type that was not used with Office 365", + "enabled": false, + "query": "let query_lookback = 14d;\nlet query_frequency = 1h;\nlet known_useragents = dynamic([\n // Enter known user agents to exclude.\n // example:\n // \"Agent1\", \"Agent2\", \"Agent3\"\n ]);\nDataverseActivity\n| where TimeGenerated > ago(query_frequency)\n| where not (UserId has_any (\"@onmicrosoft.com\", \"@microsoft.com\", \"Unknown\"))\n| where isnotempty(UserAgent)\n| where UserAgent !in~ (known_useragents)\n| where UserAgent !hasprefix \"azure-logic-apps\" and UserAgent !hasprefix \"PowerApps\"\n| join kind = leftanti (\n OfficeActivity\n | where TimeGenerated between(ago(query_lookback) .. ago(query_frequency))\n | where isnotempty(UserAgent)\n | summarize by UserAgent)\n on UserAgent\n// Exclude user agents with a render agent to reduce noise.\n| join kind = leftanti(\n DataverseActivity\n | where TimeGenerated > ago(query_frequency)\n | where UserAgent has_any (\"Gecko\", \"WebKit\", \"Presto\", \"Trident\", \"EdgeHTML\", \"Blink\"))\n on UserAgent\n| summarize\n FirstSeen = min(TimeGenerated),\n LatestIP = arg_max(ClientIp, TimeGenerated)\n by UserAgent, UserId, InstanceUrl\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n FirstSeen,\n UserId,\n UserAgent,\n LatestIP,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1190", + "T1133" + ], + "entityMappings": [ + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "LatestIP", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject22').analyticRuleId22,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 22", + "parentId": "[variables('analyticRuleObject22').analyticRuleId22]", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess", - "LateralMovement", - "Discovery" - ], - "techniques": [ - "T1078", - "T1199", - "T1133", - "T0886", - "T0859", - "T1428", - "T1021", - "T1210", - "T1526", - "T1580" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Malicous IP {{ClientIp}} was found in {{InstanceUrl}} . User affected is {{UserId}}", - "alertDisplayNameFormat": "Dataverse - TI map IP in {{InstanceUrl}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 29", - "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - New user agent type that was not used with Office 365", + "contentProductId": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "id": "[variables('analyticRuleObject22')._analyticRulecontentProductId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - TI map IP to DataverseActivity", - "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", - "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - TI map URL to DataverseActivity_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.", - "displayName": "Dataverse - TI map URL to DataverseActivity", - "enabled": false, - "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(Url)\n| join kind=innerunique (\n DataverseActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where Message in (\"Create\", \"Update\")\n | where isnotempty(Fields) and Fields has \"http\"\n | extend\n ExtractedUrls = extract_all(\"(http[s]?://(?:[a-zA-Z\\\\.-]|[0-9])+)\", tostring(Fields)),\n DataverseActivity_TimeGenerated = TimeGenerated\n | mv-expand Url = ExtractedUrls\n | project\n DataverseActivity_TimeGenerated,\n tostring(Url),\n UserId,\n ClientIp,\n InstanceUrl,\n EntityName\n )\n on Url\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n DataverseActivity_TimeGenerated,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n ExpirationDateTime,\n ConfidenceScore,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix,\n Url\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "ThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligenceTaxii", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftDefenderThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligenceTaxii", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftDefenderThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject23').analyticRuleTemplateSpecName23]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Organization settings modified_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies changes made at organization level in the Dataverse environment.", + "displayName": "Dataverse - Organization settings modified", + "enabled": false, + "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName == \"organization\"\n| mv-expand Fields\n| extend FieldName = tostring(Fields.Name)\n| extend Value = tostring(Fields.Value)\n| where FieldName != \"organizationid\"\n| lookup MSBizAppsOrgSettings on FieldName\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n FieldName,\n Value,\n DisplayName,\n Description,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Persistence" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Organization setting {{DisplayName}} : {{Description}} changed by {{UserId}}", + "alertDisplayNameFormat": "Dataverse - {{DisplayName}} changed in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject23').analyticRuleId23,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 23", + "parentId": "[variables('analyticRuleObject23').analyticRuleId23]", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess", - "Execution", - "Persistence" - ], - "techniques": [ - "T1566", - "T1456", - "T1474", - "T0819", - "T0865", - "T0862", - "T0863", - "T1204", - "T1574", - "T0873" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Malicous IP {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}", - "alertDisplayNameFormat": "Dataverse - TI match on URL in {{InstanceUrl}}" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 30", - "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Organization settings modified", + "contentProductId": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "id": "[variables('analyticRuleObject23')._analyticRulecontentProductId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - TI map URL to DataverseActivity", - "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", - "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Terminated employee exfiltration over email_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "This query identifies Dataverse exfiltration via email by terminated employees.", - "displayName": "Dataverse - Terminated employee exfiltration over email", - "enabled": false, - "query": "// Note this detection relies upon the user's UPN matching their email address.\n// UEBA can provide more accurate data if enabled.\nlet query_frequency = 1h;\nlet allowed_destination_smtp_domains = dynamic([\n// Specify a list of recipient domains to exclude from alerting.\n// Example:\n// \"microsoft.com\", \"contoso.com\"\n ]);\nlet exfiltration_alert_users = SecurityAlert\n | where Tactics has 'Exfiltration' and Entities has_all ('account', '32780')\n | mv-expand DataverseEntities = todynamic(Entities)\n | where DataverseEntities.AppId == 32780\n | extend InstanceUrl = tostring(DataverseEntities.InstanceName)\n | mv-expand AccountEntities = todynamic(Entities)\n | where AccountEntities.Type == 'account'\n | extend\n AccountName = tostring(AccountEntities.Name),\n UPNSuffix = tostring(AccountEntities.UPNSuffix)\n | summarize InstanceUrls = make_set(InstanceUrl, 100) by AccountName, UPNSuffix\n | extend UserId = tolower(strcat(AccountName, \"@\", UPNSuffix));\nexfiltration_alert_users\n| join kind=inner (\n MSBizAppsTerminatedEmployees\n | project UserId = tolower(UserPrincipalName), NotificationDate\n | where startofday(NotificationDate) <= startofday(now()))\n // Uncomment the below KQL if UEBA is available to gain more accurate\n // email address data:\n // | join kind=leftouter (_ASIM_IdentityInfo) on $left.UserId == $right.Username\n // | extend UserId = iif(UserId == UserMailAddress or isempty(UserMailAddress), UserId, UserMailAddress))\n on UserId\n| join kind=inner (\n EmailEvents\n | where TimeGenerated >= ago (query_frequency)\n | where EmailDirection == \"Outbound\" and AttachmentCount > 0\n | extend RecipientDomain = tolower(split(RecipientEmailAddress, '@')[1])\n | where RecipientDomain !in (allowed_destination_smtp_domains)\n | summarize\n RecipientAddresses = make_set(RecipientEmailAddress, 1000),\n Subject = make_set(Subject, 1000)\n by SenderAddress = tolower(SenderMailFromAddress), SenderIPv4)\n on $left.UserId == $right.SenderAddress\n| mv-expand InstanceUrl = InstanceUrls to typeof(string)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, \"@\")[0]),\n UPNSuffix = tostring(split(UserId, \"@\")[1])\n| project\n UserId,\n InstanceUrl,\n SenderIPv4,\n RecipientAddresses,\n Subject,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "EmailEvents" - ] - }, - { - "connectorId": "AzureActiveDirectoryIdentityProtection", - "dataTypes": [ - "SecurityAlert" - ] - }, - { - "connectorId": "IdentityInfo", - "dataTypes": [ - "IdentityInfo" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject24').analyticRuleTemplateSpecName24]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Removal of blocked file extensions_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies modifications to an environment's blocked file extensions and extracts the removed extension.", + "displayName": "Dataverse - Removal of blocked file extensions", + "enabled": false, + "query": "let query_frequency = 1h;\nlet default_attachments = split('ade;adp;app;asa;ashx;asmx;asp;bas;bat;cdx;cer;chm;class;cmd;com;config;cpl;crt;csh;dll;exe;fxp;hlp;hta;htr;htw;ida;idc;idq;inf;ins;isp;its;jar;js;jse;ksh;lnk;mad;maf;mag;mam;maq;mar;mas;mat;mau;mav;maw;mda;mdb;mde;mdt;mdw;mdz;msc;msh;msh1;msh1xml;msh2;msh2xml;mshxml;msi;msp;mst;ops;pcd;pif;prf;prg;printer;pst;reg;rem;scf;scr;sct;shb;shs;shtm;shtml;soap;stm;tmp;url;vb;vbe;vbs;vsmacros;vss;vst;vsw;ws;wsc;wsf;wsh', \";\");\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == \"Update\" and EntityName =~ 'organization'\n| mv-expand Fields\n| where Fields.Name == \"blockedattachments\"\n| extend\n UpdatedAttachments = split(tostring(Fields.Value), \";\"),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| extend RemovedAttachments = set_difference(default_attachments, UpdatedAttachments)\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n InstanceUrl,\n RemovedAttachments,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1629" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} modified environment blocked extensions list. {{UserId}} removed the following extensions {{RemovedAttachments}}.", + "alertDisplayNameFormat": "Dataverse - Blocked file extension removed in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject24').analyticRuleId24,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 24", + "parentId": "[variables('analyticRuleObject24').analyticRuleId24]", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1639", - "T1567" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "SenderIPv4", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Departing or terminated user {{UserId}} was found to send email to external domains not on the allowed list: {{RecipientAddresses}}", - "alertDisplayNameFormat": "Email attachment sent externally by terminated user following Dataverse exfiltration alerts" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 31", - "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Removal of blocked file extensions", + "contentProductId": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "id": "[variables('analyticRuleObject24')._analyticRulecontentProductId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Terminated employee exfiltration over email", - "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", - "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Terminated employee exfiltration to USB drive_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives.", - "displayName": "Dataverse - Terminated employee exfiltration to USB drive", - "enabled": false, - "query": "let drive_mount_lookback = 14d;\nlet query_frequency = 1h;\nDataverseActivity\n| distinct InstanceUrl\n| join kind=inner (DeviceFileEvents\n | where TimeGenerated >= ago(query_frequency))\n on $left.InstanceUrl == $right.FileOriginUrl\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.InitiatingProcessAccountUpn == $right.UserPrincipalName\n| join kind=inner (DeviceEvents\n | where TimeGenerated >= ago(drive_mount_lookback)\n | where ActionType == \"UsbDriveMounted\"\n | extend DriveLetter = tostring(AdditionalFields.DriveLetter)\n | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)\n on DeviceId\n| extend TargetDriveLetter = tostring(split(FolderPath, \"\\\\\")[0])\n| where set_has_element(MountedDriveLetters, TargetDriveLetter)\n| join kind=inner (DeviceInfo\n | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)\n on DeviceId\n| project-rename\n UserId = UserPrincipalName\n| summarize LatestEvent = arg_max(TimeGenerated, *), Files = make_set(FileName, 100) by UserId, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n PublicIP,\n Files,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "DeviceInfo", - "DeviceEvents", - "DeviceFileEvents" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject25').analyticRuleTemplateSpecName25]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - SharePoint document management site added or updated_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies modifications of SharePoint document management integration. Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the MSBizApps-Add-SharePointSite-To-Watchlist Playbook to automatically update the Dataverse-SharePointSites watchlist. This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.", + "displayName": "Dataverse - SharePoint document management site added or updated", + "enabled": false, + "query": "let query_frequency = 1h;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message in (\"Create\", \"Update\") and EntityName == \"sharepointsite\"\n| mv-expand Fields\n| where Fields.Name == \"absoluteurl\"\n| extend\n SharePointAppId = int(20892),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n SharePointUrl = tostring(Fields.Value)\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n Message,\n SharePointUrl,\n InstanceUrl,\n CloudAppId,\n SharePointAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1567", + "T1537" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "SharePointAppId", + "identifier": "AppId" + }, + { + "columnName": "SharePointUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} made changes to document management in {{{InstanceUrl}}. Sharepoint site {{{SharePointUrl}} was added.", + "alertDisplayNameFormat": "Dataverse - Document management enabled or modified in {{{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject25').analyticRuleId25,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 25", + "parentId": "[variables('analyticRuleObject25').analyticRuleId25]", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1052" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "PublicIP", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": {}, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} , on the TerminatedUsers watchlist, was found to copy files to a USB mounted drive.", - "alertDisplayNameFormat": "Dataverse - terminated user copied files from {{InstanceUrl}} to USB" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 32", - "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - SharePoint document management site added or updated", + "contentProductId": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "id": "[variables('analyticRuleObject25')._analyticRulecontentProductId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Terminated employee exfiltration to USB drive", - "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", - "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies previously unseen IP and user agents in a Dataverse instance following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack", - "displayName": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection", - "enabled": false, - "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet cookie_lifetime = 24h;\nlet cookie_binding_disabled_events = DataverseActivity\n | where TimeGenerated >= ago(query_lookback)\n | where Message == \"Update\" and EntityName == \"organization\"\n | mv-expand Fields\n | where Fields.Name == \"enableipbasedcookiebinding\" and Fields.Value == 'False'\n | summarize CookieBindingDisabled = min(TimeGenerated) by CookieBindingDisabledBy = UserId, InstanceUrl;\nlet current_activity = cookie_binding_disabled_events\n | join kind=inner(DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId !endswith \"@microsoft.com\"\n | where isnotempty(ClientIp) and isnotempty(UserAgent)\n | where TimeGenerated >= ago(query_frequency + cookie_lifetime)\n | summarize LatestEvent = arg_max(TimeGenerated, *) by UserId, ClientIp, InstanceUrl)\n on InstanceUrl;\nlet users_switched_ip = current_activity\n | summarize IPCount = count() by UserId, InstanceUrl\n | where IPCount > 1\n | join kind=inner (current_activity) on UserId, InstanceUrl\n | summarize arg_max(LatestEvent, *) by UserId, InstanceUrl;\nusers_switched_ip\n| join kind = inner (DataverseActivity\n | where TimeGenerated >= ago (query_lookback)\n | where UserId !endswith \"@onmicrosoft.com\" and UserId !endswith \"@microsoft.com\"\n | where isnotempty(ClientIp) and isnotempty(UserAgent)\n | project-rename\n HistoricalTime = TimeGenerated,\n HistoricalIP = ClientIp,\n HistoricalAgent = UserAgent)\n on UserId, InstanceUrl\n| where HistoricalTime >= ago(query_lookback) and HistoricalTime < LatestEvent\n| summarize\n HistoricalIPs = make_set(HistoricalIP, 100),\n HistoricalAgents = make_set(HistoricalAgent, 100)\n by\n UserId,\n UserAgent,\n ClientIp,\n InstanceUrl,\n LatestEvent,\n CookieBindingDisabled,\n CookieBindingDisabledBy\n| where (HistoricalIPs !has ClientIp) and (HistoricalAgents !has UserAgent)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n ClientIp,\n UserAgent,\n InstanceUrl,\n HistoricalIPs,\n HistoricalAgents,\n CookieBindingDisabled,\n CookieBindingDisabledBy,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject26').analyticRuleTemplateSpecName26]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Suspicious security role modifications_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies an unusual pattern of events whereby a new role is created followed by the creator adding members to the role and subsequently removing the member or deleting the role after a short time period.", + "displayName": "Dataverse - Suspicious security role modifications", + "enabled": false, + "query": "let role_create_watch_period = 2d;\nlet query_frequency = 1h;\nlet role_create_add_events= DataverseActivity\n | where Message == \"Create\" and EntityName == \"role\"\n | mv-expand Role = Fields\n | extend RoleName = Role.Value\n | where Role.Name == \"name\"\n | mv-expand Role = Fields\n | extend RoleCreateTime = TimeGenerated, RoleId = tostring(Role.Value)\n | where Role.Name == \"roleid\"\n | join kind=inner (\n DataverseActivity\n | where Message == \"Associate\" and EntityName == \"systemuser\"\n | mv-expand Role = Fields\n | where Role.Name == \"role\"\n | extend RoleMemberAddedTime = TimeGenerated, MemberAddedRoleId = tostring(Role.Value))\n on $left.RoleId == $right.MemberAddedRoleId, InstanceUrl, UserId\n | where RoleMemberAddedTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));\nlet remove_role_member_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Disassociate\" and EntityName == \"systemuser\"\n | mv-expand Role = Fields\n | where Role.Name == \"role\"\n | extend ActionTime = TimeGenerated, MemberRemovedRoleId = tostring(Role.Value);\nlet role_delete_events = DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"Delete\" and EntityName == \"role\"\n | extend DeletedRoleID = EntityId, Action = \"Role deleted within defined time window\"\n | project Action, ActionTime = TimeGenerated, UserId, ClientIp, DeletedRoleID, InstanceUrl;\nlet role_member_removals = role_create_add_events\n | join kind=inner (remove_role_member_events) on $left.RoleId == $right.MemberRemovedRoleId\n | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period))\n | extend Action = \"Role membership removed within defined time window\";\nlet role_deletions = role_create_add_events\n | join kind=inner (role_delete_events) on $left.RoleId == $right.DeletedRoleID\n | where ActionTime between (RoleCreateTime .. (RoleCreateTime + role_create_watch_period));\nunion isfuzzy=true role_member_removals, role_deletions\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n UserId,\n InstanceUrl,\n ClientIp,\n Action,\n RoleCreateTime,\n RoleName,\n ActionTime,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1404", + "T1626", + "T1548" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "The following action ocurred following role modifications changes in {{InstanceUrl}}: {{Action}}.", + "alertDisplayNameFormat": "Dataverse - suspicious role modifications in {{InstanceUrl}}", + "alertSeverityColumnName": "Severity" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject26').analyticRuleId26,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 26", + "parentId": "[variables('analyticRuleObject26').analyticRuleId26]", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1629" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientIp", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": {}, - "alertDetailsOverride": { - "alertDescriptionFormat": "IP address-based cookie binding was disabled by in {{InstanceUrl}}. Following this, sign-in events from new IP {{ClientIp}} for {{UserId}} were detected.", - "alertDisplayNameFormat": "Dataverse - Unusual sign-in after IP address-based cookie binding disabled" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 33", - "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Suspicious security role modifications", + "contentProductId": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "id": "[variables('analyticRuleObject26')._analyticRulecontentProductId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection", - "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", - "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - User bulk retrieval outside normal activity_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks.", - "displayName": "Dataverse - User bulk retrieval outside normal activity", - "enabled": false, - "query": "let baseline_time = 14d;\nlet detection_time = 1d;\nDataverseActivity\n| where TimeGenerated between(ago(baseline_time) .. ago(detection_time - 1d))\n| where Message == \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend HistoricalBaseline = sum_QueryCount\n| join kind=inner (\n DataverseActivity\n | where TimeGenerated > ago(detection_time)\n | where Message == \"RetrieveMultiple\"\n | extend numQueryCount = todouble(QueryResults)\n | extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n | summarize sum(QueryCount) by UserId\n | extend CurrentExportRate = sum_QueryCount)\n on UserId\n| where CurrentExportRate > HistoricalBaseline\n| project UserId, HistoricalBaseline, CurrentExportRate\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated > ago(detection_time)\n | where Message == \"RetrieveMultiple\"\n | extend numQueryCount = todouble(QueryResults)\n | extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1)))\n on UserId\n| summarize\n QuerySizes = make_set(QueryCount),\n MostRecentQuery = max(TimeGenerated),\n IPs = make_set(ClientIp),\n UserAgents = make_set(UserAgent),\n Entities = make_set(EntityName),\n Queries = make_set(Query)\n by UserId, InstanceUrl, HistoricalBaseline, CurrentExportRate\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n MostRecentQuery,\n UserId,\n IPs,\n UserAgents,\n InstanceUrl,\n Queries,\n QuerySizes,\n Entities,\n HistoricalBaseline,\n CurrentExportRate,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "queryFrequency": "P1D", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dataverse", - "dataTypes": [ - "DataverseActivity" - ] - } - ], - "tactics": [ - "Exfiltration" - ], - "techniques": [ - "T1048" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - }, - { - "columnName": "InstanceUrl", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": {}, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{UserId}} exported {{CurrentExportRate}} records, far beyond the historical baseline of {{{HistoricalBaseline}}.", - "alertDisplayNameFormat": "Dataverse - Bulk record retrieval outside of normal activity" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 34", - "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", - "contentKind": "AnalyticsRule", - "displayName": "Dataverse - User bulk retrieval outside normal activity", - "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", - "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "F&O - Bank account change following network alias reassignment_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number.", - "displayName": "F&O - Bank account change following network alias reassignment", - "enabled": false, - "query": "let query_frequency = 15m;\nFinanceOperationsActivity_CL\n| where LogType == \"Update\" and TableName == \"UserInfo\"\n| extend UserId = tostring(parse_json(tostring(FormattedData.[\"03::id\"])).NewData)\n| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))\n| extend\n CurrentAlias = tostring(NetworkAlias.NewData),\n PreviousAlias = tostring(NetworkAlias.OldData)\n| where CurrentAlias != PreviousAlias\n| extend\n AliasUpdated = LogCreatedDateTime,\n AliasChangedBy = Username\n| join kind=inner(FinanceOperationsActivity_CL\n | where TimeGenerated >= ago (query_frequency)\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum\n | extend BankUpdated = LogCreatedDateTime)\n on $left.UserId == $right.Username\n| where BankUpdated > AliasUpdated\n| extend\n FinOpsAppId = 32780,\n AccountName = tostring(split(CurrentAlias, \"@\")[0]),\n UPNSuffix = tostring(split(CurrentAlias, \"@\")[1])\n| project\n AliasUpdated,\n AliasChangedBy,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n CurrentAlias,\n PreviousAlias,\n FinOpsAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365Finance", - "dataTypes": [ - "FinanceOperationsActivity_CL" - ] - } - ], - "tactics": [ - "CredentialAccess", - "LateralMovement", - "PrivilegeEscalation" - ], - "techniques": [ - "T1556", - "T0859", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AliasChangedBy", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "Username", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A user account alias was reassigned for {{Username}} by {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.", - "alertDisplayNameFormat": "F&O - Suspicious bank account changes" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 35", - "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", - "contentKind": "AnalyticsRule", - "displayName": "F&O - Bank account change following network alias reassignment", - "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", - "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "F&O - Mass update or deletion of user records_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds.", - "displayName": "F&O - Mass update or deletion of user records", - "enabled": false, - "query": "// Set threshold for number of updated or deleted records\nlet update_detection_threshold = 50;\nlet deleted_detection_threshold = 10;\nFinanceOperationsActivity_CL\n| where TableName == \"UserInfo\" and LogType in (\"Update\", \"Delete\")\n| summarize\n TotalEvents = count(),\n StartTime = min(LogCreatedDateTime),\n EndTime = max(LogCreatedDateTime)\n by TableName, Username, LogType\n| where (LogType == \"Update\" and TotalEvents > update_detection_threshold) or (LogType == \"Delete\" and TotalEvents > deleted_detection_threshold)\n| extend FinOpsAppId = 32780\n| project StartTime, EndTime, Username, LogType, TableName, TotalEvents, FinOpsAppId\n", - "queryFrequency": "PT1H", - "queryPeriod": "PT1H", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365Finance", - "dataTypes": [ - "FinanceOperationsActivity_CL" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject27').analyticRuleTemplateSpecName27]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Suspicious use of TDS endpoint_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies Dataverse TDS (Tabular Data Stream) protocol based queries where the source user or IP address has recent security alerts and the TDS protocol has not been used previously in the target environment.", + "displayName": "Dataverse - Suspicious use of TDS endpoint", + "enabled": false, + "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nDataverseActivity\n| where TimeGenerated >= ago(query_frequency)\n| where Message == 'ExecutePowerBISql'\n| summarize FirstEvent = min(TimeGenerated) by UserId, ClientIp, InstanceUrl\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated >= ago(query_lookback)\n | where Message == 'ExecutePowerBISql'\n | summarize UniqueUsers = dcount(UserId, 4) by InstanceUrl)\n on InstanceUrl\n| where UniqueUsers == 1\n| join kind=inner (\n SecurityAlert\n | where Entities has ('\"Type\":\"ip\"')\n | project AlertName, SystemAlertId, Entities\n | mv-expand todynamic(Entities)\n | where Entities.Type == \"ip\"\n | extend IPAddress = tostring(Entities.Address)\n | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by IPAddress)\n on $left.ClientIp == $right.IPAddress\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| join kind = inner (\n SecurityAlert\n | where Entities has ('Type\":\"account\"')\n | project AlertName, SystemAlertId, Entities\n | mv-expand todynamic(Entities)\n | where Entities.Type == \"account\"\n | extend\n UPNSuffix = tostring(Entities.UPNSuffix),\n AccountName = tostring(Entities.Name)\n | summarize SystemAlerts = make_set(SystemAlertId, 100), Alerts = make_set(AlertName, 100) by AccountName, UPNSuffix\n | where isnotempty(AccountName) and isnotempty(UPNSuffix))\n on AccountName, UPNSuffix\n| summarize SystemAlerts = make_set(SystemAlerts, 100), Alerts = make_set(Alerts, 100) by FirstEvent, UserId, ClientIp, InstanceUrl, AccountName, UPNSuffix\n| extend CloudAppId = int(32780)\n| project\n FirstEvent,\n UserId,\n ClientIp,\n InstanceUrl,\n Alerts,\n SystemAlerts,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "AzureActiveDirectoryIdentityProtection", + "dataTypes": [ + "SecurityAlert" + ] + } + ], + "tactics": [ + "Exfiltration", + "InitialAccess" + ], + "techniques": [ + "T1048", + "T1190" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "The TDS endpoint was used to query Dataverse instance {{InstanceUrl}} . The use of this protocol was not seen previously and the following alerts were associated with the caller: {{Alerts}}", + "alertDisplayNameFormat": "Dataverse - Suspicious use of TDS endpoint in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject27').analyticRuleId27,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 27", + "parentId": "[variables('analyticRuleObject27').analyticRuleId27]", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1485", - "T1565", - "T1491" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Username", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "FinOpsAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{TotalEvents}} user records deleted in F&O by user {{Username}}", - "alertDisplayNameFormat": "F&O - many user account records deleted" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 36", - "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Suspicious use of TDS endpoint", + "contentProductId": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "id": "[variables('analyticRuleObject27')._analyticRulecontentProductId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", - "contentKind": "AnalyticsRule", - "displayName": "F&O - Mass update or deletion of user records", - "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", - "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "F&O - Non-interactive account mapped to self or sensitive privileged user_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account.", - "displayName": "F&O - Non-interactive account mapped to self or sensitive privileged user", - "enabled": false, - "query": "// Add sensitive privilege accounts to the privileged_user_accounts variable.\n// Example: let privileged_user_accounts = dynamic([\"Admin1\", \"Admin\"]);\nlet privileged_user_accounts = dynamic([]);\nFinanceOperationsActivity_CL\n| where TableName == \"SysAADClientTable\" and LogType in (\"Insert\", \"Update\")\n| extend ClientId = tostring(parse_json(tostring(FormattedData.[\"03::AADClientId\"])).NewData)\n| extend User = parse_json(tostring(FormattedData.UserId))\n| extend\n MappedUser = tostring(User.NewData),\n PreviousUserId = tostring(User.OldData),\n TargetAppName = tostring(parse_json(tostring(FormattedData.Name)).NewData),\n FinOpsAppId = 32780\n| where MappedUser in (privileged_user_accounts) or LogCreatedBy == MappedUser\n| project\n LogCreatedDateTime,\n LogCreatedBy,\n LogType,\n TargetAppName,\n MappedUser,\n PreviousUserId,\n ClientId,\n FinOpsAppId\n", - "queryFrequency": "PT15M", - "queryPeriod": "PT15M", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365Finance", - "dataTypes": [ - "FinanceOperationsActivity_CL" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject28').analyticRuleTemplateSpecName28]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Suspicious use of Web API_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies sign-in across multiple Dataverse environments, breaching a predefined threshold, originating from a user with IP address that was used to sign-into the well known Microsoft Entra app registration.", + "displayName": "Dataverse - Suspicious use of Web API", + "enabled": false, + "query": "let query_frequency = 1h;\nlet query_lookback = 24h;\n// AppID of the multi-tenant Dynamics 365 Example Client Application\nlet well_known_app_id = \"51f81489-12ee-4a9e-aaae-a2591f45987d\";\nlet environment_count_threshold = 10;\nSigninLogs\n| where TimeGenerated >= ago(query_lookback)\n// Comment out the line below to monitor activity from all Azure AD apps\n| where AppId == well_known_app_id\n| where ResourceIdentity == '00000007-0000-0000-c000-000000000000'\n| summarize FirstSeen = min(TimeGenerated) by AppId, UserPrincipalName, IPAddress, AppDisplayName\n| join kind=inner (\n DataverseActivity\n | where TimeGenerated >= ago(query_frequency)\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId, $left.IPAddress == $right.ClientIp\n| where TimeGenerated between (FirstSeen .. (FirstSeen + 2h))\n| summarize InstanceCount = dcount(InstanceUrl, 4), FirstSeen = min(FirstSeen) by UserId, ClientIp, InstanceUrl, AppDisplayName, AppId\n| where InstanceCount > environment_count_threshold\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstSeen,\n UserId,\n ClientIp,\n AppDisplayName,\n AppId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "SigninLogs" + ] + } + ], + "tactics": [ + "Execution", + "Exfiltration", + "Reconnaissance", + "Discovery" + ], + "techniques": [ + "T1106", + "T1567", + "T1595", + "T1526", + "T1580" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} sign-in activity generated in {{InstanceUrl}}. The app used was a well known multi-tenant app not owned or registered by the organization.", + "alertDisplayNameFormat": "Dataverse - Suspicious Web API sign-in activity" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject28').analyticRuleId28,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 28", + "parentId": "[variables('analyticRuleObject28').analyticRuleId28]", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "CredentialAccess", - "Persistence", - "PrivilegeEscalation" - ], - "techniques": [ - "T1556", - "T1098", - "T1136", - "T1078", - "T0859" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "LogCreatedBy", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "ClientId", - "identifier": "AadUserId" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "FinOpsAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "MappedUser", - "identifier": "FullName" - } - ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "User account {{LogCreatedBy}} mapped an Azure AD App to senstitive privileged user account {{MappedUser}}. The associated Azure AD client ID is {{ClientId}}", - "alertDisplayNameFormat": "F&O - Sensitive non-interactive user mapping detected" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 37", - "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Suspicious use of Web API", + "contentProductId": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "id": "[variables('analyticRuleObject28')._analyticRulecontentProductId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", - "contentKind": "AnalyticsRule", - "displayName": "F&O - Non-interactive account mapped to self or sensitive privileged user", - "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", - "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "F&O - Reverted bank account number modifications_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later.", - "displayName": "F&O - Reverted bank account number modifications", - "enabled": false, - "query": "let detection_window = 24h;\nlet query_frequency = 15m;\nlet bank_changes = FinanceOperationsActivity_CL\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum;\nbank_changes\n| join kind=inner (bank_changes\n | where TimeGenerated >= ago(query_frequency)\n | project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)\n on $left.OldAccountNum == $right.UpdatedAccount\n| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))\n| extend FinOpsAppId = 32780\n| project\n TimeGenerated,\n LogCreatedDateTime,\n LogType,\n TableName,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n FinOpsAppId\n", - "queryFrequency": "PT15M", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "Dynamics365Finance", - "dataTypes": [ - "FinanceOperationsActivity_CL" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject29').analyticRuleTemplateSpecName29]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - TI map IP to DataverseActivity_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DataverseActivity from any IP IOC from Microsoft Sentinel Threat Intelligence.", + "displayName": "Dataverse - TI map IP to DataverseActivity", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP)\n or isnotempty(EmailSourceIpAddress)\n or isnotempty(NetworkDestinationIP)\n or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n//Exclude local addresses, using the ipv4_is_private operator\n| where ipv4_is_private(TI_ipEntity) == false\n and TI_ipEntity !startswith \"fe80\"\n and TI_ipEntity !startswith \"::\"\n and TI_ipEntity !startswith \"127.\"\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n DataverseActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIp)\n //Exclude local addresses, using the ipv4_is_private operator\n | where ipv4_is_private(ClientIp) == false\n and ClientIp !startswith \"fe80\"\n and ClientIp !startswith \"::\"\n and ClientIp !startswith \"127.\"\n // renaming time column so it is clear the log this came from\n | extend DataverseActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.ClientIp\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, ClientIp\n| project DataverseActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIp, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, InstanceUrl, UserId\n| extend\n timestamp = DataverseActivity_TimeGenerated,\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[0]),\n CloudAppId = int(32780)\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + } + ], + "tactics": [ + "InitialAccess", + "LateralMovement", + "Discovery" + ], + "techniques": [ + "T1078", + "T1199", + "T1133", + "T0886", + "T0859", + "T1428", + "T1021", + "T1210", + "T1526", + "T1580" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "Url", + "identifier": "Url" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Malicous IP {{ClientIp}} was found in {{InstanceUrl}} . User affected is {{UserId}}", + "alertDisplayNameFormat": "Dataverse - TI map IP in {{InstanceUrl}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject29').analyticRuleId29,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 29", + "parentId": "[variables('analyticRuleObject29').analyticRuleId29]", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1565", - "T1496", - "T0828", - "T0831" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "Username", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "FinOpsAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A suspicous bank account change was made in F&O, the bank account number was updated and then changed back to the orginal number a short time later. {{AccountId}} was changed by {{Username}}", - "alertDisplayNameFormat": "F&O - Suspicious bank account number changes" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 38", - "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", - "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - TI map IP to DataverseActivity", + "contentProductId": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "id": "[variables('analyticRuleObject29')._analyticRulecontentProductId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", - "contentKind": "AnalyticsRule", - "displayName": "F&O - Reverted bank account number modifications", - "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", - "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", - "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "F&O - Unusual sign-in activity using single factor authentication_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies sucessful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.", - "displayName": "F&O - Unusual sign-in activity using single factor authentication", - "enabled": false, - "query": "// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\n// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000\nlet appid_list = dynamic([\"913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\", \"00000015-0000-0000-c000-000000000000\"]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_sign_in_activity = SigninLogs\n | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));\nlet historical_sign_in_locations = historical_sign_in_activity\n | summarize by Location;\nlet multifactor_sign_in_count = toscalar(historical_sign_in_activity\n | where AppId in (appid_list) and ResultType == 0\n | where AuthenticationRequirement == \"multiFactorAuthentication\"\n | summarize count());\nSigninLogs\n| where TimeGenerated >= ago(query_frequency)\n| where AppId in (appid_list) and ResultType == 0\n| where multifactor_sign_in_count > 0\n| where Location !in (historical_sign_in_locations)\n| where NetworkLocationDetails !has \"trustedNamedLocation\"\n| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location\n| extend\n CloudAppId = 32780,\n AccountName = tostring(split(UserPrincipalName, \"@\")[0]),\n UPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n| project\n UserPrincipalName,\n AppDisplayName,\n IPAddress,\n Location,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject30').analyticRuleTemplateSpecName30]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - TI map URL to DataverseActivity_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a match in DataverseActivity from any URL IOC from Microsoft Sentinel Threat Intelligence.", + "displayName": "Dataverse - TI map URL to DataverseActivity", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true\n| where isnotempty(Url)\n| join kind=innerunique (\n DataverseActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where Message in (\"Create\", \"Update\")\n | where isnotempty(Fields) and Fields has \"http\"\n | extend\n ExtractedUrls = extract_all(\"(http[s]?://(?:[a-zA-Z\\\\.-]|[0-9])+)\", tostring(Fields)),\n DataverseActivity_TimeGenerated = TimeGenerated\n | mv-expand Url = ExtractedUrls\n | project\n DataverseActivity_TimeGenerated,\n tostring(Url),\n UserId,\n ClientIp,\n InstanceUrl,\n EntityName\n )\n on Url\n| where DataverseActivity_TimeGenerated < ExpirationDateTime\n| summarize DataverseActivity_TimeGenerated = arg_max(DataverseActivity_TimeGenerated, *) by IndicatorId, Url\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n DataverseActivity_TimeGenerated,\n Description,\n ActivityGroupNames,\n IndicatorId,\n ThreatType,\n ExpirationDateTime,\n ConfidenceScore,\n UserId,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix,\n Url\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + } + ], + "tactics": [ + "InitialAccess", + "Execution", + "Persistence" + ], + "techniques": [ + "T1566", + "T1456", + "T1474", + "T0819", + "T0865", + "T0862", + "T0863", + "T1204", + "T1574", + "T0873" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "Url", + "identifier": "Url" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Malicous IP {{Url}} was found in {{InstanceUrl}}. Associated user is {{UserId}}", + "alertDisplayNameFormat": "Dataverse - TI match on URL in {{InstanceUrl}}" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject30').analyticRuleId30,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 30", + "parentId": "[variables('analyticRuleObject30').analyticRuleId30]", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "CredentialAccess", - "InitialAccess" - ], - "techniques": [ - "T1552", - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.", - "alertDisplayNameFormat": "Dynamics 365 F&O - Unusual sign-in without multi-factor authentication" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 39", - "parentId": "[variables('analyticRuleObject39').analyticRuleId39]", - "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject39').analyticRuleVersion39]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - TI map URL to DataverseActivity", + "contentProductId": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "id": "[variables('analyticRuleObject30')._analyticRulecontentProductId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", - "contentKind": "AnalyticsRule", - "displayName": "F&O - Unusual sign-in activity using single factor authentication", - "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", - "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", - "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Apps - App activity from unauthorized geo_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies Power Apps activity from countries in a predefined list of unauthorized countries.", - "displayName": "Power Apps - App activity from unauthorized geo", - "enabled": false, - "query": "let unauthorized_country_codes = dynamic([\n // Specify the disallowed two letter country codes\n // example: disallowed_country_codes = dynamic([\"RU\", \"KP\", \"IR\"])\n ]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet powerapps_events = dynamic([\"LaunchPowerApp\", \"AppDlpEvaluationResultChange\", \"UpdatePowerApp\", \"PublishPowerApp\", \"RecordScopesConsent\", \"CreatePowerApp\", \"PowerAppPermissionEdited\", \"PowerAppPermissionDeleted\", \"ImportExistingCanvasApp\", \"DeletePowerApp\", \"ImportNewCanvasApp\", \"PromotePowerAppVersion\", \"RemoveHeroApp\", \"DeletePowerAppVersion\", \"PublishSolutionCanvasAppVersion\", \"AdminModifyAppPermissions\", \"AdminModifyAppOwner\", \"AdminQuarantineApp\", \"AdminDeleteApp\", \"AdminSetAppBypassConsent\", \"PatchPowerApp\"]);\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (powerapps_events)\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend\n AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentName = extract(@'\"powerplatform.analytics.resource.environment.name\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| summarize FirstEvent = min(TimeGenerated) by ActorName, SrcIpAddr, AppName, AppId, EnvironmentId, EnvironmentName\n| join kind=inner (\n SigninLogs\n | where TimeGenerated >= ago(query_lookback)\n | where Location in (unauthorized_country_codes)\n | summarize by IPAddress, Location)\n on $left.SrcIpAddr == $right.IPAddress\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n FirstEvent,\n ActorName,\n SrcIpAddr,\n Location,\n AppName,\n AppId,\n EnvironmentId,\n EnvironmentName,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject31').analyticRuleTemplateSpecName31]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Terminated employee exfiltration over email_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query identifies Dataverse exfiltration via email by terminated employees.", + "displayName": "Dataverse - Terminated employee exfiltration over email", + "enabled": false, + "query": "// Note this detection relies upon the user's UPN matching their email address.\n// UEBA can provide more accurate data if enabled.\nlet query_frequency = 1h;\nlet allowed_destination_smtp_domains = dynamic([\n// Specify a list of recipient domains to exclude from alerting.\n// Example:\n// \"microsoft.com\", \"contoso.com\"\n ]);\nlet exfiltration_alert_users = SecurityAlert\n | where Tactics has 'Exfiltration' and Entities has_all ('account', '32780')\n | mv-expand DataverseEntities = todynamic(Entities)\n | where DataverseEntities.AppId == 32780\n | extend InstanceUrl = tostring(DataverseEntities.InstanceName)\n | mv-expand AccountEntities = todynamic(Entities)\n | where AccountEntities.Type == 'account'\n | extend\n AccountName = tostring(AccountEntities.Name),\n UPNSuffix = tostring(AccountEntities.UPNSuffix)\n | summarize InstanceUrls = make_set(InstanceUrl, 100) by AccountName, UPNSuffix\n | extend UserId = tolower(strcat(AccountName, \"@\", UPNSuffix));\nexfiltration_alert_users\n| join kind=inner (\n MSBizAppsTerminatedEmployees\n | project UserId = tolower(UserPrincipalName), NotificationDate\n | where startofday(NotificationDate) <= startofday(now()))\n // Uncomment the below KQL if UEBA is available to gain more accurate\n // email address data:\n // | join kind=leftouter (_ASIM_IdentityInfo) on $left.UserId == $right.Username\n // | extend UserId = iif(UserId == UserMailAddress or isempty(UserMailAddress), UserId, UserMailAddress))\n on UserId\n| join kind=inner (\n EmailEvents\n | where TimeGenerated >= ago (query_frequency)\n | where EmailDirection == \"Outbound\" and AttachmentCount > 0\n | extend RecipientDomain = tolower(split(RecipientEmailAddress, '@')[1])\n | where RecipientDomain !in (allowed_destination_smtp_domains)\n | summarize\n RecipientAddresses = make_set(RecipientEmailAddress, 1000),\n Subject = make_set(Subject, 1000)\n by SenderAddress = tolower(SenderMailFromAddress), SenderIPv4)\n on $left.UserId == $right.SenderAddress\n| mv-expand InstanceUrl = InstanceUrls to typeof(string)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, \"@\")[0]),\n UPNSuffix = tostring(split(UserId, \"@\")[1])\n| project\n UserId,\n InstanceUrl,\n SenderIPv4,\n RecipientAddresses,\n Subject,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "EmailEvents" + ] + }, + { + "connectorId": "AzureActiveDirectoryIdentityProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "IdentityInfo", + "dataTypes": [ + "IdentityInfo" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1639", + "T1567" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "SenderIPv4", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Departing or terminated user {{UserId}} was found to send email to external domains not on the allowed list: {{RecipientAddresses}}", + "alertDisplayNameFormat": "Email attachment sent externally by terminated user following Dataverse exfiltration alerts" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject31').analyticRuleId31,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 31", + "parentId": "[variables('analyticRuleObject31').analyticRuleId31]", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1078" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "SrcIpAddr", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "PowerAppsEntityId", - "identifier": "AppId" - }, - { - "columnName": "AppName", - "identifier": "Name" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "App": "AppId", - "Environment": "EnvironmentId", - "EnvironmentName": "EnvironmentName" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}", - "alertDisplayNameFormat": "Power Apps activity from an unauthorized location" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 40", - "parentId": "[variables('analyticRuleObject40').analyticRuleId40]", - "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject40').analyticRuleVersion40]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Terminated employee exfiltration over email", + "contentProductId": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "id": "[variables('analyticRuleObject31')._analyticRulecontentProductId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "contentKind": "AnalyticsRule", - "displayName": "Power Apps - App activity from unauthorized geo", - "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", - "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", - "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Apps - Bulk sharing of Power Apps to newly created guest users_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users.", - "displayName": "Power Apps - Bulk sharing of Power Apps to newly created guest users", - "enabled": false, - "query": "////////////\n// threshold = If the number of unique accounts that a power app is shared with is greater than\n// threshold than it'll trigger an alert. A threshold of 5 is good to start with.\n// However, if this is giving too many false positives, please adjust the threshold.\n////////////\nlet threshold = 5;\n////////////\n// Please replace the allowed_domains with a list of domains of your partners/sibling orgs\n// with whom you generally share power apps with. This will allow us to filter\n// legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.\n///////////\nlet allowed_domains = pack_array(\"contoso.com\");\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType == \"PowerAppPermissionEdited\"\n| extend Properties = tostring(PropertyCollection)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend TargetPrincipalId = extract(@'\"targetuser.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| join kind=leftouter (\n AuditLogs\n | where ActivityDateTime >= ago(query_lookback)\n | where SourceSystem =~ \"Azure AD\" and OperationName == \"Invite external user\"\n | where Result =~ \"success\"\n | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])\n | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, \"@\")[1])\n | where not(InvitedOrgDomain has_any(allowed_domains))\n | extend\n InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),\n InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),\n InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),\n InvitedId = tostring(parse_json(TargetResources[0])['id'])\n | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)\n on $left.TargetPrincipalId == $right.InvitedId\n| where isnotempty(InvitedId)\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n TargetedUsersCount=dcount(TargetPrincipalId),\n TargetedObjectIds = make_set(TargetPrincipalId, 1000),\n InvitedDomains = make_set(InvitedOrgDomain, 1000),\n InvitedEmailAddresses = make_set(InvitedEmail, 1000)\n by AppId, InvitedById, InvitedByUPN\n| extend\n PowerAppsEntityId = 27593,\n AccountName = tostring(split(InvitedByUPN, '@')[0]),\n UPNSuffix = tostring(split(InvitedByUPN, '@')[1])\n| project\n StartTime,\n EndTime,\n InvitedByUPN,\n InvitedById,\n InvitedDomains,\n InvitedEmailAddresses,\n TargetedUsersCount,\n TargetedObjectIds,\n AppId,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" - ] - }, - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject32').analyticRuleTemplateSpecName32]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Terminated employee exfiltration to USB drive_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies files downloaded from Dataverse by departing or terminated employees which are copied to USB mounted drives.", + "displayName": "Dataverse - Terminated employee exfiltration to USB drive", + "enabled": false, + "query": "let drive_mount_lookback = 14d;\nlet query_frequency = 1h;\nDataverseActivity\n| distinct InstanceUrl\n| join kind=inner (DeviceFileEvents\n | where TimeGenerated >= ago(query_frequency))\n on $left.InstanceUrl == $right.FileOriginUrl\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.InitiatingProcessAccountUpn == $right.UserPrincipalName\n| join kind=inner (DeviceEvents\n | where TimeGenerated >= ago(drive_mount_lookback)\n | where ActionType == \"UsbDriveMounted\"\n | extend DriveLetter = tostring(AdditionalFields.DriveLetter)\n | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)\n on DeviceId\n| extend TargetDriveLetter = tostring(split(FolderPath, \"\\\\\")[0])\n| where set_has_element(MountedDriveLetters, TargetDriveLetter)\n| join kind=inner (DeviceInfo\n | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)\n on DeviceId\n| project-rename\n UserId = UserPrincipalName\n| summarize LatestEvent = arg_max(TimeGenerated, *), Files = make_set(FileName, 100) by UserId, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n PublicIP,\n Files,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "DeviceInfo", + "DeviceEvents", + "DeviceFileEvents" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1052" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "PublicIP", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": {}, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} , on the TerminatedUsers watchlist, was found to copy files to a USB mounted drive.", + "alertDisplayNameFormat": "Dataverse - terminated user copied files from {{InstanceUrl}} to USB" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject32').analyticRuleId32,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 32", + "parentId": "[variables('analyticRuleObject32').analyticRuleId32]", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "ResourceDevelopment", - "InitialAccess", - "LateralMovement" - ], - "techniques": [ - "T1587", - "T1566", - "T1534" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "PowerAppsEntityId", - "identifier": "AppId" - }, - { - "columnName": "AppId", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "PowerAppsApp": "AppId" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{InvitedByUPN}} shared an app with {{TargetedUsersCount}} recently added guest user accounts that are not on the list of allowed partner domains. List of domain s {{InvitedDomains}}", - "alertDisplayNameFormat": "Power Apps - app shared with recently created external guest accounts" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 41", - "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", - "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Terminated employee exfiltration to USB drive", + "contentProductId": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "id": "[variables('analyticRuleObject32')._analyticRulecontentProductId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "contentKind": "AnalyticsRule", - "displayName": "Power Apps - Bulk sharing of Power Apps to newly created guest users", - "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", - "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", - "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Apps - Multiple apps deleted_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments.", - "displayName": "Power Apps - Multiple apps deleted", - "enabled": false, - "query": "let total_app_mass_delete_threshold = 25;\nlet cross_environment_delete_threshold = 10;\nlet query_frequency = 1h;\nlet app_delete_events = materialize(\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_frequency)\n | where EventOriginalType == \"DeletePowerApp\"\n | extend Properties = tostring(PropertyCollection)\n | extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n | extend EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n );\napp_delete_events\n| summarize AppCount = count(), EnvCount = dcount(EnvironmentId) by ActorName\n| where AppCount >= total_app_mass_delete_threshold or EnvCount >= cross_environment_delete_threshold\n| join kind=inner app_delete_events on ActorName\n| summarize\n Apps = make_set(AppId, 1000),\n Environments = make_set(EnvironmentId, 1000),\n StartTime = min(TimeGenerated)\n by AppCount, EnvCount, ActorName\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n StartTime,\n ActorName,\n AppCount,\n Apps,\n EnvCount,\n Environments,\n PowerAppsEntityId,\n DataverseId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject33').analyticRuleTemplateSpecName33]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies previously unseen IP and user agents in a Dataverse instance following disabling of cookie binding protection. See https://docs.microsoft.com/power-platform/admin/block-cookie-replay-attack", + "displayName": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection", + "enabled": false, + "query": "let query_frequency = 1h;\nlet query_lookback = 14d;\nlet cookie_lifetime = 24h;\nlet cookie_binding_disabled_events = DataverseActivity\n | where TimeGenerated >= ago(query_lookback)\n | where Message == \"Update\" and EntityName == \"organization\"\n | mv-expand Fields\n | where Fields.Name == \"enableipbasedcookiebinding\" and Fields.Value == 'False'\n | summarize CookieBindingDisabled = min(TimeGenerated) by CookieBindingDisabledBy = UserId, InstanceUrl;\nlet current_activity = cookie_binding_disabled_events\n | join kind=inner(DataverseActivity\n | where UserId !endswith \"@onmicrosoft.com\" and UserId !endswith \"@microsoft.com\"\n | where isnotempty(ClientIp) and isnotempty(UserAgent)\n | where TimeGenerated >= ago(query_frequency + cookie_lifetime)\n | summarize LatestEvent = arg_max(TimeGenerated, *) by UserId, ClientIp, InstanceUrl)\n on InstanceUrl;\nlet users_switched_ip = current_activity\n | summarize IPCount = count() by UserId, InstanceUrl\n | where IPCount > 1\n | join kind=inner (current_activity) on UserId, InstanceUrl\n | summarize arg_max(LatestEvent, *) by UserId, InstanceUrl;\nusers_switched_ip\n| join kind = inner (DataverseActivity\n | where TimeGenerated >= ago (query_lookback)\n | where UserId !endswith \"@onmicrosoft.com\" and UserId !endswith \"@microsoft.com\"\n | where isnotempty(ClientIp) and isnotempty(UserAgent)\n | project-rename\n HistoricalTime = TimeGenerated,\n HistoricalIP = ClientIp,\n HistoricalAgent = UserAgent)\n on UserId, InstanceUrl\n| where HistoricalTime >= ago(query_lookback) and HistoricalTime < LatestEvent\n| summarize\n HistoricalIPs = make_set(HistoricalIP, 100),\n HistoricalAgents = make_set(HistoricalAgent, 100)\n by\n UserId,\n UserAgent,\n ClientIp,\n InstanceUrl,\n LatestEvent,\n CookieBindingDisabled,\n CookieBindingDisabledBy\n| where (HistoricalIPs !has ClientIp) and (HistoricalAgents !has UserAgent)\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n ClientIp,\n UserAgent,\n InstanceUrl,\n HistoricalIPs,\n HistoricalAgents,\n CookieBindingDisabled,\n CookieBindingDisabledBy,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1629" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIp", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": {}, + "alertDetailsOverride": { + "alertDescriptionFormat": "IP address-based cookie binding was disabled by in {{InstanceUrl}}. Following this, sign-in events from new IP {{ClientIp}} for {{UserId}} were detected.", + "alertDisplayNameFormat": "Dataverse - Unusual sign-in after IP address-based cookie binding disabled" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject33').analyticRuleId33,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 33", + "parentId": "[variables('analyticRuleObject33').analyticRuleId33]", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Impact" - ], - "techniques": [ - "T1485", - "T0826" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "PowerAppsEntityId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "EnvironmentsCount": "EnvCount", - "EnvironmentsImpacted": "Environments", - "AppDeleteCount": "AppCount", - "AppsDeleted": "Apps" }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{AppCount}} apps were deleted in {{EnvCount}} environments by {{ActorName}} , exceeding the mass delete threshold.", - "alertDisplayNameFormat": "Power Apps - mass deletion of apps" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 42", - "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection", + "contentProductId": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "id": "[variables('analyticRuleObject33')._analyticRulecontentProductId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "contentKind": "AnalyticsRule", - "displayName": "Power Apps - Multiple apps deleted", - "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", - "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Apps - Multiple users access a malicious link after launching new app_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies a chain of events, where a new Power App is created, followed by mulitple users launching the app within the detection window and clicking on the same malicious URL.", - "displayName": "Power Apps - Multiple users access a malicious link after launching new app", - "enabled": false, - "query": "// Define a threshold (distinct_user_launch_threshold) for\n// the minimum number of users who launched an app\n// to be in scope of this detection\nlet distinct_user_launch_threshold = 2;\n// Define a threshold for the minumum number of users\n// who clicked the same malicious link after launching the app\n// to be in scope of this detection\nlet distinct_user_url_click_threshold = 2;\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet new_app_creation_activity = materialize(\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_lookback)\n | where EventOriginalType == \"CreatePowerApp\"\n | extend Properties = tostring(PropertyCollection)\n | extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)\n | extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n | extend\n AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | project-rename\n AppCreatedTime = TimeGenerated,\n AppCreator = ActorName,\n AppCreatorIpAddr = SrcIpAddr\n );\nlet distinct_apps = new_app_creation_activity\n | distinct AppName;\nlet new_app_launch_activity = materialize(\n new_app_creation_activity\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_lookback)\n | where EventOriginalType == \"LaunchPowerApp\"\n | where PropertyCollection has_any (distinct_apps)\n | extend Properties = tostring(PropertyCollection)\n | extend AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | summarize FirstAppLaunchTime = min(TimeGenerated) by ActorName, AppName)\n on AppName\n | where FirstAppLaunchTime > AppCreatedTime\n );\nlet new_app_launch_users = new_app_launch_activity\n | summarize LaunchCount = dcount(ActorName) by AppName\n | where LaunchCount > distinct_user_launch_threshold\n | join kind=inner new_app_launch_activity on AppName\n | summarize\n by\n ActorName,\n FirstAppLaunchTime,\n AppName,\n AppId,\n EnvironmentId,\n AppCreator,\n AppCreatorIpAddr;\nlet detected_urls = union isfuzzy=true\n (\n SecurityAlert\n | where TimeGenerated >= ago (query_lookback)\n | where Entities has_cs '\"Type\":\"url\"'\n | mv-expand todynamic(Entities)\n | where tostring(Entities.Type) == \"url\"\n | project Url = tostring(Entities.Url), Source = \"SecurityAlert\"\n ),\n (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(query_lookback)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(isnotempty(Url))\n | project Url, Source = \"ThreatIntelligence\"\n )\n | summarize by Url, Source;\nlet url_click_events = materialize(\n union isfuzzy=true\n (\n UrlClickEvents\n | where TimeGenerated >= ago(query_frequency)\n | where isnotempty(ThreatTypes)\n | join kind=inner (new_app_launch_users) on $left.AccountUpn == $right.ActorName\n | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))\n | summarize by ActorName, Url, Source = \"MicrosoftDefender\"\n ),\n (\n _Im_WebSession\n | where TimeGenerated >= ago(query_frequency)\n | join kind=inner (new_app_launch_users) on $left.SrcUsername == $right.ActorName\n | join kind=inner (detected_urls) on Url\n | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))\n | summarize by ActorName, Url, Source\n )\n );\nlet distinct_url_click_events_count = toscalar(\n url_click_events\n | summarize DistinctUserCount = dcount(ActorName) by Url\n | where DistinctUserCount > distinct_user_url_click_threshold\n | summarize sum(DistinctUserCount)\n );\nurl_click_events\n| summarize DistinctUserCount = dcount(ActorName) by Url\n| where DistinctUserCount >= distinct_user_url_click_threshold\n| join kind=inner url_click_events on Url\n| join kind=inner (new_app_launch_users) on ActorName\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n FirstAppLaunchTime,\n AppCreator,\n AppName,\n AppId,\n ImpactedUser = ActorName,\n AccountName,\n UPNSuffix,\n EnvironmentId,\n Url,\n Source,\n PowerAppsEntityId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "UrlClickEvents" - ] - }, - { - "connectorId": "ThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligenceTaxii", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftDefenderThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "ThreatIntelligenceTaxii", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftDefenderThreatIntelligence", - "dataTypes": [ - "ThreatIntelligenceIndicator" - ] - }, - { - "connectorId": "MicrosoftThreatProtection", - "dataTypes": [ - "UrlClickEvents" - ] - }, - { - "connectorId": "AzureActiveDirectoryIdentityProtection", - "dataTypes": [ - "SecurityAlert" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject34').analyticRuleTemplateSpecName34]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - User bulk retrieval outside normal activity_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies users retrieving significantly more records from Dataverse than they have previously in the past 2 weeks.", + "displayName": "Dataverse - User bulk retrieval outside normal activity", + "enabled": false, + "query": "let baseline_time = 14d;\nlet detection_time = 1d;\nDataverseActivity\n| where TimeGenerated between(ago(baseline_time) .. ago(detection_time - 1d))\n| where Message == \"RetrieveMultiple\"\n| extend numQueryCount = todouble(QueryResults)\n| extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n| extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n| summarize sum(QueryCount) by UserId\n| extend HistoricalBaseline = sum_QueryCount\n| join kind=inner (\n DataverseActivity\n | where TimeGenerated > ago(detection_time)\n | where Message == \"RetrieveMultiple\"\n | extend numQueryCount = todouble(QueryResults)\n | extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1))\n | summarize sum(QueryCount) by UserId\n | extend CurrentExportRate = sum_QueryCount)\n on UserId\n| where CurrentExportRate > HistoricalBaseline\n| project UserId, HistoricalBaseline, CurrentExportRate\n| join kind=inner(\n DataverseActivity\n | where TimeGenerated > ago(detection_time)\n | where Message == \"RetrieveMultiple\"\n | extend numQueryCount = todouble(QueryResults)\n | extend QueryCount = iif(QueryResults contains \",\", todouble(countof(tostring(QueryResults), ',') + 1), numQueryCount)\n | extend QueryCount = iif(isnotempty(QueryCount), QueryCount, double(1)))\n on UserId\n| summarize\n QuerySizes = make_set(QueryCount),\n MostRecentQuery = max(TimeGenerated),\n IPs = make_set(ClientIp),\n UserAgents = make_set(UserAgent),\n Entities = make_set(EntityName),\n Queries = make_set(Query)\n by UserId, InstanceUrl, HistoricalBaseline, CurrentExportRate\n| extend\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1]),\n CloudAppId = int(32780)\n| project\n MostRecentQuery,\n UserId,\n IPs,\n UserAgents,\n InstanceUrl,\n Queries,\n QuerySizes,\n Entities,\n HistoricalBaseline,\n CurrentExportRate,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "queryFrequency": "P1D", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dataverse", + "dataTypes": [ + "DataverseActivity" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1048" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + }, + { + "columnName": "InstanceUrl", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": {}, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{UserId}} exported {{CurrentExportRate}} records, far beyond the historical baseline of {{{HistoricalBaseline}}.", + "alertDisplayNameFormat": "Dataverse - Bulk record retrieval outside of normal activity" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject34').analyticRuleId34,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 34", + "parentId": "[variables('analyticRuleObject34').analyticRuleId34]", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess" - ], - "techniques": [ - "T1189", - "T1566" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "PowerAppsEntityId", - "identifier": "AppId" - }, - { - "columnName": "AppName", - "identifier": "InstanceName" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "Url", - "identifier": "Url" - } - ], - "entityType": "URL" - }, - { - "fieldMappings": [ - { - "columnName": "AppCreator", - "identifier": "FullName" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - }, - { - "columnName": "AccountName", - "identifier": "Name" - } - ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "AlertPerResult" - }, - "customDetails": { - "PowerAppsApp": "AppId", - "Environment": "EnvironmentId", - "PowerAppsAppName": "AppName", - "AppCreator": "AppCreator" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "Multiple users opened a malicious link after launching app {{AppName}}. Click here to navigate to the Power Apps Portal to examine the app: https://make.powerapps.com/environments/{{EnvironmentId}}/apps", - "alertDisplayNameFormat": "Possible malicious app detected - {{AppName}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 43", - "parentId": "[variables('analyticRuleObject43').analyticRuleId43]", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "contentKind": "AnalyticsRule", + "displayName": "Dataverse - User bulk retrieval outside normal activity", + "contentProductId": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "id": "[variables('analyticRuleObject34')._analyticRulecontentProductId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "contentKind": "AnalyticsRule", - "displayName": "Power Apps - Multiple users access a malicious link after launching new app", - "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", - "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Automate - Departing employee flow activity_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.", - "displayName": "Power Automate - Departing employee flow activity", - "enabled": false, - "query": "let query_frequency = 1h;\nPowerAutomateActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (\"CreateFlow\", \"EditFlow\")\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName\n| extend path = parse_url(FlowDetailsUrl).Path\n| extend EnvironmentId = tostring(split(path, \"/\")[2])\n| extend FlowId = tostring(split(path, \"/\")[-2])\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n PowerAutomateAppId = 27592,\n CloudAppId = 32780\n| project\n TimeGenerated,\n EventOriginalType,\n ActorName,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n PowerAutomateAppId,\n CloudAppId,\n FlowId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerAutomate", - "dataTypes": [ - "PowerAutomateActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject35').analyticRuleTemplateSpecName35]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "F&O - Bank account change following network alias reassignment_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies changes to user accounts where the network alias was modified to a new value. Shortly afterwards, the updated alias is used to update a bank account number.", + "displayName": "F&O - Bank account change following network alias reassignment", + "enabled": false, + "query": "let query_frequency = 15m;\nFinanceOperationsActivity_CL\n| where LogType == \"Update\" and TableName == \"UserInfo\"\n| extend UserId = tostring(parse_json(tostring(FormattedData.[\"03::id\"])).NewData)\n| extend NetworkAlias = parse_json(tostring(FormattedData.networkAlias))\n| extend\n CurrentAlias = tostring(NetworkAlias.NewData),\n PreviousAlias = tostring(NetworkAlias.OldData)\n| where CurrentAlias != PreviousAlias\n| extend\n AliasUpdated = LogCreatedDateTime,\n AliasChangedBy = Username\n| join kind=inner(FinanceOperationsActivity_CL\n | where TimeGenerated >= ago (query_frequency)\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum\n | extend BankUpdated = LogCreatedDateTime)\n on $left.UserId == $right.Username\n| where BankUpdated > AliasUpdated\n| extend\n FinOpsAppId = 32780,\n AccountName = tostring(split(CurrentAlias, \"@\")[0]),\n UPNSuffix = tostring(split(CurrentAlias, \"@\")[1])\n| project\n AliasUpdated,\n AliasChangedBy,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n CurrentAlias,\n PreviousAlias,\n FinOpsAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dynamics365Finance", + "dataTypes": [ + "FinanceOperationsActivity_CL" + ] + } + ], + "tactics": [ + "CredentialAccess", + "LateralMovement", + "PrivilegeEscalation" + ], + "techniques": [ + "T1556", + "T0859", + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AliasChangedBy", + "identifier": "FullName" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Username", + "identifier": "FullName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A user account alias was reassigned for {{Username}} by {{AliasChangedBy}} and shortly afterwards, bank account {{AccountId}} was modified.", + "alertDisplayNameFormat": "F&O - Suspicious bank account changes" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject35').analyticRuleId35,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 35", + "parentId": "[variables('analyticRuleObject35').analyticRuleId35]", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Exfiltration", - "Impact" - ], - "techniques": [ - "T1567", - "T1485", - "T1491", - "T0813", - "T0879", - "T0826" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "PowerAutomateAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "Environment": "EnvironmentId", - "FlowDetails": "FlowId" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.", - "alertDisplayNameFormat": "PowerAutomate - Terminated user {{EventOriginalType}} detected" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 44", - "parentId": "[variables('analyticRuleObject44').analyticRuleId44]", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "contentKind": "AnalyticsRule", + "displayName": "F&O - Bank account change following network alias reassignment", + "contentProductId": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "id": "[variables('analyticRuleObject35')._analyticRulecontentProductId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "contentKind": "AnalyticsRule", - "displayName": "Power Automate - Departing employee flow activity", - "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", - "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Automate - Unusual bulk deletion of flow resources_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days.", - "displayName": "Power Automate - Unusual bulk deletion of flow resources", - "enabled": false, - "query": "// minThreshold: Minimum number of apps to be deleted to be considered an anomaly;\n// This is to prevent one-off isolated delete flow to be considered outlier.\n// The Min Threshold can be reduced or increased according to the traffic in the organization.\nlet minThreshold=10;\nlet interval = 1h;\nlet startTime = ago(14d);\nlet endTime = now();\nlet query_frequency = 1h;\nlet flow_deletion_events = PowerAutomateActivity\n | where TimeGenerated >= startTime\n | where EventOriginalType =~ \"DeleteFlow\"\n | extend IngestionTimeGenerated = TimeGenerated;\nflow_deletion_events\n| make-series DeletedFlowCount=count() on IngestionTimeGenerated from startTime to endTime step interval by ActorName, UserUpn, ActorUserId\n| extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(DeletedFlowCount)\n| mv-expand\n DeletedFlowCount to typeof(double),\n IngestionTimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n AnomalyScore to typeof(double),\n ExpectedUsage to typeof(long)\n| where IngestionTimeGenerated >= ago(query_frequency)\n| where Anomalies != 0 and DeletedFlowCount >= minThreshold\n| lookup (flow_deletion_events\n | where IngestionTimeGenerated >= ago(query_frequency))\n on ActorName, UserUpn, ActorUserId\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n PowerAutomateAppId = 27592\n| project\n TimeGenerated,\n ActorName,\n DeletedFlowCount,\n ExpectedUsage,\n Anomalies,\n AnomalyScore,\n AccountName,\n UPNSuffix,\n PowerAutomateAppId,\n UserUpn,\n ActorUserId\n", - "queryFrequency": "PT1H", - "queryPeriod": "P14D", - "severity": "Medium", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerAutomate", - "dataTypes": [ - "PowerAutomateActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject36').analyticRuleTemplateSpecName36]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "F&O - Mass update or deletion of user records_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies large delete or update operations on Finance & Operations user records based on predefined thresholds.", + "displayName": "F&O - Mass update or deletion of user records", + "enabled": false, + "query": "// Set threshold for number of updated or deleted records\nlet update_detection_threshold = 50;\nlet deleted_detection_threshold = 10;\nFinanceOperationsActivity_CL\n| where TableName == \"UserInfo\" and LogType in (\"Update\", \"Delete\")\n| summarize\n TotalEvents = count(),\n StartTime = min(LogCreatedDateTime),\n EndTime = max(LogCreatedDateTime)\n by TableName, Username, LogType\n| where (LogType == \"Update\" and TotalEvents > update_detection_threshold) or (LogType == \"Delete\" and TotalEvents > deleted_detection_threshold)\n| extend FinOpsAppId = 32780\n| project StartTime, EndTime, Username, LogType, TableName, TotalEvents, FinOpsAppId\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dynamics365Finance", + "dataTypes": [ + "FinanceOperationsActivity_CL" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1485", + "T1565", + "T1491" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Username", + "identifier": "FullName" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "FinOpsAppId", + "identifier": "AppId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{TotalEvents}} user records deleted in F&O by user {{Username}}", + "alertDisplayNameFormat": "F&O - many user account records deleted" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject36').analyticRuleId36,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 36", + "parentId": "[variables('analyticRuleObject36').analyticRuleId36]", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Impact", - "DefenseEvasion" - ], - "techniques": [ - "T1485", - "T0828", - "T1562" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "PowerAutomateAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "DeletedFlowCount": "DeletedFlowCount" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "User {{ActorName}} deleted {{DeletedFlowCount}} flows in the last hour, surpassing the bulk delete threshold. This is anomalous compared to the past 14 days.", - "alertDisplayNameFormat": "Power Automate - unusual bulk deletion of {{DeletedFlowCount}} flows" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 45", - "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "contentKind": "AnalyticsRule", + "displayName": "F&O - Mass update or deletion of user records", + "contentProductId": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "id": "[variables('analyticRuleObject36')._analyticRulecontentProductId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "contentKind": "AnalyticsRule", - "displayName": "Power Automate - Unusual bulk deletion of flow resources", - "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", - "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Platform - Account added to privileged Microsoft Entra roles_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies changes to privileged directory roles impacting Power Platform:\n- Dynamics 365 Admins\n- Power Platform Admins\n- Fabric Admins", - "displayName": "Power Platform - Account added to privileged Microsoft Entra roles", - "enabled": false, - "query": "// 44367163-eba1-44c3-98af-f5787879f96a = Dynamics 365 Administrator\n// 11648597-926c-4cf3-9c36-bcebb0ba8dcc = Power Platform Administrator\n// a9ea8996-122f-4c74-9520-8edcd192826c = Fabric Administrator\nlet query_frequency = 1h;\nlet role_template_ids = dynamic([\"44367163-eba1-44c3-98af-f5787879f96a\", \"11648597-926c-4cf3-9c36-bcebb0ba8dcc\", \"a9ea8996-122f-4c74-9520-8edcd192826c\"]);\nlet monitored_activities = dynamic([\"Assign\", \"AssignGrantedRole\", \"AssignPermanentGrantedRole\", \"AssignPermanentEligibleRole\", \"RoleElevatedOutsidePimAlert\"]);\nAuditLogs\n| where TimeGenerated >= ago(query_frequency)\n| where Category == \"RoleManagement\"\n and TargetResources has_any (role_template_ids)\n and AADOperationType in (monitored_activities)\n and Identity != \"MS-PIM\"\n| extend\n UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),\n AadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id),\n IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),\n RoleName = tostring(TargetResources[0].displayName),\n UserAdded = tostring(TargetResources[2].userPrincipalName)\n| extend\n RoleName = iif(isempty(RoleName), tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue), RoleName),\n UserAdded = iif(isempty(UserAdded), tostring(parse_json(tostring(TargetResources[0].userPrincipalName))), UserAdded),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n Identity,\n UserPrincipalName,\n AadUserId,\n RoleName,\n OperationName,\n UserAdded,\n TargetResources,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "AuditLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject37').analyticRuleTemplateSpecName37]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "F&O - Non-interactive account mapped to self or sensitive privileged user_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies changes to Microsoft Entra client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account.", + "displayName": "F&O - Non-interactive account mapped to self or sensitive privileged user", + "enabled": false, + "query": "// Add sensitive privilege accounts to the privileged_user_accounts variable.\n// Example: let privileged_user_accounts = dynamic([\"Admin1\", \"Admin\"]);\nlet privileged_user_accounts = dynamic([]);\nFinanceOperationsActivity_CL\n| where TableName == \"SysAADClientTable\" and LogType in (\"Insert\", \"Update\")\n| extend ClientId = tostring(parse_json(tostring(FormattedData.[\"03::AADClientId\"])).NewData)\n| extend User = parse_json(tostring(FormattedData.UserId))\n| extend\n MappedUser = tostring(User.NewData),\n PreviousUserId = tostring(User.OldData),\n TargetAppName = tostring(parse_json(tostring(FormattedData.Name)).NewData),\n FinOpsAppId = 32780\n| where MappedUser in (privileged_user_accounts) or LogCreatedBy == MappedUser\n| project\n LogCreatedDateTime,\n LogCreatedBy,\n LogType,\n TargetAppName,\n MappedUser,\n PreviousUserId,\n ClientId,\n FinOpsAppId\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dynamics365Finance", + "dataTypes": [ + "FinanceOperationsActivity_CL" + ] + } + ], + "tactics": [ + "CredentialAccess", + "Persistence", + "PrivilegeEscalation" + ], + "techniques": [ + "T1556", + "T1098", + "T1136", + "T1078", + "T0859" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "LogCreatedBy", + "identifier": "FullName" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "ClientId", + "identifier": "AadUserId" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "FinOpsAppId", + "identifier": "AppId" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "MappedUser", + "identifier": "FullName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "User account {{LogCreatedBy}} mapped an Azure AD App to senstitive privileged user account {{MappedUser}}. The associated Azure AD client ID is {{ClientId}}", + "alertDisplayNameFormat": "F&O - Sensitive non-interactive user mapping detected" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject37').analyticRuleId37,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 37", + "parentId": "[variables('analyticRuleObject37').analyticRuleId37]", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "PrivilegeEscalation" - ], - "techniques": [ - "T1078", - "T1068", - "T1548" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "CloudAppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - }, - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A user {{UserAdded}} was added to one of the Power Platform administrative roles: {{{RoleName}}", - "alertDisplayNameFormat": "Power Platform - Account added to privileged role {{RoleName}}" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 46", - "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "contentKind": "AnalyticsRule", + "displayName": "F&O - Non-interactive account mapped to self or sensitive privileged user", + "contentProductId": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "id": "[variables('analyticRuleObject37')._analyticRulecontentProductId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "contentKind": "AnalyticsRule", - "displayName": "Power Platform - Account added to privileged Microsoft Entra roles", - "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Platform - Connector added to a sensitive environment_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.", - "displayName": "Power Platform - Connector added to a sensitive environment", - "enabled": false, - "query": "let sensitive_environment_id = dynamic([\n // Specify the list of sensitive power platform environment ID's to monitor here.\n // Example: \"10e72012-8886-41ec-b973-250286419b38\", \"183c7056-7ed0-426f-8ae6-69819cf72259\"\n ]);\nlet query_frequency = 11h;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago (query_frequency)\n| where EventOriginalType == \"PutConnection\"\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)\n| extend\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n ConnectionId = extract(@'\"powerplatform.analytics.resource.connection.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| where EnvironmentId in~ (sensitive_environment_id)\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n TimeGenerated,\n EventOriginalType,\n ActorName,\n SrcIpAddr,\n ConnectionId,\n EnvironmentId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P7D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject38').analyticRuleTemplateSpecName38]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "F&O - Reverted bank account number modifications_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later.", + "displayName": "F&O - Reverted bank account number modifications", + "enabled": false, + "query": "let detection_window = 24h;\nlet query_frequency = 15m;\nlet bank_changes = FinanceOperationsActivity_CL\n | where LogType == \"Update\" and TableName == \"BankAccountTable\"\n | extend AccountId = tostring(parse_json(tostring(FormattedData.AccountID)).NewData)\n | extend AccountNum = parse_json(tostring(FormattedData.AccountNum))\n | extend\n CurrentAccountNum = tostring(AccountNum.NewData),\n OldAccountNum = tostring(AccountNum.OldData)\n | where CurrentAccountNum != OldAccountNum;\nbank_changes\n| join kind=inner (bank_changes\n | where TimeGenerated >= ago(query_frequency)\n | project-rename UpdatedTime = LogCreatedDateTime, UpdatedAccount = CurrentAccountNum)\n on $left.OldAccountNum == $right.UpdatedAccount\n| where UpdatedTime between (LogCreatedDateTime .. (LogCreatedDateTime + detection_window))\n| extend FinOpsAppId = 32780\n| project\n TimeGenerated,\n LogCreatedDateTime,\n LogType,\n TableName,\n Username,\n AccountId,\n CurrentAccountNum,\n OldAccountNum,\n FinOpsAppId\n", + "queryFrequency": "PT15M", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "Dynamics365Finance", + "dataTypes": [ + "FinanceOperationsActivity_CL" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1565", + "T1496", + "T0828", + "T0831" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Username", + "identifier": "FullName" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "FinOpsAppId", + "identifier": "AppId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A suspicous bank account change was made in F&O, the bank account number was updated and then changed back to the orginal number a short time later. {{AccountId}} was changed by {{Username}}", + "alertDisplayNameFormat": "F&O - Suspicious bank account number changes" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject38').analyticRuleId38,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 38", + "parentId": "[variables('analyticRuleObject38').analyticRuleId38]", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "Execution", - "Exfiltration" - ], - "techniques": [ - "T0871", - "T1567", - "T1537" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "SrcIpAddr", - "identifier": "Address" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" }, - "customDetails": { - "Environment": "EnvironmentId", - "Connection": "ConnectionId" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.", - "alertDisplayNameFormat": "New Power Platform connector added in a sensitive environment" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 47", - "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "contentKind": "AnalyticsRule", + "displayName": "F&O - Reverted bank account number modifications", + "contentProductId": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "id": "[variables('analyticRuleObject38')._analyticRulecontentProductId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject39').analyticRuleTemplateSpecName39]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "F&O - Unusual sign-in activity using single factor authentication_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies sucessful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.", + "displayName": "F&O - Unusual sign-in activity using single factor authentication", + "enabled": false, + "query": "// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\n// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000\nlet appid_list = dynamic([\"913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\", \"00000015-0000-0000-c000-000000000000\"]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_sign_in_activity = SigninLogs\n | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));\nlet historical_sign_in_locations = historical_sign_in_activity\n | summarize by Location;\nlet multifactor_sign_in_count = toscalar(historical_sign_in_activity\n | where AppId in (appid_list) and ResultType == 0\n | where AuthenticationRequirement == \"multiFactorAuthentication\"\n | summarize count());\nSigninLogs\n| where TimeGenerated >= ago(query_frequency)\n| where AppId in (appid_list) and ResultType == 0\n| where multifactor_sign_in_count > 0\n| where Location !in (historical_sign_in_locations)\n| where NetworkLocationDetails !has \"trustedNamedLocation\"\n| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location\n| extend\n CloudAppId = 32780,\n AccountName = tostring(split(UserPrincipalName, \"@\")[0]),\n UPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n| project\n UserPrincipalName,\n AppDisplayName,\n IPAddress,\n Location,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "SigninLogs" + ] + } + ], + "tactics": [ + "CredentialAccess", + "InitialAccess" + ], + "techniques": [ + "T1552", + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.", + "alertDisplayNameFormat": "Dynamics 365 F&O - Unusual sign-in without multi-factor authentication" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject39').analyticRuleId39,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 39", + "parentId": "[variables('analyticRuleObject39').analyticRuleId39]", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] }, - "author": { - "name": "Microsoft" + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "contentKind": "AnalyticsRule", + "displayName": "F&O - Unusual sign-in activity using single factor authentication", + "contentProductId": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "id": "[variables('analyticRuleObject39')._analyticRulecontentProductId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject40').analyticRuleTemplateSpecName40]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Apps - App activity from unauthorized geo_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies Power Apps activity from countries in a predefined list of unauthorized countries.", + "displayName": "Power Apps - App activity from unauthorized geo", + "enabled": false, + "query": "let unauthorized_country_codes = dynamic([\n // Specify the disallowed two letter country codes\n // example: disallowed_country_codes = dynamic([\"RU\", \"KP\", \"IR\"])\n ]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet powerapps_events = dynamic([\"LaunchPowerApp\", \"AppDlpEvaluationResultChange\", \"UpdatePowerApp\", \"PublishPowerApp\", \"RecordScopesConsent\", \"CreatePowerApp\", \"PowerAppPermissionEdited\", \"PowerAppPermissionDeleted\", \"ImportExistingCanvasApp\", \"DeletePowerApp\", \"ImportNewCanvasApp\", \"PromotePowerAppVersion\", \"RemoveHeroApp\", \"DeletePowerAppVersion\", \"PublishSolutionCanvasAppVersion\", \"AdminModifyAppPermissions\", \"AdminModifyAppOwner\", \"AdminQuarantineApp\", \"AdminDeleteApp\", \"AdminSetAppBypassConsent\", \"PatchPowerApp\"]);\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (powerapps_events)\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend\n AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentName = extract(@'\"powerplatform.analytics.resource.environment.name\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| summarize FirstEvent = min(TimeGenerated) by ActorName, SrcIpAddr, AppName, AppId, EnvironmentId, EnvironmentName\n| join kind=inner (\n SigninLogs\n | where TimeGenerated >= ago(query_lookback)\n | where Location in (unauthorized_country_codes)\n | summarize by IPAddress, Location)\n on $left.SrcIpAddr == $right.IPAddress\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n FirstEvent,\n ActorName,\n SrcIpAddr,\n Location,\n AppName,\n AppId,\n EnvironmentId,\n EnvironmentName,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "SigninLogs" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1078" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "SrcIpAddr", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "PowerAppsEntityId", + "identifier": "AppId" + }, + { + "columnName": "AppName", + "identifier": "Name" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "App": "AppId", + "Environment": "EnvironmentId", + "EnvironmentName": "EnvironmentName" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}", + "alertDisplayNameFormat": "Power Apps activity from an unauthorized location" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject40').analyticRuleId40,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 40", + "parentId": "[variables('analyticRuleObject40').analyticRuleId40]", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "contentKind": "AnalyticsRule", + "displayName": "Power Apps - App activity from unauthorized geo", + "contentProductId": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "id": "[variables('analyticRuleObject40')._analyticRulecontentProductId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "contentKind": "AnalyticsRule", - "displayName": "Power Platform - Connector added to a sensitive environment", - "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Platform - DLP policy updated or removed_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies changes to DLP policy, specifically policies which are updated or removed.", - "displayName": "Power Platform - DLP policy updated or removed", - "enabled": false, - "query": "let create_policy_ignore_time_window = 10m;\nlet query_frequency = 1h;\nlet dlp_policy_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_frequency)\n | where EventOriginalType == \"GovernanceApiPolicyOperation\"\n | where PropertyCollection has_any (\"DeleteDlpPolicy\", \"UpdateDlpPolicy\", \"CreateDlpPolicy\")\n | mv-expand PropertyCollection\n | extend\n Name = tostring(PropertyCollection.Name),\n Value = tostring(PropertyCollection.Value)\n | summarize Properties = make_bag(bag_pack(Name, Value))\n by\n TimeGenerated,\n EventOriginalUid\n | extend\n PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),\n EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),\n ActorName = tostring(Properties['enduser.principal_name']),\n PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),\n AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];\nlet delete_events = dlp_policy_events\n | where EventType == \"DeleteDlpPolicy\";\nlet update_events = dlp_policy_events\n | where EventType == \"UpdateDlpPolicy\";\nlet create_events = dlp_policy_events\n | where EventType == \"CreateDlpPolicy\"\n | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;\nunion\n delete_events,\n (update_events\n | join kind=leftouter (\n create_events\n | project-away TimeGenerated\n )\n on PolicyId\n | where isempty(ignore_time) or TimeGenerated > ignore_time\n | project-away ignore_time)\n| where TimeGenerated >= ago(query_frequency)\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n TimeGenerated,\n ActorName,\n EventType,\n PolicyName,\n PolicyId,\n AccountName,\n UPNSuffix,\n AdditionalInfo\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "Low", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "PowerPlatformAdmin", - "dataTypes": [ - "PowerPlatformAdminActivity" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject41').analyticRuleTemplateSpecName41]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Apps - Bulk sharing of Power Apps to newly created guest users_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies unusual bulk sharing, based on a predefined threshold in the query, of Power Apps to newly created Microsoft Entra guest users.", + "displayName": "Power Apps - Bulk sharing of Power Apps to newly created guest users", + "enabled": false, + "query": "////////////\n// threshold = If the number of unique accounts that a power app is shared with is greater than\n// threshold than it'll trigger an alert. A threshold of 5 is good to start with.\n// However, if this is giving too many false positives, please adjust the threshold.\n////////////\nlet threshold = 5;\n////////////\n// Please replace the allowed_domains with a list of domains of your partners/sibling orgs\n// with whom you generally share power apps with. This will allow us to filter\n// legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.\n///////////\nlet allowed_domains = pack_array(\"contoso.com\");\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType == \"PowerAppPermissionEdited\"\n| extend Properties = tostring(PropertyCollection)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend TargetPrincipalId = extract(@'\"targetuser.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| join kind=leftouter (\n AuditLogs\n | where ActivityDateTime >= ago(query_lookback)\n | where SourceSystem =~ \"Azure AD\" and OperationName == \"Invite external user\"\n | where Result =~ \"success\"\n | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])\n | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, \"@\")[1])\n | where not(InvitedOrgDomain has_any(allowed_domains))\n | extend\n InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),\n InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),\n InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),\n InvitedId = tostring(parse_json(TargetResources[0])['id'])\n | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)\n on $left.TargetPrincipalId == $right.InvitedId\n| where isnotempty(InvitedId)\n| summarize\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n TargetedUsersCount=dcount(TargetPrincipalId),\n TargetedObjectIds = make_set(TargetPrincipalId, 1000),\n InvitedDomains = make_set(InvitedOrgDomain, 1000),\n InvitedEmailAddresses = make_set(InvitedEmail, 1000)\n by AppId, InvitedById, InvitedByUPN\n| extend\n PowerAppsEntityId = 27593,\n AccountName = tostring(split(InvitedByUPN, '@')[0]),\n UPNSuffix = tostring(split(InvitedByUPN, '@')[1])\n| project\n StartTime,\n EndTime,\n InvitedByUPN,\n InvitedById,\n InvitedDomains,\n InvitedEmailAddresses,\n TargetedUsersCount,\n TargetedObjectIds,\n AppId,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + }, + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AuditLogs" + ] + } + ], + "tactics": [ + "ResourceDevelopment", + "InitialAccess", + "LateralMovement" + ], + "techniques": [ + "T1587", + "T1566", + "T1534" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "PowerAppsEntityId", + "identifier": "AppId" + }, + { + "columnName": "AppId", + "identifier": "InstanceName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "PowerAppsApp": "AppId" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{InvitedByUPN}} shared an app with {{TargetedUsersCount}} recently added guest user accounts that are not on the list of allowed partner domains. List of domain s {{InvitedDomains}}", + "alertDisplayNameFormat": "Power Apps - app shared with recently created external guest accounts" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject41').analyticRuleId41,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 41", + "parentId": "[variables('analyticRuleObject41').analyticRuleId41]", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "DefenseEvasion" - ], - "techniques": [ - "T1480" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "contentKind": "AnalyticsRule", + "displayName": "Power Apps - Bulk sharing of Power Apps to newly created guest users", + "contentProductId": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "id": "[variables('analyticRuleObject41')._analyticRulecontentProductId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject42').analyticRuleTemplateSpecName42]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Apps - Multiple apps deleted_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app delete events across multiple Power Platform environments.", + "displayName": "Power Apps - Multiple apps deleted", + "enabled": false, + "query": "let total_app_mass_delete_threshold = 25;\nlet cross_environment_delete_threshold = 10;\nlet query_frequency = 1h;\nlet app_delete_events = materialize(\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_frequency)\n | where EventOriginalType == \"DeletePowerApp\"\n | extend Properties = tostring(PropertyCollection)\n | extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n | extend EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n );\napp_delete_events\n| summarize AppCount = count(), EnvCount = dcount(EnvironmentId) by ActorName\n| where AppCount >= total_app_mass_delete_threshold or EnvCount >= cross_environment_delete_threshold\n| join kind=inner app_delete_events on ActorName\n| summarize\n Apps = make_set(AppId, 1000),\n Environments = make_set(EnvironmentId, 1000),\n StartTime = min(TimeGenerated)\n by AppCount, EnvCount, ActorName\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n StartTime,\n ActorName,\n AppCount,\n Apps,\n EnvCount,\n Environments,\n PowerAppsEntityId,\n DataverseId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1485", + "T0826" + ], + "entityMappings": [ + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "PowerAppsEntityId", + "identifier": "AppId" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "AppDeleteCount": "AppCount", + "AppsDeleted": "Apps", + "EnvironmentsCount": "EnvCount", + "EnvironmentsImpacted": "Environments" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{AppCount}} apps were deleted in {{EnvCount}} environments by {{ActorName}} , exceeding the mass delete threshold.", + "alertDisplayNameFormat": "Power Apps - mass deletion of apps" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject42').analyticRuleId42,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 42", + "parentId": "[variables('analyticRuleObject42').analyticRuleId42]", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "contentKind": "AnalyticsRule", + "displayName": "Power Apps - Multiple apps deleted", + "contentProductId": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "id": "[variables('analyticRuleObject42')._analyticRulecontentProductId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject43').analyticRuleTemplateSpecName43]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Apps - Multiple users access a malicious link after launching new app_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies a chain of events, where a new Power App is created, followed by mulitple users launching the app within the detection window and clicking on the same malicious URL.", + "displayName": "Power Apps - Multiple users access a malicious link after launching new app", + "enabled": false, + "query": "// Define a threshold (distinct_user_launch_threshold) for\n// the minimum number of users who launched an app\n// to be in scope of this detection\nlet distinct_user_launch_threshold = 2;\n// Define a threshold for the minumum number of users\n// who clicked the same malicious link after launching the app\n// to be in scope of this detection\nlet distinct_user_url_click_threshold = 2;\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet new_app_creation_activity = materialize(\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_lookback)\n | where EventOriginalType == \"CreatePowerApp\"\n | extend Properties = tostring(PropertyCollection)\n | extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)\n | extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n | extend\n AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties),\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | project-rename\n AppCreatedTime = TimeGenerated,\n AppCreator = ActorName,\n AppCreatorIpAddr = SrcIpAddr\n );\nlet distinct_apps = new_app_creation_activity\n | distinct AppName;\nlet new_app_launch_activity = materialize(\n new_app_creation_activity\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago (query_lookback)\n | where EventOriginalType == \"LaunchPowerApp\"\n | where PropertyCollection has_any (distinct_apps)\n | extend Properties = tostring(PropertyCollection)\n | extend AppName = extract(@'\"powerplatform.analytics.resource.power_app.display_name\",\"Value\":\"([^\"]+)\"', 1, Properties)\n | summarize FirstAppLaunchTime = min(TimeGenerated) by ActorName, AppName)\n on AppName\n | where FirstAppLaunchTime > AppCreatedTime\n );\nlet new_app_launch_users = new_app_launch_activity\n | summarize LaunchCount = dcount(ActorName) by AppName\n | where LaunchCount > distinct_user_launch_threshold\n | join kind=inner new_app_launch_activity on AppName\n | summarize\n by\n ActorName,\n FirstAppLaunchTime,\n AppName,\n AppId,\n EnvironmentId,\n AppCreator,\n AppCreatorIpAddr;\nlet detected_urls = union isfuzzy=true\n (\n SecurityAlert\n | where TimeGenerated >= ago (query_lookback)\n | where Entities has_cs '\"Type\":\"url\"'\n | mv-expand todynamic(Entities)\n | where tostring(Entities.Type) == \"url\"\n | project Url = tostring(Entities.Url), Source = \"SecurityAlert\"\n ),\n (\n ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(query_lookback)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(isnotempty(Url))\n | project Url, Source = \"ThreatIntelligence\"\n )\n | summarize by Url, Source;\nlet url_click_events = materialize(\n union isfuzzy=true\n (\n UrlClickEvents\n | where TimeGenerated >= ago(query_frequency)\n | where isnotempty(ThreatTypes)\n | join kind=inner (new_app_launch_users) on $left.AccountUpn == $right.ActorName\n | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))\n | summarize by ActorName, Url, Source = \"MicrosoftDefender\"\n ),\n (\n _Im_WebSession\n | where TimeGenerated >= ago(query_frequency)\n | join kind=inner (new_app_launch_users) on $left.SrcUsername == $right.ActorName\n | join kind=inner (detected_urls) on Url\n | where TimeGenerated between (FirstAppLaunchTime .. (FirstAppLaunchTime + 1h))\n | summarize by ActorName, Url, Source\n )\n );\nlet distinct_url_click_events_count = toscalar(\n url_click_events\n | summarize DistinctUserCount = dcount(ActorName) by Url\n | where DistinctUserCount > distinct_user_url_click_threshold\n | summarize sum(DistinctUserCount)\n );\nurl_click_events\n| summarize DistinctUserCount = dcount(ActorName) by Url\n| where DistinctUserCount >= distinct_user_url_click_threshold\n| join kind=inner url_click_events on Url\n| join kind=inner (new_app_launch_users) on ActorName\n| extend\n PowerAppsEntityId = 27593,\n DataverseId = 32780,\n AccountName = tostring(split(ActorName, '@')[0]),\n UPNSuffix = tostring(split(ActorName, '@')[1])\n| project\n FirstAppLaunchTime,\n AppCreator,\n AppName,\n AppId,\n ImpactedUser = ActorName,\n AccountName,\n UPNSuffix,\n EnvironmentId,\n Url,\n Source,\n PowerAppsEntityId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "UrlClickEvents" + ] + }, + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "ThreatIntelligenceTaxii", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftDefenderThreatIntelligence", + "dataTypes": [ + "ThreatIntelligenceIndicator" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "UrlClickEvents" + ] + }, + { + "connectorId": "AzureActiveDirectoryIdentityProtection", + "dataTypes": [ + "SecurityAlert" + ] + } + ], + "tactics": [ + "InitialAccess" + ], + "techniques": [ + "T1189", + "T1566" + ], + "entityMappings": [ + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "PowerAppsEntityId", + "identifier": "AppId" + }, + { + "columnName": "AppName", + "identifier": "InstanceName" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "Url", + "identifier": "Url" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AppCreator", + "identifier": "FullName" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + }, + { + "columnName": "AccountName", + "identifier": "Name" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "customDetails": { + "AppCreator": "AppCreator", + "Environment": "EnvironmentId", + "PowerAppsApp": "AppId", + "PowerAppsAppName": "AppName" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Multiple users opened a malicious link after launching app {{AppName}}. Click here to navigate to the Power Apps Portal to examine the app: https://make.powerapps.com/environments/{{EnvironmentId}}/apps", + "alertDisplayNameFormat": "Possible malicious app detected - {{AppName}} " + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject43').analyticRuleId43,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 43", + "parentId": "[variables('analyticRuleObject43').analyticRuleId43]", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "contentKind": "AnalyticsRule", + "displayName": "Power Apps - Multiple users access a malicious link after launching new app", + "contentProductId": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "id": "[variables('analyticRuleObject43')._analyticRulecontentProductId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject44').analyticRuleTemplateSpecName44]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Automate - Departing employee flow activity_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.", + "displayName": "Power Automate - Departing employee flow activity", + "enabled": false, + "query": "let query_frequency = 1h;\nPowerAutomateActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (\"CreateFlow\", \"EditFlow\")\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName\n| extend path = parse_url(FlowDetailsUrl).Path\n| extend EnvironmentId = tostring(split(path, \"/\")[2])\n| extend FlowId = tostring(split(path, \"/\")[-2])\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n PowerAutomateAppId = 27592,\n CloudAppId = 32780\n| project\n TimeGenerated,\n EventOriginalType,\n ActorName,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n PowerAutomateAppId,\n CloudAppId,\n FlowId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerAutomate", + "dataTypes": [ + "PowerAutomateActivity" + ] + } + ], + "tactics": [ + "Exfiltration", + "Impact" + ], + "techniques": [ + "T1567", + "T1485", + "T1491", + "T0813", + "T0879", + "T0826" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "PowerAutomateAppId", + "identifier": "AppId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "Environment": "EnvironmentId", + "FlowDetails": "FlowId" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.", + "alertDisplayNameFormat": "PowerAutomate - Terminated user {{EventOriginalType}} detected" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject44').analyticRuleId44,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 44", + "parentId": "[variables('analyticRuleObject44').analyticRuleId44]", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "contentKind": "AnalyticsRule", + "displayName": "Power Automate - Departing employee flow activity", + "contentProductId": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "id": "[variables('analyticRuleObject44')._analyticRulecontentProductId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject45').analyticRuleTemplateSpecName45]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Automate - Unusual bulk deletion of flow resources_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query and deviate from activity patterns observed in the last 14 days.", + "displayName": "Power Automate - Unusual bulk deletion of flow resources", + "enabled": false, + "query": "// minThreshold: Minimum number of apps to be deleted to be considered an anomaly;\n// This is to prevent one-off isolated delete flow to be considered outlier.\n// The Min Threshold can be reduced or increased according to the traffic in the organization.\nlet minThreshold=10;\nlet interval = 1h;\nlet startTime = ago(14d);\nlet endTime = now();\nlet query_frequency = 1h;\nlet flow_deletion_events = PowerAutomateActivity\n | where TimeGenerated >= startTime\n | where EventOriginalType =~ \"DeleteFlow\"\n | extend IngestionTimeGenerated = TimeGenerated;\nflow_deletion_events\n| make-series DeletedFlowCount=count() on IngestionTimeGenerated from startTime to endTime step interval by ActorName, UserUpn, ActorUserId\n| extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(DeletedFlowCount)\n| mv-expand\n DeletedFlowCount to typeof(double),\n IngestionTimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n AnomalyScore to typeof(double),\n ExpectedUsage to typeof(long)\n| where IngestionTimeGenerated >= ago(query_frequency)\n| where Anomalies != 0 and DeletedFlowCount >= minThreshold\n| lookup (flow_deletion_events\n | where IngestionTimeGenerated >= ago(query_frequency))\n on ActorName, UserUpn, ActorUserId\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n PowerAutomateAppId = 27592\n| project\n TimeGenerated,\n ActorName,\n DeletedFlowCount,\n ExpectedUsage,\n Anomalies,\n AnomalyScore,\n AccountName,\n UPNSuffix,\n PowerAutomateAppId,\n UserUpn,\n ActorUserId\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerAutomate", + "dataTypes": [ + "PowerAutomateActivity" + ] + } + ], + "tactics": [ + "Impact", + "DefenseEvasion" + ], + "techniques": [ + "T1485", + "T0828", + "T1562" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "PowerAutomateAppId", + "identifier": "AppId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "DeletedFlowCount": "DeletedFlowCount" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "User {{ActorName}} deleted {{DeletedFlowCount}} flows in the last hour, surpassing the bulk delete threshold. This is anomalous compared to the past 14 days.", + "alertDisplayNameFormat": "Power Automate - unusual bulk deletion of {{DeletedFlowCount}} flows" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject45').analyticRuleId45,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 45", + "parentId": "[variables('analyticRuleObject45').analyticRuleId45]", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "contentKind": "AnalyticsRule", + "displayName": "Power Automate - Unusual bulk deletion of flow resources", + "contentProductId": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "id": "[variables('analyticRuleObject45')._analyticRulecontentProductId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject46').analyticRuleTemplateSpecName46]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Platform - Account added to privileged Microsoft Entra roles_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies changes to privileged directory roles impacting Power Platform:\n- Dynamics 365 Admins\n- Power Platform Admins\n- Fabric Admins", + "displayName": "Power Platform - Account added to privileged Microsoft Entra roles", + "enabled": false, + "query": "// 44367163-eba1-44c3-98af-f5787879f96a = Dynamics 365 Administrator\n// 11648597-926c-4cf3-9c36-bcebb0ba8dcc = Power Platform Administrator\n// a9ea8996-122f-4c74-9520-8edcd192826c = Fabric Administrator\nlet query_frequency = 1h;\nlet role_template_ids = dynamic([\"44367163-eba1-44c3-98af-f5787879f96a\", \"11648597-926c-4cf3-9c36-bcebb0ba8dcc\", \"a9ea8996-122f-4c74-9520-8edcd192826c\"]);\nlet monitored_activities = dynamic([\"Assign\", \"AssignGrantedRole\", \"AssignPermanentGrantedRole\", \"AssignPermanentEligibleRole\", \"RoleElevatedOutsidePimAlert\"]);\nAuditLogs\n| where TimeGenerated >= ago(query_frequency)\n| where Category == \"RoleManagement\"\n and TargetResources has_any (role_template_ids)\n and AADOperationType in (monitored_activities)\n and Identity != \"MS-PIM\"\n| extend\n UserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName),\n AadUserId = tostring(parse_json(tostring(InitiatedBy.user)).id),\n IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress),\n RoleName = tostring(TargetResources[0].displayName),\n UserAdded = tostring(TargetResources[2].userPrincipalName)\n| extend\n RoleName = iif(isempty(RoleName), tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue), RoleName),\n UserAdded = iif(isempty(UserAdded), tostring(parse_json(tostring(TargetResources[0].userPrincipalName))), UserAdded),\n CloudAppId = int(32780),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n Identity,\n UserPrincipalName,\n AadUserId,\n RoleName,\n OperationName,\n UserAdded,\n TargetResources,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "AuditLogs" + ] + } + ], + "tactics": [ + "PrivilegeEscalation" + ], + "techniques": [ + "T1078", + "T1068", + "T1548" + ], + "entityMappings": [ + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "CloudAppId", + "identifier": "AppId" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A user {{UserAdded}} was added to one of the Power Platform administrative roles: {{{RoleName}}", + "alertDisplayNameFormat": "Power Platform - Account added to privileged role {{RoleName}}" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject46').analyticRuleId46,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 46", + "parentId": "[variables('analyticRuleObject46').analyticRuleId46]", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "contentKind": "AnalyticsRule", + "displayName": "Power Platform - Account added to privileged Microsoft Entra roles", + "contentProductId": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "id": "[variables('analyticRuleObject46')._analyticRulecontentProductId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject47').analyticRuleTemplateSpecName47]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Platform - Connector added to a sensitive environment_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.", + "displayName": "Power Platform - Connector added to a sensitive environment", + "enabled": false, + "query": "let sensitive_environment_id = dynamic([\n // Specify the list of sensitive power platform environment ID's to monitor here.\n // Example: \"10e72012-8886-41ec-b973-250286419b38\", \"183c7056-7ed0-426f-8ae6-69819cf72259\"\n ]);\nlet query_frequency = 11h;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago (query_frequency)\n| where EventOriginalType == \"PutConnection\"\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)\n| extend\n EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n ConnectionId = extract(@'\"powerplatform.analytics.resource.connection.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| where EnvironmentId in~ (sensitive_environment_id)\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n TimeGenerated,\n EventOriginalType,\n ActorName,\n SrcIpAddr,\n ConnectionId,\n EnvironmentId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P7D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + } + ], + "tactics": [ + "Execution", + "Exfiltration" + ], + "techniques": [ + "T0871", + "T1567", + "T1537" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "SrcIpAddr", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "Connection": "ConnectionId", + "Environment": "EnvironmentId" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.", + "alertDisplayNameFormat": "New Power Platform connector added in a sensitive environment" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject47').analyticRuleId47,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 47", + "parentId": "[variables('analyticRuleObject47').analyticRuleId47]", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "contentKind": "AnalyticsRule", + "displayName": "Power Platform - Connector added to a sensitive environment", + "contentProductId": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "id": "[variables('analyticRuleObject47')._analyticRulecontentProductId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject48').analyticRuleTemplateSpecName48]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Platform - DLP policy updated or removed_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies changes to DLP policy, specifically policies which are updated or removed.", + "displayName": "Power Platform - DLP policy updated or removed", + "enabled": false, + "query": "let create_policy_ignore_time_window = 10m;\nlet query_frequency = 1h;\nlet dlp_policy_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_frequency)\n | where EventOriginalType == \"GovernanceApiPolicyOperation\"\n | where PropertyCollection has_any (\"DeleteDlpPolicy\", \"UpdateDlpPolicy\", \"CreateDlpPolicy\")\n | mv-expand PropertyCollection\n | extend\n Name = tostring(PropertyCollection.Name),\n Value = tostring(PropertyCollection.Value)\n | summarize Properties = make_bag(bag_pack(Name, Value))\n by\n TimeGenerated,\n EventOriginalUid\n | extend\n PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),\n EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),\n ActorName = tostring(Properties['enduser.principal_name']),\n PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),\n AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];\nlet delete_events = dlp_policy_events\n | where EventType == \"DeleteDlpPolicy\";\nlet update_events = dlp_policy_events\n | where EventType == \"UpdateDlpPolicy\";\nlet create_events = dlp_policy_events\n | where EventType == \"CreateDlpPolicy\"\n | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;\nunion\n delete_events,\n (update_events\n | join kind=leftouter (\n create_events\n | project-away TimeGenerated\n )\n on PolicyId\n | where isempty(ignore_time) or TimeGenerated > ignore_time\n | project-away ignore_time)\n| where TimeGenerated >= ago(query_frequency)\n| extend\n AccountName = tostring(split(ActorName, \"@\")[0]),\n UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n TimeGenerated,\n ActorName,\n EventType,\n PolicyName,\n PolicyId,\n AccountName,\n UPNSuffix,\n AdditionalInfo\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "PowerPlatformAdmin", + "dataTypes": [ + "PowerPlatformAdminActivity" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1480" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "Policy": "PolicyId", + "PolicyName": "PolicyName" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}", + "alertDisplayNameFormat": "PowerPlatform - DLP policy {{EventType}} event detected." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 48", + "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "contentKind": "AnalyticsRule", + "displayName": "Power Platform - DLP policy updated or removed", + "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Platform - Possibly compromised user accesses Power Platform services_AnalyticalRules Analytics Rule with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.", + "displayName": "Power Platform - Possibly compromised user accesses Power Platform services", + "enabled": false, + "query": "let power_automate_appid = \"6204c1d1-4712-4c46-a7d9-3ed63d992682\";\nlet power_apps_appid = \"a8f7a65c-f5ba-4859-b2d6-df772c264e9d\";\nlet ppac_appid = \"065d9450-1e87-434e-ac2f-69af271549ed\";\nlet query_frequency = 1h;\nSigninLogs\n| where ingestion_time() >= ago(query_frequency)\n| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0\n| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)\n| extend AffectedPlatform = case(\n AppId == ppac_appid,\n \"Power Platform Admin Center\",\n AppId == power_apps_appid,\n \"Power Apps\",\n AppId == power_automate_appid,\n \"Power Automate\",\n \"Unknown\"\n )\n| extend\n Severity = iif(AffectedPlatform in (\"Power Apps\", \"Power Automate\"), \"Medium\", \"High\"),\n CloudAppId = case(AffectedPlatform == \"Power Apps\", int(27593), AffectedPlatform == \"Power Automate\", int(27592), 0),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n UserId,\n UniqueTokenIdentifier,\n Identity,\n RiskEventTypes,\n RiskEventTypes_V2,\n UserPrincipalName,\n AppId,\n AppDisplayName,\n AffectedPlatform,\n IPAddress,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "queryFrequency": "PT1H", + "queryPeriod": "P1D", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "AzureActiveDirectory", + "dataTypes": [ + "SigninLogs" + ] + } + ], + "tactics": [ + "InitialAccess", + "LateralMovement" + ], + "techniques": [ + "T1078", + "T1210" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "AccountName", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "columnName": "AffectedPlatform", + "identifier": "Name" + }, + { + "columnName": "AppId", + "identifier": "AppId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "RiskEventTypes": "RiskEventTypes", + "RiskEventTypes_V2": "RiskEventTypes_V2" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}", + "alertDisplayNameFormat": "Risky user sign-in activity in {{{AffectedPlatform}} ", + "alertSeverityColumnName": "Severity" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", + "properties": { + "description": "Microsoft Business Applications Analytics Rule 49", + "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "contentKind": "AnalyticsRule", + "displayName": "Power Platform - Possibly compromised user accesses Power Platform services", + "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Activity after Microsoft Entra alerts_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Activity after Microsoft Entra alerts", + "category": "Hunting Queries", + "query": "let match_window = 1h;\nlet analysis_window = 1d;\nlet lookback_window = 7d;\nSecurityAlert\n| where TimeGenerated > ago(analysis_window)\n| where ProviderName == 'IPC'\n| extend UserName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend UserName = tolower(UserName)\n| extend TimeKey = bin(TimeGenerated, match_window)\n| join kind=inner(DataverseActivity\n | where TimeGenerated > ago(analysis_window)\n | extend UserName = tolower(UserId)\n | extend TimeKey = bin(TimeGenerated, match_window))\n on UserName, TimeKey\n| join kind=leftanti(DataverseActivity\n | where TimeGenerated between(ago(lookback_window) .. ago(analysis_window))\n | extend UserName = tolower(UserId))\n on UserName, OriginalObjectId\n| summarize\n Actions = make_set(OriginalObjectId),\n MostRecentAction = max(TimeGenerated1),\n IPs = make_set(split(tostring(ClientIp), ':')[0]),\n AADAlerts=make_set(Description),\n MostRecentAlert = max(TimeGenerated)\n by UserName\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserName\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1078" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Activity after Microsoft Entra alerts", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Activity after failed logons_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Activity after failed logons", + "category": "Hunting Queries", + "query": "let threshold = 10;\nSigninLogs\n| where ResultType in (\"50125\", \"50140\", \"70043\", \"70044\")\n| summarize FailedSignInCount = count() by IPAddress\n| where FailedSignInCount >= threshold\n| join kind=inner (\n DataverseActivity\n | extend IPAddress = tostring(split(ClientIp, \":\")[0]))\n on IPAddress\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate." + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1078,T0819,T1078.004" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Activity after failed logons", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Cross-environment data export activity_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Cross-environment data export activity", + "category": "Hunting Queries", + "query": "//Modify environment_count_threshold to scale number of Dataverse instances to omit before including in results\nlet environment_count_threshold = 2;\nlet export_events = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nDataverseActivity\n| where Message in (export_events)\n| summarize InstanceCount = dcount(InstanceUrl) by UserId\n| where InstanceCount > environment_count_threshold\n| join kind=inner (DataverseActivity\n | where Message in (export_events))\n on UserId\n| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, InstanceCount, InstanceUrl, Message, ClientIp\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n UserId,\n Message,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity as users typically work on a small number of environments." + }, + { + "name": "tactics", + "value": "Exfiltration,Collection" + }, + { + "name": "techniques", + "value": "T1567,T1409" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Cross-environment data export activity", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Dataverse export copied to USB devices_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Dataverse export copied to USB devices", + "category": "Hunting Queries", + "query": "DataverseActivity\n| distinct InstanceUrl\n| join kind=inner (DeviceFileEvents)\n on $left.InstanceUrl == $right.FileOriginUrl\n| join kind=inner (DeviceEvents\n | where ActionType == \"UsbDriveMounted\"\n | extend DriveLetter = tostring(AdditionalFields.DriveLetter)\n | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)\n on DeviceId\n| extend TargetDriveLetter = tostring(split(FolderPath, \"\\\\\")[0])\n| where set_has_element(MountedDriveLetters, TargetDriveLetter)\n| join kind=inner (DeviceInfo\n | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)\n on DeviceId\n| summarize LatestEvent = arg_max(TimeGenerated, *) by FileName, UserId = InitiatingProcessAccountUpn, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n PublicIP,\n FolderPath,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to USB drive." + }, + { + "name": "tactics", + "value": "Exfiltration" + }, + { + "name": "techniques", + "value": "T1052,T1052.001" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 4", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Dataverse export copied to USB devices", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Generic client app used to access production environments_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Generic client app used to access production environments", + "category": "Hunting Queries", + "query": "SigninLogs\n| where AppId == \"51f81489-12ee-4a9e-aaae-a2591f45987d\"\n| where ResourceIdentity == \"00000007-0000-0000-c000-000000000000\"\n| project-rename SigninTime = TimeGenerated\n| where ResultType == 0\n| join kind=inner(DataverseActivity\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId\n| where TimeGenerated between (SigninTime .. (SigninTime + 1h))\n| summarize D365SigninTime = arg_min(TimeGenerated, *) by SigninTime, UserPrincipalName, IPAddress, UserAgent\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n SigninTime,\n D365SigninTime,\n UserPrincipalName,\n IPAddress,\n UserAgent,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query detects the use of the built-in \"Dynamics 365 Example Application\" to access production environments. This generic app can not be restricted by Azure AD authorization controls and could be abused to gain unauthorized access via Web API." + }, + { + "name": "tactics", + "value": "Execution" + }, + { + "name": "techniques", + "value": "T1106,T0834" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 5", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Generic client app used to access production environments", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Identity management activity outside of privileged directory role membership_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_6", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Identity management activity outside of privileged directory role membership", + "category": "Hunting Queries", + "query": "let admin_role_names = dynamic(['Dynamics 365 Administrator', 'Power Platform Administrator', 'Global Administrator']);\nlet event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);\nlet excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);\nIdentityInfo\n| where TimeGenerated > ago(14d)\n| where array_length(AssignedRoles) > 0\n| mv-expand AssignedRoles\n| where AssignedRoles in (admin_role_names)\n| summarize by UserId = tolower(AccountUPN)\n| join kind=rightanti (DataverseActivity\n | where EntityName =~ 'systemuser' and Message in (event_types)\n | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId\n | where UserId !in (excluded_accounts))\n on UserId\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins" + }, + { + "name": "tactics", + "value": "PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1078,T1078.004" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 6", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Identity management activity outside of privileged directory role membership", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse - Identity management changes without MFA_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_7", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Dataverse - Identity management changes without MFA", + "category": "Hunting Queries", + "query": "let event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);\nlet excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);\nSigninLogs\n| where AuthenticationRequirement == \"singleFactorAuthentication\"\n| where ResourceIdentity == \"00000007-0000-0000-c000-000000000000\" or AppId == \"00000007-0000-0000-c000-000000000000\"\n| where ResultType == 0\n| summarize by UserId = tolower(UserPrincipalName)\n| join kind=inner (DataverseActivity\n | where EntityName =~ 'systemuser' and Message in (event_types)\n | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId\n | where UserId !in (excluded_accounts))\n on UserId\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query is used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1078,T0819,T1078.004" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 7", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Dataverse - Identity management changes without MFA", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users_HuntingQueries Hunting Query with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Business_Applications_Hunting_Query_8", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users", + "category": "Hunting Queries", + "query": "////////////\n// Please replace the allowed_domains with a list of domains of your partners/sibling orgs\n// with whom you generally share power apps with. This will allow us to filter\n// legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.\n///////////\nlet allowed_domains = pack_array(\"contoso.com\");\nlet start = ago(14d);\nlet end = now();\nlet interval = 1h;\nPowerPlatformAdminActivity\n| where EventOriginalType == \"PowerAppPermissionEdited\"\n| extend Properties = tostring(PropertyCollection)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend TargetPrincipalId = extract(@'\"targetuser.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend\n PowerAppsAppId = AppId\n| join kind=leftouter (AuditLogs\n | where ActivityDateTime >= ago(14d)\n | where SourceSystem =~ \"Azure AD\" and OperationName == \"Invite external user\"\n | where Result =~ \"success\"\n | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])\n | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, \"@\")[1])\n | where not(InvitedOrgDomain has_any(allowed_domains))\n | extend\n InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),\n InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),\n InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),\n InvitedId = tostring(parse_json(TargetResources[0])['id'])\n | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)\n on $left.TargetPrincipalId == $right.InvitedId\n| where isnotempty(InvitedId)\n| make-series counter=dcount(TargetPrincipalId) default=0 on TimeGenerated in range(start, end, interval) by PowerAppsAppId, InvitedById, InvitedByUPN\n| extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(counter)\n| mv-expand\n counter to typeof(double),\n TimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n AnomalyScore to typeof(double),\n ExpectedUsage to typeof(long)\n| where Anomalies != 0\n| extend\n PowerAppsEntityId = 27593,\n AccountName = tostring(split(InvitedByUPN, '@')[0]),\n UPNSuffix = tostring(split(InvitedByUPN, '@')[1])\n| project\n TimeGenerated,\n ActualUsage=counter,\n ExpectedUsage,\n AnomalyScore,\n Anomalies,\n PowerAppsAppId,\n InvitedById,\n InvitedByUPN,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "The query detects anomalous attempts to perform bulk sharing of Power App to newly created guest users." + }, + { + "name": "tactics", + "value": "InitialAccess,LateralMovement,ResourceDevelopment" + }, + { + "name": "techniques", + "value": "T1566,T1534,T1587" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", + "properties": { + "description": "Microsoft Business Applications Hunting Query 8", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '3.2.0')))]", + "version": "3.2.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Add-SharePoint-Site Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Add-SharePoint-Site", + "type": "string" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "Enter value for resourceGroupName" + } + }, + "subscriptionId": { + "type": "string", + "metadata": { + "description": "Enter value for subscriptionId" + } + }, + "watchlistAlias": { + "type": "string", + "defaultValue": "MSBizApps-Configuration", + "metadata": { + "description": "Enter value for watchlistAlias" + } + }, + "workspaceId": { + "type": "string", + "metadata": { + "description": "Enter value for workspaceId" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[[parameters('resourceGroupName')]" + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[[parameters('subscriptionId')]" + }, + "watchlistAlias": { + "type": "string", + "defaultValue": "[[parameters('watchlistAlias')]" + }, + "workspaceId": { + "type": "string", + "defaultValue": "[[parameters('workspaceId')]" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Compose_Data": { + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "InstanceUrl": "@variables('InstanceUrl')", + "SharePointUrl": "@variables('SharePointSiteUrl')" + } + }, + "Condition": { + "actions": { + "Terminate": { + "type": "Terminate", + "inputs": { + "runError": { + "code": "TooManyEntities", + "message": "Found more than 2 entities in a single alert. Please ensure the Analytics Rule Event Grouping is set to: Trigger an alert for each event" + }, + "runStatus": "Failed" + } + } + }, + "runAfter": { + "Initialize_InstanceUrl": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "greater": [ + "@length(triggerBody()?['Entities'])", + 2 + ] + } + ] + }, + "type": "If" + }, + "For_each": { + "foreach": "@triggerBody()?['Entities']", + "actions": { + "Switch": { + "cases": { + "Case_Dataverse": { + "case": 32780, + "actions": { + "Set_SharePointSiteUrl": { + "type": "SetVariable", + "inputs": { + "name": "InstanceUrl", + "value": "@{items('For_each')?['InstanceName']}" + } + } + } + }, + "Case_SharePoint": { + "case": 20892, + "actions": { + "Set_InstanceUrl": { + "type": "SetVariable", + "inputs": { + "name": "SharePointSiteUrl", + "value": "@{items('For_each')?['InstanceName']}" + } + } + } + } + }, + "expression": "@items('For_each')['AppId']", + "type": "Switch" + } + }, + "runAfter": { + "Condition": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_InstanceUrl": { + "runAfter": { + "Initialize_SharePointSiteUrl": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "InstanceUrl", + "type": "string" + } + ] + } + }, + "Initialize_SharePointSiteUrl": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SharePointSiteUrl", + "type": "string" + } + ] + } + }, + "Watchlists_-_Add_a_new_Watchlist_Item": { + "runAfter": { + "Compose_Data": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Category": "SharePoint", + "Data": "@string(outputs('Compose_Data'))" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent(parameters('watchlistAlias'))}/watchlistItem" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "MS-BizApps-Add-SharePoint-Site", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Add SharePoint sites to watchlist", + "description": "This playbook is used to add new or updated SharePoint document management sites into the configuration watchlist. When combined with a scheduled analytics rule monitoring the Dataverse activity log, this Playbook will trigger when a new SharePoint document management site mapping is added. The site will be added to a watchlist to extend monitoring coverage.", + "prerequisites": [ + "1. Collect the subscription ID, resource group name and workspace ID of the Sentinel workspace." + ], + "postDeployment": [ + "1. Create a Sentinel automation rule to trigger this Playbook for the the Analytics Rule **Dataverse - SharePoint document management site added or updated**.", + "2. Configure Event Grouping settings for the Analytics rule to **Trigger an alert for each event**." + ], + "tags": [ + "Remediation" + ], + "lastUpdateTime": "2022-10-11T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Add-SharePoint-Site", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Blocklist-Add-User-AlertTrigger Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Blocklist-Add-User-AlertTrigger", + "type": "string" + }, + "GroupId": { + "type": "string", + "metadata": { + "description": "Enter object ID for Microsoft Entra group" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "GroupId": { + "type": "string", + "defaultValue": "[[parameters('GroupId')]" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Add_user_to_group": { + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "@@odata.id": "@body('Get_user')?['id']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "post", + "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" + } + }, + "Get_user": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "Iterate on each Dynamics 365 user account" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", + "connectionName": "[[variables('AzureadConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-AlertTrigger", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureadConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureadConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Add user to blocklist (alert trigger)", + "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", + "prerequisites": [ + "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", + "2. Create a Conditional Access policy in Microsoft Entra.", + "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." + ], + "postDeployment": [ + "1. Grant permissions to Sentinel for Playook managed identity.", + "2. Authorize connection for Microsoft Entra." + ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "lastUpdateTime": "2022-10-11T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Blocklist-Add-User-AlertTrigger", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Blocklist-Add-User-Via-Outlook Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Blocklist-Add-User-Via-Outlook", + "type": "string" + }, + "GroupId": { + "type": "string", + "metadata": { + "description": "Enter object ID for Microsoft Entra group" + } + }, + "ToAlias": { + "type": "string", + "metadata": { + "description": "Enter value for ToAlias" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]", + "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "GroupId": { + "type": "string", + "defaultValue": "[[parameters('GroupId')]" + }, + "ToAlias": { + "type": "string", + "defaultValue": "[[parameters('ToAlias')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition_to_check_the_SOC_selected_option": { + "actions": { + "Add_user_to_group": { + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "@@odata.id": "@body('Get_user')?['id']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "post", + "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" + } + }, + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User was added to CA block group in AAD: @{items('For_each')?['Name']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Add_user_to_group": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_4": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Account name: @{items('For_each')?['Name']}
\nError: @{body('Add_user_to_group')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@int(actionOutputs('Add_user_to_group').statusCode)", + 204 + ] + } + ] + }, + "type": "If", + "description": "Verify the execution result of function" + }, + "Get_user": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } + }, + "runAfter": { + "Send_email_with_options": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_3": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Account name: @{items('For_each')?['Name']}
\nSOC Action: Ignore

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Send_email_with_options')?['SelectedOption']", + "Approve" + ] + } + ] + }, + "type": "If" + }, + "Send_email_with_options": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "Message": { + "Body": "

Incident Url: @{triggerBody()?['object']?['properties']?['incidentUrl']}

\n

Incident#: @{triggerBody()?['object']?['properties']?['incidentNumber']}

\n

User Id: @{items('For_each')?['Name']}

\n

The account will be added to the CA block group in AAD.

\n", + "HideHTMLMessage": false, + "Importance": "High", + "Options": "Approve, Deny", + "ShowHTMLConfirmationDialog": false, + "Subject": "Dynamics 365 block user in Conditional Access", + "To": "@parameters('ToAlias')", + "UseOnlyHTMLMessage": true + }, + "NotificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "path": "/mailwithoptions/$subscriptions" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "Iterate on each Dynamics 365 user account" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]" + }, + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", + "connectionName": "[[variables('AzureadConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Outlook", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureadConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureadConnectionName')]", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Add user to blocklist using Outlook approval workflow", + "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using an Outlook based approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", + "prerequisites": [ + "1. An email address for SOC to receieve approval requests.", + "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", + "3. Create a Conditional Access policy in Microsoft Entra.", + "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." + ], + "postDeployment": [ + "1. Grant permissions to Sentinel for Playbook managed identity.", + "2. Authorize connection for Microsoft Entra.", + "3. Authorize connection for Microsoft Outlook." + ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "lastUpdateTime": "2022-10-11T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Blocklist-Add-User-Via-Outlook", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Blocklist-Add-User-Via-Teams Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Blocklist-Add-User-Via-Teams", + "type": "string" + }, + "GroupId": { + "type": "string", + "metadata": { + "description": "Enter object ID for Microsoft Entra group" + } + }, + "TeamsChannelId": { + "type": "string", + "metadata": { + "description": "Enter value for TeamsChannelId" + } + }, + "TeamsGroupId": { + "type": "string", + "metadata": { + "description": "Enter value for TeamsGroupId" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]", + "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "GroupId": { + "type": "string", + "defaultValue": "[[parameters('GroupId')]" + }, + "TeamsChannelId": { + "type": "string", + "defaultValue": "[[parameters('TeamsChannelId')]" + }, + "TeamsGroupId": { + "type": "string", + "defaultValue": "[[parameters('TeamsGroupId')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Condition_to_check_the_SOC_selected_option": { + "actions": { + "Add_user_to_group": { + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "@@odata.id": "@body('Get_user')?['id']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "post", + "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" + } + }, + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User was added to CA block group in AAD: @{items('For_each')?['Name']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Add_user_to_group": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_3": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Account name: @{items('For_each')?['Name']}
\nError: @{body('Add_user_to_group')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@int(actionOutputs('Add_user_to_group').statusCode)", + 204 + ] + } + ] + }, + "type": "If", + "description": "Verify the execution result of function" + }, + "Get_user": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } + }, + "runAfter": { + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Account name: @{items('For_each')?['Name']}
\nSOC Action: Ignore

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']", + "Block user" + ] + } + ] + }, + "type": "If", + "description": "Verify the SOC action to remove the SkuIds" + }, + "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": " {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious Account - Azure Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible Comprised User detected by the provider\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Graph API Information:\",\n \"wrap\": true\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://1.bp.blogspot.com/-XRTHPrt7nR4/Xu9koskiFWI/AAAAAAAAGcY/SRKJLzVYSekWRZqd1Adyrg66-1eaghZmwCK4BGAsYHg/s191/graph-icon-1.png\",\n \"size\": \"Small\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Do you want to add the following account to the D365 Conditional Access Block list: @{items('For_each')?['Name']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n{\n \"type\": \"TextBlock\",\n \"text\": \"Click approve to authorize adding user to block list.\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Block user\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "channelId": "@parameters('TeamsChannelId')" + }, + "shouldUpdateCard": true + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams']['connectionId']" + } + }, + "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", + "queries": { + "groupId": "@parameters('TeamsGroupId')" + } + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "Iterate on each Dynamics 365 user account" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "teams": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]" + }, + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", + "connectionName": "[[variables('AzureadConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Teams", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureadConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureadConnectionName')]", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Add user to blocklist using Teams approval workflow", + "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using a Teams adaptive card approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", + "prerequisites": [ + "1. Teams group and channel ID to receive approval requests.", + "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", + "3. Create a Conditional Access policy in Microsoft Entra.", + "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." + ], + "postDeployment": [ + "1. Grant permissions to Sentinel for Playook managed identity.", + "2. Authorize connection for Microsoft Entra.", + "3. Authorize connection for Microsoft Teams." + ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "lastUpdateTime": "2022-10-11T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Blocklist-Add-User-Via-Teams", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Blocklist-Add-User Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Blocklist-Add-User", + "type": "string" + }, + "GroupId": { + "type": "string", + "metadata": { + "description": "Enter object ID for Microsoft Entra group" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "GroupId": { + "type": "string", + "defaultValue": "[[parameters('GroupId')]" + } + }, + "triggers": { + "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Add_user_to_group": { + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "@@odata.id": "@body('Get_user')?['id']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "post", + "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" + } + }, + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

User was added to CA block group in AAD: @{items('For_each')?['Name']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Add_user_to_group": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment_to_incident_(V3)_2": { + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Account name: @{items('For_each')?['Name']}
\nError: @{body('Add_user_to_group')['error']['message']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@int(actionOutputs('Add_user_to_group').statusCode)", + 204 + ] + } + ] + }, + "type": "If", + "description": "Verify the execution result of function" + }, + "Get_user": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "Iterate on each Dynamics 365 user account" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", + "connectionName": "[[variables('AzureadConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "D365-Blocklist-Add-User", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureadConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureadConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Add user to blocklist (incident trigger)", + "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", + "prerequisites": [ + "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", + "2. Create a Conditional Access policy in Microsoft Entra.", + "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." + ], + "postDeployment": [ + "1. Grant permissions to Sentinel for Playook managed identity.", + "2. Authorize connection for Microsoft Entra." + ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "lastUpdateTime": "2022-10-11T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Blocklist-Add-User", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Blocklist-Remove-User-AlertTrigger Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Blocklist-Remove-User-AlertTrigger", + "type": "string" + }, + "GroupId": { + "type": "string", + "metadata": { + "description": "Enter object ID for Microsoft Entra group" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "GroupId": { + "type": "string", + "defaultValue": "[[parameters('GroupId')]" + } + }, + "triggers": { + "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['Entities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", + "actions": { + "Get_user": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "get", + "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" + } + }, + "Remove_Member_From_Group": { + "runAfter": { + "Get_user": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuread']['connectionId']" + } + }, + "method": "delete", + "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/@{encodeURIComponent(body('Get_user')?['id'])}/$ref" + } + } + }, + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach", + "description": "Iterate on each Dynamics 365 user account" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "azuread": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", + "connectionName": "[[variables('AzureadConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "D365-Blocklist-Remove-User-AlertTrigger", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureadConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureadConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Remove user from blocklist", + "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to remove affected user entitites from a pre-defined Microsoft Entra group used to block access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", + "prerequisites": [ + "1. Object ID of the Microsoft Entra security group used to block access." + ], + "postDeployment": [ + "1. Grant permissions to Sentinel for Playook managed identity.", + "2. Authorize connection for Microsoft Entra." + ], + "entities": [ + "Account" + ], + "tags": [ + "Remediation" + ], + "lastUpdateTime": "2022-10-11T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Blocklist-Remove-User-AlertTrigger", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Dataverse-Send-Manager-Notification Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Dataverse-Send-Manager-Notification", + "type": "string" + }, + "FallbackMailbox": { + "type": "string", + "metadata": { + "description": "Enter email address for fallback mailbox" + } + }, + "ManagerTypeIsD365": { + "type": "string", + "defaultValue": "true", + "metadata": { + "description": "Leave as true to use Dynamics 365 manager or set to false for Office 365 manager" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]", + "Office365usersConnectionName": "[[concat('Office365users-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365users')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "FallbackMailbox": { + "defaultValue": "[[parameters('FallbackMailbox')]", + "type": "string" + }, + "ManagerTypeIsD365": { + "defaultValue": "[[parameters('ManagerTypeIsD365')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "For_each": { + "foreach": "@body('Parse_JSON')", + "actions": { + "Condition": { + "actions": { + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "InstanceUrl", + "value": "@items('For_each')?['properties']?['instanceName']" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@items('For_each')['kind']", + "CloudApplication" + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "InstanceUrl", + "type": "string", + "value": "@{null}" + } + ] + } + }, + "InstanceUrl_Exists": { + "actions": { + "ManagerTypeIsD365": { + "actions": { + "Entities_-_Get_D365_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each_D365_account": { + "foreach": "@body('Entities_-_Get_D365_Accounts')?['Accounts']", + "actions": { + "Get_D365_User": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "@variables('InstanceUrl')", + "type": "ManagedServiceIdentity" + }, + "headers": { + "OData-MaxVersion": "4.0", + "OData-Version": "4.0", + "accept": "application/json" + }, + "method": "GET", + "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$select=_parentsystemuserid_value,windowsliveid&$filter=windowsliveid eq '@{concat(items('For_each_D365_account')?['accountName'],'@',items('For_each_D365_account')?['upnSuffix'])}'" + } + }, + "User_Has_Manager_D365": { + "actions": { + "Get_Manager": { + "type": "Http", + "inputs": { + "authentication": { + "audience": "@variables('InstanceUrl')", + "type": "ManagedServiceIdentity" + }, + "headers": { + "OData-MaxVersion": "4.0", + "OData-Version": "4.0", + "accept": "application/json" + }, + "method": "GET", + "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$filter=_parentsystemuserid_value eq @{body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']}&$select=firstname,lastname,internalemailaddress" + } + }, + "Send_email_to_D365_manager": { + "runAfter": { + "Get_Manager": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below:
\n
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_D365_account')?['Name']}

", + "Importance": "High", + "Subject": "@triggerBody()?['object']?['properties']?['title']", + "To": "@{body('Get_Manager')['value'][0]?['internalemailaddress']}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365_1']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Get_D365_User": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Send_email_to_fallback_mailbox_(D365)": { + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Title: @{triggerBody()?['object']?['properties']?['title']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_D365_account')?['Name']}
\n
\nAlert generated for user .  However, this user has no manager assignment in Dynamics 365.

", + "Importance": "High", + "Subject": "Manager notification rule was triggered but no manager assigned in Dynamics 365", + "To": "@parameters('FallbackMailbox')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365_1']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Entities_-_Get_D365_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "else": { + "actions": { + "Entities_-_Get_O365_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each_O365_account": { + "foreach": "@body('Entities_-_Get_O365_Accounts')?['Accounts']", + "actions": { + "Get_manager_(V2)": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['office365users']['connectionId']" + } + }, + "method": "get", + "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each_O365_account')?['accountName'],'@',items('For_each_O365_account')?['upnSuffix']))}/manager" + } + }, + "User_Has_Manager_O365": { + "actions": { + "Send_email_to_O365_manager": { + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below:
\n
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_O365_account')?['Name']}

", + "Importance": "High", + "Subject": "@triggerBody()?['object']?['properties']?['title']", + "To": "@body('Get_manager_(V2)')?['mail']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365_1']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Get_manager_(V2)": [ + "Succeeded", + "Failed" + ] + }, + "else": { + "actions": { + "Send_email_to_fallback_mailbox_(O365)": { + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Title: @{triggerBody()?['object']?['properties']?['title']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_O365_account')?['Name']}
\n
\nAlert generated for user .  However, this user has no manager assignment in Office 365.

", + "Importance": "High", + "Subject": "Manager notification rule was triggered but no manager assigned in Office 365", + "To": "@parameters('FallbackMailbox')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365_1']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Get_manager_(V2)')?['mail']", + "@null" + ] + } + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "Entities_-_Get_O365_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('ManagerTypeIsD365')", + true + ] + } + ] + }, + "type": "If" + } + }, + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Entities_-_Get_Missing_Instance_Accounts": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/account" + } + }, + "For_each_account_(Missing_Instance)": { + "foreach": "@body('Entities_-_Get_Missing_Instance_Accounts')?['Accounts']", + "actions": { + "Send_email_to_fallback_mailbox_(Missing_Instance)": { + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

Title: @{triggerBody()?['object']?['properties']?['title']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_account_(Missing_Instance)')?['Name']}
\n
\nPlease ensure incidents triggering this playbook contain Cloud App type entity mappings with the InstanceUrl set in the InstanceName property of the entity mapping.

", + "Importance": "High", + "Subject": "Manager notification Playbook was triggered but Dynamics 365 instance URL was not found", + "To": "@parameters('FallbackMailbox')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365_1']['connectionId']" + } + }, + "method": "post", + "path": "/v2/Mail" + } + } + }, + "runAfter": { + "Entities_-_Get_Missing_Instance_Accounts": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "expression": { + "or": [ + { + "equals": [ + "@parameters('ManagerTypeIsD365')", + "@false" + ] + }, + { + "startsWith": [ + "@tolower(variables('InstanceUrl'))", + "https://" + ] + } + ] + }, + "type": "If" + }, + "Parse_JSON": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "schema": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "properties": { + "properties": { + "appId": { + "type": "integer" + }, + "appName": { + "type": "string" + }, + "friendlyName": { + "type": "string" + }, + "instanceName": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "type", + "kind", + "properties" + ], + "type": "object" + }, + "type": "array" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]" + }, + "office365users": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]", + "connectionName": "[[variables('Office365usersConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365users')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "D365-Send-Manager-Notification", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365usersConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Office365usersConnectionName')]", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ], + "metadata": { + "title": "Dataverse: Send notification to manager", + "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically send an email notificiation to the manager of the affected user entitites. The Playbook can be configured to send either to the Dynamics 365 manager, or using the manager in Office 365.", + "prerequisites": [ + "1. Ensure user accounts have a manager assigned in either Dynamics 365 or Office 365." + ], + "postDeployment": [ + "1. Set the ManagerTypeIsD365 Playbook parameter to false if using Office 365 manager.", + "2. Configure an email address for the FallbackMailbox Playbook parameter. This inbox will be used for any user entity without a manager assigned." + ], + "entities": [ + "Account" + ], + "tags": [ + "Notification" + ], + "lastUpdateTime": "2022-11-01T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "Dataverse-Send-Manager-Notification", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MSBizApps-Incident-From-Alert-Teams Playbook with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "MSBizApps-Incident-From-Alert-Teams", + "type": "string" + }, + "WorkloadOwnersAddress": { + "type": "String", + "metadata": { + "description": "Enter value for WorkloadOwnersAddress" + } + }, + "EscalationsAddress": { + "type": "String", + "metadata": { + "description": "Enter value for EscalationsAddress" + } + }, + "OriginatorId": { + "type": "String", + "metadata": { + "description": "Enter value for OriginatorId" + } + }, + "SharedMailboxAddress": { + "type": "String", + "metadata": { + "description": "Enter value for SharedMailboxAddress" + } + }, + "TeamsChannelLink": { + "type": "String", + "metadata": { + "description": "Enter value for TeamsChannelLink" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]", + "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]", + "_connection-4": "[[variables('connection-4')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "WorkloadOwnersAddress": { + "defaultValue": "[[parameters('WorkloadOwnersAddress')]", + "type": "String" + }, + "EscalationsAddress": { + "defaultValue": "[[parameters('EscalationsAddress')]", + "type": "String" + }, + "OriginatorId": { + "defaultValue": "[[parameters('OriginatorId')]", + "type": "String" + }, + "SharedMailboxAddress": { + "defaultValue": "[[parameters('SharedMailboxAddress')]", + "type": "String" + }, + "TeamsChannelLink": { + "defaultValue": "[[parameters('TeamsChannelLink')]", + "type": "String" + }, + "_PlaybookName": { + "defaultValue": "[[parameters('PlaybookName')]", + "type": "String" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Condition": { + "actions": { + "Add_alert_to_incident": { + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "relatedResourceId": "@triggerBody()?['SystemAlertId']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Relation/Create" + } + }, + "Create_incident": { + "type": "ApiConnection", + "inputs": { + "body": { + "description": "This alert was flagged as suspicious by the BizApps team:\n\n@{triggerBody()?['Description']}\n", + "severity": "@triggerBody()?['Severity']", + "status": "New", + "title": "@triggerBody()?['AlertDisplayName']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" + } + }, + "method": "put", + "path": "/Incidents/subscriptions/@{triggerBody()?['workspaceInfo']?['SubscriptionId']}/resourceGroups/@{triggerBody()?['workspaceInfo']?['ResourceGroupName']}/workspaces/@{triggerBody()?['workspaceInfo']?['WorkspaceName']}" + } + } + }, + "runAfter": { + "Post_adaptive_card_and_wait_for_a_response": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@outputs('Post_adaptive_card_and_wait_for_a_response')?['body']?['submitActionId']", + "Yes, this was authorized" + ] + } + } + ] + }, + "type": "If" + }, + "Initialize_OutlookMessage": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "OutlookMessage", + "type": "string", + "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n" + } + ] + } + }, + "Post_adaptive_card_and_wait_for_a_response": { + "runAfter": { + "Send_an_email_from_a_shared_mailbox_(V2)": [ + "Succeeded" + ] + }, + "limit": { + "timeout": "PT24H" + }, + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "body": { + "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"ColumnSet\",\n\"width\": \"auto\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"small\"\n }\n ]\n },\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"@{triggerBody()?['AlertDisplayName']}\",\n \"wrap\": true,\n \"horizontalAlignment\": \"left\"\n }\n ]\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Microsoft Sentinel alert was created: @{triggerBody()?['Description']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Is this activity legitmate?\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Yes, this was authorized\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"No, create an incident\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", + "recipient": { + "channelId": "[variables('blanks')]", + "groupId": "[variables('blanks')]" + }, + "updateMessage": "Thanks for your response!" + }, + "notificationUrl": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['teams_1']['connectionId']" + } + }, + "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" + } + }, + "Send_an_email_escalation_due_to_timeout": { + "runAfter": { + "Set_Escalation_Message": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

@{variables('OutlookMessage')}

", + "Importance": "High", + "MailboxAddress": "@parameters('SharedMailboxAddress')", + "Subject": "ESCALATION: Security Process Impaired Due to Lack of Response", + "To": "@parameters('EscalationsAddress')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/SharedMailbox/Mail" + } + }, + "Send_an_email_from_a_shared_mailbox_(V2)": { + "runAfter": { + "Initialize_OutlookMessage": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

@{variables('OutlookMessage')}

", + "Importance": "High", + "MailboxAddress": "@parameters('SharedMailboxAddress')", + "Subject": "ACTION REQUIRED: Microsoft Sentinel Security Alert", + "To": "@parameters('WorkloadOwnersAddress')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/SharedMailbox/Mail" + } + }, + "Send_an_email_notification_of_failure": { + "runAfter": { + "Set_Failure_Message": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "Body": "

@{variables('OutlookMessage')}

", + "Importance": "High", + "MailboxAddress": "@parameters('SharedMailboxAddress')", + "Subject": "FAILURE: Security Process Impaired Due to Playbook Failure", + "To": "@parameters('SharedMailboxAddress')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['office365']['connectionId']" + } + }, + "method": "post", + "path": "/v2/SharedMailbox/Mail" + } + }, + "Set_Escalation_Message": { + "runAfter": { + "Post_adaptive_card_and_wait_for_a_response": [ + "TimedOut" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "OutlookMessage", + "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n" + } + }, + "Set_Failure_Message": { + "runAfter": { + "Post_adaptive_card_and_wait_for_a_response": [ + "Skipped", + "Failed" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "OutlookMessage", + "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n" + } + }, + "Terminate_Failed": { + "runAfter": { + "Send_an_email_notification_of_failure": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runError": { + "code": "PlaybookFailed", + "message": "Playbook failed to post a message in Teams" + }, + "runStatus": "Failed" + } + }, + "Terminate_Succeeded": { + "runAfter": { + "Send_an_email_escalation_due_to_timeout": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runStatus": "Succeeded" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "office365": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "connectionName": "[[variables('Office365ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]" + }, + "teams_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", + "connectionName": "[[variables('TeamsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "MSBizApps-Admin-Teams-Approval-AlertTrigger", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Office365ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Office365ConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('TeamsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('TeamsConnectionName')]", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ], - "entityType": "Account" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "PolicyName": "PolicyName", - "Policy": "PolicyId" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}", - "alertDisplayNameFormat": "PowerPlatform - DLP policy {{EventType}} event detected." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject48').analyticRuleId48,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 48", - "parentId": "[variables('analyticRuleObject48').analyticRuleId48]", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + "metadata": { + "title": "Security workflow: alert verification with workload owners", + "description": "This playbook can reduce burden on the SOC by offloading alert verification to IT admins for specific analytics rules. It is triggered when a Microsoft Sentinel alert is generated, creates a message (and associated notification email) in the workload owner's Microsoft Teams channel containing details of the alert. If the workload owner responds that the activity is not authorized, the alert will be converted to an incident in Microsoft Sentinel for the SOC to handle.", + "prerequisites": [ + "1. Take note of the Microsoft Teams channel URL (right click channel and 'Get link to channel').", + "2. An Exchange Online shared mailbox for the SOC.", + "3. Email address for the workload owners to send alert notifications.", + "4. Email address to send escalation notifications if workload owners do not respond.", + "5. Register a new provider at the [Actionable Email Developer Dashboard](https://aka.ms/publishoam) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)." + ], + "postDeployment": [ + "1. In Logic Apps designer view, edit the 'Post adaptive card and wait for a reponse' action.", + "2. In the 'Team' and 'Channel' boxes, click on the 'X' to reveal the dropdown selector menu.", + "3. Select the appropriate Teams channel to receive notifications.", + "4. Assign Microsoft Sentinel Responder role to the playbook's managed identity on the Microsoft Sentinel workspace resource group." + ], + "entities": [ + "Account" + ], + "tags": [ + "Notification" + ], + "lastUpdateTime": "2022-11-01T00:00:00Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "MSBizApps-Incident-From-Alert-Teams", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "contentKind": "AnalyticsRule", - "displayName": "Power Platform - DLP policy updated or removed", - "contentProductId": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "id": "[variables('analyticRuleObject48')._analyticRulecontentProductId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject49').analyticRuleTemplateSpecName49]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Platform - Possibly compromised user accesses Power Platform services_AnalyticalRules Analytics Rule with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "apiVersion": "2023-02-01-preview", - "kind": "Scheduled", - "location": "[parameters('workspace-location')]", - "properties": { - "description": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.", - "displayName": "Power Platform - Possibly compromised user accesses Power Platform services", - "enabled": false, - "query": "let power_automate_appid = \"6204c1d1-4712-4c46-a7d9-3ed63d992682\";\nlet power_apps_appid = \"a8f7a65c-f5ba-4859-b2d6-df772c264e9d\";\nlet ppac_appid = \"065d9450-1e87-434e-ac2f-69af271549ed\";\nlet query_frequency = 1h;\nSigninLogs\n| where ingestion_time() >= ago(query_frequency)\n| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0\n| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)\n| extend AffectedPlatform = case(\n AppId == ppac_appid,\n \"Power Platform Admin Center\",\n AppId == power_apps_appid,\n \"Power Apps\",\n AppId == power_automate_appid,\n \"Power Automate\",\n \"Unknown\"\n )\n| extend\n Severity = iif(AffectedPlatform in (\"Power Apps\", \"Power Automate\"), \"Medium\", \"High\"),\n CloudAppId = case(AffectedPlatform == \"Power Apps\", int(27593), AffectedPlatform == \"Power Automate\", int(27592), 0),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n UserId,\n UniqueTokenIdentifier,\n Identity,\n RiskEventTypes,\n RiskEventTypes_V2,\n UserPrincipalName,\n AppId,\n AppDisplayName,\n AffectedPlatform,\n IPAddress,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "queryFrequency": "PT1H", - "queryPeriod": "P1D", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "triggerOperator": "GreaterThan", - "triggerThreshold": 0, - "status": "Available", - "requiredDataConnectors": [ - { - "connectorId": "AzureActiveDirectory", - "dataTypes": [ - "SigninLogs" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "DataverseSharePointSites Data Parser with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "DataverseSharePointSites", + "category": "MSBizAppsFunctions", + "functionAlias": "DataverseSharePointSites", + "query": "let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];\nlet DataverseSharepointSites_data = (\n _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)\n | where SearchKey == \"SharePoint\"\n | extend Data = todynamic(column_ifexists('Data', dynamic({\"InstanceUrl\": \"_\", \"SharePointUrl\": \"_\"})))\n | project\n InstanceUrl = tostring(Data.InstanceUrl),\n SharePointUrl = tostring(Data.SharePointUrl)\n );\nDataverseSharepointSites_data\n| union isfuzzy = true (DataverseSharepointSites_definition)\n| where InstanceUrl != '_'\n| extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))\n| extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))\n| project InstanceUrl, SharePointUrl\n", + "functionParameters": "MSBizAppsConfigurationWatchlistAlias:string='MSBizApps-Configuration'", + "version": 2, + "tags": [ + { + "name": "description", + "value": "DataverseSharePointSites" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Microsoft Business Applications", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } ] - } - ], - "tactics": [ - "InitialAccess", - "LateralMovement" - ], - "techniques": [ - "T1078", - "T1210" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "columnName": "AccountName", - "identifier": "Name" - }, - { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" - } - ], - "entityType": "Account" - }, - { - "fieldMappings": [ - { - "columnName": "IPAddress", - "identifier": "Address" - } - ], - "entityType": "IP" - }, - { - "fieldMappings": [ - { - "columnName": "AffectedPlatform", - "identifier": "Name" - }, - { - "columnName": "AppId", - "identifier": "AppId" - } - ], - "entityType": "CloudApplication" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "customDetails": { - "RiskEventTypes": "RiskEventTypes", - "RiskEventTypes_V2": "RiskEventTypes_V2" - }, - "alertDetailsOverride": { - "alertDescriptionFormat": "The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}", - "alertSeverityColumnName": "Severity", - "alertDisplayNameFormat": "Risky user sign-in activity in {{{AffectedPlatform}} " - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject49').analyticRuleId49,'/'))))]", - "properties": { - "description": "Microsoft Business Applications Analytics Rule 49", - "parentId": "[variables('analyticRuleObject49').analyticRuleId49]", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "contentKind": "AnalyticsRule", - "displayName": "Power Platform - Possibly compromised user accesses Power Platform services", - "contentProductId": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "id": "[variables('analyticRuleObject49')._analyticRulecontentProductId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Activity after Microsoft Entra alerts_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_1", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dataverse - Activity after Microsoft Entra alerts", - "category": "Hunting Queries", - "query": "let match_window = 1h;\nlet analysis_window = 1d;\nlet lookback_window = 7d;\nSecurityAlert\n| where TimeGenerated > ago(analysis_window)\n| where ProviderName == 'IPC'\n| extend UserName = tostring(parse_json(ExtendedProperties).[\"User Account\"])\n| extend UserName = tolower(UserName)\n| extend TimeKey = bin(TimeGenerated, match_window)\n| join kind=inner(DataverseActivity\n | where TimeGenerated > ago(analysis_window)\n | extend UserName = tolower(UserId)\n | extend TimeKey = bin(TimeGenerated, match_window))\n on UserName, TimeKey\n| join kind=leftanti(DataverseActivity\n | where TimeGenerated between(ago(lookback_window) .. ago(analysis_window))\n | extend UserName = tolower(UserId))\n on UserName, OriginalObjectId\n| summarize\n Actions = make_set(OriginalObjectId),\n MostRecentAction = max(TimeGenerated1),\n IPs = make_set(split(tostring(ClientIp), ':')[0]),\n AADAlerts=make_set(Description),\n MostRecentAlert = max(TimeGenerated)\n by UserName\n| extend timestamp = MostRecentAction, AccountCustomEntity = UserName\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a Microsoft Entra Identity Protection alert for that user. The query only looks for users not seen before or conducting Dynamics activity not previously seen." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1078" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 1", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "DataverseSharePointSites", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", + "version": "[variables('parserObject1').parserVersion1]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Activity after Microsoft Entra alerts", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Activity after failed logons_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_2", - "location": "[parameters('workspace-location')]", - "properties": { + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { "eTag": "*", - "displayName": "Dataverse - Activity after failed logons", - "category": "Hunting Queries", - "query": "let threshold = 10;\nSigninLogs\n| where ResultType in (\"50125\", \"50140\", \"70043\", \"70044\")\n| summarize FailedSignInCount = count() by IPAddress\n| where FailedSignInCount >= threshold\n| join kind=inner (\n DataverseActivity\n | extend IPAddress = tostring(split(ClientIp, \":\")[0]))\n on IPAddress\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n", + "displayName": "DataverseSharePointSites", + "category": "MSBizAppsFunctions", + "functionAlias": "DataverseSharePointSites", + "query": "let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];\nlet DataverseSharepointSites_data = (\n _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)\n | where SearchKey == \"SharePoint\"\n | extend Data = todynamic(column_ifexists('Data', dynamic({\"InstanceUrl\": \"_\", \"SharePointUrl\": \"_\"})))\n | project\n InstanceUrl = tostring(Data.InstanceUrl),\n SharePointUrl = tostring(Data.SharePointUrl)\n );\nDataverseSharepointSites_data\n| union isfuzzy = true (DataverseSharepointSites_definition)\n| where InstanceUrl != '_'\n| extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))\n| extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))\n| project InstanceUrl, SharePointUrl\n", + "functionParameters": "MSBizAppsConfigurationWatchlistAlias:string='MSBizApps-Configuration'", "version": 2, "tags": [ - { - "name": "description", - "value": "This hunting query looks for users conducting Dataverse/Dynamics 365 activity shortly after a number of failed logons. Use this to look for potential post brute force activity. Adjust the threshold figure based on false positive rate." - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1078,T0819,T1078.004" - } + { + "name": "description", + "value": "DataverseSharePointSites" + } ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 2", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Activity after failed logons", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Cross-environment data export activity_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_3", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dataverse - Cross-environment data export activity", - "category": "Hunting Queries", - "query": "//Modify environment_count_threshold to scale number of Dataverse instances to omit before including in results\nlet environment_count_threshold = 2;\nlet export_events = dynamic(['ExportToExcel', 'ExportPdfDocument', 'ExportWordDocument', 'ExecutePowerBISql']);\nDataverseActivity\n| where Message in (export_events)\n| summarize InstanceCount = dcount(InstanceUrl) by UserId\n| where InstanceCount > environment_count_threshold\n| join kind=inner (DataverseActivity\n | where Message in (export_events))\n on UserId\n| summarize FirstEvent = min(TimeGenerated), LastEvent = max(TimeGenerated) by UserId, InstanceCount, InstanceUrl, Message, ClientIp\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n FirstEvent,\n LastEvent,\n UserId,\n Message,\n ClientIp,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This query searches for data export activity across a predetermined number of Dataverse instances. Data export activity across multiple environments could indicate suspicious activity as users typically work on a small number of environments." - }, - { - "name": "tactics", - "value": "Exfiltration,Collection" - }, - { - "name": "techniques", - "value": "T1567,T1409" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 3", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Cross-environment data export activity", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Dataverse export copied to USB devices_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_4", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dataverse - Dataverse export copied to USB devices", - "category": "Hunting Queries", - "query": "DataverseActivity\n| distinct InstanceUrl\n| join kind=inner (DeviceFileEvents)\n on $left.InstanceUrl == $right.FileOriginUrl\n| join kind=inner (DeviceEvents\n | where ActionType == \"UsbDriveMounted\"\n | extend DriveLetter = tostring(AdditionalFields.DriveLetter)\n | summarize MountedDriveLetters = make_set(DriveLetter, 26) by DeviceId, DeviceName)\n on DeviceId\n| extend TargetDriveLetter = tostring(split(FolderPath, \"\\\\\")[0])\n| where set_has_element(MountedDriveLetters, TargetDriveLetter)\n| join kind=inner (DeviceInfo\n | summarize arg_max(TimeGenerated, DeviceId, PublicIP) by DeviceName)\n on DeviceId\n| summarize LatestEvent = arg_max(TimeGenerated, *) by FileName, UserId = InitiatingProcessAccountUpn, InstanceUrl\n| extend\n CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n LatestEvent,\n UserId,\n PublicIP,\n FolderPath,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n CloudAppId\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This query uses XDR data from M365 Defender to detect files downloaded from a Dataverse instance and copied to USB drive." - }, - { - "name": "tactics", - "value": "Exfiltration" - }, - { - "name": "techniques", - "value": "T1052,T1052.001" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 4", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject2').parserTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MSBizAppsNetworkAddresses Data Parser with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject2').parserVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject2')._parserName2]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "MSBizAppsNetworkAddresses", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsNetworkAddresses", + "query": "let MsBizAppsNetworkAddresses_definition = datatable (\n IPSubnet: string,\n RangeName: string,\n Tags: string\n) [\n '_', '_', '_'\n];\nlet MsBizAppsNetworkAddresses_data = (\n _GetWatchlist(NetworkAddressesWatchlistAlias)\n | project\n IPSubnet = tostring(column_ifexists('IP Subnet', '_')),\n RangeName = tostring(column_ifexists('Range Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMsBizAppsNetworkAddresses_data\n| union isfuzzy = true (MsBizAppsNetworkAddresses_definition)\n| where IPSubnet != '_'\n| project IPSubnet, RangeName, Tags\n", + "functionParameters": "NetworkAddressesWatchlistAlias:string='NetworkAddresses'", + "version": 2, + "tags": [ + { + "name": "description", + "value": "MSBizAppsNetworkAddresses" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "name": "Microsoft Business Applications", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject2').parserContentId2]", + "contentKind": "Parser", + "displayName": "MSBizAppsNetworkAddresses", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '3.2.0')))]", + "version": "[variables('parserObject2').parserVersion2]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Dataverse export copied to USB devices", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Generic client app used to access production environments_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_5", - "location": "[parameters('workspace-location')]", - "properties": { + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject2')._parserName2]", + "location": "[parameters('workspace-location')]", + "properties": { "eTag": "*", - "displayName": "Dataverse - Generic client app used to access production environments", - "category": "Hunting Queries", - "query": "SigninLogs\n| where AppId == \"51f81489-12ee-4a9e-aaae-a2591f45987d\"\n| where ResourceIdentity == \"00000007-0000-0000-c000-000000000000\"\n| project-rename SigninTime = TimeGenerated\n| where ResultType == 0\n| join kind=inner(DataverseActivity\n | where Message == \"UserSignIn\")\n on $left.UserPrincipalName == $right.UserId\n| where TimeGenerated between (SigninTime .. (SigninTime + 1h))\n| summarize D365SigninTime = arg_min(TimeGenerated, *) by SigninTime, UserPrincipalName, IPAddress, UserAgent\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n SigninTime,\n D365SigninTime,\n UserPrincipalName,\n IPAddress,\n UserAgent,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", + "displayName": "MSBizAppsNetworkAddresses", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsNetworkAddresses", + "query": "let MsBizAppsNetworkAddresses_definition = datatable (\n IPSubnet: string,\n RangeName: string,\n Tags: string\n) [\n '_', '_', '_'\n];\nlet MsBizAppsNetworkAddresses_data = (\n _GetWatchlist(NetworkAddressesWatchlistAlias)\n | project\n IPSubnet = tostring(column_ifexists('IP Subnet', '_')),\n RangeName = tostring(column_ifexists('Range Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMsBizAppsNetworkAddresses_data\n| union isfuzzy = true (MsBizAppsNetworkAddresses_definition)\n| where IPSubnet != '_'\n| project IPSubnet, RangeName, Tags\n", + "functionParameters": "NetworkAddressesWatchlistAlias:string='NetworkAddresses'", "version": 2, "tags": [ - { - "name": "description", - "value": "This query detects the use of the built-in \"Dynamics 365 Example Application\" to access production environments. This generic app can not be restricted by Azure AD authorization controls and could be abused to gain unauthorized access via Web API." - }, - { - "name": "tactics", - "value": "Execution" - }, - { - "name": "techniques", - "value": "T1106,T0834" - } + { + "name": "description", + "value": "MSBizAppsNetworkAddresses" + } ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 5", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Generic client app used to access production environments", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Identity management activity outside of privileged directory role membership_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_6", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dataverse - Identity management activity outside of privileged directory role membership", - "category": "Hunting Queries", - "query": "let admin_role_names = dynamic(['Dynamics 365 Administrator', 'Power Platform Administrator', 'Global Administrator']);\nlet event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);\nlet excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);\nIdentityInfo\n| where TimeGenerated > ago(14d)\n| where array_length(AssignedRoles) > 0\n| mv-expand AssignedRoles\n| where AssignedRoles in (admin_role_names)\n| summarize by UserId = tolower(AccountUPN)\n| join kind=rightanti (DataverseActivity\n | where EntityName =~ 'systemuser' and Message in (event_types)\n | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId\n | where UserId !in (excluded_accounts))\n on UserId\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This query detects identity administration events in Dataverse/Dynamics 365 made by accounts which are not members of privileged directory roles 'Dynamics 365 Admins', 'Power Platform Admins' or 'Global Admins" - }, - { - "name": "tactics", - "value": "PrivilegeEscalation" - }, - { - "name": "techniques", - "value": "T1078,T1078.004" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 6", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Identity management activity outside of privileged directory role membership", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse - Identity management changes without MFA_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_7", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Dataverse - Identity management changes without MFA", - "category": "Hunting Queries", - "query": "let event_types = dynamic(['Associate', 'Disassociate', 'Create', 'Delete', 'Upsert', 'Update']);\nlet excluded_accounts = dynamic(['cdsusermanagement@onmicrosoft.com', 'unknown', 'powervirtualagentsprod@onmicrosoft.com']);\nSigninLogs\n| where AuthenticationRequirement == \"singleFactorAuthentication\"\n| where ResourceIdentity == \"00000007-0000-0000-c000-000000000000\" or AppId == \"00000007-0000-0000-c000-000000000000\"\n| where ResultType == 0\n| summarize by UserId = tolower(UserPrincipalName)\n| join kind=inner (DataverseActivity\n | where EntityName =~ 'systemuser' and Message in (event_types)\n | project TimeGenerated, UserId = tolower(UserId), ClientIp, InstanceUrl, OriginalObjectId\n | where UserId !in (excluded_accounts))\n on UserId\n| extend CloudAppId = int(32780),\n AccountName = tostring(split(UserId, '@')[0]),\n UPNSuffix = tostring(split(UserId, '@')[1])\n| project\n TimeGenerated,\n UserId,\n ClientIp,\n OriginalObjectId,\n InstanceUrl,\n CloudAppId,\n AccountName,\n UPNSuffix\n", - "version": 2, - "tags": [ - { - "name": "description", - "value": "This query is used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA" - }, - { - "name": "tactics", - "value": "InitialAccess" - }, - { - "name": "techniques", - "value": "T1078,T0819,T1078.004" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 7", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject3').parserTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MSBizAppsOrgSettings Data Parser with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject3').parserVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject3')._parserName3]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "MSBizAppsOrgSettings", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsOrgSettings", + "query": "datatable (Field: string, DisplayName: string, Description: string)[\n \"ACIWebEndpointUrl\", \"ACI Tenant URL.\", \"ACI Web Endpoint URL.\",\n \"AcknowledgementTemplateId\", \"Acknowledgement Template\", \"Unique identifier of the template to be used for acknowledgement when a user unsubscribes.\",\n \"ActivityTypeFilter\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether filtering activity based on entity in app.\",\n \"ActivityTypeFilterV2\", \"Show only activities configured in the app when accessing 'New activity' button\", \"Whether to show only activities configured in this app or all activities in the 'New activity' button.\",\n \"AdvancedColumnEditorEnabled\", \"Advanced column editor enabled\", \"Flag to indicate if the display column options on a view in model-driven apps is enabled\",\n \"AdvancedColumnFilteringEnabled\", \"Advanced column filtering enabled\", \"Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled\",\n \"AdvancedFilteringEnabled\", \"Advanced filtering enabled\", \"Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled\",\n \"AdvancedLookupEnabled\", \"Advanced lookup enabled\", \"Flag to indicate if the Advanced Lookup feature is enabled for lookup controls\",\n \"AdvancedLookupInEditFilter\", \"Enable Advanced Lookup In Edit Filter\", \"Enables advanced lookup in grid edit filter panel\",\n \"AllowAddressBookSyncs\", \"Allow Address Book Synchronization\", \"Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowApplicationUserAccess\", \"Allow All Application Users Access.\", \"Information that specifies whether all application users are allowed to access the environment\",\n \"AllowAutoResponseCreation\", \"Allow Automatic Response Creation\", \"Indicates whether automatic response creation is allowed.\",\n \"AllowAutoUnsubscribe\", \"Allow Automatic Unsubscribe\", \"Indicates whether automatic unsubscribe is allowed.\",\n \"AllowAutoUnsubscribeAcknowledgement\", \"Allow Automatic Unsubscribe Acknowledgement\", \"Indicates whether automatic unsubscribe acknowledgement email is allowed to send.\",\n \"AllowClientMessageBarAd\", \"Allow Outlook Client Message Bar Advertisement\", \"Indicates whether Outlook Client message bar advertisement is allowed.\",\n \"AllowConnectorsOnPowerFXActions\", \"Enable connectors on power fx actions.\", \"Information on whether connectors on power fx actions is enabled.\",\n \"AllowedIpRangeForFirewall\", \"List of IP Ranges to be allowed by the firewall rule\", \"Information that specifies the range of IP addresses that are in allow list for the firewall.\",\n \"AllowedIpRangeForStorageAccessSignatures\", \"List of IP Ranges to be allowed for generating the SAS URIs.\", \"Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.\",\n \"AllowedMimeTypes\", \"List of allowed mime types.\", \"Allow upload or download of certain mime types.\",\n \"AllowedServiceTagsForFirewall\", \"List of Service Tags to be allowed by the firewall rule\", \"Information that specifies the List of Service Tags that should be allowed by the firewall.\",\n \"AllowEntityOnlyAudit\", \"Allow Entity Level Auditing\", \"Indicates whether auditing of changes to entity is allowed when no attributes have changed.\",\n \"AllowLeadingWildcardsInGridSearch\", \"Allow Leading Wildcards In Grid Search\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLeadingWildcardsInQuickFind\", \"Allow Leading Wildcards In Quick Find\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLegacyClientExperience\", \"Enable access to legacy web client UI\", \"Enable access to legacy web client UI\",\n \"AllowLegacyDialogsEmbedding\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\",\n \"AllowMarketingEmailExecution\", \"Allow Marketing Email Execution\", \"Indicates whether marketing emails execution is allowed.\",\n \"AllowMicrosoftTrustedServiceTags\", \"Allow Microsoft Trusted Service Tags\", \"Information that specifies whether Microsoft Trusted Service Tags are allowed\",\n \"AllowOfflineScheduledSyncs\", \"Allow Offline Scheduled Synchronization\", \"Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowOutlookScheduledSyncs\", \"Allow Scheduled Synchronization\", \"Indicates whether scheduled synchronizations to Outlook are allowed.\",\n \"AllowRedirectAdminSettingsToModernUI\", \"Allow Redirect Legacy Admin Settings To Modern UI\", \"Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI\",\n \"AllowUnresolvedPartiesOnEmailSend\", \"Allow Unresolved Address Email Send\", \"Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).\",\n \"AllowUserFormModePreference\", \"Allow User Form Mode Preference\", \"Indicates whether individuals can select their form mode preference in their personal options.\",\n \"AllowUsersHidingSystemViews\", \"Allow users hiding system views\", \"Flag to indicate if allow end users to hide system views in model-driven apps is enabled\",\n \"AllowUsersSeeAppdownloadMessage\", \"Allow the showing tablet application notification bars in a browser.\", \"Indicates whether the showing tablet application notification bars in a browser is allowed.\",\n \"AllowWebExcelExport\", \"Allow Export to Excel\", \"Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.\",\n \"AMDesignator\", \"AM Designator\", \"AM designator to use throughout Microsoft Dynamics CRM.\",\n \"AppDesignerExperienceEnabled\", \"Enable App Designer Experience for this Organization\", \"Indicates whether the appDesignerExperience is enabled for the organization.\",\n \"AppointmentRichEditorExperience\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether rich editing experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeeting\", \"Enable teams Meeting experience for appointment\", \"Information on whether Teams meeting experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeetingV2\", \"Enable Teams meetings for appointments\", \"Whether Teams meetings experience for appointments is enabled.\",\n \"AuditRetentionPeriod\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AuditRetentionPeriodV2\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AutoApplyDefaultonCaseCreate\", \"Auto Apply Default Entitlement on Case Create\", \"Select whether to auto apply the default customer entitlement on case creation.\",\n \"AutoApplyDefaultonCaseUpdate\", \"Auto Apply Default Entitlement on Case Update\", \"Select whether to auto apply the default customer entitlement on case update.\",\n \"AutoApplySLA\", \"Is Auto-apply SLA After Manually Over-riding\", \"Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.\",\n \"AzureSchedulerJobCollectionName\", \"For internal use only.\", \"For internal use only.\",\n \"BaseCurrencyId\", \"Currency\", \"Unique identifier of the base currency of the organization.\",\n \"BingMapsApiKey\", \"Bing Maps API Key\", \"Api Key to be used in requests to Bing Maps services.\",\n \"BlockedAttachments\", \"Block Attachments\", \"Prevent upload or download of certain attachment types that are considered dangerous.\",\n \"BlockedMimeTypes\", \"List of blocked mime types.\", \"Prevent upload or download of certain mime types that are considered dangerous.\",\n \"BoundDashboardDefaultCardExpanded\", \"Display cards in expanded state for Interactive Dashboard\", \"Display cards in expanded state for interactive dashboard\",\n \"BulkOperationPrefix\", \"Bulk Operation Prefix\", \"Prefix used for bulk operation numbering.\",\n \"BusinessCardOptions\", \"Enable New BusinessCardOptions\", \"BusinessCardOptions\",\n \"BusinessClosureCalendarId\", \"Business Closure Calendar\", \"Unique identifier of the business closure calendar of organization.\",\n \"CalendarType\", \"Calendar Type\", \"Calendar type for the system. Set to Gregorian US by default.\",\n \"CampaignPrefix\", \"Campaign Prefix\", \"Prefix used for campaign numbering.\",\n \"CanOptOutNewSearchExperience\", \"Can disable Oct 2020 Search\", \"Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)\",\n \"CascadeStatusUpdate\", \"Cascade Status Update\", \"Flag to cascade Update on incident.\",\n \"CasePrefix\", \"Case Prefix\", \"Prefix to use for all cases throughout Microsoft Dynamics 365.\",\n \"CategoryPrefix\", \"Category Prefix\", \"Type the prefix to use for all categories in Microsoft Dynamics 365.\",\n \"ClientFeatureSet\", \"Client Feature Set\", \"Client Features to be enabled as an XML BLOB.\",\n \"ContentSecurityPolicyConfiguration\", \"Content Security Policy Configuration\", \"Policy configuration for CSP\",\n \"ContentSecurityPolicyConfigurationForCanvas\", \"Content Security Policy Configuration for Canvas apps\", \"Content Security Policy configuration for Canvas apps.\",\n \"ContentSecurityPolicyOptions\", \"Content Security Policy Options\", \"Content Security Policy Options.\",\n \"ContentSecurityPolicyReportUri\", \"Content Security Policy Report Uri\", \"Content Security Policy Report Uri.\",\n \"ContractPrefix\", \"Contract Prefix\", \"Prefix to use for all contracts throughout Microsoft Dynamics 365.\",\n \"CopresenceRefreshRate\", \"CopresenceRefreshRate\", \"Refresh rate for copresence data in seconds.\",\n \"CortanaProactiveExperienceEnabled\", \"Enable Cortana Proactive Experience Flow processes for this Organization\", \"Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.\",\n \"CreateProductsWithoutParentInActiveState\", \"Enable Active Initial Product State\", \"Enable Initial state of newly created products to be Active instead of Draft\",\n \"CurrencyDecimalPrecision\", \"Currency Decimal Precision\", \"Number of decimal places that can be used for currency.\",\n \"CurrencyDisplayOption\", \"Display Currencies Using\", \"Indicates whether to display money fields with currency code or currency symbol.\",\n \"CurrencyFormatCode\", \"Currency Format Code\", \"Information about how currency symbols are placed throughout Microsoft Dynamics CRM.\",\n \"CurrencySymbol\", \"Currency Symbol\", \"Symbol used for currency throughout Microsoft Dynamics 365.\",\n \"CurrentBulkOperationNumber\", \"Current Bulk Operation Number\", \"Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCampaignNumber\", \"Current Campaign Number\", \"Current campaign number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCaseNumber\", \"Current Case Number\", \"First case number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCategoryNumber\", \"Current Category Number\", \"Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentContractNumber\", \"Current Contract Number\", \"First contract number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentInvoiceNumber\", \"Current Invoice Number\", \"First invoice number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKaNumber\", \"Current Knowledge Article Number\", \"Enter the first number to use for knowledge articles. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKbNumber\", \"Current Article Number\", \"First article number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentOrderNumber\", \"Current Order Number\", \"First order number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentQuoteNumber\", \"Current Quote Number\", \"First quote number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"DateFormatCode\", \"Date Format Code\", \"Information about how the date is displayed throughout Microsoft CRM.\",\n \"DateFormatString\", \"Date Format String\", \"String showing how the date is displayed throughout Microsoft CRM.\",\n \"DateSeparator\", \"Date Separator\", \"Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.\",\n \"DaysBeforeEmailDescriptionIsMigrated\", \"Number of days before we migrate email description to blob.\", \"Number of days before we migrate email description to blob.\",\n \"DaysBeforeInactiveTeamsChatSyncDisabled\", \"Days Before Inactive Teams Chat Sync Disabled\", \"Days of inactivity before sync is disabled for a Teams Chat.\",\n \"DecimalSymbol\", \"Decimal Symbol\", \"Symbol used for decimal in Microsoft Dynamics 365.\",\n \"DefaultCountryCode\", \"Default Country Code\", \"Text area to enter default country code.\",\n \"DefaultCrmCustomName\", \"Name of the default app\", \"Name of the default crm custom.\",\n \"DefaultEmailServerProfileId\", \"Email Server Profile\", \"Unique identifier of the default email server profile.\",\n \"DefaultEmailSettings\", \"Default Email Settings\", \"XML string containing the default email settings that are applied when a user or queue is created.\",\n \"DefaultMobileOfflineProfileId\", \"Default Mobile Offline Profile\", \"Unique identifier of the default mobile offline profile.\",\n \"DefaultRecurrenceEndRangeType\", \"Default Recurrence End Range Type\", \"Type of default recurrence end range date.\",\n \"DefaultThemeData\", \"Default Theme Data\", \"Default theme data for the organization.\",\n \"DelegatedAdminUserId\", \"Delegated Admin\", \"Unique identifier of the delegated admin user for the organization.\",\n \"DisableSocialCare\", \"Is Social Care disabled\", \"Indicates whether Social Care is disabled.\",\n \"DiscountCalculationMethod\", \"Discount calculation method\", \"Discount calculation method for the QOOI product.\",\n \"DisplayNavigationTour\", \"Display Navigation Tour\", \"Indicates whether or not navigation tour is displayed.\",\n \"EmailConnectionChannel\", \"Email Connection Channel\", \"Select if you want to use the Email Router or server-side synchronization for email processing.\",\n \"EmailCorrelationEnabled\", \"Use Email Correlation\", \"Flag to turn email correlation on or off.\",\n \"EmailSendPollingPeriod\", \"Email Send Polling Frequency\", \"Normal polling frequency used for sending email in Microsoft Office Outlook.\",\n \"EnableAsyncMergeAPIForUCI\", \"Asynchronous merge enabled for UCI\", \"Determines whether records merged through the merge dialog in UCI are merged asynchronously\",\n \"EnableBingMapsIntegration\", \"Enable Integration with Bing Maps\", \"Enable Integration with Bing Maps\",\n \"EnableCanvasAppsInSolutionsByDefault\", \"Enable the creation of Canvas apps in Dataverse / Solution by default\", \"Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.\",\n \"EnableFlowsInSolutionByDefault\", \"Enable the creation of flows within a solution by default.\", \"Indicates whether the creation of flows is within a solution by default for this organization.\",\n \"EnableFlowsInSolutionByDefaultGracePeriod\", \"Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.\", \"Organizations with this attribute set to true will be granted a grace period and excluded from the initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.\",\n \"EnableImmersiveSkypeIntegration\", \"Enable Integration with Immersive Skype\", \"Enable Integration with Immersive Skype\",\n \"EnableIpBasedCookieBinding\", \"Enable IP Address Based Cookie Binding\", \"Information that specifies whether IP based cookie binding is enabled\",\n \"EnableIpBasedFirewallRule\", \"Enable IP Range based Firewall\", \"Information that specifies whether IP based firewall rule is enabled\",\n \"EnableIpBasedFirewallRuleInAuditMode\", \"Enable IP Range based Firewall In Audit Only Mode\", \"Information that specifies whether IP based firewall rule is enabled in Audit Only Mode\",\n \"EnableIpBasedStorageAccessSignatureRule\", \"Enable IP SAS URI generation rule\", \"Information that specifies whether IP based SAS URI generation rule is enabled\",\n \"EnableLivePersonaCardUCI\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\",\n \"EnableLivePersonCardIntegrationInOffice\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\",\n \"EnableLPAuthoring\", \"Enable Learning Path Authoring\", \"Select to enable learning path auhtoring.\",\n \"EnableMakerSwitchToClassic\", \"Switch Maker Portal to Classic\", \"Control whether the organization Switch Maker Portal to Classic\",\n \"EnableMicrosoftFlowIntegration\", \"Enable Integration with Microsoft Flow\", \"Enable Integration with Microsoft Flow\",\n \"EnablePricingOnCreate\", \"Enable Pricing On Create\", \"Enable pricing calculations on a Create call.\",\n \"EnableSmartMatching\", \"Enable Smart Matching\", \"Use Smart Matching.\",\n \"EnableUnifiedClientCDN\", \"Enable UCI CDN for organization\", \"Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.\",\n \"EnableUnifiedInterfaceShellRefresh\", \"Enable site map and commanding update\", \"Enable site map and commanding update\",\n \"EnforceReadOnlyPlugins\", \"Organization setting to enforce read only plugins.\", \"Organization setting to enforce read only plugins.\",\n \"EntityImage\", \"Entity Image\", \"The default image for the entity.\",\n \"ExpireChangeTrackingInDays\", \"Days to Expire Change Tracking Deleted Records\", \"Maximum number of days to keep change tracking deleted records\",\n \"ExpireSubscriptionsInDays\", \"Days to Expire Subscriptions\", \"Maximum number of days before deleting inactive subscriptions.\",\n \"ExternalBaseUrl\", \"External Base URL\", \"Specify the base URL to use to look for external document suggestions.\",\n \"ExternalPartyCorrelationKeys\", \"ExternalPartyEnabled Entities correlation Keys\", \"XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only\",\n \"ExternalPartyEntitySettings\", \"ExternalPartyEnabled Entities Settings.For internal use only\", \"XML string containing the ExternalPartyEnabled entities settings.\",\n \"FeatureSet\", \"Feature Set\", \"Features to be enabled as an XML BLOB.\",\n \"FiscalCalendarStart\", \"Fiscal Calendar Start\", \"Start date for the fiscal period that is to be used throughout Microsoft CRM.\",\n \"FiscalPeriodFormat\", \"Fiscal Period Format\", \"Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.\",\n \"FiscalPeriodFormatPeriod\", \"Format for Fiscal Period\", \"Format in which the fiscal period will be displayed.\",\n \"FiscalPeriodType\", \"Fiscal Period Type\", \"Type of fiscal period used throughout Microsoft CRM.\",\n \"FiscalYearDisplayCode\", \"Fiscal Year Display\", \"Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.\",\n \"FiscalYearFormat\", \"Fiscal Year Format\", \"Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.\",\n \"FiscalYearFormatPrefix\", \"Prefix for Fiscal Year\", \"Prefix for the display of the fiscal year.\",\n \"FiscalYearFormatSuffix\", \"Suffix for Fiscal Year\", \"Suffix for the display of the fiscal year.\",\n \"FiscalYearFormatYear\", \"Fiscal Year Format Year\", \"Format for the year.\",\n \"FiscalYearPeriodConnect\", \"Fiscal Year Period Connector\", \"Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.\",\n \"FullNameConventionCode\", \"Full Name Display Order\", \"Order in which names are to be displayed throughout Microsoft CRM.\",\n \"FutureExpansionWindow\", \"Future Expansion Window\", \"Specifies the maximum number of months in future for which the recurring activities can be created.\",\n \"GenerateAlertsForErrors\", \"Generate Alerts For Errors\", \"Indicates whether alerts will be generated for errors.\",\n \"GenerateAlertsForInformation\", \"Generate Alerts For Information\", \"Indicates whether alerts will be generated for information.\",\n \"GenerateAlertsForWarnings\", \"Generate Alerts For Warnings\", \"Indicates whether alerts will be generated for warnings.\",\n \"GetStartedPaneContentEnabled\", \"Is Get Started Pane Content Enabled\", \"Indicates whether Get Started content is enabled for this organization.\",\n \"GlobalAppendUrlParametersEnabled\", \"Is AppendUrl Parameters enabled\", \"Indicates whether the append URL parameters is enabled.\",\n \"GlobalHelpUrl\", \"Global Help URL.\", \"URL for the web page global help.\",\n \"GlobalHelpUrlEnabled\", \"Is Customizable Global Help enabled\", \"Indicates whether the customizable global help is enabled.\",\n \"GoalRollupExpiryTime\", \"Rollup Expiration Time for Goal\", \"Number of days after the goal's end date after which the rollup of the goal stops automatically.\",\n \"GoalRollupFrequency\", \"Automatic Rollup Frequency for Goal\", \"Number of hours between automatic rollup jobs .\",\n \"GrantAccessToNetworkService\", \"Grant Access To Network Service\", \"For internal use only.\",\n \"HashDeltaSubjectCount\", \"Hash Delta Subject Count\", \"Maximum difference allowed between subject keywords count of the email messaged to be correlated\",\n \"HashFilterKeywords\", \"Hash Filter Keywords\", \"Filter Subject Keywords\",\n \"HashMaxCount\", \"Hash Max Count\", \"Maximum number of subject keywords or recipients used for correlation\",\n \"HashMinAddressCount\", \"Hash Min Address Count\", \"Minimum number of recipients required to match for email messaged to be correlated\",\n \"HighContrastThemeData\", \"High contrast Theme Data\", \"High contrast theme data for the organization.\",\n \"IgnoreInternalEmail\", \"Ignore Internal Email\", \"Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.\",\n \"ImproveSearchLoggingEnabled\", \"Share search query data\", \"Indicates whether an organization has consented to sharing search query data to help improve search results\",\n \"InactivityTimeoutEnabled\", \"Inactivity timeout enabled\", \"Information that specifies whether Inactivity timeout is enabled\",\n \"InactivityTimeoutInMins\", \"Inactivity timeout in minutes\", \"Inactivity timeout in minutes\",\n \"InactivityTimeoutReminderInMins\", \"Inactivity timeout reminder in minutes\", \"Inactivity timeout reminder in minutes\",\n \"IncomingEmailExchangeEmailRetrievalBatchSize\", \"Exchange Email Retrieval Batch Size\", \"Setting for the Async Service Mailbox Queue. Defines the retrieval batch size of exchange server.\",\n \"InitialVersion\", \"Initial Version\", \"Initial version of the organization.\",\n \"IntegrationUserId\", \"Integration User\", \"Unique identifier of the integration user for the organization.\",\n \"InvoicePrefix\", \"Invoice Prefix\", \"Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.\",\n \"IpBasedStorageAccessSignatureMode\", \"IP Based SAS mode\", \"IP Based SAS mode.\",\n \"IsActionCardEnabled\", \"Enable Action Card for this Organization\", \"Indicates whether the feature Action Card should be enabled for the organization.\",\n \"IsActionSupportFeatureEnabled\", \"Action Support Feature enabled\", \"Information that specifies whether Action Support Feature is enabled\",\n \"IsActivityAnalysisEnabled\", \"Enable Relationship Analytics for this Organization\", \"Indicates whether the feature Relationship Analytics should be enabled for the organization.\",\n \"IsAppMode\", \"Is Application Mode Enabled\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsAppointmentAttachmentSyncEnabled\", \"Is Attachment Sync Enabled\", \"Enable or disable attachments sync for outlook and exchange.\",\n \"IsAssignedTasksSyncEnabled\", \"Is Assigned Tasks Sync Enabled\", \"Enable or disable assigned tasks sync for outlook and exchange.\",\n \"IsAuditEnabled\", \"Is Auditing Enabled\", \"Enable or disable auditing of changes.\",\n \"IsAutoDataCaptureEnabled\", \"Enable Auto Capture for this Organization\", \"Indicates whether the feature Auto Capture should be enabled for the organization.\",\n \"IsAutoDataCaptureV2Enabled\", \"Enable Auto Capture V2 for this Organization\", \"Indicates whether the V2 feature of Auto Capture should be enabled for the organization.\",\n \"IsAutoInstallAppForD365InTeamsEnabled\", \"IsAutoInstallAppForD365InTeamsEnabled\", \"\",\n \"IsAutoSaveEnabled\", \"Auto Save Enabled\", \"Information on whether auto save is enabled.\",\n \"IsBaseCardStaticFieldDataEnabled\", \"IsBaseCardStaticFieldDataEnabled\", \"\",\n \"IsBasicGeospatialIntegrationEnabled\", \"Enable the basic Geospatial features in Canvas Apps\", \"Determines whether users can make use of basic Geospatial featuers in Canvas apps.\",\n \"IsBPFEntityCustomizationFeatureEnabled\", \"BPF Entity Customization Feature enabled\", \"Information that specifies whether BPF Entity Customization Feature is enabled\",\n \"IsCollaborationExperienceEnabled\", \"IsCollaborationExperienceEnabled\", \"\",\n \"IsConflictDetectionEnabledForMobileClient\", \"Is Conflict Detection for Mobile Client enabled\", \"Information that specifies whether conflict detection for mobile client is enabled.\",\n \"IsContactMailingAddressSyncEnabled\", \"Is Mailing Address Sync Enabled\", \"Enable or disable mailing address sync for outlook and exchange.\",\n \"IsContentSecurityPolicyEnabled\", \"Enable Content Security Policy for this organization\", \"Indicates whether Content Security Policy has been enabled for the organization.\",\n \"IsContentSecurityPolicyEnabledForCanvas\", \"Enable Content Security Policy for this organization's Canvas apps\", \"Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.\",\n \"IsContextualEmailEnabled\", \"Indicates whether Contextual email experience is enabled on this organization\", \"Indicates whether Contextual email experience is enabled on this organization\",\n \"IsContextualHelpEnabled\", \"Enables Contextual Help in UCI\", \"Select to enable Contextual Help in UCI.\",\n \"IsCopilotFeedbackEnabled\", \"Allow users to provide feedback for App Copilot\", \"Determines whether users can provide feedback for App Copilot.\",\n \"IsCustomControlsInCanvasAppsEnabled\", \"Enable Custom Controls in canvas PowerApps feature for this organization\", \"Indicates whether Custom Controls in canvas PowerApps feature has been enabled for the organization.\",\n \"IsDefaultCountryCodeCheckEnabled\", \"Enable or disable country code selection\", \"Enable or disable country code selection.\",\n \"IsDelegateAccessEnabled\", \"Is Delegation Access Enabled\", \"Enable Delegation Access content\",\n \"IsDelveActionHubIntegrationEnabled\", \"Enable Action Hub for this Organization\", \"Indicates whether the feature Action Hub should be enabled for the organization.\",\n \"IsDesktopFlowSchemaV2Enabled\", \"Enable v2 schema for Desktop Flows in this organization.\", \"Indicates whether v2 schema for Desktop Flows is enabled in this organization.\",\n \"IsDuplicateDetectionEnabled\", \"Is Duplicate Detection Enabled\", \"Indicates whether duplicate detection of records is enabled.\",\n \"IsDuplicateDetectionEnabledForImport\", \"Is Duplicate Detection Enabled For Import\", \"Indicates whether duplicate detection of records during import is enabled.\",\n \"IsDuplicateDetectionEnabledForOfflineSync\", \"Is Duplicate Detection Enabled For Offline Synchronization\", \"Indicates whether duplicate detection of records during offline synchronization is enabled.\",\n \"IsDuplicateDetectionEnabledForOnlineCreateUpdate\", \"Is Duplicate Detection Enabled for Online Create/Update\", \"Indicates whether duplicate detection during online create or update is enabled.\",\n \"IsEmailAddressValidationEnabled\", \"Enable Smart Email Address Validation.\", \"Information on whether Smart Email Address Validation is enabled.\",\n \"IsEmailMonitoringAllowed\", \"Allow tracking recipient activity on sent emails\", \"Allow tracking recipient activity on sent emails.\",\n \"IsEmailServerProfileContentFilteringEnabled\", \"Is Email Server Profile Content Filtering Enabled\", \"Enable Email Server Profile content filtering\",\n \"IsEnabledForAllRoles\", \"option set values for isenabledforallroles\", \"Indicates whether appmodule is enabled for all roles\",\n \"IsExternalFileStorageEnabled\", \"Enable external file storage\", \"Indicates whether the organization's files are being stored in Azure.\",\n \"IsExternalSearchIndexEnabled\", \"Enable external search data syncing\", \"Select whether data can be synchronized with an external search index.\",\n \"IsFiscalPeriodMonthBased\", \"Is Fiscal Period Monthly\", \"Indicates whether the fiscal period is displayed as the month number.\",\n \"IsFolderAutoCreatedonSP\", \"Automatically create folders\", \"Select whether folders should be automatically created on SharePoint.\",\n \"IsFolderBasedTrackingEnabled\", \"Is Folder Based Tracking Enabled\", \"Enable or disable folder based tracking for Server Side Sync.\",\n \"IsFullTextSearchEnabled\", \"Enable Full-text search for Quick Find\", \"Indicates whether full-text search for Quick Find entities should be enabled for the organization.\",\n \"IsGeospatialAzureMapsIntegrationEnabled\", \"Enable geospatial Azure Maps integration.\", \"Indicates whether geospatial capabilities leveraging Azure Maps are enabled.\",\n \"IsHierarchicalSecurityModelEnabled\", \"Enable Hierarchical Security Model\", \"Enable Hierarchical Security Model\",\n \"IsIdeasDataCollectionEnabled\", \"Enable Ideas data collection.\", \"Indicates whether data collection for ideas in canvas PowerApps has been enabled.\",\n \"IsLUISEnabledforD365Bot\", \"LUIS Consent for Dynamics 365 Bot\", \"Give Consent to use LUIS in Dynamics 365 Bot\",\n \"IsMailboxForcedUnlockingEnabled\", \"Is Mailbox Forced Unlocking Enabled\", \"Enable or disable forced unlocking for Server Side Sync mailboxes.\",\n \"IsMailboxInactiveBackoffEnabled\", \"Is Mailbox Keep Alive Enabled\", \"Enable or disable mailbox keep alive for Server Side Sync.\",\n \"IsManualSalesForecastingEnabled\", \"Enable Manual Sales Forecasting feature for this organization\", \"Indicates whether Manual Sales Forecasting feature has been enabled for the organization.\",\n \"IsMobileClientOnDemandSyncEnabled\", \"Is Mobile Client On Demand Sync enabled\", \"Information that specifies whether mobile client on demand sync is enabled.\",\n \"IsMobileOfflineEnabled\", \"Enable MobileOffline for this Organization\", \"Indicates whether the feature MobileOffline should be enabled for the organization.\",\n \"IsModelDrivenAppsInMSTeamsEnabled\", \"Enable embedding Model Apps in Microsoft Teams\", \"Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.\",\n \"IsMSTeamsCollaborationEnabled\", \"Enable Microsoft Teams Collaboration for this organization\", \"Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.\",\n \"IsMSTeamsEnabled\", \"Enable Microsoft Teams integration\", \"Indicates whether Microsoft Teams integration has been enabled for the organization.\",\n \"IsMSTeamsSettingChangedByUser\", \"Microsoft Teams integration changed by user\", \"Indicates whether the user has enabled or disabled Microsoft Teams integration.\",\n \"IsMSTeamsUserSyncEnabled\", \"Enable Microsoft Teams User Sync for this organization\", \"Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.\",\n \"IsNewAddProductExperienceEnabled\", \"Indicates whether new add product experience is enabled in opportunity form\", \"Indicates whether new add product experience is enabled.\",\n \"IsNotesAnalysisEnabled\", \"Enable Notes Analysis for this Organization\", \"Indicates whether the feature Notes Analysis should be enabled for the organization.\",\n \"IsNotificationForD365InTeamsEnabled\", \"IsNotificationForD365InTeamsEnabled\", \"\",\n \"IsOfficeGraphEnabled\", \"Enable OfficeGraph for this Organization\", \"Indicates whether the feature OfficeGraph should be enabled for the organization.\",\n \"IsOneDriveEnabled\", \"Enable One Drive for this Organization\", \"Indicates whether the feature One Drive should be enabled for the organization.\",\n \"IsPAIEnabled\", \"Enable PAI feature for this organization\", \"Indicates whether PAI feature has been enabled for the organization.\",\n \"IsPDFGenerationEnabled\", \"Enable PDF Generation feature for this organization\", \"Indicates whether PDF Generation feature has been enabled for the organization.\",\n \"IsPlaybookEnabled\", \"Enable playbook feature for this organization\", \"Indicates whether playbook feature has been enabled for the organization.\",\n \"IsPresenceEnabled\", \"Presence Enabled\", \"Information on whether IM presence is enabled.\",\n \"IsPreviewEnabledForActionCard\", \"Enable Preview Action Card feature for this Organization\", \"Indicates whether the Preview feature for Action Card should be enabled for the organization.\",\n \"IsPreviewForAutoCaptureEnabled\", \"Enable Auto Capture for this Organization at Preview Settings\", \"Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.\",\n \"IsPreviewForEmailMonitoringAllowed\", \"Allows Preview For Email Monitoring\", \"Is Preview For Email Monitoring Allowed.\",\n \"IsPriceListMandatory\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities.\",\n \"IsQuickCreateEnabledForOpportunityClose\", \"Enable quick create form for opportunity close feature for this organization\", \"Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.\",\n \"IsReadAuditEnabled\", \"Is Read Auditing Enabled\", \"Enable or disable auditing of read operations.\",\n \"IsRelationshipInsightsEnabled\", \"Enable Relationship Insights for this Organization\", \"Indicates whether the feature Relationship Insights should be enabled for the organization.\",\n \"IsResourceBookingExchangeSyncEnabled\", \"Resource booking synchronization enabled\", \"Indicates if the synchronization of user resource booking with Exchange is enabled at organization level.\",\n \"IsRichTextNotesEnabled\", \"Indicates whether rich text editor for notes experience is enabled on this organization\", \"Indicates whether rich text editor for notes experience is enabled on this organization\",\n \"IsRpaAutoscaleAadJoinEnabled\", \"Enable AAD Join for RPA Autoscale feature for this organization.\", \"Indicates whether AAD Join for RPA Autoscale is enabled in this organization..\",\n \"IsRpaAutoscaleEnabled\", \"Enable RPA Autoscale feature for this organization\", \"Indicates whether Autoscale feature for RPA is enabled in this organization.\",\n \"IsRpaBoxCrossGeoEnabled\", \"Enable RPA Box cross geo feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.\",\n \"IsRpaBoxEnabled\", \"Enable RPA Box feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization.\",\n \"IsRpaUnattendedEnabled\", \"Enable RPA Unattended feature for this organization\", \"Indicates whether Unattended runs feature for RPA is enabled in this organization.\",\n \"IsSalesAssistantEnabled\", \"Enable Sales Assistant mobile app\", \"Indicates whether Sales Assistant mobile app has been enabled for the organization.\",\n \"IsSharingInOrgAllowed\", \"IsSharingInOrgAllowed\", \"\",\n \"IsSOPIntegrationEnabled\", \"Is Sales Order Integration Enabled\", \"Enable sales order processing integration.\",\n \"IsTextWrapEnabled\", \"Enable Text Wrap\", \"Information on whether text wrap is enabled.\",\n \"IsUserAccessAuditEnabled\", \"Is User Access Auditing Enabled\", \"Enable or disable auditing of user access.\",\n \"ISVIntegrationCode\", \"ISV Integration Mode\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsWriteInProductsAllowed\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.\",\n \"KaPrefix\", \"Knowledge Article Prefix\", \"Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.\",\n \"KbPrefix\", \"Article Prefix\", \"Prefix to use for all articles in Microsoft Dynamics 365.\",\n \"KMSettings\", \"Knowledge Management Settings\", \"XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.\",\n \"LanguageCode\", \"Language\", \"Preferred language for the organization.\",\n \"LocaleId\", \"Locale\", \"Unique identifier of the locale of the organization.\",\n \"LongDateFormatCode\", \"Long Date Format\", \"Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.\",\n \"LookupCharacterCountBeforeResolve\", \"Minimum number of characters before resolving suggestions in lookup\", \"Minimum number of characters that should be entered in the lookup control before resolving for suggestions\",\n \"LookupResolveDelayMS\", \"Minimum delay (in milliseconds) for debouncing lookup control input\", \"Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions\",\n \"MailboxIntermittentIssueMinRange\", \"Lower Threshold For Mailbox Intermittent Issue\", \"Lower Threshold For Mailbox Intermittent Issue.\",\n \"MailboxPermanentIssueMinRange\", \"Lower Threshold For Mailbox Permanent Issue.\", \"Lower Threshold For Mailbox Permanent Issue.\",\n \"MaxActionStepsInBPF\", \"Maximum number of actionsteps allowed in a BPF\", \"Maximum number of actionsteps allowed in a BPF\",\n \"MaxAllowedPendingRollupJobCount\", \"MaxAllowedPendingRollupJobCount\", \"Maximum Allowed Pending Rollup Job Count\",\n \"MaxAllowedPendingRollupJobPercentage\", \"MaxAllowedPendingRollupJobPercentage\", \"Percentage Of Entity Table Size For Kicking Off Bootstrap Job\",\n \"MaxAppointmentDurationDays\", \"Max Appointment Duration\", \"Maximum number of days an appointment can last.\",\n \"MaxConditionsForMobileOfflineFilters\", \"Maximum number of conditions allowed for mobile offline filters\", \"Maximum number of conditions allowed for mobile offline filters\",\n \"MaxDepthForHierarchicalSecurityModel\", \"Maximum depth for hierarchy security propagation.\", \"Maximum depth for hierarchy security propagation.\",\n \"MaxFolderBasedTrackingMappings\", \"Max Folder Based Tracking Mappings\", \"Maximum number of Folder Based Tracking mappings user can add\",\n \"MaximumActiveBusinessProcessFlowsAllowedPerEntity\", \"Maximum active business process flows per entity\", \"Maximum number of active business process flows allowed per entity\",\n \"MaximumDynamicPropertiesAllowed\", \"Product Properties Item Limit\", \"Restrict the maximum number of product properties for a product family/bundle\",\n \"MaximumEntitiesWithActiveSLA\", \"Maximum number of active SLA allowed per entity in online\", \"Maximum number of active SLA allowed per entity in online\",\n \"MaximumSLAKPIPerEntityWithActiveSLA\", \"Maximum number of active SLA KPI allowed per entity in online\", \"Maximum number of SLA KPI per active SLA allowed for entity in online\",\n \"MaximumTrackingNumber\", \"Max Tracking Number\", \"Maximum tracking number before recycling takes place.\",\n \"MaxProductsInBundle\", \"Bundle Item Limit\", \"Restrict the maximum no of items in a bundle\",\n \"MaxRecordsForExportToExcel\", \"Max Records For Excel Export\", \"Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.\",\n \"MaxRecordsForLookupFilters\", \"Max Records Filter Selection\", \"Maximum number of lookup and picklist records that can be selected by user for filtering.\",\n \"MaxRollupFieldsPerEntity\", \"MaxRollupFieldsPerEntity\", \"Maximum Rollup Fields Per Entity\",\n \"MaxRollupFieldsPerOrg\", \"MaxRollupFieldsPerOrg\", \"Maximum Rollup Fields Per Organization\",\n \"MaxSLAItemsPerSLA\", \"Max SLA Items Per SLA\", \"\",\n \"MaxUploadFileSize\", \"Max Upload File Size\", \"Maximum allowed size of an attachment.\",\n \"MicrosoftFlowEnvironment\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\",\n \"MinAddressBookSyncInterval\", \"Min Address Synchronization Frequency\", \"Normal polling frequency used for address book synchronization in Microsoft Office Outlook.\",\n \"MinOfflineSyncInterval\", \"Min Offline Synchronization Frequency\", \"Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.\",\n \"MinOutlookSyncInterval\", \"Min Synchronization Frequency\", \"Minimum allowed time between scheduled Outlook synchronizations.\",\n \"MobileOfflineSyncInterval\", \"Sync interval for mobile offline.\", \"Sync interval for mobile offline.\",\n \"ModernAdvancedFindFiltering\", \"Modern advanced find filtering\", \"Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled\",\n \"ModernAppDesignerCoauthoringEnabled\", \"Coauthoring in Modern App Designer Enabled\", \"Indicates whether coauthoring is enabled in modern app designer\",\n \"MultiColumnSortEnabled\", \"Enable Multi Column Sort Editor In Views\", \"Show the sort by button on views\",\n \"Name\", \"Organization Name\", \"Name of the organization. The name is set when Microsoft CRM is installed and should not be changed.\",\n \"NaturalLanguageAssistFilter\", \"Natural Language Assist\", \"Enables Natural Language Assist Filter.\",\n \"NegativeCurrencyFormatCode\", \"Negative Currency Format\", \"Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.\",\n \"NegativeFormatCode\", \"Negative Format\", \"Information that specifies how negative numbers are displayed throughout Microsoft CRM.\",\n \"NewSearchExperienceEnabled\", \"Oct 2020 Search enabled\", \"Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization\",\n \"NextTrackingNumber\", \"Next Tracking Number\", \"Next token to be placed on the subject line of an email message.\",\n \"NotifyMailboxOwnerOfEmailServerLevelAlerts\", \"Notify Mailbox Owner Of Email Server Level Alerts\", \"Indicates whether mailbox owners will be notified of email server profile level alerts.\",\n \"NumberFormat\", \"Number Format\", \"Specification of how numbers are displayed throughout Microsoft CRM.\",\n \"NumberGroupFormat\", \"Number Grouping Format\", \"Specifies how numbers are grouped in Microsoft Dynamics 365.\",\n \"NumberSeparator\", \"Number Separator\", \"Symbol used for number separation in Microsoft Dynamics 365.\",\n \"OfficeAppsAutoDeploymentEnabled\", \"Enable Office Apps Auto Deployment for this Organization\", \"Indicates whether the Office Apps auto deployment is enabled for the organization.\",\n \"OfficeGraphDelveUrl\", \"The url to open the Delve\", \"The url to open the Delve for the organization.\",\n \"OOBPriceCalculationEnabled\", \"Enable OOB Price calculation\", \"Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.\",\n \"OptOutSchemaV2EnabledByDefault\", \"Opt-out of schema v2 being automatically enabled for this organization.\", \"Indicates if this organization will opt-out from automatically enabling schema v2 on the organization.\",\n \"OrderPrefix\", \"Order Prefix\", \"Prefix to use for all orders throughout Microsoft Dynamics 365.\",\n \"OrgDbOrgSettings\", \"Organization Database Organization Settings\", \"Organization settings stored in Organization Database.\",\n \"OrgInsightsEnabled\", \"Enable OrgInsights for this Organization\", \"Select whether to turn on OrgInsights for the organization.\",\n \"PaiPreviewScenarioEnabled\", \"Display Preview Feature for this organization\", \"Indicates whether Preview feature has been enabled for the organization.\",\n \"PastExpansionWindow\", \"Past Expansion Window\", \"Specifies the maximum number of months in past for which the recurring activities can be created.\",\n \"PcfDatasetGridEnabled\", \"Enable modern grids in model-driven apps\", \"Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.\",\n \"PerformACTSyncAfter\", \"PerformACTSyncAfter\", \"This setting contains the date time before an ACT sync can execute.\",\n \"Picture\", \"Picture\", \"For internal use only.\",\n \"PinpointLanguageCode\", \"\", \"\",\n \"PluginTraceLogSetting\", \"Plug-in Trace Log Setting\", \"Plug-in Trace Log Setting for the Organization.\",\n \"PMDesignator\", \"PM Designator\", \"PM designator to use throughout Microsoft Dynamics 365.\",\n \"PostMessageWhitelistDomains\", \"For internal use only.\", \"For internal use only.\",\n \"PowerAppsMakerBotEnabled\", \"Enable bot for makers.\", \"Indicates whether bot for makers is enabled.\",\n \"PowerBIAllowCrossRegionOperations\", \"Power BI allow cross region operations\", \"Indicates whether cross region operations are allowed for the organization\",\n \"PowerBIAutomaticPermissionsAssignment\", \"Power BI automatic permissions assignment\", \"Indicates whether automatic permissions assignment to Power BI has been enabled for the organization\",\n \"PowerBIComponentsCreate\", \"Power BI components creation\", \"Indicates whether creation of Power BI components has been enabled for the organization\",\n \"PowerBiFeatureEnabled\", \"Enable Power BI feature for this Organization\", \"Indicates whether the Power BI feature should be enabled for the organization.\",\n \"PricingDecimalPrecision\", \"Pricing Decimal Precision\", \"Number of decimal places that can be used for prices.\",\n \"PrivacyStatementUrl\", \"Privacy Statement URL\", \"Privacy Statement URL\",\n \"PrivilegeUserGroupId\", \"Privilege User Group\", \"Unique identifier of the default privilege for users in the organization.\",\n \"PrivReportingGroupId\", \"Privilege Reporting Group\", \"For internal use only.\",\n \"PrivReportingGroupName\", \"Privilege Reporting Group Name\", \"For internal use only.\",\n \"ProductRecommendationsEnabled\", \"Enable Product Recommendations for this Organization\", \"Select whether to turn on product recommendations for the organization.\",\n \"QualifyLeadAdditionalOptions\", \"Enable New Qualify Lead Experience with configuration MDD\", \"Indicates whether prompt should be shown for new Qualify Lead Experience\",\n \"QuickActionToOpenRecordsInSidePaneEnabled\", \"Enable quick actions to open records in search side pane\", \"Flag to indicate if the feature to use quick action to open records in search side pane is enabled\",\n \"QuickFindRecordLimitEnabled\", \"Quick Find Record Limit Enabled\", \"Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).\",\n \"QuotePrefix\", \"Quote Prefix\", \"Prefix to use for all quotes throughout Microsoft Dynamics 365.\",\n \"RecalculateSLA\", \"Indicates whether SLA Recalculation has been enabled for the organization\", \"Indicates whether SLA Recalculation has been enabled for the organization\",\n \"RecurrenceDefaultNumberOfOccurrences\", \"Recurrence Default Number of Occurrences\", \"Specifies the default value for number of occurrences field in the recurrence dialog.\",\n \"RecurrenceExpansionJobBatchInterval\", \"Recurrence Expansion Job Batch Interval\", \"Specifies the interval (in seconds) for pausing expansion job.\",\n \"RecurrenceExpansionJobBatchSize\", \"Recurrence Expansion On Demand Job Batch Size\", \"Specifies the value for number of instances created in on demand job in one shot.\",\n \"RecurrenceExpansionSynchCreateMax\", \"Recurrence Expansion Synchronization Create Maximum\", \"Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.\",\n \"ReferenceSiteMapXml\", \"Reference SiteMap XML\", \"XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.\",\n \"ReleaseCadence\", \"Current orgnization release cadence value\", \"Current orgnization release cadence value\",\n \"ReleaseChannel\", \"Model app refresh channel\", \"Model app refresh channel\",\n \"ReleaseWaveName\", \"Release Wave\", \"Release Wave Applied to Environment.\",\n \"RelevanceSearchEnabledByPlatform\", \"Relevance search enabled automatically by Dataverse\", \"Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep\",\n \"RelevanceSearchModifiedOn\", \"RelevanceSearchModifiedOnDate\", \"This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.\",\n \"RenderSecureIFrameForEmail\", \"Render Secure Frame For Email\", \"Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. This is additional security but can cause a credentials prompt.\",\n \"ReportingGroupId\", \"Reporting Group\", \"For internal use only.\",\n \"ReportingGroupName\", \"Reporting Group Name\", \"For internal use only.\",\n \"ReportScriptErrors\", \"Report Script Errors\", \"Picklist for selecting the organization preference for reporting scripting errors.\",\n \"RequireApprovalForQueueEmail\", \"Is Approval For Queue Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"RequireApprovalForUserEmail\", \"Is Approval For User Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"ResolveSimilarUnresolvedEmailAddress\", \"Apply same email address to all unresolved matches when you manually resolve it for one\", \"Apply same email address to all unresolved matches when you manually resolve it for one\",\n \"RestrictStatusUpdate\", \"Restrict Status Update\", \"Flag to restrict Update on incident.\",\n \"ReverseProxyIpAddresses\", \"List of reverse proxy IP addresses to be allowed.\", \"Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.\",\n \"RiErrorStatus\", \"Error status of Relationship Insights provisioning.\", \"Error status of Relationship Insights provisioning.\",\n \"SampleDataImportId\", \"Sample Data Import\", \"Unique identifier of the sample data import job.\",\n \"SchemaNamePrefix\", \"Customization Name Prefix\", \"Prefix used for custom entities and attributes.\",\n \"SendBulkEmailInUCI\", \"Send Bulk Email in UCI\", \"Indicates whether Send Bulk Email in UCI is enabled for the org.\",\n \"ServeStaticResourcesFromAzureCDN\", \"Serve Static Content From CDN\", \"Serve Static Content From CDN\",\n \"SessionRecordingEnabled\", \"Enable the session recording feature\", \"Enable the session recording feature to record user sessions in UCI\",\n \"SessionTimeoutEnabled\", \"Session timeout enabled\", \"Information that specifies whether session timeout is enabled\",\n \"SessionTimeoutInMins\", \"Session timeout in minutes\", \"Session timeout in minutes\",\n \"SessionTimeoutReminderInMins\", \"Session timeout reminder in minutes\", \"Session timeout reminder in minutes\",\n \"SharePointDeploymentType\", \"Choose SharePoint Deployment Type\", \"Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)\",\n \"ShareToPreviousOwnerOnAssign\", \"Share To Previous Owner On Assign\", \"Information that specifies whether to share to previous owner on assign.\",\n \"ShowKBArticleDeprecationNotification\", \"Show KBArticle deprecation message to user\", \"Select whether to display a KB article deprecation notification to the user.\",\n \"ShowWeekNumber\", \"Show Week Number\", \"Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.\",\n \"SignupOutlookDownloadFWLink\", \"CRMForOutlookDownloadURL\", \"CRM for Outlook Download URL\",\n \"SiteMapXml\", \"SiteMap XML\", \"XML string that defines the navigation structure for the application.\",\n \"SlaPauseStates\", \"SLA pause states\", \"Contains the on hold case status values.\",\n \"SocialInsightsEnabled\", \"Social Insights Enabled\", \"Flag for whether the organization is using Social Insights.\",\n \"SocialInsightsInstance\", \"Social Insights instance identifier\", \"Identifier for the Social Insights instance for the organization.\",\n \"SocialInsightsTermsAccepted\", \"Social Insights Terms of Use\", \"Flag for whether the organization has accepted the Social Insights terms of use.\",\n \"SortId\", \"Sort\", \"For internal use only.\",\n \"SqlAccessGroupId\", \"SQL Access Group\", \"For internal use only.\",\n \"SqlAccessGroupName\", \"SQL Access Group Name\", \"For internal use only.\",\n \"SQMEnabled\", \"Is SQM Enabled\", \"Setting for SQM data collection, 0 no, 1 yes enabled\",\n \"SupportUserId\", \"Support User\", \"Unique identifier of the support user for the organization.\",\n \"SuppressSLA\", \"Is SLA suppressed\", \"Indicates whether SLA is suppressed.\",\n \"SuppressValidationEmails\", \"Whether Admin emails are sent when Solution Checker validation fails\", \"Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.\",\n \"SyncBulkOperationBatchSize\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\",\n \"SyncBulkOperationMaxLimit\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\",\n \"SyncOptInSelection\", \"Enable dynamics 365 azure sync framework for this organization.\", \"Indicates the selection to use the dynamics 365 azure sync framework or server side sync.\",\n \"SyncOptInSelectionStatus\", \"Status of opt-in or opt-out operation for dynamics 365 azure sync.\", \"Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.\",\n \"SystemUserId\", \"System User\", \"Unique identifier of the system user for the organization.\",\n \"TableScopedDVSearchInApps\", \"Table Scoped Dataverse Search In Apps\", \"Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.\",\n \"TagMaxAggressiveCycles\", \"Auto-Tag Max Cycles\", \"Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.\",\n \"TagPollingPeriod\", \"Auto-Tag Interval\", \"Normal polling frequency used for email receive auto-tagging in outlook.\",\n \"TaskBasedFlowEnabled\", \"Enable Task Flow processes for this Organization\", \"Select whether to turn on task flows for the organization.\",\n \"TeamsChatDataSync\", \"Enable Teams Chat Data Sync.\", \"Information on whether Teams Chat Data Sync is enabled.\",\n \"TelemetryInstrumentationKey\", \"Telemetry Instrumentation Key\", \"Instrumentation key for Application Insights used to log plugins telemetry.\",\n \"TextAnalyticsEnabled\", \"Enable Text Analytics for this Organization\", \"Select whether to turn on text analytics for the organization.\",\n \"TimeFormatCode\", \"Time Format Code\", \"Information that specifies how the time is displayed throughout Microsoft CRM.\",\n \"TimeFormatString\", \"Time Format String\", \"Text for how time is displayed in Microsoft Dynamics 365.\",\n \"TimeSeparator\", \"Time Separator\", \"Text for how the time separator is displayed throughout Microsoft Dynamics 365.\",\n \"TimeZoneRuleVersionNumber\", \"Time Zone Rule Version Number\", \"For internal use only.\",\n \"TokenExpiry\", \"Token Expiration Duration\", \"Duration used for token expiration.\",\n \"TokenKey\", \"Token Key\", \"Token key.\",\n \"TraceLogMaximumAgeInDays\", \"Tracelog record maximum age in days\", \"Tracelog record maximum age in days\",\n \"TrackingPrefix\", \"Tracking Prefix\", \"History list of tracking token prefixes.\",\n \"TrackingTokenIdBase\", \"Tracking Token Base\", \"Base number used to provide separate tracking token identifiers to users belonging to different deployments.\",\n \"TrackingTokenIdDigits\", \"Tracking Token Digits\", \"Number of digits used to represent a tracking token identifier.\",\n \"UniqueSpecifierLength\", \"Unique String Length\", \"Number of characters appended to invoice, quote, and order numbers.\",\n \"UnresolveEmailAddressIfMultipleMatch\", \"Set To,cc,bcc fields as unresolved if multiple matches are found\", \"Indicates whether email address should be unresolved if multiple matches are found\",\n \"UseInbuiltRuleForDefaultPricelistSelection\", \"Use Inbuilt Rule For Default Pricelist Selection\", \"Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.\",\n \"UseLegacyRendering\", \"Legacy Form Rendering\", \"Select whether to use legacy form rendering.\",\n \"UsePositionHierarchy\", \"Use position hierarchy\", \"Use position hierarchy\",\n \"UseQuickFindViewForGridSearch\", \"Use Quick Find view when searching in grids\", \"Indicates whether searching in a grid should use the Quick Find view for the entity.\",\n \"UserAccessAuditingInterval\", \"User Authentication Auditing Interval\", \"The interval at which user access is checked for auditing.\",\n \"UseReadForm\", \"Use Read-Optimized Form\", \"Indicates whether the read-optimized form should be enabled for this organization.\",\n \"UserGroupId\", \"User Group\", \"Unique identifier of the default group of users in the organization.\",\n \"UserRatingEnabled\", \"Enable the user rating feature\", \"Enable the user rating feature to show the NSAT score and comment to maker\",\n \"UseSkypeProtocol\", \"User Skype Protocol\", \"Indicates default protocol selected for organization.\",\n \"UTCConversionTimeZoneCode\", \"UTC Conversion Time Zone Code\", \"Time zone code that was in use when the record was created.\",\n \"ValidationMode\", \"Validation mode for apps in this environment\", \"Validation mode for apps in this environment\",\n \"WebResourceHash\", \"Web resource hash\", \"Hash value of web resources.\",\n \"WeekStartDayCode\", \"Week Start Day Code\", \"Designated first day of the week throughout Microsoft Dynamics 365.\",\n \"WidgetProperties\", \"For Internal use only.\", \"For Internal use only.\",\n \"YammerGroupId\", \"Yammer Group Id\", \"Denotes the Yammer group ID\",\n \"YammerNetworkPermalink\", \"Yammer Network Permalink\", \"Denotes the Yammer network permalink\",\n \"YammerOAuthAccessTokenExpired\", \"Yammer OAuth Access Token Expired\", \"Denotes whether the OAuth access token for Yammer network has expired\",\n \"YammerPostMethod\", \"Internal Use Only\", \"Internal Use Only\",\n \"YearStartWeekCode\", \"Year Start Week Code\", \"Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.\",\n \"AcknowledgementTemplateIdName\", \"\", \"Name of the template to be used for unsubscription acknowledgement.\",\n \"BaseCurrencyIdName\", \"\", \"\",\n \"BaseCurrencyPrecision\", \"Base Currency Precision\", \"Number of decimal places that can be used for the base currency.\",\n \"BaseCurrencySymbol\", \"Base Currency Symbol\", \"Symbol used for the base currency.\",\n \"BaseISOCurrencyCode\", \"Base ISO Currency Code\", \"\",\n \"CreatedBy\", \"Created By\", \"Unique identifier of the user who created the organization.\",\n \"CreatedByName\", \"\", \"\",\n \"CreatedByYomiName\", \"\", \"\",\n \"CreatedOn\", \"Created On\", \"Date and time when the organization was created.\",\n \"CreatedOnBehalfBy\", \"Created By (Delegate)\", \"Unique identifier of the delegate user who created the organization.\",\n \"CreatedOnBehalfByName\", \"\", \"\",\n \"CreatedOnBehalfByYomiName\", \"\", \"\",\n \"CurrentImportSequenceNumber\", \"Current Import Sequence Number\", \"Import sequence to use.\",\n \"CurrentParsedTableNumber\", \"Current Parsed Table Number\", \"First parsed table number to use.\",\n \"DaysSinceRecordLastModifiedMaxValue\", \"Max value of Days since record last modified\", \"The maximum value for the Mobile Offline setting Days since record last modified\",\n \"DefaultEmailServerProfileIdName\", \"\", \"Name of the email server profile to be used as default profile for the mailboxes.\",\n \"DefaultMobileOfflineProfileIdName\", \"\", \"Name of the default mobile offline profile to be used as default profile for mobile offline.\",\n \"DisabledReason\", \"Disabled Reason\", \"Reason for disabling the organization.\",\n \"EntityImage_Timestamp\", \"\", \"\",\n \"EntityImage_URL\", \"\", \"\",\n \"EntityImageId\", \"Entity Image Id\", \"For internal use only.\",\n \"FiscalSettingsUpdated\", \"Is Fiscal Settings Updated\", \"Information that specifies whether the fiscal settings have been updated.\",\n \"IsAllMoneyDecimal\", \"Set if all money attributes are converted to decimal\", \"Indicates whether all money attributes are converted to decimal.\",\n \"IsDisabled\", \"Is Organization Disabled\", \"Information that specifies whether the organization is disabled.\",\n \"MaxSupportedInternetExplorerVersion\", \"Max supported IE version\", \"The maximum version of IE to run browser emulation for in Outlook client\",\n \"MaxVerboseLoggingMailbox\", \"Max No Of Mailboxes To Enable For Verbose Logging\", \"Maximum number of mailboxes that can be toggled for verbose logging\",\n \"MaxVerboseLoggingSyncCycles\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\",\n \"MetadataSyncLastTimeOfNeverExpiredDeletedObjects\", \"The last date/time for never expired metadata tracking deleted objects\", \"What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.\",\n \"MetadataSyncTimestamp\", \"Metadata sync version\", \"Contains the maximum version number for attributes used by metadata synchronization that have changed.\",\n \"MobileOfflineMinLicenseProd\", \"Minimum number of user license required for mobile offline service by production/preview organization\", \"Minimum number of user license required for mobile offline service by production/preview organization\",\n \"MobileOfflineMinLicenseTrial\", \"Minimum number of user license required for mobile offline service by trial organization\", \"Minimum number of user license required for mobile offline service by trial organization\",\n \"ModifiedBy\", \"Modified By\", \"Unique identifier of the user who last modified the organization.\",\n \"ModifiedByName\", \"\", \"\",\n \"ModifiedByYomiName\", \"\", \"\",\n \"ModifiedOn\", \"Modified On\", \"Date and time when the organization was last modified.\",\n \"ModifiedOnBehalfBy\", \"Modified By (Delegate)\", \"Unique identifier of the delegate user who last modified the organization.\",\n \"ModifiedOnBehalfByName\", \"\", \"\",\n \"ModifiedOnBehalfByYomiName\", \"\", \"\",\n \"NextCustomObjectTypeCode\", \"Next Entity Type Code\", \"Next entity type code to use for custom entities.\",\n \"OrganizationId\", \"Organization\", \"Unique identifier of the organization.\",\n \"OrganizationState\", \"Organization State\", \"Indicates the organization lifecycle state\",\n \"ParsedTableColumnPrefix\", \"Parsed Table Column Prefix\", \"Prefix used for parsed table columns.\",\n \"ParsedTablePrefix\", \"Parsed Table Prefix\", \"Prefix used for parsed tables.\",\n \"V3CalloutConfigHash\", \"V3 Callout Hash\", \"Hash of the V3 callout configuration file.\",\n \"VersionNumber\", \"Version Number\", \"Version number of the organization.\"\n]\n| project FieldName = tolower(Field), DisplayName, Description\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "MSBizAppsOrgSettings" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", + "source": { + "name": "Microsoft Business Applications", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } + } + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject3').parserContentId3]", + "contentKind": "Parser", + "displayName": "MSBizAppsOrgSettings", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '3.2.0')))]", + "version": "[variables('parserObject3').parserVersion3]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "contentKind": "HuntingQuery", - "displayName": "Dataverse - Identity management changes without MFA", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users_HuntingQueries Hunting Query with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2022-10-01", - "name": "Microsoft_Business_Applications_Hunting_Query_8", - "location": "[parameters('workspace-location')]", - "properties": { + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject3')._parserName3]", + "location": "[parameters('workspace-location')]", + "properties": { "eTag": "*", - "displayName": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users", - "category": "Hunting Queries", - "query": "////////////\n// Please replace the allowed_domains with a list of domains of your partners/sibling orgs\n// with whom you generally share power apps with. This will allow us to filter\n// legitimate bulk sharing attempts. Avoid using domains such as gmail, outlook, etc.\n///////////\nlet allowed_domains = pack_array(\"contoso.com\");\nlet start = ago(14d);\nlet end = now();\nlet interval = 1h;\nPowerPlatformAdminActivity\n| where EventOriginalType == \"PowerAppPermissionEdited\"\n| extend Properties = tostring(PropertyCollection)\n| extend AppId = extract(@'\"powerplatform.analytics.resource.power_app.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))\n| extend TargetPrincipalId = extract(@'\"targetuser.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend\n PowerAppsAppId = AppId\n| join kind=leftouter (AuditLogs\n | where ActivityDateTime >= ago(14d)\n | where SourceSystem =~ \"Azure AD\" and OperationName == \"Invite external user\"\n | where Result =~ \"success\"\n | extend InvitedOrgEmail = tostring(parse_json(AdditionalDetails[5])['value'])\n | extend InvitedOrgDomain = tostring(split(InvitedOrgEmail, \"@\")[1])\n | where not(InvitedOrgDomain has_any(allowed_domains))\n | extend\n InvitedById = tostring(parse_json(InitiatedBy)['user']['id']),\n InvitedByUPN = tostring(parse_json(InitiatedBy)['user']['userPrincipalName']),\n InvitedEmail = tostring(parse_json(TargetResources[0])['userPrincipalName']),\n InvitedId = tostring(parse_json(TargetResources[0])['id'])\n | summarize by InvitedById, InvitedByUPN, InvitedEmail, InvitedId, InvitedOrgDomain)\n on $left.TargetPrincipalId == $right.InvitedId\n| where isnotempty(InvitedId)\n| make-series counter=dcount(TargetPrincipalId) default=0 on TimeGenerated in range(start, end, interval) by PowerAppsAppId, InvitedById, InvitedByUPN\n| extend(Anomalies, AnomalyScore, ExpectedUsage) = series_decompose_anomalies(counter)\n| mv-expand\n counter to typeof(double),\n TimeGenerated to typeof(datetime),\n Anomalies to typeof(double),\n AnomalyScore to typeof(double),\n ExpectedUsage to typeof(long)\n| where Anomalies != 0\n| extend\n PowerAppsEntityId = 27593,\n AccountName = tostring(split(InvitedByUPN, '@')[0]),\n UPNSuffix = tostring(split(InvitedByUPN, '@')[1])\n| project\n TimeGenerated,\n ActualUsage=counter,\n ExpectedUsage,\n AnomalyScore,\n Anomalies,\n PowerAppsAppId,\n InvitedById,\n InvitedByUPN,\n PowerAppsEntityId,\n AccountName,\n UPNSuffix\n", + "displayName": "MSBizAppsOrgSettings", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsOrgSettings", + "query": "datatable (Field: string, DisplayName: string, Description: string)[\n \"ACIWebEndpointUrl\", \"ACI Tenant URL.\", \"ACI Web Endpoint URL.\",\n \"AcknowledgementTemplateId\", \"Acknowledgement Template\", \"Unique identifier of the template to be used for acknowledgement when a user unsubscribes.\",\n \"ActivityTypeFilter\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether filtering activity based on entity in app.\",\n \"ActivityTypeFilterV2\", \"Show only activities configured in the app when accessing 'New activity' button\", \"Whether to show only activities configured in this app or all activities in the 'New activity' button.\",\n \"AdvancedColumnEditorEnabled\", \"Advanced column editor enabled\", \"Flag to indicate if the display column options on a view in model-driven apps is enabled\",\n \"AdvancedColumnFilteringEnabled\", \"Advanced column filtering enabled\", \"Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled\",\n \"AdvancedFilteringEnabled\", \"Advanced filtering enabled\", \"Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled\",\n \"AdvancedLookupEnabled\", \"Advanced lookup enabled\", \"Flag to indicate if the Advanced Lookup feature is enabled for lookup controls\",\n \"AdvancedLookupInEditFilter\", \"Enable Advanced Lookup In Edit Filter\", \"Enables advanced lookup in grid edit filter panel\",\n \"AllowAddressBookSyncs\", \"Allow Address Book Synchronization\", \"Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowApplicationUserAccess\", \"Allow All Application Users Access.\", \"Information that specifies whether all application users are allowed to access the environment\",\n \"AllowAutoResponseCreation\", \"Allow Automatic Response Creation\", \"Indicates whether automatic response creation is allowed.\",\n \"AllowAutoUnsubscribe\", \"Allow Automatic Unsubscribe\", \"Indicates whether automatic unsubscribe is allowed.\",\n \"AllowAutoUnsubscribeAcknowledgement\", \"Allow Automatic Unsubscribe Acknowledgement\", \"Indicates whether automatic unsubscribe acknowledgement email is allowed to send.\",\n \"AllowClientMessageBarAd\", \"Allow Outlook Client Message Bar Advertisement\", \"Indicates whether Outlook Client message bar advertisement is allowed.\",\n \"AllowConnectorsOnPowerFXActions\", \"Enable connectors on power fx actions.\", \"Information on whether connectors on power fx actions is enabled.\",\n \"AllowedIpRangeForFirewall\", \"List of IP Ranges to be allowed by the firewall rule\", \"Information that specifies the range of IP addresses that are in allow list for the firewall.\",\n \"AllowedIpRangeForStorageAccessSignatures\", \"List of IP Ranges to be allowed for generating the SAS URIs.\", \"Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.\",\n \"AllowedMimeTypes\", \"List of allowed mime types.\", \"Allow upload or download of certain mime types.\",\n \"AllowedServiceTagsForFirewall\", \"List of Service Tags to be allowed by the firewall rule\", \"Information that specifies the List of Service Tags that should be allowed by the firewall.\",\n \"AllowEntityOnlyAudit\", \"Allow Entity Level Auditing\", \"Indicates whether auditing of changes to entity is allowed when no attributes have changed.\",\n \"AllowLeadingWildcardsInGridSearch\", \"Allow Leading Wildcards In Grid Search\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLeadingWildcardsInQuickFind\", \"Allow Leading Wildcards In Quick Find\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLegacyClientExperience\", \"Enable access to legacy web client UI\", \"Enable access to legacy web client UI\",\n \"AllowLegacyDialogsEmbedding\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\",\n \"AllowMarketingEmailExecution\", \"Allow Marketing Email Execution\", \"Indicates whether marketing emails execution is allowed.\",\n \"AllowMicrosoftTrustedServiceTags\", \"Allow Microsoft Trusted Service Tags\", \"Information that specifies whether Microsoft Trusted Service Tags are allowed\",\n \"AllowOfflineScheduledSyncs\", \"Allow Offline Scheduled Synchronization\", \"Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowOutlookScheduledSyncs\", \"Allow Scheduled Synchronization\", \"Indicates whether scheduled synchronizations to Outlook are allowed.\",\n \"AllowRedirectAdminSettingsToModernUI\", \"Allow Redirect Legacy Admin Settings To Modern UI\", \"Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI\",\n \"AllowUnresolvedPartiesOnEmailSend\", \"Allow Unresolved Address Email Send\", \"Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).\",\n \"AllowUserFormModePreference\", \"Allow User Form Mode Preference\", \"Indicates whether individuals can select their form mode preference in their personal options.\",\n \"AllowUsersHidingSystemViews\", \"Allow users hiding system views\", \"Flag to indicate if allow end users to hide system views in model-driven apps is enabled\",\n \"AllowUsersSeeAppdownloadMessage\", \"Allow the showing tablet application notification bars in a browser.\", \"Indicates whether the showing tablet application notification bars in a browser is allowed.\",\n \"AllowWebExcelExport\", \"Allow Export to Excel\", \"Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.\",\n \"AMDesignator\", \"AM Designator\", \"AM designator to use throughout Microsoft Dynamics CRM.\",\n \"AppDesignerExperienceEnabled\", \"Enable App Designer Experience for this Organization\", \"Indicates whether the appDesignerExperience is enabled for the organization.\",\n \"AppointmentRichEditorExperience\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether rich editing experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeeting\", \"Enable teams Meeting experience for appointment\", \"Information on whether Teams meeting experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeetingV2\", \"Enable Teams meetings for appointments\", \"Whether Teams meetings experience for appointments is enabled.\",\n \"AuditRetentionPeriod\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AuditRetentionPeriodV2\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AutoApplyDefaultonCaseCreate\", \"Auto Apply Default Entitlement on Case Create\", \"Select whether to auto apply the default customer entitlement on case creation.\",\n \"AutoApplyDefaultonCaseUpdate\", \"Auto Apply Default Entitlement on Case Update\", \"Select whether to auto apply the default customer entitlement on case update.\",\n \"AutoApplySLA\", \"Is Auto-apply SLA After Manually Over-riding\", \"Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.\",\n \"AzureSchedulerJobCollectionName\", \"For internal use only.\", \"For internal use only.\",\n \"BaseCurrencyId\", \"Currency\", \"Unique identifier of the base currency of the organization.\",\n \"BingMapsApiKey\", \"Bing Maps API Key\", \"Api Key to be used in requests to Bing Maps services.\",\n \"BlockedAttachments\", \"Block Attachments\", \"Prevent upload or download of certain attachment types that are considered dangerous.\",\n \"BlockedMimeTypes\", \"List of blocked mime types.\", \"Prevent upload or download of certain mime types that are considered dangerous.\",\n \"BoundDashboardDefaultCardExpanded\", \"Display cards in expanded state for Interactive Dashboard\", \"Display cards in expanded state for interactive dashboard\",\n \"BulkOperationPrefix\", \"Bulk Operation Prefix\", \"Prefix used for bulk operation numbering.\",\n \"BusinessCardOptions\", \"Enable New BusinessCardOptions\", \"BusinessCardOptions\",\n \"BusinessClosureCalendarId\", \"Business Closure Calendar\", \"Unique identifier of the business closure calendar of organization.\",\n \"CalendarType\", \"Calendar Type\", \"Calendar type for the system. Set to Gregorian US by default.\",\n \"CampaignPrefix\", \"Campaign Prefix\", \"Prefix used for campaign numbering.\",\n \"CanOptOutNewSearchExperience\", \"Can disable Oct 2020 Search\", \"Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)\",\n \"CascadeStatusUpdate\", \"Cascade Status Update\", \"Flag to cascade Update on incident.\",\n \"CasePrefix\", \"Case Prefix\", \"Prefix to use for all cases throughout Microsoft Dynamics 365.\",\n \"CategoryPrefix\", \"Category Prefix\", \"Type the prefix to use for all categories in Microsoft Dynamics 365.\",\n \"ClientFeatureSet\", \"Client Feature Set\", \"Client Features to be enabled as an XML BLOB.\",\n \"ContentSecurityPolicyConfiguration\", \"Content Security Policy Configuration\", \"Policy configuration for CSP\",\n \"ContentSecurityPolicyConfigurationForCanvas\", \"Content Security Policy Configuration for Canvas apps\", \"Content Security Policy configuration for Canvas apps.\",\n \"ContentSecurityPolicyOptions\", \"Content Security Policy Options\", \"Content Security Policy Options.\",\n \"ContentSecurityPolicyReportUri\", \"Content Security Policy Report Uri\", \"Content Security Policy Report Uri.\",\n \"ContractPrefix\", \"Contract Prefix\", \"Prefix to use for all contracts throughout Microsoft Dynamics 365.\",\n \"CopresenceRefreshRate\", \"CopresenceRefreshRate\", \"Refresh rate for copresence data in seconds.\",\n \"CortanaProactiveExperienceEnabled\", \"Enable Cortana Proactive Experience Flow processes for this Organization\", \"Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.\",\n \"CreateProductsWithoutParentInActiveState\", \"Enable Active Initial Product State\", \"Enable Initial state of newly created products to be Active instead of Draft\",\n \"CurrencyDecimalPrecision\", \"Currency Decimal Precision\", \"Number of decimal places that can be used for currency.\",\n \"CurrencyDisplayOption\", \"Display Currencies Using\", \"Indicates whether to display money fields with currency code or currency symbol.\",\n \"CurrencyFormatCode\", \"Currency Format Code\", \"Information about how currency symbols are placed throughout Microsoft Dynamics CRM.\",\n \"CurrencySymbol\", \"Currency Symbol\", \"Symbol used for currency throughout Microsoft Dynamics 365.\",\n \"CurrentBulkOperationNumber\", \"Current Bulk Operation Number\", \"Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCampaignNumber\", \"Current Campaign Number\", \"Current campaign number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCaseNumber\", \"Current Case Number\", \"First case number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCategoryNumber\", \"Current Category Number\", \"Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentContractNumber\", \"Current Contract Number\", \"First contract number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentInvoiceNumber\", \"Current Invoice Number\", \"First invoice number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKaNumber\", \"Current Knowledge Article Number\", \"Enter the first number to use for knowledge articles. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKbNumber\", \"Current Article Number\", \"First article number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentOrderNumber\", \"Current Order Number\", \"First order number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentQuoteNumber\", \"Current Quote Number\", \"First quote number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"DateFormatCode\", \"Date Format Code\", \"Information about how the date is displayed throughout Microsoft CRM.\",\n \"DateFormatString\", \"Date Format String\", \"String showing how the date is displayed throughout Microsoft CRM.\",\n \"DateSeparator\", \"Date Separator\", \"Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.\",\n \"DaysBeforeEmailDescriptionIsMigrated\", \"Number of days before we migrate email description to blob.\", \"Number of days before we migrate email description to blob.\",\n \"DaysBeforeInactiveTeamsChatSyncDisabled\", \"Days Before Inactive Teams Chat Sync Disabled\", \"Days of inactivity before sync is disabled for a Teams Chat.\",\n \"DecimalSymbol\", \"Decimal Symbol\", \"Symbol used for decimal in Microsoft Dynamics 365.\",\n \"DefaultCountryCode\", \"Default Country Code\", \"Text area to enter default country code.\",\n \"DefaultCrmCustomName\", \"Name of the default app\", \"Name of the default crm custom.\",\n \"DefaultEmailServerProfileId\", \"Email Server Profile\", \"Unique identifier of the default email server profile.\",\n \"DefaultEmailSettings\", \"Default Email Settings\", \"XML string containing the default email settings that are applied when a user or queue is created.\",\n \"DefaultMobileOfflineProfileId\", \"Default Mobile Offline Profile\", \"Unique identifier of the default mobile offline profile.\",\n \"DefaultRecurrenceEndRangeType\", \"Default Recurrence End Range Type\", \"Type of default recurrence end range date.\",\n \"DefaultThemeData\", \"Default Theme Data\", \"Default theme data for the organization.\",\n \"DelegatedAdminUserId\", \"Delegated Admin\", \"Unique identifier of the delegated admin user for the organization.\",\n \"DisableSocialCare\", \"Is Social Care disabled\", \"Indicates whether Social Care is disabled.\",\n \"DiscountCalculationMethod\", \"Discount calculation method\", \"Discount calculation method for the QOOI product.\",\n \"DisplayNavigationTour\", \"Display Navigation Tour\", \"Indicates whether or not navigation tour is displayed.\",\n \"EmailConnectionChannel\", \"Email Connection Channel\", \"Select if you want to use the Email Router or server-side synchronization for email processing.\",\n \"EmailCorrelationEnabled\", \"Use Email Correlation\", \"Flag to turn email correlation on or off.\",\n \"EmailSendPollingPeriod\", \"Email Send Polling Frequency\", \"Normal polling frequency used for sending email in Microsoft Office Outlook.\",\n \"EnableAsyncMergeAPIForUCI\", \"Asynchronous merge enabled for UCI\", \"Determines whether records merged through the merge dialog in UCI are merged asynchronously\",\n \"EnableBingMapsIntegration\", \"Enable Integration with Bing Maps\", \"Enable Integration with Bing Maps\",\n \"EnableCanvasAppsInSolutionsByDefault\", \"Enable the creation of Canvas apps in Dataverse / Solution by default\", \"Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.\",\n \"EnableFlowsInSolutionByDefault\", \"Enable the creation of flows within a solution by default.\", \"Indicates whether the creation of flows is within a solution by default for this organization.\",\n \"EnableFlowsInSolutionByDefaultGracePeriod\", \"Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.\", \"Organizations with this attribute set to true will be granted a grace period and excluded from the initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.\",\n \"EnableImmersiveSkypeIntegration\", \"Enable Integration with Immersive Skype\", \"Enable Integration with Immersive Skype\",\n \"EnableIpBasedCookieBinding\", \"Enable IP Address Based Cookie Binding\", \"Information that specifies whether IP based cookie binding is enabled\",\n \"EnableIpBasedFirewallRule\", \"Enable IP Range based Firewall\", \"Information that specifies whether IP based firewall rule is enabled\",\n \"EnableIpBasedFirewallRuleInAuditMode\", \"Enable IP Range based Firewall In Audit Only Mode\", \"Information that specifies whether IP based firewall rule is enabled in Audit Only Mode\",\n \"EnableIpBasedStorageAccessSignatureRule\", \"Enable IP SAS URI generation rule\", \"Information that specifies whether IP based SAS URI generation rule is enabled\",\n \"EnableLivePersonaCardUCI\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\",\n \"EnableLivePersonCardIntegrationInOffice\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\",\n \"EnableLPAuthoring\", \"Enable Learning Path Authoring\", \"Select to enable learning path auhtoring.\",\n \"EnableMakerSwitchToClassic\", \"Switch Maker Portal to Classic\", \"Control whether the organization Switch Maker Portal to Classic\",\n \"EnableMicrosoftFlowIntegration\", \"Enable Integration with Microsoft Flow\", \"Enable Integration with Microsoft Flow\",\n \"EnablePricingOnCreate\", \"Enable Pricing On Create\", \"Enable pricing calculations on a Create call.\",\n \"EnableSmartMatching\", \"Enable Smart Matching\", \"Use Smart Matching.\",\n \"EnableUnifiedClientCDN\", \"Enable UCI CDN for organization\", \"Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.\",\n \"EnableUnifiedInterfaceShellRefresh\", \"Enable site map and commanding update\", \"Enable site map and commanding update\",\n \"EnforceReadOnlyPlugins\", \"Organization setting to enforce read only plugins.\", \"Organization setting to enforce read only plugins.\",\n \"EntityImage\", \"Entity Image\", \"The default image for the entity.\",\n \"ExpireChangeTrackingInDays\", \"Days to Expire Change Tracking Deleted Records\", \"Maximum number of days to keep change tracking deleted records\",\n \"ExpireSubscriptionsInDays\", \"Days to Expire Subscriptions\", \"Maximum number of days before deleting inactive subscriptions.\",\n \"ExternalBaseUrl\", \"External Base URL\", \"Specify the base URL to use to look for external document suggestions.\",\n \"ExternalPartyCorrelationKeys\", \"ExternalPartyEnabled Entities correlation Keys\", \"XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only\",\n \"ExternalPartyEntitySettings\", \"ExternalPartyEnabled Entities Settings.For internal use only\", \"XML string containing the ExternalPartyEnabled entities settings.\",\n \"FeatureSet\", \"Feature Set\", \"Features to be enabled as an XML BLOB.\",\n \"FiscalCalendarStart\", \"Fiscal Calendar Start\", \"Start date for the fiscal period that is to be used throughout Microsoft CRM.\",\n \"FiscalPeriodFormat\", \"Fiscal Period Format\", \"Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.\",\n \"FiscalPeriodFormatPeriod\", \"Format for Fiscal Period\", \"Format in which the fiscal period will be displayed.\",\n \"FiscalPeriodType\", \"Fiscal Period Type\", \"Type of fiscal period used throughout Microsoft CRM.\",\n \"FiscalYearDisplayCode\", \"Fiscal Year Display\", \"Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.\",\n \"FiscalYearFormat\", \"Fiscal Year Format\", \"Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.\",\n \"FiscalYearFormatPrefix\", \"Prefix for Fiscal Year\", \"Prefix for the display of the fiscal year.\",\n \"FiscalYearFormatSuffix\", \"Suffix for Fiscal Year\", \"Suffix for the display of the fiscal year.\",\n \"FiscalYearFormatYear\", \"Fiscal Year Format Year\", \"Format for the year.\",\n \"FiscalYearPeriodConnect\", \"Fiscal Year Period Connector\", \"Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.\",\n \"FullNameConventionCode\", \"Full Name Display Order\", \"Order in which names are to be displayed throughout Microsoft CRM.\",\n \"FutureExpansionWindow\", \"Future Expansion Window\", \"Specifies the maximum number of months in future for which the recurring activities can be created.\",\n \"GenerateAlertsForErrors\", \"Generate Alerts For Errors\", \"Indicates whether alerts will be generated for errors.\",\n \"GenerateAlertsForInformation\", \"Generate Alerts For Information\", \"Indicates whether alerts will be generated for information.\",\n \"GenerateAlertsForWarnings\", \"Generate Alerts For Warnings\", \"Indicates whether alerts will be generated for warnings.\",\n \"GetStartedPaneContentEnabled\", \"Is Get Started Pane Content Enabled\", \"Indicates whether Get Started content is enabled for this organization.\",\n \"GlobalAppendUrlParametersEnabled\", \"Is AppendUrl Parameters enabled\", \"Indicates whether the append URL parameters is enabled.\",\n \"GlobalHelpUrl\", \"Global Help URL.\", \"URL for the web page global help.\",\n \"GlobalHelpUrlEnabled\", \"Is Customizable Global Help enabled\", \"Indicates whether the customizable global help is enabled.\",\n \"GoalRollupExpiryTime\", \"Rollup Expiration Time for Goal\", \"Number of days after the goal's end date after which the rollup of the goal stops automatically.\",\n \"GoalRollupFrequency\", \"Automatic Rollup Frequency for Goal\", \"Number of hours between automatic rollup jobs .\",\n \"GrantAccessToNetworkService\", \"Grant Access To Network Service\", \"For internal use only.\",\n \"HashDeltaSubjectCount\", \"Hash Delta Subject Count\", \"Maximum difference allowed between subject keywords count of the email messaged to be correlated\",\n \"HashFilterKeywords\", \"Hash Filter Keywords\", \"Filter Subject Keywords\",\n \"HashMaxCount\", \"Hash Max Count\", \"Maximum number of subject keywords or recipients used for correlation\",\n \"HashMinAddressCount\", \"Hash Min Address Count\", \"Minimum number of recipients required to match for email messaged to be correlated\",\n \"HighContrastThemeData\", \"High contrast Theme Data\", \"High contrast theme data for the organization.\",\n \"IgnoreInternalEmail\", \"Ignore Internal Email\", \"Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.\",\n \"ImproveSearchLoggingEnabled\", \"Share search query data\", \"Indicates whether an organization has consented to sharing search query data to help improve search results\",\n \"InactivityTimeoutEnabled\", \"Inactivity timeout enabled\", \"Information that specifies whether Inactivity timeout is enabled\",\n \"InactivityTimeoutInMins\", \"Inactivity timeout in minutes\", \"Inactivity timeout in minutes\",\n \"InactivityTimeoutReminderInMins\", \"Inactivity timeout reminder in minutes\", \"Inactivity timeout reminder in minutes\",\n \"IncomingEmailExchangeEmailRetrievalBatchSize\", \"Exchange Email Retrieval Batch Size\", \"Setting for the Async Service Mailbox Queue. Defines the retrieval batch size of exchange server.\",\n \"InitialVersion\", \"Initial Version\", \"Initial version of the organization.\",\n \"IntegrationUserId\", \"Integration User\", \"Unique identifier of the integration user for the organization.\",\n \"InvoicePrefix\", \"Invoice Prefix\", \"Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.\",\n \"IpBasedStorageAccessSignatureMode\", \"IP Based SAS mode\", \"IP Based SAS mode.\",\n \"IsActionCardEnabled\", \"Enable Action Card for this Organization\", \"Indicates whether the feature Action Card should be enabled for the organization.\",\n \"IsActionSupportFeatureEnabled\", \"Action Support Feature enabled\", \"Information that specifies whether Action Support Feature is enabled\",\n \"IsActivityAnalysisEnabled\", \"Enable Relationship Analytics for this Organization\", \"Indicates whether the feature Relationship Analytics should be enabled for the organization.\",\n \"IsAppMode\", \"Is Application Mode Enabled\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsAppointmentAttachmentSyncEnabled\", \"Is Attachment Sync Enabled\", \"Enable or disable attachments sync for outlook and exchange.\",\n \"IsAssignedTasksSyncEnabled\", \"Is Assigned Tasks Sync Enabled\", \"Enable or disable assigned tasks sync for outlook and exchange.\",\n \"IsAuditEnabled\", \"Is Auditing Enabled\", \"Enable or disable auditing of changes.\",\n \"IsAutoDataCaptureEnabled\", \"Enable Auto Capture for this Organization\", \"Indicates whether the feature Auto Capture should be enabled for the organization.\",\n \"IsAutoDataCaptureV2Enabled\", \"Enable Auto Capture V2 for this Organization\", \"Indicates whether the V2 feature of Auto Capture should be enabled for the organization.\",\n \"IsAutoInstallAppForD365InTeamsEnabled\", \"IsAutoInstallAppForD365InTeamsEnabled\", \"\",\n \"IsAutoSaveEnabled\", \"Auto Save Enabled\", \"Information on whether auto save is enabled.\",\n \"IsBaseCardStaticFieldDataEnabled\", \"IsBaseCardStaticFieldDataEnabled\", \"\",\n \"IsBasicGeospatialIntegrationEnabled\", \"Enable the basic Geospatial features in Canvas Apps\", \"Determines whether users can make use of basic Geospatial featuers in Canvas apps.\",\n \"IsBPFEntityCustomizationFeatureEnabled\", \"BPF Entity Customization Feature enabled\", \"Information that specifies whether BPF Entity Customization Feature is enabled\",\n \"IsCollaborationExperienceEnabled\", \"IsCollaborationExperienceEnabled\", \"\",\n \"IsConflictDetectionEnabledForMobileClient\", \"Is Conflict Detection for Mobile Client enabled\", \"Information that specifies whether conflict detection for mobile client is enabled.\",\n \"IsContactMailingAddressSyncEnabled\", \"Is Mailing Address Sync Enabled\", \"Enable or disable mailing address sync for outlook and exchange.\",\n \"IsContentSecurityPolicyEnabled\", \"Enable Content Security Policy for this organization\", \"Indicates whether Content Security Policy has been enabled for the organization.\",\n \"IsContentSecurityPolicyEnabledForCanvas\", \"Enable Content Security Policy for this organization's Canvas apps\", \"Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.\",\n \"IsContextualEmailEnabled\", \"Indicates whether Contextual email experience is enabled on this organization\", \"Indicates whether Contextual email experience is enabled on this organization\",\n \"IsContextualHelpEnabled\", \"Enables Contextual Help in UCI\", \"Select to enable Contextual Help in UCI.\",\n \"IsCopilotFeedbackEnabled\", \"Allow users to provide feedback for App Copilot\", \"Determines whether users can provide feedback for App Copilot.\",\n \"IsCustomControlsInCanvasAppsEnabled\", \"Enable Custom Controls in canvas PowerApps feature for this organization\", \"Indicates whether Custom Controls in canvas PowerApps feature has been enabled for the organization.\",\n \"IsDefaultCountryCodeCheckEnabled\", \"Enable or disable country code selection\", \"Enable or disable country code selection.\",\n \"IsDelegateAccessEnabled\", \"Is Delegation Access Enabled\", \"Enable Delegation Access content\",\n \"IsDelveActionHubIntegrationEnabled\", \"Enable Action Hub for this Organization\", \"Indicates whether the feature Action Hub should be enabled for the organization.\",\n \"IsDesktopFlowSchemaV2Enabled\", \"Enable v2 schema for Desktop Flows in this organization.\", \"Indicates whether v2 schema for Desktop Flows is enabled in this organization.\",\n \"IsDuplicateDetectionEnabled\", \"Is Duplicate Detection Enabled\", \"Indicates whether duplicate detection of records is enabled.\",\n \"IsDuplicateDetectionEnabledForImport\", \"Is Duplicate Detection Enabled For Import\", \"Indicates whether duplicate detection of records during import is enabled.\",\n \"IsDuplicateDetectionEnabledForOfflineSync\", \"Is Duplicate Detection Enabled For Offline Synchronization\", \"Indicates whether duplicate detection of records during offline synchronization is enabled.\",\n \"IsDuplicateDetectionEnabledForOnlineCreateUpdate\", \"Is Duplicate Detection Enabled for Online Create/Update\", \"Indicates whether duplicate detection during online create or update is enabled.\",\n \"IsEmailAddressValidationEnabled\", \"Enable Smart Email Address Validation.\", \"Information on whether Smart Email Address Validation is enabled.\",\n \"IsEmailMonitoringAllowed\", \"Allow tracking recipient activity on sent emails\", \"Allow tracking recipient activity on sent emails.\",\n \"IsEmailServerProfileContentFilteringEnabled\", \"Is Email Server Profile Content Filtering Enabled\", \"Enable Email Server Profile content filtering\",\n \"IsEnabledForAllRoles\", \"option set values for isenabledforallroles\", \"Indicates whether appmodule is enabled for all roles\",\n \"IsExternalFileStorageEnabled\", \"Enable external file storage\", \"Indicates whether the organization's files are being stored in Azure.\",\n \"IsExternalSearchIndexEnabled\", \"Enable external search data syncing\", \"Select whether data can be synchronized with an external search index.\",\n \"IsFiscalPeriodMonthBased\", \"Is Fiscal Period Monthly\", \"Indicates whether the fiscal period is displayed as the month number.\",\n \"IsFolderAutoCreatedonSP\", \"Automatically create folders\", \"Select whether folders should be automatically created on SharePoint.\",\n \"IsFolderBasedTrackingEnabled\", \"Is Folder Based Tracking Enabled\", \"Enable or disable folder based tracking for Server Side Sync.\",\n \"IsFullTextSearchEnabled\", \"Enable Full-text search for Quick Find\", \"Indicates whether full-text search for Quick Find entities should be enabled for the organization.\",\n \"IsGeospatialAzureMapsIntegrationEnabled\", \"Enable geospatial Azure Maps integration.\", \"Indicates whether geospatial capabilities leveraging Azure Maps are enabled.\",\n \"IsHierarchicalSecurityModelEnabled\", \"Enable Hierarchical Security Model\", \"Enable Hierarchical Security Model\",\n \"IsIdeasDataCollectionEnabled\", \"Enable Ideas data collection.\", \"Indicates whether data collection for ideas in canvas PowerApps has been enabled.\",\n \"IsLUISEnabledforD365Bot\", \"LUIS Consent for Dynamics 365 Bot\", \"Give Consent to use LUIS in Dynamics 365 Bot\",\n \"IsMailboxForcedUnlockingEnabled\", \"Is Mailbox Forced Unlocking Enabled\", \"Enable or disable forced unlocking for Server Side Sync mailboxes.\",\n \"IsMailboxInactiveBackoffEnabled\", \"Is Mailbox Keep Alive Enabled\", \"Enable or disable mailbox keep alive for Server Side Sync.\",\n \"IsManualSalesForecastingEnabled\", \"Enable Manual Sales Forecasting feature for this organization\", \"Indicates whether Manual Sales Forecasting feature has been enabled for the organization.\",\n \"IsMobileClientOnDemandSyncEnabled\", \"Is Mobile Client On Demand Sync enabled\", \"Information that specifies whether mobile client on demand sync is enabled.\",\n \"IsMobileOfflineEnabled\", \"Enable MobileOffline for this Organization\", \"Indicates whether the feature MobileOffline should be enabled for the organization.\",\n \"IsModelDrivenAppsInMSTeamsEnabled\", \"Enable embedding Model Apps in Microsoft Teams\", \"Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.\",\n \"IsMSTeamsCollaborationEnabled\", \"Enable Microsoft Teams Collaboration for this organization\", \"Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.\",\n \"IsMSTeamsEnabled\", \"Enable Microsoft Teams integration\", \"Indicates whether Microsoft Teams integration has been enabled for the organization.\",\n \"IsMSTeamsSettingChangedByUser\", \"Microsoft Teams integration changed by user\", \"Indicates whether the user has enabled or disabled Microsoft Teams integration.\",\n \"IsMSTeamsUserSyncEnabled\", \"Enable Microsoft Teams User Sync for this organization\", \"Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.\",\n \"IsNewAddProductExperienceEnabled\", \"Indicates whether new add product experience is enabled in opportunity form\", \"Indicates whether new add product experience is enabled.\",\n \"IsNotesAnalysisEnabled\", \"Enable Notes Analysis for this Organization\", \"Indicates whether the feature Notes Analysis should be enabled for the organization.\",\n \"IsNotificationForD365InTeamsEnabled\", \"IsNotificationForD365InTeamsEnabled\", \"\",\n \"IsOfficeGraphEnabled\", \"Enable OfficeGraph for this Organization\", \"Indicates whether the feature OfficeGraph should be enabled for the organization.\",\n \"IsOneDriveEnabled\", \"Enable One Drive for this Organization\", \"Indicates whether the feature One Drive should be enabled for the organization.\",\n \"IsPAIEnabled\", \"Enable PAI feature for this organization\", \"Indicates whether PAI feature has been enabled for the organization.\",\n \"IsPDFGenerationEnabled\", \"Enable PDF Generation feature for this organization\", \"Indicates whether PDF Generation feature has been enabled for the organization.\",\n \"IsPlaybookEnabled\", \"Enable playbook feature for this organization\", \"Indicates whether playbook feature has been enabled for the organization.\",\n \"IsPresenceEnabled\", \"Presence Enabled\", \"Information on whether IM presence is enabled.\",\n \"IsPreviewEnabledForActionCard\", \"Enable Preview Action Card feature for this Organization\", \"Indicates whether the Preview feature for Action Card should be enabled for the organization.\",\n \"IsPreviewForAutoCaptureEnabled\", \"Enable Auto Capture for this Organization at Preview Settings\", \"Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.\",\n \"IsPreviewForEmailMonitoringAllowed\", \"Allows Preview For Email Monitoring\", \"Is Preview For Email Monitoring Allowed.\",\n \"IsPriceListMandatory\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities.\",\n \"IsQuickCreateEnabledForOpportunityClose\", \"Enable quick create form for opportunity close feature for this organization\", \"Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.\",\n \"IsReadAuditEnabled\", \"Is Read Auditing Enabled\", \"Enable or disable auditing of read operations.\",\n \"IsRelationshipInsightsEnabled\", \"Enable Relationship Insights for this Organization\", \"Indicates whether the feature Relationship Insights should be enabled for the organization.\",\n \"IsResourceBookingExchangeSyncEnabled\", \"Resource booking synchronization enabled\", \"Indicates if the synchronization of user resource booking with Exchange is enabled at organization level.\",\n \"IsRichTextNotesEnabled\", \"Indicates whether rich text editor for notes experience is enabled on this organization\", \"Indicates whether rich text editor for notes experience is enabled on this organization\",\n \"IsRpaAutoscaleAadJoinEnabled\", \"Enable AAD Join for RPA Autoscale feature for this organization.\", \"Indicates whether AAD Join for RPA Autoscale is enabled in this organization..\",\n \"IsRpaAutoscaleEnabled\", \"Enable RPA Autoscale feature for this organization\", \"Indicates whether Autoscale feature for RPA is enabled in this organization.\",\n \"IsRpaBoxCrossGeoEnabled\", \"Enable RPA Box cross geo feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.\",\n \"IsRpaBoxEnabled\", \"Enable RPA Box feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization.\",\n \"IsRpaUnattendedEnabled\", \"Enable RPA Unattended feature for this organization\", \"Indicates whether Unattended runs feature for RPA is enabled in this organization.\",\n \"IsSalesAssistantEnabled\", \"Enable Sales Assistant mobile app\", \"Indicates whether Sales Assistant mobile app has been enabled for the organization.\",\n \"IsSharingInOrgAllowed\", \"IsSharingInOrgAllowed\", \"\",\n \"IsSOPIntegrationEnabled\", \"Is Sales Order Integration Enabled\", \"Enable sales order processing integration.\",\n \"IsTextWrapEnabled\", \"Enable Text Wrap\", \"Information on whether text wrap is enabled.\",\n \"IsUserAccessAuditEnabled\", \"Is User Access Auditing Enabled\", \"Enable or disable auditing of user access.\",\n \"ISVIntegrationCode\", \"ISV Integration Mode\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsWriteInProductsAllowed\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.\",\n \"KaPrefix\", \"Knowledge Article Prefix\", \"Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.\",\n \"KbPrefix\", \"Article Prefix\", \"Prefix to use for all articles in Microsoft Dynamics 365.\",\n \"KMSettings\", \"Knowledge Management Settings\", \"XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.\",\n \"LanguageCode\", \"Language\", \"Preferred language for the organization.\",\n \"LocaleId\", \"Locale\", \"Unique identifier of the locale of the organization.\",\n \"LongDateFormatCode\", \"Long Date Format\", \"Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.\",\n \"LookupCharacterCountBeforeResolve\", \"Minimum number of characters before resolving suggestions in lookup\", \"Minimum number of characters that should be entered in the lookup control before resolving for suggestions\",\n \"LookupResolveDelayMS\", \"Minimum delay (in milliseconds) for debouncing lookup control input\", \"Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions\",\n \"MailboxIntermittentIssueMinRange\", \"Lower Threshold For Mailbox Intermittent Issue\", \"Lower Threshold For Mailbox Intermittent Issue.\",\n \"MailboxPermanentIssueMinRange\", \"Lower Threshold For Mailbox Permanent Issue.\", \"Lower Threshold For Mailbox Permanent Issue.\",\n \"MaxActionStepsInBPF\", \"Maximum number of actionsteps allowed in a BPF\", \"Maximum number of actionsteps allowed in a BPF\",\n \"MaxAllowedPendingRollupJobCount\", \"MaxAllowedPendingRollupJobCount\", \"Maximum Allowed Pending Rollup Job Count\",\n \"MaxAllowedPendingRollupJobPercentage\", \"MaxAllowedPendingRollupJobPercentage\", \"Percentage Of Entity Table Size For Kicking Off Bootstrap Job\",\n \"MaxAppointmentDurationDays\", \"Max Appointment Duration\", \"Maximum number of days an appointment can last.\",\n \"MaxConditionsForMobileOfflineFilters\", \"Maximum number of conditions allowed for mobile offline filters\", \"Maximum number of conditions allowed for mobile offline filters\",\n \"MaxDepthForHierarchicalSecurityModel\", \"Maximum depth for hierarchy security propagation.\", \"Maximum depth for hierarchy security propagation.\",\n \"MaxFolderBasedTrackingMappings\", \"Max Folder Based Tracking Mappings\", \"Maximum number of Folder Based Tracking mappings user can add\",\n \"MaximumActiveBusinessProcessFlowsAllowedPerEntity\", \"Maximum active business process flows per entity\", \"Maximum number of active business process flows allowed per entity\",\n \"MaximumDynamicPropertiesAllowed\", \"Product Properties Item Limit\", \"Restrict the maximum number of product properties for a product family/bundle\",\n \"MaximumEntitiesWithActiveSLA\", \"Maximum number of active SLA allowed per entity in online\", \"Maximum number of active SLA allowed per entity in online\",\n \"MaximumSLAKPIPerEntityWithActiveSLA\", \"Maximum number of active SLA KPI allowed per entity in online\", \"Maximum number of SLA KPI per active SLA allowed for entity in online\",\n \"MaximumTrackingNumber\", \"Max Tracking Number\", \"Maximum tracking number before recycling takes place.\",\n \"MaxProductsInBundle\", \"Bundle Item Limit\", \"Restrict the maximum no of items in a bundle\",\n \"MaxRecordsForExportToExcel\", \"Max Records For Excel Export\", \"Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.\",\n \"MaxRecordsForLookupFilters\", \"Max Records Filter Selection\", \"Maximum number of lookup and picklist records that can be selected by user for filtering.\",\n \"MaxRollupFieldsPerEntity\", \"MaxRollupFieldsPerEntity\", \"Maximum Rollup Fields Per Entity\",\n \"MaxRollupFieldsPerOrg\", \"MaxRollupFieldsPerOrg\", \"Maximum Rollup Fields Per Organization\",\n \"MaxSLAItemsPerSLA\", \"Max SLA Items Per SLA\", \"\",\n \"MaxUploadFileSize\", \"Max Upload File Size\", \"Maximum allowed size of an attachment.\",\n \"MicrosoftFlowEnvironment\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\",\n \"MinAddressBookSyncInterval\", \"Min Address Synchronization Frequency\", \"Normal polling frequency used for address book synchronization in Microsoft Office Outlook.\",\n \"MinOfflineSyncInterval\", \"Min Offline Synchronization Frequency\", \"Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.\",\n \"MinOutlookSyncInterval\", \"Min Synchronization Frequency\", \"Minimum allowed time between scheduled Outlook synchronizations.\",\n \"MobileOfflineSyncInterval\", \"Sync interval for mobile offline.\", \"Sync interval for mobile offline.\",\n \"ModernAdvancedFindFiltering\", \"Modern advanced find filtering\", \"Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled\",\n \"ModernAppDesignerCoauthoringEnabled\", \"Coauthoring in Modern App Designer Enabled\", \"Indicates whether coauthoring is enabled in modern app designer\",\n \"MultiColumnSortEnabled\", \"Enable Multi Column Sort Editor In Views\", \"Show the sort by button on views\",\n \"Name\", \"Organization Name\", \"Name of the organization. The name is set when Microsoft CRM is installed and should not be changed.\",\n \"NaturalLanguageAssistFilter\", \"Natural Language Assist\", \"Enables Natural Language Assist Filter.\",\n \"NegativeCurrencyFormatCode\", \"Negative Currency Format\", \"Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.\",\n \"NegativeFormatCode\", \"Negative Format\", \"Information that specifies how negative numbers are displayed throughout Microsoft CRM.\",\n \"NewSearchExperienceEnabled\", \"Oct 2020 Search enabled\", \"Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization\",\n \"NextTrackingNumber\", \"Next Tracking Number\", \"Next token to be placed on the subject line of an email message.\",\n \"NotifyMailboxOwnerOfEmailServerLevelAlerts\", \"Notify Mailbox Owner Of Email Server Level Alerts\", \"Indicates whether mailbox owners will be notified of email server profile level alerts.\",\n \"NumberFormat\", \"Number Format\", \"Specification of how numbers are displayed throughout Microsoft CRM.\",\n \"NumberGroupFormat\", \"Number Grouping Format\", \"Specifies how numbers are grouped in Microsoft Dynamics 365.\",\n \"NumberSeparator\", \"Number Separator\", \"Symbol used for number separation in Microsoft Dynamics 365.\",\n \"OfficeAppsAutoDeploymentEnabled\", \"Enable Office Apps Auto Deployment for this Organization\", \"Indicates whether the Office Apps auto deployment is enabled for the organization.\",\n \"OfficeGraphDelveUrl\", \"The url to open the Delve\", \"The url to open the Delve for the organization.\",\n \"OOBPriceCalculationEnabled\", \"Enable OOB Price calculation\", \"Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.\",\n \"OptOutSchemaV2EnabledByDefault\", \"Opt-out of schema v2 being automatically enabled for this organization.\", \"Indicates if this organization will opt-out from automatically enabling schema v2 on the organization.\",\n \"OrderPrefix\", \"Order Prefix\", \"Prefix to use for all orders throughout Microsoft Dynamics 365.\",\n \"OrgDbOrgSettings\", \"Organization Database Organization Settings\", \"Organization settings stored in Organization Database.\",\n \"OrgInsightsEnabled\", \"Enable OrgInsights for this Organization\", \"Select whether to turn on OrgInsights for the organization.\",\n \"PaiPreviewScenarioEnabled\", \"Display Preview Feature for this organization\", \"Indicates whether Preview feature has been enabled for the organization.\",\n \"PastExpansionWindow\", \"Past Expansion Window\", \"Specifies the maximum number of months in past for which the recurring activities can be created.\",\n \"PcfDatasetGridEnabled\", \"Enable modern grids in model-driven apps\", \"Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.\",\n \"PerformACTSyncAfter\", \"PerformACTSyncAfter\", \"This setting contains the date time before an ACT sync can execute.\",\n \"Picture\", \"Picture\", \"For internal use only.\",\n \"PinpointLanguageCode\", \"\", \"\",\n \"PluginTraceLogSetting\", \"Plug-in Trace Log Setting\", \"Plug-in Trace Log Setting for the Organization.\",\n \"PMDesignator\", \"PM Designator\", \"PM designator to use throughout Microsoft Dynamics 365.\",\n \"PostMessageWhitelistDomains\", \"For internal use only.\", \"For internal use only.\",\n \"PowerAppsMakerBotEnabled\", \"Enable bot for makers.\", \"Indicates whether bot for makers is enabled.\",\n \"PowerBIAllowCrossRegionOperations\", \"Power BI allow cross region operations\", \"Indicates whether cross region operations are allowed for the organization\",\n \"PowerBIAutomaticPermissionsAssignment\", \"Power BI automatic permissions assignment\", \"Indicates whether automatic permissions assignment to Power BI has been enabled for the organization\",\n \"PowerBIComponentsCreate\", \"Power BI components creation\", \"Indicates whether creation of Power BI components has been enabled for the organization\",\n \"PowerBiFeatureEnabled\", \"Enable Power BI feature for this Organization\", \"Indicates whether the Power BI feature should be enabled for the organization.\",\n \"PricingDecimalPrecision\", \"Pricing Decimal Precision\", \"Number of decimal places that can be used for prices.\",\n \"PrivacyStatementUrl\", \"Privacy Statement URL\", \"Privacy Statement URL\",\n \"PrivilegeUserGroupId\", \"Privilege User Group\", \"Unique identifier of the default privilege for users in the organization.\",\n \"PrivReportingGroupId\", \"Privilege Reporting Group\", \"For internal use only.\",\n \"PrivReportingGroupName\", \"Privilege Reporting Group Name\", \"For internal use only.\",\n \"ProductRecommendationsEnabled\", \"Enable Product Recommendations for this Organization\", \"Select whether to turn on product recommendations for the organization.\",\n \"QualifyLeadAdditionalOptions\", \"Enable New Qualify Lead Experience with configuration MDD\", \"Indicates whether prompt should be shown for new Qualify Lead Experience\",\n \"QuickActionToOpenRecordsInSidePaneEnabled\", \"Enable quick actions to open records in search side pane\", \"Flag to indicate if the feature to use quick action to open records in search side pane is enabled\",\n \"QuickFindRecordLimitEnabled\", \"Quick Find Record Limit Enabled\", \"Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).\",\n \"QuotePrefix\", \"Quote Prefix\", \"Prefix to use for all quotes throughout Microsoft Dynamics 365.\",\n \"RecalculateSLA\", \"Indicates whether SLA Recalculation has been enabled for the organization\", \"Indicates whether SLA Recalculation has been enabled for the organization\",\n \"RecurrenceDefaultNumberOfOccurrences\", \"Recurrence Default Number of Occurrences\", \"Specifies the default value for number of occurrences field in the recurrence dialog.\",\n \"RecurrenceExpansionJobBatchInterval\", \"Recurrence Expansion Job Batch Interval\", \"Specifies the interval (in seconds) for pausing expansion job.\",\n \"RecurrenceExpansionJobBatchSize\", \"Recurrence Expansion On Demand Job Batch Size\", \"Specifies the value for number of instances created in on demand job in one shot.\",\n \"RecurrenceExpansionSynchCreateMax\", \"Recurrence Expansion Synchronization Create Maximum\", \"Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.\",\n \"ReferenceSiteMapXml\", \"Reference SiteMap XML\", \"XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.\",\n \"ReleaseCadence\", \"Current orgnization release cadence value\", \"Current orgnization release cadence value\",\n \"ReleaseChannel\", \"Model app refresh channel\", \"Model app refresh channel\",\n \"ReleaseWaveName\", \"Release Wave\", \"Release Wave Applied to Environment.\",\n \"RelevanceSearchEnabledByPlatform\", \"Relevance search enabled automatically by Dataverse\", \"Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep\",\n \"RelevanceSearchModifiedOn\", \"RelevanceSearchModifiedOnDate\", \"This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.\",\n \"RenderSecureIFrameForEmail\", \"Render Secure Frame For Email\", \"Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. This is additional security but can cause a credentials prompt.\",\n \"ReportingGroupId\", \"Reporting Group\", \"For internal use only.\",\n \"ReportingGroupName\", \"Reporting Group Name\", \"For internal use only.\",\n \"ReportScriptErrors\", \"Report Script Errors\", \"Picklist for selecting the organization preference for reporting scripting errors.\",\n \"RequireApprovalForQueueEmail\", \"Is Approval For Queue Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"RequireApprovalForUserEmail\", \"Is Approval For User Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"ResolveSimilarUnresolvedEmailAddress\", \"Apply same email address to all unresolved matches when you manually resolve it for one\", \"Apply same email address to all unresolved matches when you manually resolve it for one\",\n \"RestrictStatusUpdate\", \"Restrict Status Update\", \"Flag to restrict Update on incident.\",\n \"ReverseProxyIpAddresses\", \"List of reverse proxy IP addresses to be allowed.\", \"Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.\",\n \"RiErrorStatus\", \"Error status of Relationship Insights provisioning.\", \"Error status of Relationship Insights provisioning.\",\n \"SampleDataImportId\", \"Sample Data Import\", \"Unique identifier of the sample data import job.\",\n \"SchemaNamePrefix\", \"Customization Name Prefix\", \"Prefix used for custom entities and attributes.\",\n \"SendBulkEmailInUCI\", \"Send Bulk Email in UCI\", \"Indicates whether Send Bulk Email in UCI is enabled for the org.\",\n \"ServeStaticResourcesFromAzureCDN\", \"Serve Static Content From CDN\", \"Serve Static Content From CDN\",\n \"SessionRecordingEnabled\", \"Enable the session recording feature\", \"Enable the session recording feature to record user sessions in UCI\",\n \"SessionTimeoutEnabled\", \"Session timeout enabled\", \"Information that specifies whether session timeout is enabled\",\n \"SessionTimeoutInMins\", \"Session timeout in minutes\", \"Session timeout in minutes\",\n \"SessionTimeoutReminderInMins\", \"Session timeout reminder in minutes\", \"Session timeout reminder in minutes\",\n \"SharePointDeploymentType\", \"Choose SharePoint Deployment Type\", \"Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)\",\n \"ShareToPreviousOwnerOnAssign\", \"Share To Previous Owner On Assign\", \"Information that specifies whether to share to previous owner on assign.\",\n \"ShowKBArticleDeprecationNotification\", \"Show KBArticle deprecation message to user\", \"Select whether to display a KB article deprecation notification to the user.\",\n \"ShowWeekNumber\", \"Show Week Number\", \"Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.\",\n \"SignupOutlookDownloadFWLink\", \"CRMForOutlookDownloadURL\", \"CRM for Outlook Download URL\",\n \"SiteMapXml\", \"SiteMap XML\", \"XML string that defines the navigation structure for the application.\",\n \"SlaPauseStates\", \"SLA pause states\", \"Contains the on hold case status values.\",\n \"SocialInsightsEnabled\", \"Social Insights Enabled\", \"Flag for whether the organization is using Social Insights.\",\n \"SocialInsightsInstance\", \"Social Insights instance identifier\", \"Identifier for the Social Insights instance for the organization.\",\n \"SocialInsightsTermsAccepted\", \"Social Insights Terms of Use\", \"Flag for whether the organization has accepted the Social Insights terms of use.\",\n \"SortId\", \"Sort\", \"For internal use only.\",\n \"SqlAccessGroupId\", \"SQL Access Group\", \"For internal use only.\",\n \"SqlAccessGroupName\", \"SQL Access Group Name\", \"For internal use only.\",\n \"SQMEnabled\", \"Is SQM Enabled\", \"Setting for SQM data collection, 0 no, 1 yes enabled\",\n \"SupportUserId\", \"Support User\", \"Unique identifier of the support user for the organization.\",\n \"SuppressSLA\", \"Is SLA suppressed\", \"Indicates whether SLA is suppressed.\",\n \"SuppressValidationEmails\", \"Whether Admin emails are sent when Solution Checker validation fails\", \"Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.\",\n \"SyncBulkOperationBatchSize\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\",\n \"SyncBulkOperationMaxLimit\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\",\n \"SyncOptInSelection\", \"Enable dynamics 365 azure sync framework for this organization.\", \"Indicates the selection to use the dynamics 365 azure sync framework or server side sync.\",\n \"SyncOptInSelectionStatus\", \"Status of opt-in or opt-out operation for dynamics 365 azure sync.\", \"Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.\",\n \"SystemUserId\", \"System User\", \"Unique identifier of the system user for the organization.\",\n \"TableScopedDVSearchInApps\", \"Table Scoped Dataverse Search In Apps\", \"Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.\",\n \"TagMaxAggressiveCycles\", \"Auto-Tag Max Cycles\", \"Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.\",\n \"TagPollingPeriod\", \"Auto-Tag Interval\", \"Normal polling frequency used for email receive auto-tagging in outlook.\",\n \"TaskBasedFlowEnabled\", \"Enable Task Flow processes for this Organization\", \"Select whether to turn on task flows for the organization.\",\n \"TeamsChatDataSync\", \"Enable Teams Chat Data Sync.\", \"Information on whether Teams Chat Data Sync is enabled.\",\n \"TelemetryInstrumentationKey\", \"Telemetry Instrumentation Key\", \"Instrumentation key for Application Insights used to log plugins telemetry.\",\n \"TextAnalyticsEnabled\", \"Enable Text Analytics for this Organization\", \"Select whether to turn on text analytics for the organization.\",\n \"TimeFormatCode\", \"Time Format Code\", \"Information that specifies how the time is displayed throughout Microsoft CRM.\",\n \"TimeFormatString\", \"Time Format String\", \"Text for how time is displayed in Microsoft Dynamics 365.\",\n \"TimeSeparator\", \"Time Separator\", \"Text for how the time separator is displayed throughout Microsoft Dynamics 365.\",\n \"TimeZoneRuleVersionNumber\", \"Time Zone Rule Version Number\", \"For internal use only.\",\n \"TokenExpiry\", \"Token Expiration Duration\", \"Duration used for token expiration.\",\n \"TokenKey\", \"Token Key\", \"Token key.\",\n \"TraceLogMaximumAgeInDays\", \"Tracelog record maximum age in days\", \"Tracelog record maximum age in days\",\n \"TrackingPrefix\", \"Tracking Prefix\", \"History list of tracking token prefixes.\",\n \"TrackingTokenIdBase\", \"Tracking Token Base\", \"Base number used to provide separate tracking token identifiers to users belonging to different deployments.\",\n \"TrackingTokenIdDigits\", \"Tracking Token Digits\", \"Number of digits used to represent a tracking token identifier.\",\n \"UniqueSpecifierLength\", \"Unique String Length\", \"Number of characters appended to invoice, quote, and order numbers.\",\n \"UnresolveEmailAddressIfMultipleMatch\", \"Set To,cc,bcc fields as unresolved if multiple matches are found\", \"Indicates whether email address should be unresolved if multiple matches are found\",\n \"UseInbuiltRuleForDefaultPricelistSelection\", \"Use Inbuilt Rule For Default Pricelist Selection\", \"Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.\",\n \"UseLegacyRendering\", \"Legacy Form Rendering\", \"Select whether to use legacy form rendering.\",\n \"UsePositionHierarchy\", \"Use position hierarchy\", \"Use position hierarchy\",\n \"UseQuickFindViewForGridSearch\", \"Use Quick Find view when searching in grids\", \"Indicates whether searching in a grid should use the Quick Find view for the entity.\",\n \"UserAccessAuditingInterval\", \"User Authentication Auditing Interval\", \"The interval at which user access is checked for auditing.\",\n \"UseReadForm\", \"Use Read-Optimized Form\", \"Indicates whether the read-optimized form should be enabled for this organization.\",\n \"UserGroupId\", \"User Group\", \"Unique identifier of the default group of users in the organization.\",\n \"UserRatingEnabled\", \"Enable the user rating feature\", \"Enable the user rating feature to show the NSAT score and comment to maker\",\n \"UseSkypeProtocol\", \"User Skype Protocol\", \"Indicates default protocol selected for organization.\",\n \"UTCConversionTimeZoneCode\", \"UTC Conversion Time Zone Code\", \"Time zone code that was in use when the record was created.\",\n \"ValidationMode\", \"Validation mode for apps in this environment\", \"Validation mode for apps in this environment\",\n \"WebResourceHash\", \"Web resource hash\", \"Hash value of web resources.\",\n \"WeekStartDayCode\", \"Week Start Day Code\", \"Designated first day of the week throughout Microsoft Dynamics 365.\",\n \"WidgetProperties\", \"For Internal use only.\", \"For Internal use only.\",\n \"YammerGroupId\", \"Yammer Group Id\", \"Denotes the Yammer group ID\",\n \"YammerNetworkPermalink\", \"Yammer Network Permalink\", \"Denotes the Yammer network permalink\",\n \"YammerOAuthAccessTokenExpired\", \"Yammer OAuth Access Token Expired\", \"Denotes whether the OAuth access token for Yammer network has expired\",\n \"YammerPostMethod\", \"Internal Use Only\", \"Internal Use Only\",\n \"YearStartWeekCode\", \"Year Start Week Code\", \"Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.\",\n \"AcknowledgementTemplateIdName\", \"\", \"Name of the template to be used for unsubscription acknowledgement.\",\n \"BaseCurrencyIdName\", \"\", \"\",\n \"BaseCurrencyPrecision\", \"Base Currency Precision\", \"Number of decimal places that can be used for the base currency.\",\n \"BaseCurrencySymbol\", \"Base Currency Symbol\", \"Symbol used for the base currency.\",\n \"BaseISOCurrencyCode\", \"Base ISO Currency Code\", \"\",\n \"CreatedBy\", \"Created By\", \"Unique identifier of the user who created the organization.\",\n \"CreatedByName\", \"\", \"\",\n \"CreatedByYomiName\", \"\", \"\",\n \"CreatedOn\", \"Created On\", \"Date and time when the organization was created.\",\n \"CreatedOnBehalfBy\", \"Created By (Delegate)\", \"Unique identifier of the delegate user who created the organization.\",\n \"CreatedOnBehalfByName\", \"\", \"\",\n \"CreatedOnBehalfByYomiName\", \"\", \"\",\n \"CurrentImportSequenceNumber\", \"Current Import Sequence Number\", \"Import sequence to use.\",\n \"CurrentParsedTableNumber\", \"Current Parsed Table Number\", \"First parsed table number to use.\",\n \"DaysSinceRecordLastModifiedMaxValue\", \"Max value of Days since record last modified\", \"The maximum value for the Mobile Offline setting Days since record last modified\",\n \"DefaultEmailServerProfileIdName\", \"\", \"Name of the email server profile to be used as default profile for the mailboxes.\",\n \"DefaultMobileOfflineProfileIdName\", \"\", \"Name of the default mobile offline profile to be used as default profile for mobile offline.\",\n \"DisabledReason\", \"Disabled Reason\", \"Reason for disabling the organization.\",\n \"EntityImage_Timestamp\", \"\", \"\",\n \"EntityImage_URL\", \"\", \"\",\n \"EntityImageId\", \"Entity Image Id\", \"For internal use only.\",\n \"FiscalSettingsUpdated\", \"Is Fiscal Settings Updated\", \"Information that specifies whether the fiscal settings have been updated.\",\n \"IsAllMoneyDecimal\", \"Set if all money attributes are converted to decimal\", \"Indicates whether all money attributes are converted to decimal.\",\n \"IsDisabled\", \"Is Organization Disabled\", \"Information that specifies whether the organization is disabled.\",\n \"MaxSupportedInternetExplorerVersion\", \"Max supported IE version\", \"The maximum version of IE to run browser emulation for in Outlook client\",\n \"MaxVerboseLoggingMailbox\", \"Max No Of Mailboxes To Enable For Verbose Logging\", \"Maximum number of mailboxes that can be toggled for verbose logging\",\n \"MaxVerboseLoggingSyncCycles\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\",\n \"MetadataSyncLastTimeOfNeverExpiredDeletedObjects\", \"The last date/time for never expired metadata tracking deleted objects\", \"What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.\",\n \"MetadataSyncTimestamp\", \"Metadata sync version\", \"Contains the maximum version number for attributes used by metadata synchronization that have changed.\",\n \"MobileOfflineMinLicenseProd\", \"Minimum number of user license required for mobile offline service by production/preview organization\", \"Minimum number of user license required for mobile offline service by production/preview organization\",\n \"MobileOfflineMinLicenseTrial\", \"Minimum number of user license required for mobile offline service by trial organization\", \"Minimum number of user license required for mobile offline service by trial organization\",\n \"ModifiedBy\", \"Modified By\", \"Unique identifier of the user who last modified the organization.\",\n \"ModifiedByName\", \"\", \"\",\n \"ModifiedByYomiName\", \"\", \"\",\n \"ModifiedOn\", \"Modified On\", \"Date and time when the organization was last modified.\",\n \"ModifiedOnBehalfBy\", \"Modified By (Delegate)\", \"Unique identifier of the delegate user who last modified the organization.\",\n \"ModifiedOnBehalfByName\", \"\", \"\",\n \"ModifiedOnBehalfByYomiName\", \"\", \"\",\n \"NextCustomObjectTypeCode\", \"Next Entity Type Code\", \"Next entity type code to use for custom entities.\",\n \"OrganizationId\", \"Organization\", \"Unique identifier of the organization.\",\n \"OrganizationState\", \"Organization State\", \"Indicates the organization lifecycle state\",\n \"ParsedTableColumnPrefix\", \"Parsed Table Column Prefix\", \"Prefix used for parsed table columns.\",\n \"ParsedTablePrefix\", \"Parsed Table Prefix\", \"Prefix used for parsed tables.\",\n \"V3CalloutConfigHash\", \"V3 Callout Hash\", \"Hash of the V3 callout configuration file.\",\n \"VersionNumber\", \"Version Number\", \"Version number of the organization.\"\n]\n| project FieldName = tolower(Field), DisplayName, Description\n", + "functionParameters": "", "version": 2, - "tags": [ - { - "name": "description", - "value": "The query detects anomalous attempts to perform bulk sharing of Power App to newly created guest users." - }, - { - "name": "tactics", - "value": "InitialAccess,LateralMovement,ResourceDevelopment" - }, - { - "name": "techniques", - "value": "T1566,T1534,T1587" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", - "properties": { - "description": "Microsoft Business Applications Hunting Query 8", - "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", - "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", - "kind": "HuntingQuery", - "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", - "contentKind": "HuntingQuery", - "displayName": "Power Apps - Anomalous bulk sharing of Power App to newly created guest users", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '3.2.0')))]", - "version": "3.2.0" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Add-SharePoint-Site Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Add-SharePoint-Site", - "type": "string" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "Enter value for resourceGroupName" - } - }, - "subscriptionId": { - "type": "string", - "metadata": { - "description": "Enter value for subscriptionId" - } - }, - "watchlistAlias": { - "type": "string", - "defaultValue": "MSBizApps-Configuration", - "metadata": { - "description": "Enter value for watchlistAlias" - } - }, - "workspaceId": { - "type": "string", - "metadata": { - "description": "Enter value for workspaceId" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[[parameters('resourceGroupName')]" - }, - "subscriptionId": { - "type": "string", - "defaultValue": "[[parameters('subscriptionId')]" - }, - "watchlistAlias": { - "type": "string", - "defaultValue": "[[parameters('watchlistAlias')]" - }, - "workspaceId": { - "type": "string", - "defaultValue": "[[parameters('workspaceId')]" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - } - } - }, - "actions": { - "Compose_Data": { - "runAfter": { - "For_each": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": { - "InstanceUrl": "@variables('InstanceUrl')", - "SharePointUrl": "@variables('SharePointSiteUrl')" - } - }, - "Condition": { - "actions": { - "Terminate": { - "type": "Terminate", - "inputs": { - "runError": { - "code": "TooManyEntities", - "message": "Found more than 2 entities in a single alert. Please ensure the Analytics Rule Event Grouping is set to: Trigger an alert for each event" - }, - "runStatus": "Failed" - } - } - }, - "runAfter": { - "Initialize_InstanceUrl": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "greater": [ - "@length(triggerBody()?['Entities'])", - 2 - ] - } - ] - }, - "type": "If" - }, - "For_each": { - "foreach": "@triggerBody()?['Entities']", - "actions": { - "Switch": { - "cases": { - "Case_Dataverse": { - "case": 32780, - "actions": { - "Set_SharePointSiteUrl": { - "type": "SetVariable", - "inputs": { - "name": "InstanceUrl", - "value": "@{items('For_each')?['InstanceName']}" - } - } - } - }, - "Case_SharePoint": { - "case": 20892, - "actions": { - "Set_InstanceUrl": { - "type": "SetVariable", - "inputs": { - "name": "SharePointSiteUrl", - "value": "@{items('For_each')?['InstanceName']}" - } - } - } - } - }, - "expression": "@items('For_each')['AppId']", - "type": "Switch" - } - }, - "runAfter": { - "Condition": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_InstanceUrl": { - "runAfter": { - "Initialize_SharePointSiteUrl": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "InstanceUrl", - "type": "string" - } - ] - } - }, - "Initialize_SharePointSiteUrl": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "SharePointSiteUrl", - "type": "string" - } - ] - } - }, - "Watchlists_-_Add_a_new_Watchlist_Item": { - "runAfter": { - "Compose_Data": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Category": "SharePoint", - "Data": "@string(outputs('Compose_Data'))" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent(parameters('watchlistAlias'))}/watchlistItem" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - } + "tags": [ + { + "name": "description", + "value": "MSBizAppsOrgSettings" } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "MS-BizApps-Add-SharePoint-Site", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" } - } } - ], - "metadata": { - "title": "Dataverse: Add SharePoint sites to watchlist", - "description": "This playbook is used to add new or updated SharePoint document management sites into the configuration watchlist. When combined with a scheduled analytics rule monitoring the Dataverse activity log, this Playbook will trigger when a new SharePoint document management site mapping is added. The site will be added to a watchlist to extend monitoring coverage.", - "prerequisites": [ - "1. Collect the subscription ID, resource group name and workspace ID of the Sentinel workspace." - ], - "postDeployment": [ - "1. Create a Sentinel automation rule to trigger this Playbook for the the Analytics Rule **Dataverse - SharePoint document management site added or updated**.", - "2. Configure Event Grouping settings for the Analytics rule to **Trigger an alert for each event**." - ], - "tags": [ - "Remediation" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject4').parserTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "lastUpdateTime": "2022-10-11T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Add-SharePoint-Site", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Blocklist-Add-User-AlertTrigger Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Blocklist-Add-User-AlertTrigger", - "type": "string" - }, - "GroupId": { - "type": "string", - "metadata": { - "description": "Enter object ID for Microsoft Entra group" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "GroupId": { - "type": "string", - "defaultValue": "[[parameters('GroupId')]" - } - }, - "triggers": { - "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Add_user_to_group": { - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "@@odata.id": "@body('Get_user')?['id']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "post", - "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" - } - }, - "Get_user": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } + "properties": { + "description": "MSBizAppsTerminatedEmployees Data Parser with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject4').parserVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject4')._parserName4]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "MSBizAppsTerminatedEmployees", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsTerminatedEmployees", + "query": "let TerminatedEmployees_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n UserState: string,\n NotificationDate: datetime,\n TerminationDate: datetime,\n Tags: string\n) [\n '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'\n];\nlet TerminatedEmployees_data = (\n _GetWatchlist(TerminatedEmployeesWatchlistAlias)\n | project\n UserIdentifier = column_ifexists('User Identifier', '_'),\n UserAADObjectId = column_ifexists('User AAD Object Id', '_'),\n UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),\n UserPrincipalName = column_ifexists('User Principal Name', '_'),\n UserState = column_ifexists('UserState', '_'),\n NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),\n TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),\n Tags = column_ifexists('Tags', '_')\n );\nTerminatedEmployees_data\n| union isfuzzy = true (TerminatedEmployees_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier = tostring(UserIdentifier),\n UserAADObjectId = tostring(UserAADObjectId),\n UserOnPremSid = tostring(UserOnPremSid),\n UserPrincipalName = tostring(UserPrincipalName),\n UserState = tostring(UserState),\n NotificationDate = todatetime(NotificationDate),\n TerminationDate = todatetime(TerminationDate),\n Tags = tostring(Tags)\n", + "functionParameters": "TerminatedEmployeesWatchlistAlias:string='TerminatedEmployees'", + "version": 2, + "tags": [ + { + "name": "description", + "value": "MSBizAppsTerminatedEmployees" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", + "dependsOn": [ + "[variables('parserObject4')._parserId4]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]", + "contentId": "[variables('parserObject4').parserContentId4]", + "kind": "Parser", + "version": "[variables('parserObject4').parserVersion4]", + "source": { + "name": "Microsoft Business Applications", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach", - "description": "Iterate on each Dynamics 365 user account" - } - } + ] }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", - "connectionName": "[[variables('AzureadConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject4').parserContentId4]", + "contentKind": "Parser", + "displayName": "MSBizAppsTerminatedEmployees", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '3.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '3.0.1')))]", + "version": "[variables('parserObject4').parserVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject4')._parserName4]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "MSBizAppsTerminatedEmployees", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsTerminatedEmployees", + "query": "let TerminatedEmployees_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n UserState: string,\n NotificationDate: datetime,\n TerminationDate: datetime,\n Tags: string\n) [\n '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'\n];\nlet TerminatedEmployees_data = (\n _GetWatchlist(TerminatedEmployeesWatchlistAlias)\n | project\n UserIdentifier = column_ifexists('User Identifier', '_'),\n UserAADObjectId = column_ifexists('User AAD Object Id', '_'),\n UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),\n UserPrincipalName = column_ifexists('User Principal Name', '_'),\n UserState = column_ifexists('UserState', '_'),\n NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),\n TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),\n Tags = column_ifexists('Tags', '_')\n );\nTerminatedEmployees_data\n| union isfuzzy = true (TerminatedEmployees_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier = tostring(UserIdentifier),\n UserAADObjectId = tostring(UserAADObjectId),\n UserOnPremSid = tostring(UserOnPremSid),\n UserPrincipalName = tostring(UserPrincipalName),\n UserState = tostring(UserState),\n NotificationDate = todatetime(NotificationDate),\n TerminationDate = todatetime(TerminationDate),\n Tags = tostring(Tags)\n", + "functionParameters": "TerminatedEmployeesWatchlistAlias:string='TerminatedEmployees'", + "version": 2, + "tags": [ + { + "name": "description", + "value": "MSBizAppsTerminatedEmployees" } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-AlertTrigger", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureadConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureadConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", + "dependsOn": [ + "[variables('parserObject4')._parserId4]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]", + "contentId": "[variables('parserObject4').parserContentId4]", + "kind": "Parser", + "version": "[variables('parserObject4').parserVersion4]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" } - } } - ], - "metadata": { - "title": "Dataverse: Add user to blocklist (alert trigger)", - "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", - "prerequisites": [ - "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", - "2. Create a Conditional Access policy in Microsoft Entra.", - "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." - ], - "postDeployment": [ - "1. Grant permissions to Sentinel for Playook managed identity.", - "2. Authorize connection for Microsoft Entra." - ], - "entities": [ - "Account" - ], - "tags": [ - "Remediation" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject5').parserTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "lastUpdateTime": "2022-10-11T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Blocklist-Add-User-AlertTrigger", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Blocklist-Add-User-Via-Outlook Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Blocklist-Add-User-Via-Outlook", - "type": "string" - }, - "GroupId": { - "type": "string", - "metadata": { - "description": "Enter object ID for Microsoft Entra group" - } - }, - "ToAlias": { - "type": "string", - "metadata": { - "description": "Enter value for ToAlias" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]", - "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "GroupId": { - "type": "string", - "defaultValue": "[[parameters('GroupId')]" - }, - "ToAlias": { - "type": "string", - "defaultValue": "[[parameters('ToAlias')]" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition_to_check_the_SOC_selected_option": { - "actions": { - "Add_user_to_group": { - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "@@odata.id": "@body('Get_user')?['id']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "post", - "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" - } - }, - "Condition": { - "actions": { - "Add_comment_to_incident_(V3)": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User was added to CA block group in AAD: @{items('For_each')?['Name']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Add_user_to_group": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_4": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Account name: @{items('For_each')?['Name']}
\nError: @{body('Add_user_to_group')['error']['message']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@int(actionOutputs('Add_user_to_group').statusCode)", - 204 - ] - } - ] - }, - "type": "If", - "description": "Verify the execution result of function" - }, - "Get_user": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Send_email_with_options": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_3": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Account name: @{items('For_each')?['Name']}
\nSOC Action: Ignore

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Send_email_with_options')?['SelectedOption']", - "Approve" + "properties": { + "description": "MSBizAppsVIPUsers Data Parser with template version 3.2.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject5').parserVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject5')._parserName5]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "MSBizAppsVIPUsers", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsVIPUsers", + "query": "let MSBizAppsVIPUsers_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n Tags: string\n) [\n '_', '_', '_', '_', '_'\n];\nlet MSBizAppsVIPUsers_data = (\n _GetWatchlist(VIPUsersWatchlistAlias)\n | project\n UserIdentifier = tostring(column_ifexists('User Identifier', '_')),\n UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),\n UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),\n UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMSBizAppsVIPUsers_data\n| union isfuzzy = true (MSBizAppsVIPUsers_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier,\n UserAADObjectId,\n UserOnPremSid,\n UserPrincipalName,\n Tags\n", + "functionParameters": "VIPUsersWatchlistAlias:string='VIPUsers'", + "version": 2, + "tags": [ + { + "name": "description", + "value": "MSBizAppsVIPUsers" + } ] - } - ] - }, - "type": "If" - }, - "Send_email_with_options": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "Message": { - "Body": "

Incident Url: @{triggerBody()?['object']?['properties']?['incidentUrl']}

\n

Incident#: @{triggerBody()?['object']?['properties']?['incidentNumber']}

\n

User Id: @{items('For_each')?['Name']}

\n

The account will be added to the CA block group in AAD.

\n", - "HideHTMLMessage": false, - "Importance": "High", - "Options": "Approve, Deny", - "ShowHTMLConfirmationDialog": false, - "Subject": "Dynamics 365 block user in Conditional Access", - "To": "@parameters('ToAlias')", - "UseOnlyHTMLMessage": true - }, - "NotificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "path": "/mailwithoptions/$subscriptions" - } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "name": "Microsoft Business Applications", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" + } + } } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach", - "description": "Iterate on each Dynamics 365 user account" - } - } + ] }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]" - }, - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", - "connectionName": "[[variables('AzureadConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject5').parserContentId5]", + "contentKind": "Parser", + "displayName": "MSBizAppsVIPUsers", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '3.2.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '3.2.0')))]", + "version": "[variables('parserObject5').parserVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject5')._parserName5]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "MSBizAppsVIPUsers", + "category": "MSBizAppsFunctions", + "functionAlias": "MSBizAppsVIPUsers", + "query": "let MSBizAppsVIPUsers_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n Tags: string\n) [\n '_', '_', '_', '_', '_'\n];\nlet MSBizAppsVIPUsers_data = (\n _GetWatchlist(VIPUsersWatchlistAlias)\n | project\n UserIdentifier = tostring(column_ifexists('User Identifier', '_')),\n UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),\n UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),\n UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMSBizAppsVIPUsers_data\n| union isfuzzy = true (MSBizAppsVIPUsers_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier,\n UserAADObjectId,\n UserOnPremSid,\n UserPrincipalName,\n Tags\n", + "functionParameters": "VIPUsersWatchlistAlias:string='VIPUsers'", + "version": 2, + "tags": [ + { + "name": "description", + "value": "MSBizAppsVIPUsers" } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Outlook", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureadConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureadConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com" } - } - } - ], - "metadata": { - "title": "Dataverse: Add user to blocklist using Outlook approval workflow", - "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using an Outlook based approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", - "prerequisites": [ - "1. An email address for SOC to receieve approval requests.", - "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", - "3. Create a Conditional Access policy in Microsoft Entra.", - "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." - ], - "postDeployment": [ - "1. Grant permissions to Sentinel for Playbook managed identity.", - "2. Authorize connection for Microsoft Entra.", - "3. Authorize connection for Microsoft Outlook." - ], - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "lastUpdateTime": "2022-10-11T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Blocklist-Add-User-Via-Outlook", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Blocklist-Add-User-Via-Teams Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Blocklist-Add-User-Via-Teams", - "type": "string" - }, - "GroupId": { - "type": "string", - "metadata": { - "description": "Enter object ID for Microsoft Entra group" - } - }, - "TeamsChannelId": { - "type": "string", - "metadata": { - "description": "Enter value for TeamsChannelId" - } - }, - "TeamsGroupId": { - "type": "string", - "metadata": { - "description": "Enter value for TeamsGroupId" - } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist1-id'))]", + "apiVersion": "2023-02-01", + "properties": { + "description": "Configuration for Microsoft Business Applications solution", + "displayName": "MSBizApps-Configuration", + "source": "ContentHub", + "provider": "Microsoft", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "Category", + "rawContent": "Category,Data\n_,_\n", + "watchlistAlias": "MSBizApps-Configuration", + "contentType": "text/csv" } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]", - "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "GroupId": { - "type": "string", - "defaultValue": "[[parameters('GroupId')]" - }, - "TeamsChannelId": { - "type": "string", - "defaultValue": "[[parameters('TeamsChannelId')]" - }, - "TeamsGroupId": { - "type": "string", - "defaultValue": "[[parameters('TeamsGroupId')]" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Condition_to_check_the_SOC_selected_option": { - "actions": { - "Add_user_to_group": { - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "@@odata.id": "@body('Get_user')?['id']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "post", - "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" - } - }, - "Condition": { - "actions": { - "Add_comment_to_incident_(V3)_2": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User was added to CA block group in AAD: @{items('For_each')?['Name']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Add_user_to_group": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_3": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Account name: @{items('For_each')?['Name']}
\nError: @{body('Add_user_to_group')['error']['message']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition10'), variables('dataConnectorVersion10'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentId10')]", + "displayName": "Microsoft Power Automate", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion10')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId10'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId10')]", + "title": "Microsoft Power Automate", + "publisher": "Microsoft", + "logo": "PowerAutomate.svg", + "descriptionMarkdown": "Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Microsoft Power Automate", + "baseQuery": "PowerAutomateActivity" + } + ], + "sampleQueries": [ + { + "description": "Microsoft Power Automate Logs", + "query": "PowerAutomateActivity\n | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "PowerAutomateActivity", + "lastDataReceivedQuery": "PowerAutomateActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": 2, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Tenant Permissions", + "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant." + }, + { + "name": "Micorosft Purview Audit", + "description": "Microsoft Purview Audit (Standard or Premium) must be activated." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Microsoft Power Automate audit logs to Microsoft Sentinel", + "description": "This connector uses the Office Management API to get your Power Automate audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerAutomateActivity** table.", + "instructions": [ + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@int(actionOutputs('Add_user_to_group').statusCode)", - 204 ] - } - ] - }, - "type": "If", - "description": "Verify the execution result of function" - }, - "Get_user": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Account name: @{items('For_each')?['Name']}
\nSOC Action: Ignore

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@body('Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response')?['submitActionId']", - "Block user" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId10')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId10'))]", + "contentId": "[variables('_dataConnectorContentId10')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion10')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections10')]", + "contentId": "[variables('_dataConnectorContentIdConnections10')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-09-01-preview", + "name": "[variables('_dataConnectorDataCollectionRulePrefix10')]", + "location": "[parameters('workspace-location')]", + "properties": { + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('_workspaceResourceId')]", + "name": "[variables('_destinationName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-PowerAutomateActivity" + ], + "destinations": [ + "[variables('_destinationName')]" + ], + "transformKql": "source", + "outputStream": "Microsoft-PowerAutomateActivity" + } ] - } - ] - }, - "type": "If", - "description": "Verify the SOC action to remove the SkuIds" - }, - "Post_an_Adaptive_Card_to_a_Teams_channel_and_wait_for_a_response": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "body": { - "messageBody": " {\n \"type\": \"AdaptiveCard\",\n \"body\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"Suspicious Account - Azure Sentinel\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Possible Comprised User detected by the provider\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"@{triggerBody()?['object']?['properties']?['severity']} incident @{triggerBody()?['object']?['properties']?['title']} \",\n \"wrap\": true,\n \"weight\":\"bolder\"\n },\n \n {\n \"type\": \"TextBlock\",\n \"text\": \"Incident description\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\":\" @{triggerBody()?['object']?['properties']?['description']}\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"[Click here to view the Incident](@{triggerBody()?['object']?['properties']?['incidentUrl']})\",\n \"wrap\": true\n },\n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Graph API Information:\",\n \"wrap\": true\n },\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://1.bp.blogspot.com/-XRTHPrt7nR4/Xu9koskiFWI/AAAAAAAAGcY/SRKJLzVYSekWRZqd1Adyrg66-1eaghZmwCK4BGAsYHg/s191/graph-icon-1.png\",\n \"size\": \"Small\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Do you want to add the following account to the D365 Conditional Access Block list: @{items('For_each')?['Name']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n{\n \"type\": \"TextBlock\",\n \"text\": \"Click approve to authorize adding user to block list.\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n \n {\n \"type\": \"TextBlock\",\n \"size\": \"Medium\",\n \"weight\": \"Bolder\",\n \"text\": \"Incident configuration:\",\n \"wrap\": true\n }\n ],\n \"width\": \"auto\"\n }\n ]\n },\n {\n \"type\": \"ColumnSet\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"style\": \"Person\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"Small\"\n }\n ],\n \"width\": \"auto\"\n }\n ]\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Block user\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Ignore\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", - "recipient": { - "channelId": "@parameters('TeamsChannelId')" - }, - "shouldUpdateCard": true - }, - "notificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams']['connectionId']" - } - }, - "path": "/flowbot/actions/flowcontinuation/recipienttypes/channel/$subscriptions", - "queries": { - "groupId": "@parameters('TeamsGroupId')" } - } } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach", - "description": "Iterate on each Dynamics 365 user account" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } - } - }, - "teams": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]" - }, - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", - "connectionName": "[[variables('AzureadConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "D365-Blocklist-Add-User-Via-Teams", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureadConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureadConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", - "kind": "Playbook", - "version": "[variables('playbookVersion4')]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ], - "metadata": { - "title": "Dataverse: Add user to blocklist using Teams approval workflow", - "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using a Teams adaptive card approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", - "prerequisites": [ - "1. Teams group and channel ID to receive approval requests.", - "2. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", - "3. Create a Conditional Access policy in Microsoft Entra.", - "4. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." - ], - "postDeployment": [ - "1. Grant permissions to Sentinel for Playook managed identity.", - "2. Authorize connection for Microsoft Entra.", - "3. Authorize connection for Microsoft Teams." - ], - "entities": [ - "Account" - ], - "tags": [ - "Remediation" - ], - "lastUpdateTime": "2022-10-11T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId4')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Blocklist-Add-User-Via-Teams", - "contentProductId": "[variables('_playbookcontentProductId4')]", - "id": "[variables('_playbookcontentProductId4')]", - "version": "[variables('playbookVersion4')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Blocklist-Add-User Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion5')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Blocklist-Add-User", - "type": "string" - }, - "GroupId": { - "type": "string", - "metadata": { - "description": "Enter object ID for Microsoft Entra group" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[variables('_dataConnectorcontentProductId10')]", + "id": "[variables('_dataConnectorcontentProductId10')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersion10')]" } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "GroupId": { - "type": "string", - "defaultValue": "[[parameters('GroupId')]" - } - }, - "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId10'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId10')]", + "title": "Microsoft Power Automate", + "publisher": "Microsoft", + "logo": "PowerAutomate.svg", + "descriptionMarkdown": "Power Automate is a Microsoft service that helps users create automated workflows between apps and services to synchronize files, get notifications, collect data, and more. It simplifies task automation, increasing efficiency by reducing manual, repetitive tasks, and enhancing productivity. The Power Automate data connector provides the capability to ingest Power Automate activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Microsoft Power Automate", + "baseQuery": "PowerAutomateActivity" + } + ], + "sampleQueries": [ + { + "description": "Microsoft Power Automate Logs", + "query": "PowerAutomateActivity\n | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "PowerAutomateActivity", + "lastDataReceivedQuery": "PowerAutomateActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": 2, + "isPreview": true }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Add_user_to_group": { - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "@@odata.id": "@body('Get_user')?['id']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } }, - "method": "post", - "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/$ref" - } - }, - "Condition": { - "actions": { - "Add_comment_to_incident_(V3)": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

User was added to CA block group in AAD: @{items('For_each')?['Name']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "Add_user_to_group": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment_to_incident_(V3)_2": { - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

Account name: @{items('For_each')?['Name']}
\nError: @{body('Add_user_to_group')['error']['message']}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@int(actionOutputs('Add_user_to_group').statusCode)", - 204 - ] - } - ] - }, - "type": "If", - "description": "Verify the execution result of function" - }, - "Get_user": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Tenant Permissions", + "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant." }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" + { + "name": "Micorosft Purview Audit", + "description": "Microsoft Purview Audit (Standard or Premium) must be activated." + } ] - }, - "type": "Foreach", - "description": "Iterate on each Dynamics 365 user account" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + }, + "instructionSteps": [ + { + "title": "Connect Microsoft Power Automate audit logs to Microsoft Sentinel", + "description": "This connector uses the Office Management API to get your Power Automate audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerAutomateActivity** table.", + "instructions": [ + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] } - }, - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", - "connectionName": "[[variables('AzureadConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "D365-Blocklist-Add-User", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureadConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureadConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" + ] } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId5')]", - "contentId": "[variables('_playbookContentId5')]", - "kind": "Playbook", - "version": "[variables('playbookVersion5')]", + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId10')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId10'))]", + "contentId": "[variables('_dataConnectorContentId10')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion10')]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections10')]", + "contentId": "[variables('_dataConnectorContentIdConnections10')]", + "kind": "ResourcesDataConnector" + } + ] } - } } - ], - "metadata": { - "title": "Dataverse: Add user to blocklist (incident trigger)", - "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", - "prerequisites": [ - "1. Create a security group in Microsoft Entra used to block access and take note of the group's object ID.", - "2. Create a Conditional Access policy in Microsoft Entra.", - "3. Configure the Conditional Access Policy to block access to Common Data Service (appid 00000007-0000-0000-c000-000000000000) for members of the group created in step 1." - ], - "postDeployment": [ - "1. Grant permissions to Sentinel for Playook managed identity.", - "2. Authorize connection for Microsoft Entra." - ], - "entities": [ - "Account" - ], - "tags": [ - "Remediation" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections10'), variables('dataConnectorVersionConnections10'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "lastUpdateTime": "2022-10-11T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId5')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Blocklist-Add-User", - "contentProductId": "[variables('_playbookcontentProductId5')]", - "id": "[variables('_playbookcontentProductId5')]", - "version": "[variables('playbookVersion5')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Blocklist-Remove-User-AlertTrigger Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion6')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Blocklist-Remove-User-AlertTrigger", - "type": "string" - }, - "GroupId": { - "type": "string", - "metadata": { - "description": "Enter object ID for Microsoft Entra group" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "AzureadConnectionName": "[[concat('Azuread-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "GroupId": { - "type": "string", - "defaultValue": "[[parameters('GroupId')]" - } - }, - "triggers": { - "When_a_response_to_an_Azure_Sentinel_alert_is_triggered": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/subscribe" - } - } - }, - "actions": { - "Entities_-_Get_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['Entities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each": { - "foreach": "@body('Entities_-_Get_Accounts')?['Accounts']", - "actions": { - "Get_user": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } - }, - "method": "get", - "path": "/v1.0/users/@{encodeURIComponent(concat(items('For_each')?['Name'], '@', items('for_each')?['UPNSuffix']))}" - } - }, - "Remove_Member_From_Group": { - "runAfter": { - "Get_user": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuread']['connectionId']" - } + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections10')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections10'))]", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections10')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" }, - "method": "delete", - "path": "/v1.0/groups/@{encodeURIComponent(parameters('GroupId'))}/members/@{encodeURIComponent(body('Get_user')?['id'])}/$ref" - } + "type": "object" } - }, - "runAfter": { - "Entities_-_Get_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach", - "description": "Iterate on each Dynamics 365 user account" - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections10')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections10'))]", + "contentId": "[variables('_dataConnectorContentIdConnections10')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections10')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_uiConfigId10'))]", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "PurviewAudit", + "properties": { + "TenantId": "[[subscription().tenantId]", + "SourceType": "MicrosoftFlow", + "ConnectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "DataTypes": { + "Logs": { + "state": "Enabled" + } + }, + "DcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "StreamName": "OFFICEPOWERAUTOMATE_RESTAPI" + } + } } - }, - "azuread": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]", - "connectionName": "[[variables('AzureadConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuread')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "D365-Blocklist-Remove-User-AlertTrigger", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('AzureadConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureadConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('AzureadConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId6')]", - "contentId": "[variables('_playbookContentId6')]", - "kind": "Playbook", - "version": "[variables('playbookVersion6')]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections10'),'-', variables('dataConnectorVersionConnections10'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersionConnections10')]" } - ], - "metadata": { - "title": "Dataverse: Remove user from blocklist", - "description": "This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to remove affected user entitites from a pre-defined Microsoft Entra group used to block access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse.", - "prerequisites": [ - "1. Object ID of the Microsoft Entra security group used to block access." - ], - "postDeployment": [ - "1. Grant permissions to Sentinel for Playook managed identity.", - "2. Authorize connection for Microsoft Entra." - ], - "entities": [ - "Account" - ], - "tags": [ - "Remediation" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition14'), variables('dataConnectorVersion14'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "lastUpdateTime": "2022-10-11T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId6')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Blocklist-Remove-User-AlertTrigger", - "contentProductId": "[variables('_playbookcontentProductId6')]", - "id": "[variables('_playbookcontentProductId6')]", - "version": "[variables('playbookVersion6')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Dataverse-Send-Manager-Notification Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion7')]", - "parameters": { - "PlaybookName": { - "defaultValue": "Dataverse-Send-Manager-Notification", - "type": "string" - }, - "FallbackMailbox": { - "type": "string", - "metadata": { - "description": "Enter email address for fallback mailbox" - } - }, - "ManagerTypeIsD365": { - "type": "string", - "defaultValue": "true", - "metadata": { - "description": "Leave as true to use Dynamics 365 manager or set to false for Office 365 manager" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]", - "Office365usersConnectionName": "[[concat('Office365users-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365users')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "FallbackMailbox": { - "defaultValue": "[[parameters('FallbackMailbox')]", - "type": "string" - }, - "ManagerTypeIsD365": { - "defaultValue": "[[parameters('ManagerTypeIsD365')]", - "type": "string" - } - }, - "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "For_each": { - "foreach": "@body('Parse_JSON')", - "actions": { - "Condition": { - "actions": { - "Set_variable": { - "type": "SetVariable", - "inputs": { - "name": "InstanceUrl", - "value": "@items('For_each')?['properties']?['instanceName']" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@items('For_each')['kind']", - "CloudApplication" - ] - } - ] - }, - "type": "If" - } - }, - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Initialize_variable": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "InstanceUrl", - "type": "string", - "value": "@{null}" - } - ] - } - }, - "InstanceUrl_Exists": { - "actions": { - "ManagerTypeIsD365": { - "actions": { - "Entities_-_Get_D365_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each_D365_account": { - "foreach": "@body('Entities_-_Get_D365_Accounts')?['Accounts']", - "actions": { - "Get_D365_User": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "@variables('InstanceUrl')", - "type": "ManagedServiceIdentity" - }, - "headers": { - "OData-MaxVersion": "4.0", - "OData-Version": "4.0", - "accept": "application/json" - }, - "method": "GET", - "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$select=_parentsystemuserid_value,windowsliveid&$filter=windowsliveid eq '@{concat(items('For_each_D365_account')?['accountName'],'@',items('For_each_D365_account')?['upnSuffix'])}'" - } - }, - "User_Has_Manager_D365": { - "actions": { - "Get_Manager": { - "type": "Http", - "inputs": { - "authentication": { - "audience": "@variables('InstanceUrl')", - "type": "ManagedServiceIdentity" - }, - "headers": { - "OData-MaxVersion": "4.0", - "OData-Version": "4.0", - "accept": "application/json" - }, - "method": "GET", - "uri": "@{variables('InstanceUrl')}api/data/v9.2/systemusers?$filter=_parentsystemuserid_value eq @{body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']}&$select=firstname,lastname,internalemailaddress" - } - }, - "Send_email_to_D365_manager": { - "runAfter": { - "Get_Manager": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below:
\n
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_D365_account')?['Name']}

", - "Importance": "High", - "Subject": "@triggerBody()?['object']?['properties']?['title']", - "To": "@{body('Get_Manager')['value'][0]?['internalemailaddress']}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365_1']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Get_D365_User": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Send_email_to_fallback_mailbox_(D365)": { - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Title: @{triggerBody()?['object']?['properties']?['title']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_D365_account')?['Name']}
\n
\nAlert generated for user .  However, this user has no manager assignment in Dynamics 365.

", - "Importance": "High", - "Subject": "Manager notification rule was triggered but no manager assigned in Dynamics 365", - "To": "@parameters('FallbackMailbox')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365_1']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@body('Get_D365_User')['value'][0]?['_parentsystemuserid_value']", - "@null" - ] + "properties": { + "contentId": "[variables('_dataConnectorContentId14')]", + "displayName": "Microsoft Dataverse", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion14')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId14'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId14')]", + "title": "Microsoft Dataverse", + "publisher": "Microsoft", + "logo": "Dataverse.svg", + "descriptionMarkdown": "Microsoft Dataverse is a scalable and secure data platform that enables organizations to store and manage data used by business applications. The Microsoft Dataverse data connector provides the capability to ingest Dataverse and Dynamics 365 CRM activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Microsoft Dataverse", + "baseQuery": "DataverseActivity" } - } - ] - }, - "type": "If" - } - }, - "runAfter": { - "Entities_-_Get_D365_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - }, - "else": { - "actions": { - "Entities_-_Get_O365_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each_O365_account": { - "foreach": "@body('Entities_-_Get_O365_Accounts')?['Accounts']", - "actions": { - "Get_manager_(V2)": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['office365users']['connectionId']" + ], + "sampleQueries": [ + { + "description": "Microsoft Dataverse Logs", + "query": "DataverseActivity\n | sort by TimeGenerated" } - }, - "method": "get", - "path": "/codeless/v1.0/users/@{encodeURIComponent(concat(items('For_each_O365_account')?['accountName'],'@',items('For_each_O365_account')?['upnSuffix']))}/manager" - } - }, - "User_Has_Manager_O365": { - "actions": { - "Send_email_to_O365_manager": { - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Microsoft Sentinel incident was triggered for a user reporting to you. Information is listed below:
\n
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_O365_account')?['Name']}

", - "Importance": "High", - "Subject": "@triggerBody()?['object']?['properties']?['title']", - "To": "@body('Get_manager_(V2)')?['mail']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365_1']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" + ], + "dataTypes": [ + { + "name": "DataverseActivity", + "lastDataReceivedQuery": "DataverseActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } - } - }, - "runAfter": { - "Get_manager_(V2)": [ - "Succeeded", - "Failed" - ] - }, - "else": { - "actions": { - "Send_email_to_fallback_mailbox_(O365)": { - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Title: @{triggerBody()?['object']?['properties']?['title']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_O365_account')?['Name']}
\n
\nAlert generated for user .  However, this user has no manager assignment in Office 365.

", - "Importance": "High", - "Subject": "Manager notification rule was triggered but no manager assigned in Office 365", - "To": "@parameters('FallbackMailbox')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365_1']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" } - } + ], + "availability": { + "status": 2, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Tenant Permissions", + "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant." + }, + { + "name": "Micorosft Purview Audit", + "description": "Microsoft Purview Audit (Standard or Premium) must be activated." + }, + { + "name": "Production Dataverse", + "description": "Activity logging is available only for Production environments. Other types, such as sandbox, do not support activity logging." + }, + { + "name": "Dataverse Audit Settings", + "description": "Audit settings must be configured both globally and at the entity/table level. [See the documentation to learn more about Dataverse audit settings](https://learn.microsoft.com/azure/sentinel/business-applications/deploy-power-platform-solution)." + } + ] }, - "expression": { - "and": [ + "instructionSteps": [ { - "not": { - "equals": [ - "@body('Get_manager_(V2)')?['mail']", - "@null" + "title": "Connect Microsoft Dataverse audit logs to Microsoft Sentinel", + "description": "This connector uses the Office Management API to get your Dataverse audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **DataverseActivity** table.", + "instructions": [ + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } ] - } } - ] - }, - "type": "If" - } - }, - "runAfter": { - "Entities_-_Get_O365_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } - } - }, - "expression": { - "and": [ - { - "equals": [ - "@parameters('ManagerTypeIsD365')", - true + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId14')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId14'))]", + "contentId": "[variables('_dataConnectorContentId14')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion14')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections14')]", + "contentId": "[variables('_dataConnectorContentIdConnections14')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-09-01-preview", + "name": "[variables('_dataConnectorDataCollectionRulePrefix14')]", + "location": "[parameters('workspace-location')]", + "properties": { + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('_workspaceResourceId')]", + "name": "[variables('_destinationName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-DataverseActivity" + ], + "destinations": [ + "[variables('_destinationName')]" + ], + "transformKql": "source", + "outputStream": "Microsoft-DataverseActivity" + } ] - } - ] - }, - "type": "If" + } } - }, - "runAfter": { - "For_each": [ - "Succeeded" - ] - }, - "else": { - "actions": { - "Entities_-_Get_Missing_Instance_Accounts": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/account" - } - }, - "For_each_account_(Missing_Instance)": { - "foreach": "@body('Entities_-_Get_Missing_Instance_Accounts')?['Accounts']", - "actions": { - "Send_email_to_fallback_mailbox_(Missing_Instance)": { - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

Title: @{triggerBody()?['object']?['properties']?['title']}
\nDescription: @{triggerBody()?['object']?['properties']?['description']}
\nUser: @{items('For_each_account_(Missing_Instance)')?['Name']}
\n
\nPlease ensure incidents triggering this playbook contain Cloud App type entity mappings with the InstanceUrl set in the InstanceName property of the entity mapping.

", - "Importance": "High", - "Subject": "Manager notification Playbook was triggered but Dynamics 365 instance URL was not found", - "To": "@parameters('FallbackMailbox')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365_1']['connectionId']" - } - }, - "method": "post", - "path": "/v2/Mail" - } - } - }, - "runAfter": { - "Entities_-_Get_Missing_Instance_Accounts": [ - "Succeeded" - ] - }, - "type": "Foreach" - } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[variables('_dataConnectorcontentProductId14')]", + "id": "[variables('_dataConnectorcontentProductId14')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersion14')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId14'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId14')]", + "title": "Microsoft Dataverse", + "publisher": "Microsoft", + "logo": "Dataverse.svg", + "descriptionMarkdown": "Microsoft Dataverse is a scalable and secure data platform that enables organizations to store and manage data used by business applications. The Microsoft Dataverse data connector provides the capability to ingest Dataverse and Dynamics 365 CRM activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Microsoft Dataverse", + "baseQuery": "DataverseActivity" } - }, - "expression": { - "or": [ - { - "equals": [ - "@parameters('ManagerTypeIsD365')", - "@false" - ] - }, - { - "startsWith": [ - "@tolower(variables('InstanceUrl'))", - "https://" - ] - } - ] - }, - "type": "If" - }, - "Parse_JSON": { - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "schema": { - "items": { - "properties": { - "id": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "properties": { - "properties": { - "appId": { - "type": "integer" - }, - "appName": { - "type": "string" - }, - "friendlyName": { - "type": "string" - }, - "instanceName": { - "type": "string" - } - }, - "type": "object" - }, - "type": { - "type": "string" - } - }, - "required": [ - "id", - "type", - "kind", - "properties" - ], - "type": "object" - }, - "type": "array" + ], + "sampleQueries": [ + { + "description": "Microsoft Dataverse Logs", + "query": "DataverseActivity\n | sort by TimeGenerated" } - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + ], + "dataTypes": [ + { + "name": "DataverseActivity", + "lastDataReceivedQuery": "DataverseActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } - }, - "office365_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]" - }, - "office365users": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]", - "connectionName": "[[variables('Office365usersConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365users')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "identity": { - "type": "SystemAssigned" - }, - "tags": { - "hidden-SentinelTemplateName": "D365-Send-Manager-Notification", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365usersConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365usersConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Office365usersConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId7')]", - "contentId": "[variables('_playbookContentId7')]", - "kind": "Playbook", - "version": "[variables('playbookVersion7')]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - } - ], - "metadata": { - "title": "Dataverse: Send notification to manager", - "description": "This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically send an email notificiation to the manager of the affected user entitites. The Playbook can be configured to send either to the Dynamics 365 manager, or using the manager in Office 365.", - "prerequisites": [ - "1. Ensure user accounts have a manager assigned in either Dynamics 365 or Office 365." - ], - "postDeployment": [ - "1. Set the ManagerTypeIsD365 Playbook parameter to false if using Office 365 manager.", - "2. Configure an email address for the FallbackMailbox Playbook parameter. This inbox will be used for any user entity without a manager assigned." - ], - "entities": [ - "Account" - ], - "tags": [ - "Notification" - ], - "lastUpdateTime": "2022-11-01T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId7')]", - "contentKind": "Playbook", - "displayName": "Dataverse-Send-Manager-Notification", - "contentProductId": "[variables('_playbookcontentProductId7')]", - "id": "[variables('_playbookcontentProductId7')]", - "version": "[variables('playbookVersion7')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MSBizApps-Incident-From-Alert-Teams Playbook with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", - "parameters": { - "PlaybookName": { - "defaultValue": "MSBizApps-Incident-From-Alert-Teams", - "type": "string" - }, - "WorkloadOwnersAddress": { - "type": "String", - "metadata": { - "description": "Enter value for WorkloadOwnersAddress" - } - }, - "EscalationsAddress": { - "type": "String", - "metadata": { - "description": "Enter value for EscalationsAddress" - } - }, - "OriginatorId": { - "type": "String", - "metadata": { - "description": "Enter value for OriginatorId" - } - }, - "SharedMailboxAddress": { - "type": "String", - "metadata": { - "description": "Enter value for SharedMailboxAddress" - } - }, - "TeamsChannelLink": { - "type": "String", - "metadata": { - "description": "Enter value for TeamsChannelLink" - } - } - }, - "variables": { - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "Office365ConnectionName": "[[concat('Office365-', parameters('PlaybookName'))]", - "TeamsConnectionName": "[[concat('Teams-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]", - "_connection-3": "[[variables('connection-3')]", - "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]", - "_connection-4": "[[variables('connection-4')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - }, - "WorkloadOwnersAddress": { - "defaultValue": "[[parameters('WorkloadOwnersAddress')]", - "type": "String" - }, - "EscalationsAddress": { - "defaultValue": "[[parameters('EscalationsAddress')]", - "type": "String" - }, - "OriginatorId": { - "defaultValue": "[[parameters('OriginatorId')]", - "type": "String" - }, - "SharedMailboxAddress": { - "defaultValue": "[[parameters('SharedMailboxAddress')]", - "type": "String" - }, - "TeamsChannelLink": { - "defaultValue": "[[parameters('TeamsChannelLink')]", - "type": "String" + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": 2, + "isPreview": true }, - "_PlaybookName": { - "defaultValue": "[[parameters('PlaybookName')]", - "type": "String" - } - }, - "triggers": { - "Microsoft_Sentinel_alert": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" - } - }, - "path": "/subscribe" - } - } - }, - "actions": { - "Condition": { - "actions": { - "Add_alert_to_incident": { - "runAfter": { - "Create_incident": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "incidentArmId": "@body('Create_incident')?['id']", - "relatedResourceId": "@triggerBody()?['SystemAlertId']" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" - } + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } }, - "method": "post", - "path": "/Incidents/Relation/Create" - } - }, - "Create_incident": { - "type": "ApiConnection", - "inputs": { - "body": { - "description": "This alert was flagged as suspicious by the BizApps team:\n\n@{triggerBody()?['Description']}\n", - "severity": "@triggerBody()?['Severity']", - "status": "New", - "title": "@triggerBody()?['AlertDisplayName']" + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Tenant Permissions", + "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant." }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel_1']['connectionId']" - } + { + "name": "Micorosft Purview Audit", + "description": "Microsoft Purview Audit (Standard or Premium) must be activated." }, - "method": "put", - "path": "/Incidents/subscriptions/@{triggerBody()?['workspaceInfo']?['SubscriptionId']}/resourceGroups/@{triggerBody()?['workspaceInfo']?['ResourceGroupName']}/workspaces/@{triggerBody()?['workspaceInfo']?['WorkspaceName']}" - } - } - }, - "runAfter": { - "Post_adaptive_card_and_wait_for_a_response": [ - "Succeeded" - ] - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Post_adaptive_card_and_wait_for_a_response')?['body']?['submitActionId']", - "Yes, this was authorized" - ] - } - } - ] - }, - "type": "If" - }, - "Initialize_OutlookMessage": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "OutlookMessage", - "type": "string", - "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n" - } - ] - } - }, - "Post_adaptive_card_and_wait_for_a_response": { - "runAfter": { - "Send_an_email_from_a_shared_mailbox_(V2)": [ - "Succeeded" - ] - }, - "limit": { - "timeout": "PT24H" - }, - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "body": { - "messageBody": "{\n \"type\": \"AdaptiveCard\",\n \"body\": [\n {\n \"type\": \"ColumnSet\",\n\"width\": \"auto\",\n \"columns\": [\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"Image\",\n \"url\": \"https://connectoricons-prod.azureedge.net/releases/v1.0.1391/1.0.1391.2130/azuresentinel/icon.png\",\n \"size\": \"small\"\n }\n ]\n },\n {\n \"type\": \"Column\",\n \"width\": \"auto\",\n \"items\": [\n {\n \"type\": \"TextBlock\",\n \"size\": \"large\",\n \"weight\": \"bolder\",\n \"text\": \"@{triggerBody()?['AlertDisplayName']}\",\n \"wrap\": true,\n \"horizontalAlignment\": \"left\"\n }\n ]\n }\n ]\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Microsoft Sentinel alert was created: @{triggerBody()?['Description']}\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n },\n {\n \"type\": \"TextBlock\",\n \"text\": \"Is this activity legitmate?\",\n \"wrap\": true,\n \"weight\": \"Bolder\"\n }\n ],\n \"actions\": [\n {\n \"type\": \"Action.Submit\",\n \"title\": \"Yes, this was authorized\"\n },\n {\n \"type\": \"Action.Submit\",\n \"title\": \"No, create an incident\"\n }\n ],\n \"$schema\": \"http://adaptivecards.io/schemas/adaptive-card.json\",\n \"version\": \"1.2\"\n}", - "recipient": { - "channelId": "[variables('blanks')]", - "groupId": "[variables('blanks')]" + { + "name": "Production Dataverse", + "description": "Activity logging is available only for Production environments. Other types, such as sandbox, do not support activity logging." }, - "updateMessage": "Thanks for your response!" - }, - "notificationUrl": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['teams_1']['connectionId']" - } - }, - "path": "/v1.0/teams/conversation/gatherinput/poster/Flow bot/location/@{encodeURIComponent('Channel')}/$subscriptions" - } - }, - "Send_an_email_escalation_due_to_timeout": { - "runAfter": { - "Set_Escalation_Message": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

@{variables('OutlookMessage')}

", - "Importance": "High", - "MailboxAddress": "@parameters('SharedMailboxAddress')", - "Subject": "ESCALATION: Security Process Impaired Due to Lack of Response", - "To": "@parameters('EscalationsAddress')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/SharedMailbox/Mail" - } - }, - "Send_an_email_from_a_shared_mailbox_(V2)": { - "runAfter": { - "Initialize_OutlookMessage": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

@{variables('OutlookMessage')}

", - "Importance": "High", - "MailboxAddress": "@parameters('SharedMailboxAddress')", - "Subject": "ACTION REQUIRED: Microsoft Sentinel Security Alert", - "To": "@parameters('WorkloadOwnersAddress')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/SharedMailbox/Mail" - } - }, - "Send_an_email_notification_of_failure": { - "runAfter": { - "Set_Failure_Message": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "body": { - "Body": "

@{variables('OutlookMessage')}

", - "Importance": "High", - "MailboxAddress": "@parameters('SharedMailboxAddress')", - "Subject": "FAILURE: Security Process Impaired Due to Playbook Failure", - "To": "@parameters('SharedMailboxAddress')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['office365']['connectionId']" - } - }, - "method": "post", - "path": "/v2/SharedMailbox/Mail" - } - }, - "Set_Escalation_Message": { - "runAfter": { - "Post_adaptive_card_and_wait_for_a_response": [ - "TimedOut" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "OutlookMessage", - "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n" - } - }, - "Set_Failure_Message": { - "runAfter": { - "Post_adaptive_card_and_wait_for_a_response": [ - "Skipped", - "Failed" - ] - }, - "type": "SetVariable", - "inputs": { - "name": "OutlookMessage", - "value": "\n\n \n \n\n\n Visit the Outlook Dev Portal to learn more\n about Actionable Messages.\n\n" - } - }, - "Terminate_Failed": { - "runAfter": { - "Send_an_email_notification_of_failure": [ - "Succeeded" + { + "name": "Dataverse Audit Settings", + "description": "Audit settings must be configured both globally and at the entity/table level. [See the documentation to learn more about Dataverse audit settings](https://learn.microsoft.com/azure/sentinel/business-applications/deploy-power-platform-solution)." + } ] - }, - "type": "Terminate", - "inputs": { - "runError": { - "code": "PlaybookFailed", - "message": "Playbook failed to post a message in Teams" - }, - "runStatus": "Failed" - } }, - "Terminate_Succeeded": { - "runAfter": { - "Send_an_email_escalation_due_to_timeout": [ - "Succeeded" - ] - }, - "type": "Terminate", - "inputs": { - "runStatus": "Succeeded" - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" - } + "instructionSteps": [ + { + "title": "Connect Microsoft Dataverse audit logs to Microsoft Sentinel", + "description": "This connector uses the Office Management API to get your Dataverse audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **DataverseActivity** table.", + "instructions": [ + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] } - }, - "office365": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "connectionName": "[[variables('Office365ConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Office365')]" - }, - "teams_1": { - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]", - "connectionName": "[[variables('TeamsConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Teams')]" - } - } - } - } - }, - "name": "[[parameters('PlaybookName')]", - "type": "Microsoft.Logic/workflows", - "location": "[[variables('workspace-location-inline')]", - "tags": { - "hidden-SentinelTemplateName": "MSBizApps-Admin-Teams-Approval-AlertTrigger", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - }, - "identity": { - "type": "SystemAssigned" - }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('Office365ConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('TeamsConnectionName'))]" - ] - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('Office365ConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('Office365ConnectionName')]", - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('TeamsConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", - "properties": { - "displayName": "[[variables('TeamsConnectionName')]", - "api": { - "id": "[[variables('_connection-4')]" + ] } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", - "kind": "Playbook", - "version": "[variables('playbookVersion8')]", + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId14')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId14'))]", + "contentId": "[variables('_dataConnectorContentId14')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion14')]", "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections14')]", + "contentId": "[variables('_dataConnectorContentIdConnections14')]", + "kind": "ResourcesDataConnector" + } + ] } - } } - ], - "metadata": { - "title": "Security workflow: alert verification with workload owners", - "description": "This playbook can reduce burden on the SOC by offloading alert verification to IT admins for specific analytics rules. It is triggered when a Microsoft Sentinel alert is generated, creates a message (and associated notification email) in the workload owner's Microsoft Teams channel containing details of the alert. If the workload owner responds that the activity is not authorized, the alert will be converted to an incident in Microsoft Sentinel for the SOC to handle.", - "prerequisites": [ - "1. Take note of the Microsoft Teams channel URL (right click channel and 'Get link to channel').", - "2. An Exchange Online shared mailbox for the SOC.", - "3. Email address for the workload owners to send alert notifications.", - "4. Email address to send escalation notifications if workload owners do not respond.", - "5. Register a new provider at the [Actionable Email Developer Dashboard](https://aka.ms/publishoam) \n a. Add the SOC mailbox as the sender address. \n b. Add the Teams channel URL as the target URL. \n c. Select the workload owner and escalation email address as test users for validation. \n d. Take note of the Provider Id (originator)." - ], - "postDeployment": [ - "1. In Logic Apps designer view, edit the 'Post adaptive card and wait for a reponse' action.", - "2. In the 'Team' and 'Channel' boxes, click on the 'X' to reveal the dropdown selector menu.", - "3. Select the appropriate Teams channel to receive notifications.", - "4. Assign Microsoft Sentinel Responder role to the playbook's managed identity on the Microsoft Sentinel workspace resource group." - ], - "entities": [ - "Account" - ], - "tags": [ - "Notification" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections14'), variables('dataConnectorVersionConnections14'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], - "lastUpdateTime": "2022-11-01T00:00:00Z", - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId8')]", - "contentKind": "Playbook", - "displayName": "MSBizApps-Incident-From-Alert-Teams", - "contentProductId": "[variables('_playbookcontentProductId8')]", - "id": "[variables('_playbookcontentProductId8')]", - "version": "[variables('playbookVersion8')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "DataverseSharePointSites Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "DataverseSharePointSites", - "category": "MSBizAppsFunctions", - "functionAlias": "DataverseSharePointSites", - "query": "let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];\nlet DataverseSharepointSites_data = (\n _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)\n | where SearchKey == \"SharePoint\"\n | extend Data = todynamic(column_ifexists('Data', dynamic({\"InstanceUrl\": \"_\", \"SharePointUrl\": \"_\"})))\n | project\n InstanceUrl = tostring(Data.InstanceUrl),\n SharePointUrl = tostring(Data.SharePointUrl)\n );\nDataverseSharepointSites_data\n| union isfuzzy = true (DataverseSharepointSites_definition)\n| where InstanceUrl != '_'\n| extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))\n| extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))\n| project InstanceUrl, SharePointUrl\n", - "functionParameters": "MSBizAppsConfigurationWatchlistAlias:string='MSBizApps-Configuration'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "DataverseSharePointSites" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "Microsoft Business Applications", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections14')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections14'))]", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections14')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections14')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections14'))]", + "contentId": "[variables('_dataConnectorContentIdConnections14')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections14')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_uiConfigId14'))]", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "PurviewAudit", + "properties": { + "TenantId": "[[subscription().tenantId]", + "SourceType": "CRM", + "ConnectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "DataTypes": { + "Logs": { + "state": "Enabled" + } + }, + "DcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "StreamName": "OFFICEDATAVERSE_RESTAPI" + } + } + } + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections14'),'-', variables('dataConnectorVersionConnections14'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersionConnections14')]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", - "contentKind": "Parser", - "displayName": "DataverseSharePointSites", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '3.2.0')))]", - "version": "[variables('parserObject1').parserVersion1]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject1')._parserName1]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "DataverseSharePointSites", - "category": "MSBizAppsFunctions", - "functionAlias": "DataverseSharePointSites", - "query": "let DataverseSharepointSites_definition = datatable(InstanceUrl: string, SharePointUrl: string)['_', '_'];\nlet DataverseSharepointSites_data = (\n _GetWatchlist(MSBizAppsConfigurationWatchlistAlias)\n | where SearchKey == \"SharePoint\"\n | extend Data = todynamic(column_ifexists('Data', dynamic({\"InstanceUrl\": \"_\", \"SharePointUrl\": \"_\"})))\n | project\n InstanceUrl = tostring(Data.InstanceUrl),\n SharePointUrl = tostring(Data.SharePointUrl)\n );\nDataverseSharepointSites_data\n| union isfuzzy = true (DataverseSharepointSites_definition)\n| where InstanceUrl != '_'\n| extend InstanceUrl = tolower(iff(InstanceUrl endswith '/', InstanceUrl, strcat(InstanceUrl, '/')))\n| extend SharePointUrl = tolower(iff(SharePointUrl endswith '/', SharePointUrl, strcat(SharePointUrl, '/')))\n| project InstanceUrl, SharePointUrl\n", - "functionParameters": "MSBizAppsConfigurationWatchlistAlias:string='MSBizApps-Configuration'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "DataverseSharePointSites" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'DataverseSharePointSites')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject2').parserTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MSBizAppsNetworkAddresses Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject2').parserVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject2')._parserName2]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsNetworkAddresses", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsNetworkAddresses", - "query": "let MsBizAppsNetworkAddresses_definition = datatable (\n IPSubnet: string,\n RangeName: string,\n Tags: string\n) [\n '_', '_', '_'\n];\nlet MsBizAppsNetworkAddresses_data = (\n _GetWatchlist(NetworkAddressesWatchlistAlias)\n | project\n IPSubnet = tostring(column_ifexists('IP Subnet', '_')),\n RangeName = tostring(column_ifexists('Range Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMsBizAppsNetworkAddresses_data\n| union isfuzzy = true (MsBizAppsNetworkAddresses_definition)\n| where IPSubnet != '_'\n| project IPSubnet, RangeName, Tags\n", - "functionParameters": "NetworkAddressesWatchlistAlias:string='NetworkAddresses'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsNetworkAddresses" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "name": "Microsoft Business Applications", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition15'), variables('dataConnectorVersion15'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentId15')]", + "displayName": "Microsoft Power Platform Admin Activity", + "contentKind": "DataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion15')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId15'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId15')]", + "title": "Microsoft Power Platform Admin Activity", + "publisher": "Microsoft", + "logo": "PowerPlatform.svg", + "descriptionMarkdown": "Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Microsoft Power Platform Admin Activity", + "baseQuery": "PowerPlatformAdminActivity" + } + ], + "sampleQueries": [ + { + "description": "Microsoft Power Platform Admin Activity Logs", + "query": "PowerPlatformAdminActivity\n | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "PowerPlatformAdminActivity", + "lastDataReceivedQuery": "PowerPlatformAdminActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": 2, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Tenant Permissions", + "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant." + }, + { + "name": "Micorosft Purview Audit", + "description": "Microsoft Purview Audit (Standard or Premium) must be activated." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Microsoft Power Platform Admin Activity audit logs to Microsoft Sentinel", + "description": "This connector uses the Office Management API to get your Power Platform administrator audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerPlatformAdminActivity** table.", + "instructions": [ + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId15')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId15'))]", + "contentId": "[variables('_dataConnectorContentId15')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion15')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections15')]", + "contentId": "[variables('_dataConnectorContentIdConnections15')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-09-01-preview", + "name": "[variables('_dataConnectorDataCollectionRulePrefix15')]", + "location": "[parameters('workspace-location')]", + "properties": { + "dataCollectionEndpointId": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('_workspaceResourceId')]", + "name": "[variables('_destinationName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Microsoft-PowerPlatformAdminActivity" + ], + "destinations": [ + "[variables('_destinationName')]" + ], + "transformKql": "source", + "outputStream": "Microsoft-PowerPlatformAdminActivity" + } + ] + } + } + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[variables('_dataConnectorcontentProductId15')]", + "id": "[variables('_dataConnectorcontentProductId15')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersion15')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId15'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId15')]", + "title": "Microsoft Power Platform Admin Activity", + "publisher": "Microsoft", + "logo": "PowerPlatform.svg", + "descriptionMarkdown": "Microsoft Power Platform is a low-code/no-code suite empowering both citizen and pro developers to streamline business processes by enabling the creation of custom apps, automation of workflows, and data analysis with minimal coding. The Power Platform Admin data connector provides the capability to ingest Power Platform administrator activity logs from the Microsoft Purview Audit log into Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Microsoft Power Platform Admin Activity", + "baseQuery": "PowerPlatformAdminActivity" + } + ], + "sampleQueries": [ + { + "description": "Microsoft Power Platform Admin Activity Logs", + "query": "PowerPlatformAdminActivity\n | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "PowerPlatformAdminActivity", + "lastDataReceivedQuery": "PowerPlatformAdminActivity\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "status": 2, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "Read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key)", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Tenant Permissions", + "description": "'Security Administrator' or 'Global Administrator' on the workspace's tenant." + }, + { + "name": "Micorosft Purview Audit", + "description": "Microsoft Purview Audit (Standard or Premium) must be activated." + } + ] + }, + "instructionSteps": [ + { + "title": "Connect Microsoft Power Platform Admin Activity audit logs to Microsoft Sentinel", + "description": "This connector uses the Office Management API to get your Power Platform administrator audit logs. The logs will be stored and processed in your existing Microsoft Sentinel workspace. You can find the data in the **PowerPlatformAdminActivity** table.", + "instructions": [ + { + "parameters": { + "label": "toggle", + "name": "toggle" + }, + "type": "ConnectionToggleButton" + } + ] + } + ] } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject2').parserContentId2]", - "contentKind": "Parser", - "displayName": "MSBizAppsNetworkAddresses", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '3.2.0')))]", - "version": "[variables('parserObject2').parserVersion2]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject2')._parserName2]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsNetworkAddresses", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsNetworkAddresses", - "query": "let MsBizAppsNetworkAddresses_definition = datatable (\n IPSubnet: string,\n RangeName: string,\n Tags: string\n) [\n '_', '_', '_'\n];\nlet MsBizAppsNetworkAddresses_data = (\n _GetWatchlist(NetworkAddressesWatchlistAlias)\n | project\n IPSubnet = tostring(column_ifexists('IP Subnet', '_')),\n RangeName = tostring(column_ifexists('Range Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMsBizAppsNetworkAddresses_data\n| union isfuzzy = true (MsBizAppsNetworkAddresses_definition)\n| where IPSubnet != '_'\n| project IPSubnet, RangeName, Tags\n", - "functionParameters": "NetworkAddressesWatchlistAlias:string='NetworkAddresses'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsNetworkAddresses" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", - "dependsOn": [ - "[variables('parserObject2')._parserId2]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsNetworkAddresses')]", - "contentId": "[variables('parserObject2').parserContentId2]", - "kind": "Parser", - "version": "[variables('parserObject2').parserVersion2]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject3').parserTemplateSpecName3]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MSBizAppsOrgSettings Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject3').parserVersion3]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject3')._parserName3]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsOrgSettings", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsOrgSettings", - "query": "datatable (Field: string, DisplayName: string, Description: string)[\n \"ACIWebEndpointUrl\", \"ACI Tenant URL.\", \"ACI Web Endpoint URL.\",\n \"AcknowledgementTemplateId\", \"Acknowledgement Template\", \"Unique identifier of the template to be used for acknowledgement when a user unsubscribes.\",\n \"ActivityTypeFilter\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether filtering activity based on entity in app.\",\n \"ActivityTypeFilterV2\", \"Show only activities configured in the app when accessing 'New activity' button\", \"Whether to show only activities configured in this app or all activities in the 'New activity' button.\",\n \"AdvancedColumnEditorEnabled\", \"Advanced column editor enabled\", \"Flag to indicate if the display column options on a view in model-driven apps is enabled\",\n \"AdvancedColumnFilteringEnabled\", \"Advanced column filtering enabled\", \"Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled\",\n \"AdvancedFilteringEnabled\", \"Advanced filtering enabled\", \"Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled\",\n \"AdvancedLookupEnabled\", \"Advanced lookup enabled\", \"Flag to indicate if the Advanced Lookup feature is enabled for lookup controls\",\n \"AdvancedLookupInEditFilter\", \"Enable Advanced Lookup In Edit Filter\", \"Enables advanced lookup in grid edit filter panel\",\n \"AllowAddressBookSyncs\", \"Allow Address Book Synchronization\", \"Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowApplicationUserAccess\", \"Allow All Application Users Access.\", \"Information that specifies whether all application users are allowed to access the environment\",\n \"AllowAutoResponseCreation\", \"Allow Automatic Response Creation\", \"Indicates whether automatic response creation is allowed.\",\n \"AllowAutoUnsubscribe\", \"Allow Automatic Unsubscribe\", \"Indicates whether automatic unsubscribe is allowed.\",\n \"AllowAutoUnsubscribeAcknowledgement\", \"Allow Automatic Unsubscribe Acknowledgement\", \"Indicates whether automatic unsubscribe acknowledgement email is allowed to send.\",\n \"AllowClientMessageBarAd\", \"Allow Outlook Client Message Bar Advertisement\", \"Indicates whether Outlook Client message bar advertisement is allowed.\",\n \"AllowConnectorsOnPowerFXActions\", \"Enable connectors on power fx actions.\", \"Information on whether connectors on power fx actions is enabled.\",\n \"AllowedIpRangeForFirewall\", \"List of IP Ranges to be allowed by the firewall rule\", \"Information that specifies the range of IP addresses that are in allow list for the firewall.\",\n \"AllowedIpRangeForStorageAccessSignatures\", \"List of IP Ranges to be allowed for generating the SAS URIs.\", \"Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.\",\n \"AllowedMimeTypes\", \"List of allowed mime types.\", \"Allow upload or download of certain mime types.\",\n \"AllowedServiceTagsForFirewall\", \"List of Service Tags to be allowed by the firewall rule\", \"Information that specifies the List of Service Tags that should be allowed by the firewall.\",\n \"AllowEntityOnlyAudit\", \"Allow Entity Level Auditing\", \"Indicates whether auditing of changes to entity is allowed when no attributes have changed.\",\n \"AllowLeadingWildcardsInGridSearch\", \"Allow Leading Wildcards In Grid Search\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLeadingWildcardsInQuickFind\", \"Allow Leading Wildcards In Quick Find\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLegacyClientExperience\", \"Enable access to legacy web client UI\", \"Enable access to legacy web client UI\",\n \"AllowLegacyDialogsEmbedding\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\",\n \"AllowMarketingEmailExecution\", \"Allow Marketing Email Execution\", \"Indicates whether marketing emails execution is allowed.\",\n \"AllowMicrosoftTrustedServiceTags\", \"Allow Microsoft Trusted Service Tags\", \"Information that specifies whether Microsoft Trusted Service Tags are allowed\",\n \"AllowOfflineScheduledSyncs\", \"Allow Offline Scheduled Synchronization\", \"Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowOutlookScheduledSyncs\", \"Allow Scheduled Synchronization\", \"Indicates whether scheduled synchronizations to Outlook are allowed.\",\n \"AllowRedirectAdminSettingsToModernUI\", \"Allow Redirect Legacy Admin Settings To Modern UI\", \"Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI\",\n \"AllowUnresolvedPartiesOnEmailSend\", \"Allow Unresolved Address Email Send\", \"Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).\",\n \"AllowUserFormModePreference\", \"Allow User Form Mode Preference\", \"Indicates whether individuals can select their form mode preference in their personal options.\",\n \"AllowUsersHidingSystemViews\", \"Allow users hiding system views\", \"Flag to indicate if allow end users to hide system views in model-driven apps is enabled\",\n \"AllowUsersSeeAppdownloadMessage\", \"Allow the showing tablet application notification bars in a browser.\", \"Indicates whether the showing tablet application notification bars in a browser is allowed.\",\n \"AllowWebExcelExport\", \"Allow Export to Excel\", \"Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.\",\n \"AMDesignator\", \"AM Designator\", \"AM designator to use throughout Microsoft Dynamics CRM.\",\n \"AppDesignerExperienceEnabled\", \"Enable App Designer Experience for this Organization\", \"Indicates whether the appDesignerExperience is enabled for the organization.\",\n \"AppointmentRichEditorExperience\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether rich editing experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeeting\", \"Enable teams Meeting experience for appointment\", \"Information on whether Teams meeting experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeetingV2\", \"Enable Teams meetings for appointments\", \"Whether Teams meetings experience for appointments is enabled.\",\n \"AuditRetentionPeriod\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AuditRetentionPeriodV2\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AutoApplyDefaultonCaseCreate\", \"Auto Apply Default Entitlement on Case Create\", \"Select whether to auto apply the default customer entitlement on case creation.\",\n \"AutoApplyDefaultonCaseUpdate\", \"Auto Apply Default Entitlement on Case Update\", \"Select whether to auto apply the default customer entitlement on case update.\",\n \"AutoApplySLA\", \"Is Auto-apply SLA After Manually Over-riding\", \"Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.\",\n \"AzureSchedulerJobCollectionName\", \"For internal use only.\", \"For internal use only.\",\n \"BaseCurrencyId\", \"Currency\", \"Unique identifier of the base currency of the organization.\",\n \"BingMapsApiKey\", \"Bing Maps API Key\", \"Api Key to be used in requests to Bing Maps services.\",\n \"BlockedAttachments\", \"Block Attachments\", \"Prevent upload or download of certain attachment types that are considered dangerous.\",\n \"BlockedMimeTypes\", \"List of blocked mime types.\", \"Prevent upload or download of certain mime types that are considered dangerous.\",\n \"BoundDashboardDefaultCardExpanded\", \"Display cards in expanded state for Interactive Dashboard\", \"Display cards in expanded state for interactive dashboard\",\n \"BulkOperationPrefix\", \"Bulk Operation Prefix\", \"Prefix used for bulk operation numbering.\",\n \"BusinessCardOptions\", \"Enable New BusinessCardOptions\", \"BusinessCardOptions\",\n \"BusinessClosureCalendarId\", \"Business Closure Calendar\", \"Unique identifier of the business closure calendar of organization.\",\n \"CalendarType\", \"Calendar Type\", \"Calendar type for the system. Set to Gregorian US by default.\",\n \"CampaignPrefix\", \"Campaign Prefix\", \"Prefix used for campaign numbering.\",\n \"CanOptOutNewSearchExperience\", \"Can disable Oct 2020 Search\", \"Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)\",\n \"CascadeStatusUpdate\", \"Cascade Status Update\", \"Flag to cascade Update on incident.\",\n \"CasePrefix\", \"Case Prefix\", \"Prefix to use for all cases throughout Microsoft Dynamics 365.\",\n \"CategoryPrefix\", \"Category Prefix\", \"Type the prefix to use for all categories in Microsoft Dynamics 365.\",\n \"ClientFeatureSet\", \"Client Feature Set\", \"Client Features to be enabled as an XML BLOB.\",\n \"ContentSecurityPolicyConfiguration\", \"Content Security Policy Configuration\", \"Policy configuration for CSP\",\n \"ContentSecurityPolicyConfigurationForCanvas\", \"Content Security Policy Configuration for Canvas apps\", \"Content Security Policy configuration for Canvas apps.\",\n \"ContentSecurityPolicyOptions\", \"Content Security Policy Options\", \"Content Security Policy Options.\",\n \"ContentSecurityPolicyReportUri\", \"Content Security Policy Report Uri\", \"Content Security Policy Report Uri.\",\n \"ContractPrefix\", \"Contract Prefix\", \"Prefix to use for all contracts throughout Microsoft Dynamics 365.\",\n \"CopresenceRefreshRate\", \"CopresenceRefreshRate\", \"Refresh rate for copresence data in seconds.\",\n \"CortanaProactiveExperienceEnabled\", \"Enable Cortana Proactive Experience Flow processes for this Organization\", \"Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.\",\n \"CreateProductsWithoutParentInActiveState\", \"Enable Active Initial Product State\", \"Enable Initial state of newly created products to be Active instead of Draft\",\n \"CurrencyDecimalPrecision\", \"Currency Decimal Precision\", \"Number of decimal places that can be used for currency.\",\n \"CurrencyDisplayOption\", \"Display Currencies Using\", \"Indicates whether to display money fields with currency code or currency symbol.\",\n \"CurrencyFormatCode\", \"Currency Format Code\", \"Information about how currency symbols are placed throughout Microsoft Dynamics CRM.\",\n \"CurrencySymbol\", \"Currency Symbol\", \"Symbol used for currency throughout Microsoft Dynamics 365.\",\n \"CurrentBulkOperationNumber\", \"Current Bulk Operation Number\", \"Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCampaignNumber\", \"Current Campaign Number\", \"Current campaign number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCaseNumber\", \"Current Case Number\", \"First case number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCategoryNumber\", \"Current Category Number\", \"Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentContractNumber\", \"Current Contract Number\", \"First contract number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentInvoiceNumber\", \"Current Invoice Number\", \"First invoice number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKaNumber\", \"Current Knowledge Article Number\", \"Enter the first number to use for knowledge articles. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKbNumber\", \"Current Article Number\", \"First article number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentOrderNumber\", \"Current Order Number\", \"First order number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentQuoteNumber\", \"Current Quote Number\", \"First quote number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"DateFormatCode\", \"Date Format Code\", \"Information about how the date is displayed throughout Microsoft CRM.\",\n \"DateFormatString\", \"Date Format String\", \"String showing how the date is displayed throughout Microsoft CRM.\",\n \"DateSeparator\", \"Date Separator\", \"Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.\",\n \"DaysBeforeEmailDescriptionIsMigrated\", \"Number of days before we migrate email description to blob.\", \"Number of days before we migrate email description to blob.\",\n \"DaysBeforeInactiveTeamsChatSyncDisabled\", \"Days Before Inactive Teams Chat Sync Disabled\", \"Days of inactivity before sync is disabled for a Teams Chat.\",\n \"DecimalSymbol\", \"Decimal Symbol\", \"Symbol used for decimal in Microsoft Dynamics 365.\",\n \"DefaultCountryCode\", \"Default Country Code\", \"Text area to enter default country code.\",\n \"DefaultCrmCustomName\", \"Name of the default app\", \"Name of the default crm custom.\",\n \"DefaultEmailServerProfileId\", \"Email Server Profile\", \"Unique identifier of the default email server profile.\",\n \"DefaultEmailSettings\", \"Default Email Settings\", \"XML string containing the default email settings that are applied when a user or queue is created.\",\n \"DefaultMobileOfflineProfileId\", \"Default Mobile Offline Profile\", \"Unique identifier of the default mobile offline profile.\",\n \"DefaultRecurrenceEndRangeType\", \"Default Recurrence End Range Type\", \"Type of default recurrence end range date.\",\n \"DefaultThemeData\", \"Default Theme Data\", \"Default theme data for the organization.\",\n \"DelegatedAdminUserId\", \"Delegated Admin\", \"Unique identifier of the delegated admin user for the organization.\",\n \"DisableSocialCare\", \"Is Social Care disabled\", \"Indicates whether Social Care is disabled.\",\n \"DiscountCalculationMethod\", \"Discount calculation method\", \"Discount calculation method for the QOOI product.\",\n \"DisplayNavigationTour\", \"Display Navigation Tour\", \"Indicates whether or not navigation tour is displayed.\",\n \"EmailConnectionChannel\", \"Email Connection Channel\", \"Select if you want to use the Email Router or server-side synchronization for email processing.\",\n \"EmailCorrelationEnabled\", \"Use Email Correlation\", \"Flag to turn email correlation on or off.\",\n \"EmailSendPollingPeriod\", \"Email Send Polling Frequency\", \"Normal polling frequency used for sending email in Microsoft Office Outlook.\",\n \"EnableAsyncMergeAPIForUCI\", \"Asynchronous merge enabled for UCI\", \"Determines whether records merged through the merge dialog in UCI are merged asynchronously\",\n \"EnableBingMapsIntegration\", \"Enable Integration with Bing Maps\", \"Enable Integration with Bing Maps\",\n \"EnableCanvasAppsInSolutionsByDefault\", \"Enable the creation of Canvas apps in Dataverse / Solution by default\", \"Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.\",\n \"EnableFlowsInSolutionByDefault\", \"Enable the creation of flows within a solution by default.\", \"Indicates whether the creation of flows is within a solution by default for this organization.\",\n \"EnableFlowsInSolutionByDefaultGracePeriod\", \"Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.\", \"Organizations with this attribute set to true will be granted a grace period and excluded from the initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.\",\n \"EnableImmersiveSkypeIntegration\", \"Enable Integration with Immersive Skype\", \"Enable Integration with Immersive Skype\",\n \"EnableIpBasedCookieBinding\", \"Enable IP Address Based Cookie Binding\", \"Information that specifies whether IP based cookie binding is enabled\",\n \"EnableIpBasedFirewallRule\", \"Enable IP Range based Firewall\", \"Information that specifies whether IP based firewall rule is enabled\",\n \"EnableIpBasedFirewallRuleInAuditMode\", \"Enable IP Range based Firewall In Audit Only Mode\", \"Information that specifies whether IP based firewall rule is enabled in Audit Only Mode\",\n \"EnableIpBasedStorageAccessSignatureRule\", \"Enable IP SAS URI generation rule\", \"Information that specifies whether IP based SAS URI generation rule is enabled\",\n \"EnableLivePersonaCardUCI\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\",\n \"EnableLivePersonCardIntegrationInOffice\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\",\n \"EnableLPAuthoring\", \"Enable Learning Path Authoring\", \"Select to enable learning path auhtoring.\",\n \"EnableMakerSwitchToClassic\", \"Switch Maker Portal to Classic\", \"Control whether the organization Switch Maker Portal to Classic\",\n \"EnableMicrosoftFlowIntegration\", \"Enable Integration with Microsoft Flow\", \"Enable Integration with Microsoft Flow\",\n \"EnablePricingOnCreate\", \"Enable Pricing On Create\", \"Enable pricing calculations on a Create call.\",\n \"EnableSmartMatching\", \"Enable Smart Matching\", \"Use Smart Matching.\",\n \"EnableUnifiedClientCDN\", \"Enable UCI CDN for organization\", \"Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.\",\n \"EnableUnifiedInterfaceShellRefresh\", \"Enable site map and commanding update\", \"Enable site map and commanding update\",\n \"EnforceReadOnlyPlugins\", \"Organization setting to enforce read only plugins.\", \"Organization setting to enforce read only plugins.\",\n \"EntityImage\", \"Entity Image\", \"The default image for the entity.\",\n \"ExpireChangeTrackingInDays\", \"Days to Expire Change Tracking Deleted Records\", \"Maximum number of days to keep change tracking deleted records\",\n \"ExpireSubscriptionsInDays\", \"Days to Expire Subscriptions\", \"Maximum number of days before deleting inactive subscriptions.\",\n \"ExternalBaseUrl\", \"External Base URL\", \"Specify the base URL to use to look for external document suggestions.\",\n \"ExternalPartyCorrelationKeys\", \"ExternalPartyEnabled Entities correlation Keys\", \"XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only\",\n \"ExternalPartyEntitySettings\", \"ExternalPartyEnabled Entities Settings.For internal use only\", \"XML string containing the ExternalPartyEnabled entities settings.\",\n \"FeatureSet\", \"Feature Set\", \"Features to be enabled as an XML BLOB.\",\n \"FiscalCalendarStart\", \"Fiscal Calendar Start\", \"Start date for the fiscal period that is to be used throughout Microsoft CRM.\",\n \"FiscalPeriodFormat\", \"Fiscal Period Format\", \"Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.\",\n \"FiscalPeriodFormatPeriod\", \"Format for Fiscal Period\", \"Format in which the fiscal period will be displayed.\",\n \"FiscalPeriodType\", \"Fiscal Period Type\", \"Type of fiscal period used throughout Microsoft CRM.\",\n \"FiscalYearDisplayCode\", \"Fiscal Year Display\", \"Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.\",\n \"FiscalYearFormat\", \"Fiscal Year Format\", \"Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.\",\n \"FiscalYearFormatPrefix\", \"Prefix for Fiscal Year\", \"Prefix for the display of the fiscal year.\",\n \"FiscalYearFormatSuffix\", \"Suffix for Fiscal Year\", \"Suffix for the display of the fiscal year.\",\n \"FiscalYearFormatYear\", \"Fiscal Year Format Year\", \"Format for the year.\",\n \"FiscalYearPeriodConnect\", \"Fiscal Year Period Connector\", \"Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.\",\n \"FullNameConventionCode\", \"Full Name Display Order\", \"Order in which names are to be displayed throughout Microsoft CRM.\",\n \"FutureExpansionWindow\", \"Future Expansion Window\", \"Specifies the maximum number of months in future for which the recurring activities can be created.\",\n \"GenerateAlertsForErrors\", \"Generate Alerts For Errors\", \"Indicates whether alerts will be generated for errors.\",\n \"GenerateAlertsForInformation\", \"Generate Alerts For Information\", \"Indicates whether alerts will be generated for information.\",\n \"GenerateAlertsForWarnings\", \"Generate Alerts For Warnings\", \"Indicates whether alerts will be generated for warnings.\",\n \"GetStartedPaneContentEnabled\", \"Is Get Started Pane Content Enabled\", \"Indicates whether Get Started content is enabled for this organization.\",\n \"GlobalAppendUrlParametersEnabled\", \"Is AppendUrl Parameters enabled\", \"Indicates whether the append URL parameters is enabled.\",\n \"GlobalHelpUrl\", \"Global Help URL.\", \"URL for the web page global help.\",\n \"GlobalHelpUrlEnabled\", \"Is Customizable Global Help enabled\", \"Indicates whether the customizable global help is enabled.\",\n \"GoalRollupExpiryTime\", \"Rollup Expiration Time for Goal\", \"Number of days after the goal's end date after which the rollup of the goal stops automatically.\",\n \"GoalRollupFrequency\", \"Automatic Rollup Frequency for Goal\", \"Number of hours between automatic rollup jobs .\",\n \"GrantAccessToNetworkService\", \"Grant Access To Network Service\", \"For internal use only.\",\n \"HashDeltaSubjectCount\", \"Hash Delta Subject Count\", \"Maximum difference allowed between subject keywords count of the email messaged to be correlated\",\n \"HashFilterKeywords\", \"Hash Filter Keywords\", \"Filter Subject Keywords\",\n \"HashMaxCount\", \"Hash Max Count\", \"Maximum number of subject keywords or recipients used for correlation\",\n \"HashMinAddressCount\", \"Hash Min Address Count\", \"Minimum number of recipients required to match for email messaged to be correlated\",\n \"HighContrastThemeData\", \"High contrast Theme Data\", \"High contrast theme data for the organization.\",\n \"IgnoreInternalEmail\", \"Ignore Internal Email\", \"Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.\",\n \"ImproveSearchLoggingEnabled\", \"Share search query data\", \"Indicates whether an organization has consented to sharing search query data to help improve search results\",\n \"InactivityTimeoutEnabled\", \"Inactivity timeout enabled\", \"Information that specifies whether Inactivity timeout is enabled\",\n \"InactivityTimeoutInMins\", \"Inactivity timeout in minutes\", \"Inactivity timeout in minutes\",\n \"InactivityTimeoutReminderInMins\", \"Inactivity timeout reminder in minutes\", \"Inactivity timeout reminder in minutes\",\n \"IncomingEmailExchangeEmailRetrievalBatchSize\", \"Exchange Email Retrieval Batch Size\", \"Setting for the Async Service Mailbox Queue. Defines the retrieval batch size of exchange server.\",\n \"InitialVersion\", \"Initial Version\", \"Initial version of the organization.\",\n \"IntegrationUserId\", \"Integration User\", \"Unique identifier of the integration user for the organization.\",\n \"InvoicePrefix\", \"Invoice Prefix\", \"Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.\",\n \"IpBasedStorageAccessSignatureMode\", \"IP Based SAS mode\", \"IP Based SAS mode.\",\n \"IsActionCardEnabled\", \"Enable Action Card for this Organization\", \"Indicates whether the feature Action Card should be enabled for the organization.\",\n \"IsActionSupportFeatureEnabled\", \"Action Support Feature enabled\", \"Information that specifies whether Action Support Feature is enabled\",\n \"IsActivityAnalysisEnabled\", \"Enable Relationship Analytics for this Organization\", \"Indicates whether the feature Relationship Analytics should be enabled for the organization.\",\n \"IsAppMode\", \"Is Application Mode Enabled\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsAppointmentAttachmentSyncEnabled\", \"Is Attachment Sync Enabled\", \"Enable or disable attachments sync for outlook and exchange.\",\n \"IsAssignedTasksSyncEnabled\", \"Is Assigned Tasks Sync Enabled\", \"Enable or disable assigned tasks sync for outlook and exchange.\",\n \"IsAuditEnabled\", \"Is Auditing Enabled\", \"Enable or disable auditing of changes.\",\n \"IsAutoDataCaptureEnabled\", \"Enable Auto Capture for this Organization\", \"Indicates whether the feature Auto Capture should be enabled for the organization.\",\n \"IsAutoDataCaptureV2Enabled\", \"Enable Auto Capture V2 for this Organization\", \"Indicates whether the V2 feature of Auto Capture should be enabled for the organization.\",\n \"IsAutoInstallAppForD365InTeamsEnabled\", \"IsAutoInstallAppForD365InTeamsEnabled\", \"\",\n \"IsAutoSaveEnabled\", \"Auto Save Enabled\", \"Information on whether auto save is enabled.\",\n \"IsBaseCardStaticFieldDataEnabled\", \"IsBaseCardStaticFieldDataEnabled\", \"\",\n \"IsBasicGeospatialIntegrationEnabled\", \"Enable the basic Geospatial features in Canvas Apps\", \"Determines whether users can make use of basic Geospatial featuers in Canvas apps.\",\n \"IsBPFEntityCustomizationFeatureEnabled\", \"BPF Entity Customization Feature enabled\", \"Information that specifies whether BPF Entity Customization Feature is enabled\",\n \"IsCollaborationExperienceEnabled\", \"IsCollaborationExperienceEnabled\", \"\",\n \"IsConflictDetectionEnabledForMobileClient\", \"Is Conflict Detection for Mobile Client enabled\", \"Information that specifies whether conflict detection for mobile client is enabled.\",\n \"IsContactMailingAddressSyncEnabled\", \"Is Mailing Address Sync Enabled\", \"Enable or disable mailing address sync for outlook and exchange.\",\n \"IsContentSecurityPolicyEnabled\", \"Enable Content Security Policy for this organization\", \"Indicates whether Content Security Policy has been enabled for the organization.\",\n \"IsContentSecurityPolicyEnabledForCanvas\", \"Enable Content Security Policy for this organization's Canvas apps\", \"Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.\",\n \"IsContextualEmailEnabled\", \"Indicates whether Contextual email experience is enabled on this organization\", \"Indicates whether Contextual email experience is enabled on this organization\",\n \"IsContextualHelpEnabled\", \"Enables Contextual Help in UCI\", \"Select to enable Contextual Help in UCI.\",\n \"IsCopilotFeedbackEnabled\", \"Allow users to provide feedback for App Copilot\", \"Determines whether users can provide feedback for App Copilot.\",\n \"IsCustomControlsInCanvasAppsEnabled\", \"Enable Custom Controls in canvas PowerApps feature for this organization\", \"Indicates whether Custom Controls in canvas PowerApps feature has been enabled for the organization.\",\n \"IsDefaultCountryCodeCheckEnabled\", \"Enable or disable country code selection\", \"Enable or disable country code selection.\",\n \"IsDelegateAccessEnabled\", \"Is Delegation Access Enabled\", \"Enable Delegation Access content\",\n \"IsDelveActionHubIntegrationEnabled\", \"Enable Action Hub for this Organization\", \"Indicates whether the feature Action Hub should be enabled for the organization.\",\n \"IsDesktopFlowSchemaV2Enabled\", \"Enable v2 schema for Desktop Flows in this organization.\", \"Indicates whether v2 schema for Desktop Flows is enabled in this organization.\",\n \"IsDuplicateDetectionEnabled\", \"Is Duplicate Detection Enabled\", \"Indicates whether duplicate detection of records is enabled.\",\n \"IsDuplicateDetectionEnabledForImport\", \"Is Duplicate Detection Enabled For Import\", \"Indicates whether duplicate detection of records during import is enabled.\",\n \"IsDuplicateDetectionEnabledForOfflineSync\", \"Is Duplicate Detection Enabled For Offline Synchronization\", \"Indicates whether duplicate detection of records during offline synchronization is enabled.\",\n \"IsDuplicateDetectionEnabledForOnlineCreateUpdate\", \"Is Duplicate Detection Enabled for Online Create/Update\", \"Indicates whether duplicate detection during online create or update is enabled.\",\n \"IsEmailAddressValidationEnabled\", \"Enable Smart Email Address Validation.\", \"Information on whether Smart Email Address Validation is enabled.\",\n \"IsEmailMonitoringAllowed\", \"Allow tracking recipient activity on sent emails\", \"Allow tracking recipient activity on sent emails.\",\n \"IsEmailServerProfileContentFilteringEnabled\", \"Is Email Server Profile Content Filtering Enabled\", \"Enable Email Server Profile content filtering\",\n \"IsEnabledForAllRoles\", \"option set values for isenabledforallroles\", \"Indicates whether appmodule is enabled for all roles\",\n \"IsExternalFileStorageEnabled\", \"Enable external file storage\", \"Indicates whether the organization's files are being stored in Azure.\",\n \"IsExternalSearchIndexEnabled\", \"Enable external search data syncing\", \"Select whether data can be synchronized with an external search index.\",\n \"IsFiscalPeriodMonthBased\", \"Is Fiscal Period Monthly\", \"Indicates whether the fiscal period is displayed as the month number.\",\n \"IsFolderAutoCreatedonSP\", \"Automatically create folders\", \"Select whether folders should be automatically created on SharePoint.\",\n \"IsFolderBasedTrackingEnabled\", \"Is Folder Based Tracking Enabled\", \"Enable or disable folder based tracking for Server Side Sync.\",\n \"IsFullTextSearchEnabled\", \"Enable Full-text search for Quick Find\", \"Indicates whether full-text search for Quick Find entities should be enabled for the organization.\",\n \"IsGeospatialAzureMapsIntegrationEnabled\", \"Enable geospatial Azure Maps integration.\", \"Indicates whether geospatial capabilities leveraging Azure Maps are enabled.\",\n \"IsHierarchicalSecurityModelEnabled\", \"Enable Hierarchical Security Model\", \"Enable Hierarchical Security Model\",\n \"IsIdeasDataCollectionEnabled\", \"Enable Ideas data collection.\", \"Indicates whether data collection for ideas in canvas PowerApps has been enabled.\",\n \"IsLUISEnabledforD365Bot\", \"LUIS Consent for Dynamics 365 Bot\", \"Give Consent to use LUIS in Dynamics 365 Bot\",\n \"IsMailboxForcedUnlockingEnabled\", \"Is Mailbox Forced Unlocking Enabled\", \"Enable or disable forced unlocking for Server Side Sync mailboxes.\",\n \"IsMailboxInactiveBackoffEnabled\", \"Is Mailbox Keep Alive Enabled\", \"Enable or disable mailbox keep alive for Server Side Sync.\",\n \"IsManualSalesForecastingEnabled\", \"Enable Manual Sales Forecasting feature for this organization\", \"Indicates whether Manual Sales Forecasting feature has been enabled for the organization.\",\n \"IsMobileClientOnDemandSyncEnabled\", \"Is Mobile Client On Demand Sync enabled\", \"Information that specifies whether mobile client on demand sync is enabled.\",\n \"IsMobileOfflineEnabled\", \"Enable MobileOffline for this Organization\", \"Indicates whether the feature MobileOffline should be enabled for the organization.\",\n \"IsModelDrivenAppsInMSTeamsEnabled\", \"Enable embedding Model Apps in Microsoft Teams\", \"Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.\",\n \"IsMSTeamsCollaborationEnabled\", \"Enable Microsoft Teams Collaboration for this organization\", \"Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.\",\n \"IsMSTeamsEnabled\", \"Enable Microsoft Teams integration\", \"Indicates whether Microsoft Teams integration has been enabled for the organization.\",\n \"IsMSTeamsSettingChangedByUser\", \"Microsoft Teams integration changed by user\", \"Indicates whether the user has enabled or disabled Microsoft Teams integration.\",\n \"IsMSTeamsUserSyncEnabled\", \"Enable Microsoft Teams User Sync for this organization\", \"Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.\",\n \"IsNewAddProductExperienceEnabled\", \"Indicates whether new add product experience is enabled in opportunity form\", \"Indicates whether new add product experience is enabled.\",\n \"IsNotesAnalysisEnabled\", \"Enable Notes Analysis for this Organization\", \"Indicates whether the feature Notes Analysis should be enabled for the organization.\",\n \"IsNotificationForD365InTeamsEnabled\", \"IsNotificationForD365InTeamsEnabled\", \"\",\n \"IsOfficeGraphEnabled\", \"Enable OfficeGraph for this Organization\", \"Indicates whether the feature OfficeGraph should be enabled for the organization.\",\n \"IsOneDriveEnabled\", \"Enable One Drive for this Organization\", \"Indicates whether the feature One Drive should be enabled for the organization.\",\n \"IsPAIEnabled\", \"Enable PAI feature for this organization\", \"Indicates whether PAI feature has been enabled for the organization.\",\n \"IsPDFGenerationEnabled\", \"Enable PDF Generation feature for this organization\", \"Indicates whether PDF Generation feature has been enabled for the organization.\",\n \"IsPlaybookEnabled\", \"Enable playbook feature for this organization\", \"Indicates whether playbook feature has been enabled for the organization.\",\n \"IsPresenceEnabled\", \"Presence Enabled\", \"Information on whether IM presence is enabled.\",\n \"IsPreviewEnabledForActionCard\", \"Enable Preview Action Card feature for this Organization\", \"Indicates whether the Preview feature for Action Card should be enabled for the organization.\",\n \"IsPreviewForAutoCaptureEnabled\", \"Enable Auto Capture for this Organization at Preview Settings\", \"Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.\",\n \"IsPreviewForEmailMonitoringAllowed\", \"Allows Preview For Email Monitoring\", \"Is Preview For Email Monitoring Allowed.\",\n \"IsPriceListMandatory\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities.\",\n \"IsQuickCreateEnabledForOpportunityClose\", \"Enable quick create form for opportunity close feature for this organization\", \"Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.\",\n \"IsReadAuditEnabled\", \"Is Read Auditing Enabled\", \"Enable or disable auditing of read operations.\",\n \"IsRelationshipInsightsEnabled\", \"Enable Relationship Insights for this Organization\", \"Indicates whether the feature Relationship Insights should be enabled for the organization.\",\n \"IsResourceBookingExchangeSyncEnabled\", \"Resource booking synchronization enabled\", \"Indicates if the synchronization of user resource booking with Exchange is enabled at organization level.\",\n \"IsRichTextNotesEnabled\", \"Indicates whether rich text editor for notes experience is enabled on this organization\", \"Indicates whether rich text editor for notes experience is enabled on this organization\",\n \"IsRpaAutoscaleAadJoinEnabled\", \"Enable AAD Join for RPA Autoscale feature for this organization.\", \"Indicates whether AAD Join for RPA Autoscale is enabled in this organization..\",\n \"IsRpaAutoscaleEnabled\", \"Enable RPA Autoscale feature for this organization\", \"Indicates whether Autoscale feature for RPA is enabled in this organization.\",\n \"IsRpaBoxCrossGeoEnabled\", \"Enable RPA Box cross geo feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.\",\n \"IsRpaBoxEnabled\", \"Enable RPA Box feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization.\",\n \"IsRpaUnattendedEnabled\", \"Enable RPA Unattended feature for this organization\", \"Indicates whether Unattended runs feature for RPA is enabled in this organization.\",\n \"IsSalesAssistantEnabled\", \"Enable Sales Assistant mobile app\", \"Indicates whether Sales Assistant mobile app has been enabled for the organization.\",\n \"IsSharingInOrgAllowed\", \"IsSharingInOrgAllowed\", \"\",\n \"IsSOPIntegrationEnabled\", \"Is Sales Order Integration Enabled\", \"Enable sales order processing integration.\",\n \"IsTextWrapEnabled\", \"Enable Text Wrap\", \"Information on whether text wrap is enabled.\",\n \"IsUserAccessAuditEnabled\", \"Is User Access Auditing Enabled\", \"Enable or disable auditing of user access.\",\n \"ISVIntegrationCode\", \"ISV Integration Mode\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsWriteInProductsAllowed\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.\",\n \"KaPrefix\", \"Knowledge Article Prefix\", \"Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.\",\n \"KbPrefix\", \"Article Prefix\", \"Prefix to use for all articles in Microsoft Dynamics 365.\",\n \"KMSettings\", \"Knowledge Management Settings\", \"XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.\",\n \"LanguageCode\", \"Language\", \"Preferred language for the organization.\",\n \"LocaleId\", \"Locale\", \"Unique identifier of the locale of the organization.\",\n \"LongDateFormatCode\", \"Long Date Format\", \"Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.\",\n \"LookupCharacterCountBeforeResolve\", \"Minimum number of characters before resolving suggestions in lookup\", \"Minimum number of characters that should be entered in the lookup control before resolving for suggestions\",\n \"LookupResolveDelayMS\", \"Minimum delay (in milliseconds) for debouncing lookup control input\", \"Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions\",\n \"MailboxIntermittentIssueMinRange\", \"Lower Threshold For Mailbox Intermittent Issue\", \"Lower Threshold For Mailbox Intermittent Issue.\",\n \"MailboxPermanentIssueMinRange\", \"Lower Threshold For Mailbox Permanent Issue.\", \"Lower Threshold For Mailbox Permanent Issue.\",\n \"MaxActionStepsInBPF\", \"Maximum number of actionsteps allowed in a BPF\", \"Maximum number of actionsteps allowed in a BPF\",\n \"MaxAllowedPendingRollupJobCount\", \"MaxAllowedPendingRollupJobCount\", \"Maximum Allowed Pending Rollup Job Count\",\n \"MaxAllowedPendingRollupJobPercentage\", \"MaxAllowedPendingRollupJobPercentage\", \"Percentage Of Entity Table Size For Kicking Off Bootstrap Job\",\n \"MaxAppointmentDurationDays\", \"Max Appointment Duration\", \"Maximum number of days an appointment can last.\",\n \"MaxConditionsForMobileOfflineFilters\", \"Maximum number of conditions allowed for mobile offline filters\", \"Maximum number of conditions allowed for mobile offline filters\",\n \"MaxDepthForHierarchicalSecurityModel\", \"Maximum depth for hierarchy security propagation.\", \"Maximum depth for hierarchy security propagation.\",\n \"MaxFolderBasedTrackingMappings\", \"Max Folder Based Tracking Mappings\", \"Maximum number of Folder Based Tracking mappings user can add\",\n \"MaximumActiveBusinessProcessFlowsAllowedPerEntity\", \"Maximum active business process flows per entity\", \"Maximum number of active business process flows allowed per entity\",\n \"MaximumDynamicPropertiesAllowed\", \"Product Properties Item Limit\", \"Restrict the maximum number of product properties for a product family/bundle\",\n \"MaximumEntitiesWithActiveSLA\", \"Maximum number of active SLA allowed per entity in online\", \"Maximum number of active SLA allowed per entity in online\",\n \"MaximumSLAKPIPerEntityWithActiveSLA\", \"Maximum number of active SLA KPI allowed per entity in online\", \"Maximum number of SLA KPI per active SLA allowed for entity in online\",\n \"MaximumTrackingNumber\", \"Max Tracking Number\", \"Maximum tracking number before recycling takes place.\",\n \"MaxProductsInBundle\", \"Bundle Item Limit\", \"Restrict the maximum no of items in a bundle\",\n \"MaxRecordsForExportToExcel\", \"Max Records For Excel Export\", \"Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.\",\n \"MaxRecordsForLookupFilters\", \"Max Records Filter Selection\", \"Maximum number of lookup and picklist records that can be selected by user for filtering.\",\n \"MaxRollupFieldsPerEntity\", \"MaxRollupFieldsPerEntity\", \"Maximum Rollup Fields Per Entity\",\n \"MaxRollupFieldsPerOrg\", \"MaxRollupFieldsPerOrg\", \"Maximum Rollup Fields Per Organization\",\n \"MaxSLAItemsPerSLA\", \"Max SLA Items Per SLA\", \"\",\n \"MaxUploadFileSize\", \"Max Upload File Size\", \"Maximum allowed size of an attachment.\",\n \"MicrosoftFlowEnvironment\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\",\n \"MinAddressBookSyncInterval\", \"Min Address Synchronization Frequency\", \"Normal polling frequency used for address book synchronization in Microsoft Office Outlook.\",\n \"MinOfflineSyncInterval\", \"Min Offline Synchronization Frequency\", \"Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.\",\n \"MinOutlookSyncInterval\", \"Min Synchronization Frequency\", \"Minimum allowed time between scheduled Outlook synchronizations.\",\n \"MobileOfflineSyncInterval\", \"Sync interval for mobile offline.\", \"Sync interval for mobile offline.\",\n \"ModernAdvancedFindFiltering\", \"Modern advanced find filtering\", \"Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled\",\n \"ModernAppDesignerCoauthoringEnabled\", \"Coauthoring in Modern App Designer Enabled\", \"Indicates whether coauthoring is enabled in modern app designer\",\n \"MultiColumnSortEnabled\", \"Enable Multi Column Sort Editor In Views\", \"Show the sort by button on views\",\n \"Name\", \"Organization Name\", \"Name of the organization. The name is set when Microsoft CRM is installed and should not be changed.\",\n \"NaturalLanguageAssistFilter\", \"Natural Language Assist\", \"Enables Natural Language Assist Filter.\",\n \"NegativeCurrencyFormatCode\", \"Negative Currency Format\", \"Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.\",\n \"NegativeFormatCode\", \"Negative Format\", \"Information that specifies how negative numbers are displayed throughout Microsoft CRM.\",\n \"NewSearchExperienceEnabled\", \"Oct 2020 Search enabled\", \"Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization\",\n \"NextTrackingNumber\", \"Next Tracking Number\", \"Next token to be placed on the subject line of an email message.\",\n \"NotifyMailboxOwnerOfEmailServerLevelAlerts\", \"Notify Mailbox Owner Of Email Server Level Alerts\", \"Indicates whether mailbox owners will be notified of email server profile level alerts.\",\n \"NumberFormat\", \"Number Format\", \"Specification of how numbers are displayed throughout Microsoft CRM.\",\n \"NumberGroupFormat\", \"Number Grouping Format\", \"Specifies how numbers are grouped in Microsoft Dynamics 365.\",\n \"NumberSeparator\", \"Number Separator\", \"Symbol used for number separation in Microsoft Dynamics 365.\",\n \"OfficeAppsAutoDeploymentEnabled\", \"Enable Office Apps Auto Deployment for this Organization\", \"Indicates whether the Office Apps auto deployment is enabled for the organization.\",\n \"OfficeGraphDelveUrl\", \"The url to open the Delve\", \"The url to open the Delve for the organization.\",\n \"OOBPriceCalculationEnabled\", \"Enable OOB Price calculation\", \"Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.\",\n \"OptOutSchemaV2EnabledByDefault\", \"Opt-out of schema v2 being automatically enabled for this organization.\", \"Indicates if this organization will opt-out from automatically enabling schema v2 on the organization.\",\n \"OrderPrefix\", \"Order Prefix\", \"Prefix to use for all orders throughout Microsoft Dynamics 365.\",\n \"OrgDbOrgSettings\", \"Organization Database Organization Settings\", \"Organization settings stored in Organization Database.\",\n \"OrgInsightsEnabled\", \"Enable OrgInsights for this Organization\", \"Select whether to turn on OrgInsights for the organization.\",\n \"PaiPreviewScenarioEnabled\", \"Display Preview Feature for this organization\", \"Indicates whether Preview feature has been enabled for the organization.\",\n \"PastExpansionWindow\", \"Past Expansion Window\", \"Specifies the maximum number of months in past for which the recurring activities can be created.\",\n \"PcfDatasetGridEnabled\", \"Enable modern grids in model-driven apps\", \"Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.\",\n \"PerformACTSyncAfter\", \"PerformACTSyncAfter\", \"This setting contains the date time before an ACT sync can execute.\",\n \"Picture\", \"Picture\", \"For internal use only.\",\n \"PinpointLanguageCode\", \"\", \"\",\n \"PluginTraceLogSetting\", \"Plug-in Trace Log Setting\", \"Plug-in Trace Log Setting for the Organization.\",\n \"PMDesignator\", \"PM Designator\", \"PM designator to use throughout Microsoft Dynamics 365.\",\n \"PostMessageWhitelistDomains\", \"For internal use only.\", \"For internal use only.\",\n \"PowerAppsMakerBotEnabled\", \"Enable bot for makers.\", \"Indicates whether bot for makers is enabled.\",\n \"PowerBIAllowCrossRegionOperations\", \"Power BI allow cross region operations\", \"Indicates whether cross region operations are allowed for the organization\",\n \"PowerBIAutomaticPermissionsAssignment\", \"Power BI automatic permissions assignment\", \"Indicates whether automatic permissions assignment to Power BI has been enabled for the organization\",\n \"PowerBIComponentsCreate\", \"Power BI components creation\", \"Indicates whether creation of Power BI components has been enabled for the organization\",\n \"PowerBiFeatureEnabled\", \"Enable Power BI feature for this Organization\", \"Indicates whether the Power BI feature should be enabled for the organization.\",\n \"PricingDecimalPrecision\", \"Pricing Decimal Precision\", \"Number of decimal places that can be used for prices.\",\n \"PrivacyStatementUrl\", \"Privacy Statement URL\", \"Privacy Statement URL\",\n \"PrivilegeUserGroupId\", \"Privilege User Group\", \"Unique identifier of the default privilege for users in the organization.\",\n \"PrivReportingGroupId\", \"Privilege Reporting Group\", \"For internal use only.\",\n \"PrivReportingGroupName\", \"Privilege Reporting Group Name\", \"For internal use only.\",\n \"ProductRecommendationsEnabled\", \"Enable Product Recommendations for this Organization\", \"Select whether to turn on product recommendations for the organization.\",\n \"QualifyLeadAdditionalOptions\", \"Enable New Qualify Lead Experience with configuration MDD\", \"Indicates whether prompt should be shown for new Qualify Lead Experience\",\n \"QuickActionToOpenRecordsInSidePaneEnabled\", \"Enable quick actions to open records in search side pane\", \"Flag to indicate if the feature to use quick action to open records in search side pane is enabled\",\n \"QuickFindRecordLimitEnabled\", \"Quick Find Record Limit Enabled\", \"Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).\",\n \"QuotePrefix\", \"Quote Prefix\", \"Prefix to use for all quotes throughout Microsoft Dynamics 365.\",\n \"RecalculateSLA\", \"Indicates whether SLA Recalculation has been enabled for the organization\", \"Indicates whether SLA Recalculation has been enabled for the organization\",\n \"RecurrenceDefaultNumberOfOccurrences\", \"Recurrence Default Number of Occurrences\", \"Specifies the default value for number of occurrences field in the recurrence dialog.\",\n \"RecurrenceExpansionJobBatchInterval\", \"Recurrence Expansion Job Batch Interval\", \"Specifies the interval (in seconds) for pausing expansion job.\",\n \"RecurrenceExpansionJobBatchSize\", \"Recurrence Expansion On Demand Job Batch Size\", \"Specifies the value for number of instances created in on demand job in one shot.\",\n \"RecurrenceExpansionSynchCreateMax\", \"Recurrence Expansion Synchronization Create Maximum\", \"Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.\",\n \"ReferenceSiteMapXml\", \"Reference SiteMap XML\", \"XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.\",\n \"ReleaseCadence\", \"Current orgnization release cadence value\", \"Current orgnization release cadence value\",\n \"ReleaseChannel\", \"Model app refresh channel\", \"Model app refresh channel\",\n \"ReleaseWaveName\", \"Release Wave\", \"Release Wave Applied to Environment.\",\n \"RelevanceSearchEnabledByPlatform\", \"Relevance search enabled automatically by Dataverse\", \"Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep\",\n \"RelevanceSearchModifiedOn\", \"RelevanceSearchModifiedOnDate\", \"This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.\",\n \"RenderSecureIFrameForEmail\", \"Render Secure Frame For Email\", \"Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. This is additional security but can cause a credentials prompt.\",\n \"ReportingGroupId\", \"Reporting Group\", \"For internal use only.\",\n \"ReportingGroupName\", \"Reporting Group Name\", \"For internal use only.\",\n \"ReportScriptErrors\", \"Report Script Errors\", \"Picklist for selecting the organization preference for reporting scripting errors.\",\n \"RequireApprovalForQueueEmail\", \"Is Approval For Queue Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"RequireApprovalForUserEmail\", \"Is Approval For User Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"ResolveSimilarUnresolvedEmailAddress\", \"Apply same email address to all unresolved matches when you manually resolve it for one\", \"Apply same email address to all unresolved matches when you manually resolve it for one\",\n \"RestrictStatusUpdate\", \"Restrict Status Update\", \"Flag to restrict Update on incident.\",\n \"ReverseProxyIpAddresses\", \"List of reverse proxy IP addresses to be allowed.\", \"Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.\",\n \"RiErrorStatus\", \"Error status of Relationship Insights provisioning.\", \"Error status of Relationship Insights provisioning.\",\n \"SampleDataImportId\", \"Sample Data Import\", \"Unique identifier of the sample data import job.\",\n \"SchemaNamePrefix\", \"Customization Name Prefix\", \"Prefix used for custom entities and attributes.\",\n \"SendBulkEmailInUCI\", \"Send Bulk Email in UCI\", \"Indicates whether Send Bulk Email in UCI is enabled for the org.\",\n \"ServeStaticResourcesFromAzureCDN\", \"Serve Static Content From CDN\", \"Serve Static Content From CDN\",\n \"SessionRecordingEnabled\", \"Enable the session recording feature\", \"Enable the session recording feature to record user sessions in UCI\",\n \"SessionTimeoutEnabled\", \"Session timeout enabled\", \"Information that specifies whether session timeout is enabled\",\n \"SessionTimeoutInMins\", \"Session timeout in minutes\", \"Session timeout in minutes\",\n \"SessionTimeoutReminderInMins\", \"Session timeout reminder in minutes\", \"Session timeout reminder in minutes\",\n \"SharePointDeploymentType\", \"Choose SharePoint Deployment Type\", \"Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)\",\n \"ShareToPreviousOwnerOnAssign\", \"Share To Previous Owner On Assign\", \"Information that specifies whether to share to previous owner on assign.\",\n \"ShowKBArticleDeprecationNotification\", \"Show KBArticle deprecation message to user\", \"Select whether to display a KB article deprecation notification to the user.\",\n \"ShowWeekNumber\", \"Show Week Number\", \"Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.\",\n \"SignupOutlookDownloadFWLink\", \"CRMForOutlookDownloadURL\", \"CRM for Outlook Download URL\",\n \"SiteMapXml\", \"SiteMap XML\", \"XML string that defines the navigation structure for the application.\",\n \"SlaPauseStates\", \"SLA pause states\", \"Contains the on hold case status values.\",\n \"SocialInsightsEnabled\", \"Social Insights Enabled\", \"Flag for whether the organization is using Social Insights.\",\n \"SocialInsightsInstance\", \"Social Insights instance identifier\", \"Identifier for the Social Insights instance for the organization.\",\n \"SocialInsightsTermsAccepted\", \"Social Insights Terms of Use\", \"Flag for whether the organization has accepted the Social Insights terms of use.\",\n \"SortId\", \"Sort\", \"For internal use only.\",\n \"SqlAccessGroupId\", \"SQL Access Group\", \"For internal use only.\",\n \"SqlAccessGroupName\", \"SQL Access Group Name\", \"For internal use only.\",\n \"SQMEnabled\", \"Is SQM Enabled\", \"Setting for SQM data collection, 0 no, 1 yes enabled\",\n \"SupportUserId\", \"Support User\", \"Unique identifier of the support user for the organization.\",\n \"SuppressSLA\", \"Is SLA suppressed\", \"Indicates whether SLA is suppressed.\",\n \"SuppressValidationEmails\", \"Whether Admin emails are sent when Solution Checker validation fails\", \"Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.\",\n \"SyncBulkOperationBatchSize\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\",\n \"SyncBulkOperationMaxLimit\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\",\n \"SyncOptInSelection\", \"Enable dynamics 365 azure sync framework for this organization.\", \"Indicates the selection to use the dynamics 365 azure sync framework or server side sync.\",\n \"SyncOptInSelectionStatus\", \"Status of opt-in or opt-out operation for dynamics 365 azure sync.\", \"Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.\",\n \"SystemUserId\", \"System User\", \"Unique identifier of the system user for the organization.\",\n \"TableScopedDVSearchInApps\", \"Table Scoped Dataverse Search In Apps\", \"Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.\",\n \"TagMaxAggressiveCycles\", \"Auto-Tag Max Cycles\", \"Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.\",\n \"TagPollingPeriod\", \"Auto-Tag Interval\", \"Normal polling frequency used for email receive auto-tagging in outlook.\",\n \"TaskBasedFlowEnabled\", \"Enable Task Flow processes for this Organization\", \"Select whether to turn on task flows for the organization.\",\n \"TeamsChatDataSync\", \"Enable Teams Chat Data Sync.\", \"Information on whether Teams Chat Data Sync is enabled.\",\n \"TelemetryInstrumentationKey\", \"Telemetry Instrumentation Key\", \"Instrumentation key for Application Insights used to log plugins telemetry.\",\n \"TextAnalyticsEnabled\", \"Enable Text Analytics for this Organization\", \"Select whether to turn on text analytics for the organization.\",\n \"TimeFormatCode\", \"Time Format Code\", \"Information that specifies how the time is displayed throughout Microsoft CRM.\",\n \"TimeFormatString\", \"Time Format String\", \"Text for how time is displayed in Microsoft Dynamics 365.\",\n \"TimeSeparator\", \"Time Separator\", \"Text for how the time separator is displayed throughout Microsoft Dynamics 365.\",\n \"TimeZoneRuleVersionNumber\", \"Time Zone Rule Version Number\", \"For internal use only.\",\n \"TokenExpiry\", \"Token Expiration Duration\", \"Duration used for token expiration.\",\n \"TokenKey\", \"Token Key\", \"Token key.\",\n \"TraceLogMaximumAgeInDays\", \"Tracelog record maximum age in days\", \"Tracelog record maximum age in days\",\n \"TrackingPrefix\", \"Tracking Prefix\", \"History list of tracking token prefixes.\",\n \"TrackingTokenIdBase\", \"Tracking Token Base\", \"Base number used to provide separate tracking token identifiers to users belonging to different deployments.\",\n \"TrackingTokenIdDigits\", \"Tracking Token Digits\", \"Number of digits used to represent a tracking token identifier.\",\n \"UniqueSpecifierLength\", \"Unique String Length\", \"Number of characters appended to invoice, quote, and order numbers.\",\n \"UnresolveEmailAddressIfMultipleMatch\", \"Set To,cc,bcc fields as unresolved if multiple matches are found\", \"Indicates whether email address should be unresolved if multiple matches are found\",\n \"UseInbuiltRuleForDefaultPricelistSelection\", \"Use Inbuilt Rule For Default Pricelist Selection\", \"Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.\",\n \"UseLegacyRendering\", \"Legacy Form Rendering\", \"Select whether to use legacy form rendering.\",\n \"UsePositionHierarchy\", \"Use position hierarchy\", \"Use position hierarchy\",\n \"UseQuickFindViewForGridSearch\", \"Use Quick Find view when searching in grids\", \"Indicates whether searching in a grid should use the Quick Find view for the entity.\",\n \"UserAccessAuditingInterval\", \"User Authentication Auditing Interval\", \"The interval at which user access is checked for auditing.\",\n \"UseReadForm\", \"Use Read-Optimized Form\", \"Indicates whether the read-optimized form should be enabled for this organization.\",\n \"UserGroupId\", \"User Group\", \"Unique identifier of the default group of users in the organization.\",\n \"UserRatingEnabled\", \"Enable the user rating feature\", \"Enable the user rating feature to show the NSAT score and comment to maker\",\n \"UseSkypeProtocol\", \"User Skype Protocol\", \"Indicates default protocol selected for organization.\",\n \"UTCConversionTimeZoneCode\", \"UTC Conversion Time Zone Code\", \"Time zone code that was in use when the record was created.\",\n \"ValidationMode\", \"Validation mode for apps in this environment\", \"Validation mode for apps in this environment\",\n \"WebResourceHash\", \"Web resource hash\", \"Hash value of web resources.\",\n \"WeekStartDayCode\", \"Week Start Day Code\", \"Designated first day of the week throughout Microsoft Dynamics 365.\",\n \"WidgetProperties\", \"For Internal use only.\", \"For Internal use only.\",\n \"YammerGroupId\", \"Yammer Group Id\", \"Denotes the Yammer group ID\",\n \"YammerNetworkPermalink\", \"Yammer Network Permalink\", \"Denotes the Yammer network permalink\",\n \"YammerOAuthAccessTokenExpired\", \"Yammer OAuth Access Token Expired\", \"Denotes whether the OAuth access token for Yammer network has expired\",\n \"YammerPostMethod\", \"Internal Use Only\", \"Internal Use Only\",\n \"YearStartWeekCode\", \"Year Start Week Code\", \"Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.\",\n \"AcknowledgementTemplateIdName\", \"\", \"Name of the template to be used for unsubscription acknowledgement.\",\n \"BaseCurrencyIdName\", \"\", \"\",\n \"BaseCurrencyPrecision\", \"Base Currency Precision\", \"Number of decimal places that can be used for the base currency.\",\n \"BaseCurrencySymbol\", \"Base Currency Symbol\", \"Symbol used for the base currency.\",\n \"BaseISOCurrencyCode\", \"Base ISO Currency Code\", \"\",\n \"CreatedBy\", \"Created By\", \"Unique identifier of the user who created the organization.\",\n \"CreatedByName\", \"\", \"\",\n \"CreatedByYomiName\", \"\", \"\",\n \"CreatedOn\", \"Created On\", \"Date and time when the organization was created.\",\n \"CreatedOnBehalfBy\", \"Created By (Delegate)\", \"Unique identifier of the delegate user who created the organization.\",\n \"CreatedOnBehalfByName\", \"\", \"\",\n \"CreatedOnBehalfByYomiName\", \"\", \"\",\n \"CurrentImportSequenceNumber\", \"Current Import Sequence Number\", \"Import sequence to use.\",\n \"CurrentParsedTableNumber\", \"Current Parsed Table Number\", \"First parsed table number to use.\",\n \"DaysSinceRecordLastModifiedMaxValue\", \"Max value of Days since record last modified\", \"The maximum value for the Mobile Offline setting Days since record last modified\",\n \"DefaultEmailServerProfileIdName\", \"\", \"Name of the email server profile to be used as default profile for the mailboxes.\",\n \"DefaultMobileOfflineProfileIdName\", \"\", \"Name of the default mobile offline profile to be used as default profile for mobile offline.\",\n \"DisabledReason\", \"Disabled Reason\", \"Reason for disabling the organization.\",\n \"EntityImage_Timestamp\", \"\", \"\",\n \"EntityImage_URL\", \"\", \"\",\n \"EntityImageId\", \"Entity Image Id\", \"For internal use only.\",\n \"FiscalSettingsUpdated\", \"Is Fiscal Settings Updated\", \"Information that specifies whether the fiscal settings have been updated.\",\n \"IsAllMoneyDecimal\", \"Set if all money attributes are converted to decimal\", \"Indicates whether all money attributes are converted to decimal.\",\n \"IsDisabled\", \"Is Organization Disabled\", \"Information that specifies whether the organization is disabled.\",\n \"MaxSupportedInternetExplorerVersion\", \"Max supported IE version\", \"The maximum version of IE to run browser emulation for in Outlook client\",\n \"MaxVerboseLoggingMailbox\", \"Max No Of Mailboxes To Enable For Verbose Logging\", \"Maximum number of mailboxes that can be toggled for verbose logging\",\n \"MaxVerboseLoggingSyncCycles\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\",\n \"MetadataSyncLastTimeOfNeverExpiredDeletedObjects\", \"The last date/time for never expired metadata tracking deleted objects\", \"What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.\",\n \"MetadataSyncTimestamp\", \"Metadata sync version\", \"Contains the maximum version number for attributes used by metadata synchronization that have changed.\",\n \"MobileOfflineMinLicenseProd\", \"Minimum number of user license required for mobile offline service by production/preview organization\", \"Minimum number of user license required for mobile offline service by production/preview organization\",\n \"MobileOfflineMinLicenseTrial\", \"Minimum number of user license required for mobile offline service by trial organization\", \"Minimum number of user license required for mobile offline service by trial organization\",\n \"ModifiedBy\", \"Modified By\", \"Unique identifier of the user who last modified the organization.\",\n \"ModifiedByName\", \"\", \"\",\n \"ModifiedByYomiName\", \"\", \"\",\n \"ModifiedOn\", \"Modified On\", \"Date and time when the organization was last modified.\",\n \"ModifiedOnBehalfBy\", \"Modified By (Delegate)\", \"Unique identifier of the delegate user who last modified the organization.\",\n \"ModifiedOnBehalfByName\", \"\", \"\",\n \"ModifiedOnBehalfByYomiName\", \"\", \"\",\n \"NextCustomObjectTypeCode\", \"Next Entity Type Code\", \"Next entity type code to use for custom entities.\",\n \"OrganizationId\", \"Organization\", \"Unique identifier of the organization.\",\n \"OrganizationState\", \"Organization State\", \"Indicates the organization lifecycle state\",\n \"ParsedTableColumnPrefix\", \"Parsed Table Column Prefix\", \"Prefix used for parsed table columns.\",\n \"ParsedTablePrefix\", \"Parsed Table Prefix\", \"Prefix used for parsed tables.\",\n \"V3CalloutConfigHash\", \"V3 Callout Hash\", \"Hash of the V3 callout configuration file.\",\n \"VersionNumber\", \"Version Number\", \"Version number of the organization.\"\n]\n| project FieldName = tolower(Field), DisplayName, Description\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsOrgSettings" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", - "dependsOn": [ - "[variables('parserObject3')._parserId3]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]", - "contentId": "[variables('parserObject3').parserContentId3]", - "kind": "Parser", - "version": "[variables('parserObject3').parserVersion3]", + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentId15')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentId15'))]", + "contentId": "[variables('_dataConnectorContentId15')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion15')]", "source": { - "name": "Microsoft Business Applications", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections15')]", + "contentId": "[variables('_dataConnectorContentIdConnections15')]", + "kind": "ResourcesDataConnector" + } + ] } - } } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject3').parserContentId3]", - "contentKind": "Parser", - "displayName": "MSBizAppsOrgSettings", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '3.2.0')))]", - "version": "[variables('parserObject3').parserVersion3]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject3')._parserName3]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsOrgSettings", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsOrgSettings", - "query": "datatable (Field: string, DisplayName: string, Description: string)[\n \"ACIWebEndpointUrl\", \"ACI Tenant URL.\", \"ACI Web Endpoint URL.\",\n \"AcknowledgementTemplateId\", \"Acknowledgement Template\", \"Unique identifier of the template to be used for acknowledgement when a user unsubscribes.\",\n \"ActivityTypeFilter\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether filtering activity based on entity in app.\",\n \"ActivityTypeFilterV2\", \"Show only activities configured in the app when accessing 'New activity' button\", \"Whether to show only activities configured in this app or all activities in the 'New activity' button.\",\n \"AdvancedColumnEditorEnabled\", \"Advanced column editor enabled\", \"Flag to indicate if the display column options on a view in model-driven apps is enabled\",\n \"AdvancedColumnFilteringEnabled\", \"Advanced column filtering enabled\", \"Flag to indicate if the advanced column filtering in a view in model-driven apps is enabled\",\n \"AdvancedFilteringEnabled\", \"Advanced filtering enabled\", \"Flag to indicate if the advanced filtering on all tables in a model-driven app is enabled\",\n \"AdvancedLookupEnabled\", \"Advanced lookup enabled\", \"Flag to indicate if the Advanced Lookup feature is enabled for lookup controls\",\n \"AdvancedLookupInEditFilter\", \"Enable Advanced Lookup In Edit Filter\", \"Enables advanced lookup in grid edit filter panel\",\n \"AllowAddressBookSyncs\", \"Allow Address Book Synchronization\", \"Indicates whether background address book synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowApplicationUserAccess\", \"Allow All Application Users Access.\", \"Information that specifies whether all application users are allowed to access the environment\",\n \"AllowAutoResponseCreation\", \"Allow Automatic Response Creation\", \"Indicates whether automatic response creation is allowed.\",\n \"AllowAutoUnsubscribe\", \"Allow Automatic Unsubscribe\", \"Indicates whether automatic unsubscribe is allowed.\",\n \"AllowAutoUnsubscribeAcknowledgement\", \"Allow Automatic Unsubscribe Acknowledgement\", \"Indicates whether automatic unsubscribe acknowledgement email is allowed to send.\",\n \"AllowClientMessageBarAd\", \"Allow Outlook Client Message Bar Advertisement\", \"Indicates whether Outlook Client message bar advertisement is allowed.\",\n \"AllowConnectorsOnPowerFXActions\", \"Enable connectors on power fx actions.\", \"Information on whether connectors on power fx actions is enabled.\",\n \"AllowedIpRangeForFirewall\", \"List of IP Ranges to be allowed by the firewall rule\", \"Information that specifies the range of IP addresses that are in allow list for the firewall.\",\n \"AllowedIpRangeForStorageAccessSignatures\", \"List of IP Ranges to be allowed for generating the SAS URIs.\", \"Information that specifies the range of IP addresses that are in allowed list for generating the SAS URIs.\",\n \"AllowedMimeTypes\", \"List of allowed mime types.\", \"Allow upload or download of certain mime types.\",\n \"AllowedServiceTagsForFirewall\", \"List of Service Tags to be allowed by the firewall rule\", \"Information that specifies the List of Service Tags that should be allowed by the firewall.\",\n \"AllowEntityOnlyAudit\", \"Allow Entity Level Auditing\", \"Indicates whether auditing of changes to entity is allowed when no attributes have changed.\",\n \"AllowLeadingWildcardsInGridSearch\", \"Allow Leading Wildcards In Grid Search\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLeadingWildcardsInQuickFind\", \"Allow Leading Wildcards In Quick Find\", \"Enables ends-with searches in grids with the use of a leading wildcard on all tables in the environment\",\n \"AllowLegacyClientExperience\", \"Enable access to legacy web client UI\", \"Enable access to legacy web client UI\",\n \"AllowLegacyDialogsEmbedding\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\", \"Enable embedding of certain legacy dialogs in Unified Interface browser client\",\n \"AllowMarketingEmailExecution\", \"Allow Marketing Email Execution\", \"Indicates whether marketing emails execution is allowed.\",\n \"AllowMicrosoftTrustedServiceTags\", \"Allow Microsoft Trusted Service Tags\", \"Information that specifies whether Microsoft Trusted Service Tags are allowed\",\n \"AllowOfflineScheduledSyncs\", \"Allow Offline Scheduled Synchronization\", \"Indicates whether background offline synchronization in Microsoft Office Outlook is allowed.\",\n \"AllowOutlookScheduledSyncs\", \"Allow Scheduled Synchronization\", \"Indicates whether scheduled synchronizations to Outlook are allowed.\",\n \"AllowRedirectAdminSettingsToModernUI\", \"Allow Redirect Legacy Admin Settings To Modern UI\", \"Control whether the organization Allow Redirect Legacy Admin Settings To Modern UI\",\n \"AllowUnresolvedPartiesOnEmailSend\", \"Allow Unresolved Address Email Send\", \"Indicates whether users are allowed to send email to unresolved parties (parties must still have an email address).\",\n \"AllowUserFormModePreference\", \"Allow User Form Mode Preference\", \"Indicates whether individuals can select their form mode preference in their personal options.\",\n \"AllowUsersHidingSystemViews\", \"Allow users hiding system views\", \"Flag to indicate if allow end users to hide system views in model-driven apps is enabled\",\n \"AllowUsersSeeAppdownloadMessage\", \"Allow the showing tablet application notification bars in a browser.\", \"Indicates whether the showing tablet application notification bars in a browser is allowed.\",\n \"AllowWebExcelExport\", \"Allow Export to Excel\", \"Indicates whether Web-based export of grids to Microsoft Office Excel is allowed.\",\n \"AMDesignator\", \"AM Designator\", \"AM designator to use throughout Microsoft Dynamics CRM.\",\n \"AppDesignerExperienceEnabled\", \"Enable App Designer Experience for this Organization\", \"Indicates whether the appDesignerExperience is enabled for the organization.\",\n \"AppointmentRichEditorExperience\", \"Enable Rich Editing Experience for Appointment\", \"Information on whether rich editing experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeeting\", \"Enable teams Meeting experience for appointment\", \"Information on whether Teams meeting experience for Appointment is enabled.\",\n \"AppointmentWithTeamsMeetingV2\", \"Enable Teams meetings for appointments\", \"Whether Teams meetings experience for appointments is enabled.\",\n \"AuditRetentionPeriod\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AuditRetentionPeriodV2\", \"Audit Retention Period Settings\", \"Audit Retention Period settings stored in Organization Database.\",\n \"AutoApplyDefaultonCaseCreate\", \"Auto Apply Default Entitlement on Case Create\", \"Select whether to auto apply the default customer entitlement on case creation.\",\n \"AutoApplyDefaultonCaseUpdate\", \"Auto Apply Default Entitlement on Case Update\", \"Select whether to auto apply the default customer entitlement on case update.\",\n \"AutoApplySLA\", \"Is Auto-apply SLA After Manually Over-riding\", \"Indicates whether to Auto-apply SLA on case record update after SLA was manually applied.\",\n \"AzureSchedulerJobCollectionName\", \"For internal use only.\", \"For internal use only.\",\n \"BaseCurrencyId\", \"Currency\", \"Unique identifier of the base currency of the organization.\",\n \"BingMapsApiKey\", \"Bing Maps API Key\", \"Api Key to be used in requests to Bing Maps services.\",\n \"BlockedAttachments\", \"Block Attachments\", \"Prevent upload or download of certain attachment types that are considered dangerous.\",\n \"BlockedMimeTypes\", \"List of blocked mime types.\", \"Prevent upload or download of certain mime types that are considered dangerous.\",\n \"BoundDashboardDefaultCardExpanded\", \"Display cards in expanded state for Interactive Dashboard\", \"Display cards in expanded state for interactive dashboard\",\n \"BulkOperationPrefix\", \"Bulk Operation Prefix\", \"Prefix used for bulk operation numbering.\",\n \"BusinessCardOptions\", \"Enable New BusinessCardOptions\", \"BusinessCardOptions\",\n \"BusinessClosureCalendarId\", \"Business Closure Calendar\", \"Unique identifier of the business closure calendar of organization.\",\n \"CalendarType\", \"Calendar Type\", \"Calendar type for the system. Set to Gregorian US by default.\",\n \"CampaignPrefix\", \"Campaign Prefix\", \"Prefix used for campaign numbering.\",\n \"CanOptOutNewSearchExperience\", \"Can disable Oct 2020 Search\", \"Indicates whether the organization can opt out of the new Relevance search experience (released in Oct 2020)\",\n \"CascadeStatusUpdate\", \"Cascade Status Update\", \"Flag to cascade Update on incident.\",\n \"CasePrefix\", \"Case Prefix\", \"Prefix to use for all cases throughout Microsoft Dynamics 365.\",\n \"CategoryPrefix\", \"Category Prefix\", \"Type the prefix to use for all categories in Microsoft Dynamics 365.\",\n \"ClientFeatureSet\", \"Client Feature Set\", \"Client Features to be enabled as an XML BLOB.\",\n \"ContentSecurityPolicyConfiguration\", \"Content Security Policy Configuration\", \"Policy configuration for CSP\",\n \"ContentSecurityPolicyConfigurationForCanvas\", \"Content Security Policy Configuration for Canvas apps\", \"Content Security Policy configuration for Canvas apps.\",\n \"ContentSecurityPolicyOptions\", \"Content Security Policy Options\", \"Content Security Policy Options.\",\n \"ContentSecurityPolicyReportUri\", \"Content Security Policy Report Uri\", \"Content Security Policy Report Uri.\",\n \"ContractPrefix\", \"Contract Prefix\", \"Prefix to use for all contracts throughout Microsoft Dynamics 365.\",\n \"CopresenceRefreshRate\", \"CopresenceRefreshRate\", \"Refresh rate for copresence data in seconds.\",\n \"CortanaProactiveExperienceEnabled\", \"Enable Cortana Proactive Experience Flow processes for this Organization\", \"Indicates whether the feature CortanaProactiveExperience Flow processes should be enabled for the organization.\",\n \"CreateProductsWithoutParentInActiveState\", \"Enable Active Initial Product State\", \"Enable Initial state of newly created products to be Active instead of Draft\",\n \"CurrencyDecimalPrecision\", \"Currency Decimal Precision\", \"Number of decimal places that can be used for currency.\",\n \"CurrencyDisplayOption\", \"Display Currencies Using\", \"Indicates whether to display money fields with currency code or currency symbol.\",\n \"CurrencyFormatCode\", \"Currency Format Code\", \"Information about how currency symbols are placed throughout Microsoft Dynamics CRM.\",\n \"CurrencySymbol\", \"Currency Symbol\", \"Symbol used for currency throughout Microsoft Dynamics 365.\",\n \"CurrentBulkOperationNumber\", \"Current Bulk Operation Number\", \"Current bulk operation number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCampaignNumber\", \"Current Campaign Number\", \"Current campaign number. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCaseNumber\", \"Current Case Number\", \"First case number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentCategoryNumber\", \"Current Category Number\", \"Enter the first number to use for Categories. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentContractNumber\", \"Current Contract Number\", \"First contract number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentInvoiceNumber\", \"Current Invoice Number\", \"First invoice number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKaNumber\", \"Current Knowledge Article Number\", \"Enter the first number to use for knowledge articles. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentKbNumber\", \"Current Article Number\", \"First article number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentOrderNumber\", \"Current Order Number\", \"First order number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"CurrentQuoteNumber\", \"Current Quote Number\", \"First quote number to use. Deprecated. Use SetAutoNumberSeed message.\",\n \"DateFormatCode\", \"Date Format Code\", \"Information about how the date is displayed throughout Microsoft CRM.\",\n \"DateFormatString\", \"Date Format String\", \"String showing how the date is displayed throughout Microsoft CRM.\",\n \"DateSeparator\", \"Date Separator\", \"Character used to separate the month, the day, and the year in dates throughout Microsoft Dynamics 365.\",\n \"DaysBeforeEmailDescriptionIsMigrated\", \"Number of days before we migrate email description to blob.\", \"Number of days before we migrate email description to blob.\",\n \"DaysBeforeInactiveTeamsChatSyncDisabled\", \"Days Before Inactive Teams Chat Sync Disabled\", \"Days of inactivity before sync is disabled for a Teams Chat.\",\n \"DecimalSymbol\", \"Decimal Symbol\", \"Symbol used for decimal in Microsoft Dynamics 365.\",\n \"DefaultCountryCode\", \"Default Country Code\", \"Text area to enter default country code.\",\n \"DefaultCrmCustomName\", \"Name of the default app\", \"Name of the default crm custom.\",\n \"DefaultEmailServerProfileId\", \"Email Server Profile\", \"Unique identifier of the default email server profile.\",\n \"DefaultEmailSettings\", \"Default Email Settings\", \"XML string containing the default email settings that are applied when a user or queue is created.\",\n \"DefaultMobileOfflineProfileId\", \"Default Mobile Offline Profile\", \"Unique identifier of the default mobile offline profile.\",\n \"DefaultRecurrenceEndRangeType\", \"Default Recurrence End Range Type\", \"Type of default recurrence end range date.\",\n \"DefaultThemeData\", \"Default Theme Data\", \"Default theme data for the organization.\",\n \"DelegatedAdminUserId\", \"Delegated Admin\", \"Unique identifier of the delegated admin user for the organization.\",\n \"DisableSocialCare\", \"Is Social Care disabled\", \"Indicates whether Social Care is disabled.\",\n \"DiscountCalculationMethod\", \"Discount calculation method\", \"Discount calculation method for the QOOI product.\",\n \"DisplayNavigationTour\", \"Display Navigation Tour\", \"Indicates whether or not navigation tour is displayed.\",\n \"EmailConnectionChannel\", \"Email Connection Channel\", \"Select if you want to use the Email Router or server-side synchronization for email processing.\",\n \"EmailCorrelationEnabled\", \"Use Email Correlation\", \"Flag to turn email correlation on or off.\",\n \"EmailSendPollingPeriod\", \"Email Send Polling Frequency\", \"Normal polling frequency used for sending email in Microsoft Office Outlook.\",\n \"EnableAsyncMergeAPIForUCI\", \"Asynchronous merge enabled for UCI\", \"Determines whether records merged through the merge dialog in UCI are merged asynchronously\",\n \"EnableBingMapsIntegration\", \"Enable Integration with Bing Maps\", \"Enable Integration with Bing Maps\",\n \"EnableCanvasAppsInSolutionsByDefault\", \"Enable the creation of Canvas apps in Dataverse / Solution by default\", \"Note: By enabling this feature, you will also enable the automatic creation of enviornment variables when adding data sources for your apps.\",\n \"EnableFlowsInSolutionByDefault\", \"Enable the creation of flows within a solution by default.\", \"Indicates whether the creation of flows is within a solution by default for this organization.\",\n \"EnableFlowsInSolutionByDefaultGracePeriod\", \"Indicates whether the organization is opted into a grace period for auto-enablement of 'creation of flows within a solution by default' functionality.\", \"Organizations with this attribute set to true will be granted a grace period and excluded from the initial world wide enablement of 'creation of flows within a solution by default' functionality. Once the grace period expires, the functionality will be enabled in your organization.\",\n \"EnableImmersiveSkypeIntegration\", \"Enable Integration with Immersive Skype\", \"Enable Integration with Immersive Skype\",\n \"EnableIpBasedCookieBinding\", \"Enable IP Address Based Cookie Binding\", \"Information that specifies whether IP based cookie binding is enabled\",\n \"EnableIpBasedFirewallRule\", \"Enable IP Range based Firewall\", \"Information that specifies whether IP based firewall rule is enabled\",\n \"EnableIpBasedFirewallRuleInAuditMode\", \"Enable IP Range based Firewall In Audit Only Mode\", \"Information that specifies whether IP based firewall rule is enabled in Audit Only Mode\",\n \"EnableIpBasedStorageAccessSignatureRule\", \"Enable IP SAS URI generation rule\", \"Information that specifies whether IP based SAS URI generation rule is enabled\",\n \"EnableLivePersonaCardUCI\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\", \"Indicates whether the user has enabled or disabled Live Persona Card feature in UCI.\",\n \"EnableLivePersonCardIntegrationInOffice\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\", \"Indicates whether the user has enabled or disabled LivePersonCardIntegration in Office.\",\n \"EnableLPAuthoring\", \"Enable Learning Path Authoring\", \"Select to enable learning path auhtoring.\",\n \"EnableMakerSwitchToClassic\", \"Switch Maker Portal to Classic\", \"Control whether the organization Switch Maker Portal to Classic\",\n \"EnableMicrosoftFlowIntegration\", \"Enable Integration with Microsoft Flow\", \"Enable Integration with Microsoft Flow\",\n \"EnablePricingOnCreate\", \"Enable Pricing On Create\", \"Enable pricing calculations on a Create call.\",\n \"EnableSmartMatching\", \"Enable Smart Matching\", \"Use Smart Matching.\",\n \"EnableUnifiedClientCDN\", \"Enable UCI CDN for organization\", \"Leave empty to use default setting. Set to on/off to enable/disable CDN for UCI.\",\n \"EnableUnifiedInterfaceShellRefresh\", \"Enable site map and commanding update\", \"Enable site map and commanding update\",\n \"EnforceReadOnlyPlugins\", \"Organization setting to enforce read only plugins.\", \"Organization setting to enforce read only plugins.\",\n \"EntityImage\", \"Entity Image\", \"The default image for the entity.\",\n \"ExpireChangeTrackingInDays\", \"Days to Expire Change Tracking Deleted Records\", \"Maximum number of days to keep change tracking deleted records\",\n \"ExpireSubscriptionsInDays\", \"Days to Expire Subscriptions\", \"Maximum number of days before deleting inactive subscriptions.\",\n \"ExternalBaseUrl\", \"External Base URL\", \"Specify the base URL to use to look for external document suggestions.\",\n \"ExternalPartyCorrelationKeys\", \"ExternalPartyEnabled Entities correlation Keys\", \"XML string containing the ExternalPartyEnabled entities correlation keys for association of existing External Party instance entities to newly created IsExternalPartyEnabled entities.For internal use only\",\n \"ExternalPartyEntitySettings\", \"ExternalPartyEnabled Entities Settings.For internal use only\", \"XML string containing the ExternalPartyEnabled entities settings.\",\n \"FeatureSet\", \"Feature Set\", \"Features to be enabled as an XML BLOB.\",\n \"FiscalCalendarStart\", \"Fiscal Calendar Start\", \"Start date for the fiscal period that is to be used throughout Microsoft CRM.\",\n \"FiscalPeriodFormat\", \"Fiscal Period Format\", \"Information that specifies how the name of the fiscal period is displayed throughout Microsoft CRM.\",\n \"FiscalPeriodFormatPeriod\", \"Format for Fiscal Period\", \"Format in which the fiscal period will be displayed.\",\n \"FiscalPeriodType\", \"Fiscal Period Type\", \"Type of fiscal period used throughout Microsoft CRM.\",\n \"FiscalYearDisplayCode\", \"Fiscal Year Display\", \"Information that specifies whether the fiscal year should be displayed based on the start date or the end date of the fiscal year.\",\n \"FiscalYearFormat\", \"Fiscal Year Format\", \"Information that specifies how the name of the fiscal year is displayed throughout Microsoft CRM.\",\n \"FiscalYearFormatPrefix\", \"Prefix for Fiscal Year\", \"Prefix for the display of the fiscal year.\",\n \"FiscalYearFormatSuffix\", \"Suffix for Fiscal Year\", \"Suffix for the display of the fiscal year.\",\n \"FiscalYearFormatYear\", \"Fiscal Year Format Year\", \"Format for the year.\",\n \"FiscalYearPeriodConnect\", \"Fiscal Year Period Connector\", \"Information that specifies how the names of the fiscal year and the fiscal period should be connected when displayed together.\",\n \"FullNameConventionCode\", \"Full Name Display Order\", \"Order in which names are to be displayed throughout Microsoft CRM.\",\n \"FutureExpansionWindow\", \"Future Expansion Window\", \"Specifies the maximum number of months in future for which the recurring activities can be created.\",\n \"GenerateAlertsForErrors\", \"Generate Alerts For Errors\", \"Indicates whether alerts will be generated for errors.\",\n \"GenerateAlertsForInformation\", \"Generate Alerts For Information\", \"Indicates whether alerts will be generated for information.\",\n \"GenerateAlertsForWarnings\", \"Generate Alerts For Warnings\", \"Indicates whether alerts will be generated for warnings.\",\n \"GetStartedPaneContentEnabled\", \"Is Get Started Pane Content Enabled\", \"Indicates whether Get Started content is enabled for this organization.\",\n \"GlobalAppendUrlParametersEnabled\", \"Is AppendUrl Parameters enabled\", \"Indicates whether the append URL parameters is enabled.\",\n \"GlobalHelpUrl\", \"Global Help URL.\", \"URL for the web page global help.\",\n \"GlobalHelpUrlEnabled\", \"Is Customizable Global Help enabled\", \"Indicates whether the customizable global help is enabled.\",\n \"GoalRollupExpiryTime\", \"Rollup Expiration Time for Goal\", \"Number of days after the goal's end date after which the rollup of the goal stops automatically.\",\n \"GoalRollupFrequency\", \"Automatic Rollup Frequency for Goal\", \"Number of hours between automatic rollup jobs .\",\n \"GrantAccessToNetworkService\", \"Grant Access To Network Service\", \"For internal use only.\",\n \"HashDeltaSubjectCount\", \"Hash Delta Subject Count\", \"Maximum difference allowed between subject keywords count of the email messaged to be correlated\",\n \"HashFilterKeywords\", \"Hash Filter Keywords\", \"Filter Subject Keywords\",\n \"HashMaxCount\", \"Hash Max Count\", \"Maximum number of subject keywords or recipients used for correlation\",\n \"HashMinAddressCount\", \"Hash Min Address Count\", \"Minimum number of recipients required to match for email messaged to be correlated\",\n \"HighContrastThemeData\", \"High contrast Theme Data\", \"High contrast theme data for the organization.\",\n \"IgnoreInternalEmail\", \"Ignore Internal Email\", \"Indicates whether incoming email sent by internal Microsoft Dynamics 365 users or queues should be tracked.\",\n \"ImproveSearchLoggingEnabled\", \"Share search query data\", \"Indicates whether an organization has consented to sharing search query data to help improve search results\",\n \"InactivityTimeoutEnabled\", \"Inactivity timeout enabled\", \"Information that specifies whether Inactivity timeout is enabled\",\n \"InactivityTimeoutInMins\", \"Inactivity timeout in minutes\", \"Inactivity timeout in minutes\",\n \"InactivityTimeoutReminderInMins\", \"Inactivity timeout reminder in minutes\", \"Inactivity timeout reminder in minutes\",\n \"IncomingEmailExchangeEmailRetrievalBatchSize\", \"Exchange Email Retrieval Batch Size\", \"Setting for the Async Service Mailbox Queue. Defines the retrieval batch size of exchange server.\",\n \"InitialVersion\", \"Initial Version\", \"Initial version of the organization.\",\n \"IntegrationUserId\", \"Integration User\", \"Unique identifier of the integration user for the organization.\",\n \"InvoicePrefix\", \"Invoice Prefix\", \"Prefix to use for all invoice numbers throughout Microsoft Dynamics 365.\",\n \"IpBasedStorageAccessSignatureMode\", \"IP Based SAS mode\", \"IP Based SAS mode.\",\n \"IsActionCardEnabled\", \"Enable Action Card for this Organization\", \"Indicates whether the feature Action Card should be enabled for the organization.\",\n \"IsActionSupportFeatureEnabled\", \"Action Support Feature enabled\", \"Information that specifies whether Action Support Feature is enabled\",\n \"IsActivityAnalysisEnabled\", \"Enable Relationship Analytics for this Organization\", \"Indicates whether the feature Relationship Analytics should be enabled for the organization.\",\n \"IsAppMode\", \"Is Application Mode Enabled\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsAppointmentAttachmentSyncEnabled\", \"Is Attachment Sync Enabled\", \"Enable or disable attachments sync for outlook and exchange.\",\n \"IsAssignedTasksSyncEnabled\", \"Is Assigned Tasks Sync Enabled\", \"Enable or disable assigned tasks sync for outlook and exchange.\",\n \"IsAuditEnabled\", \"Is Auditing Enabled\", \"Enable or disable auditing of changes.\",\n \"IsAutoDataCaptureEnabled\", \"Enable Auto Capture for this Organization\", \"Indicates whether the feature Auto Capture should be enabled for the organization.\",\n \"IsAutoDataCaptureV2Enabled\", \"Enable Auto Capture V2 for this Organization\", \"Indicates whether the V2 feature of Auto Capture should be enabled for the organization.\",\n \"IsAutoInstallAppForD365InTeamsEnabled\", \"IsAutoInstallAppForD365InTeamsEnabled\", \"\",\n \"IsAutoSaveEnabled\", \"Auto Save Enabled\", \"Information on whether auto save is enabled.\",\n \"IsBaseCardStaticFieldDataEnabled\", \"IsBaseCardStaticFieldDataEnabled\", \"\",\n \"IsBasicGeospatialIntegrationEnabled\", \"Enable the basic Geospatial features in Canvas Apps\", \"Determines whether users can make use of basic Geospatial featuers in Canvas apps.\",\n \"IsBPFEntityCustomizationFeatureEnabled\", \"BPF Entity Customization Feature enabled\", \"Information that specifies whether BPF Entity Customization Feature is enabled\",\n \"IsCollaborationExperienceEnabled\", \"IsCollaborationExperienceEnabled\", \"\",\n \"IsConflictDetectionEnabledForMobileClient\", \"Is Conflict Detection for Mobile Client enabled\", \"Information that specifies whether conflict detection for mobile client is enabled.\",\n \"IsContactMailingAddressSyncEnabled\", \"Is Mailing Address Sync Enabled\", \"Enable or disable mailing address sync for outlook and exchange.\",\n \"IsContentSecurityPolicyEnabled\", \"Enable Content Security Policy for this organization\", \"Indicates whether Content Security Policy has been enabled for the organization.\",\n \"IsContentSecurityPolicyEnabledForCanvas\", \"Enable Content Security Policy for this organization's Canvas apps\", \"Indicates whether Content Security Policy has been enabled for this organization's Canvas apps.\",\n \"IsContextualEmailEnabled\", \"Indicates whether Contextual email experience is enabled on this organization\", \"Indicates whether Contextual email experience is enabled on this organization\",\n \"IsContextualHelpEnabled\", \"Enables Contextual Help in UCI\", \"Select to enable Contextual Help in UCI.\",\n \"IsCopilotFeedbackEnabled\", \"Allow users to provide feedback for App Copilot\", \"Determines whether users can provide feedback for App Copilot.\",\n \"IsCustomControlsInCanvasAppsEnabled\", \"Enable Custom Controls in canvas PowerApps feature for this organization\", \"Indicates whether Custom Controls in canvas PowerApps feature has been enabled for the organization.\",\n \"IsDefaultCountryCodeCheckEnabled\", \"Enable or disable country code selection\", \"Enable or disable country code selection.\",\n \"IsDelegateAccessEnabled\", \"Is Delegation Access Enabled\", \"Enable Delegation Access content\",\n \"IsDelveActionHubIntegrationEnabled\", \"Enable Action Hub for this Organization\", \"Indicates whether the feature Action Hub should be enabled for the organization.\",\n \"IsDesktopFlowSchemaV2Enabled\", \"Enable v2 schema for Desktop Flows in this organization.\", \"Indicates whether v2 schema for Desktop Flows is enabled in this organization.\",\n \"IsDuplicateDetectionEnabled\", \"Is Duplicate Detection Enabled\", \"Indicates whether duplicate detection of records is enabled.\",\n \"IsDuplicateDetectionEnabledForImport\", \"Is Duplicate Detection Enabled For Import\", \"Indicates whether duplicate detection of records during import is enabled.\",\n \"IsDuplicateDetectionEnabledForOfflineSync\", \"Is Duplicate Detection Enabled For Offline Synchronization\", \"Indicates whether duplicate detection of records during offline synchronization is enabled.\",\n \"IsDuplicateDetectionEnabledForOnlineCreateUpdate\", \"Is Duplicate Detection Enabled for Online Create/Update\", \"Indicates whether duplicate detection during online create or update is enabled.\",\n \"IsEmailAddressValidationEnabled\", \"Enable Smart Email Address Validation.\", \"Information on whether Smart Email Address Validation is enabled.\",\n \"IsEmailMonitoringAllowed\", \"Allow tracking recipient activity on sent emails\", \"Allow tracking recipient activity on sent emails.\",\n \"IsEmailServerProfileContentFilteringEnabled\", \"Is Email Server Profile Content Filtering Enabled\", \"Enable Email Server Profile content filtering\",\n \"IsEnabledForAllRoles\", \"option set values for isenabledforallroles\", \"Indicates whether appmodule is enabled for all roles\",\n \"IsExternalFileStorageEnabled\", \"Enable external file storage\", \"Indicates whether the organization's files are being stored in Azure.\",\n \"IsExternalSearchIndexEnabled\", \"Enable external search data syncing\", \"Select whether data can be synchronized with an external search index.\",\n \"IsFiscalPeriodMonthBased\", \"Is Fiscal Period Monthly\", \"Indicates whether the fiscal period is displayed as the month number.\",\n \"IsFolderAutoCreatedonSP\", \"Automatically create folders\", \"Select whether folders should be automatically created on SharePoint.\",\n \"IsFolderBasedTrackingEnabled\", \"Is Folder Based Tracking Enabled\", \"Enable or disable folder based tracking for Server Side Sync.\",\n \"IsFullTextSearchEnabled\", \"Enable Full-text search for Quick Find\", \"Indicates whether full-text search for Quick Find entities should be enabled for the organization.\",\n \"IsGeospatialAzureMapsIntegrationEnabled\", \"Enable geospatial Azure Maps integration.\", \"Indicates whether geospatial capabilities leveraging Azure Maps are enabled.\",\n \"IsHierarchicalSecurityModelEnabled\", \"Enable Hierarchical Security Model\", \"Enable Hierarchical Security Model\",\n \"IsIdeasDataCollectionEnabled\", \"Enable Ideas data collection.\", \"Indicates whether data collection for ideas in canvas PowerApps has been enabled.\",\n \"IsLUISEnabledforD365Bot\", \"LUIS Consent for Dynamics 365 Bot\", \"Give Consent to use LUIS in Dynamics 365 Bot\",\n \"IsMailboxForcedUnlockingEnabled\", \"Is Mailbox Forced Unlocking Enabled\", \"Enable or disable forced unlocking for Server Side Sync mailboxes.\",\n \"IsMailboxInactiveBackoffEnabled\", \"Is Mailbox Keep Alive Enabled\", \"Enable or disable mailbox keep alive for Server Side Sync.\",\n \"IsManualSalesForecastingEnabled\", \"Enable Manual Sales Forecasting feature for this organization\", \"Indicates whether Manual Sales Forecasting feature has been enabled for the organization.\",\n \"IsMobileClientOnDemandSyncEnabled\", \"Is Mobile Client On Demand Sync enabled\", \"Information that specifies whether mobile client on demand sync is enabled.\",\n \"IsMobileOfflineEnabled\", \"Enable MobileOffline for this Organization\", \"Indicates whether the feature MobileOffline should be enabled for the organization.\",\n \"IsModelDrivenAppsInMSTeamsEnabled\", \"Enable embedding Model Apps in Microsoft Teams\", \"Indicates whether Model Apps can be embedded within Microsoft Teams. This is a tenant admin controlled preview/experimental feature.\",\n \"IsMSTeamsCollaborationEnabled\", \"Enable Microsoft Teams Collaboration for this organization\", \"Indicates whether Microsoft Teams Collaboration feature has been enabled for the organization.\",\n \"IsMSTeamsEnabled\", \"Enable Microsoft Teams integration\", \"Indicates whether Microsoft Teams integration has been enabled for the organization.\",\n \"IsMSTeamsSettingChangedByUser\", \"Microsoft Teams integration changed by user\", \"Indicates whether the user has enabled or disabled Microsoft Teams integration.\",\n \"IsMSTeamsUserSyncEnabled\", \"Enable Microsoft Teams User Sync for this organization\", \"Indicates whether Microsoft Teams User Sync feature has been enabled for the organization.\",\n \"IsNewAddProductExperienceEnabled\", \"Indicates whether new add product experience is enabled in opportunity form\", \"Indicates whether new add product experience is enabled.\",\n \"IsNotesAnalysisEnabled\", \"Enable Notes Analysis for this Organization\", \"Indicates whether the feature Notes Analysis should be enabled for the organization.\",\n \"IsNotificationForD365InTeamsEnabled\", \"IsNotificationForD365InTeamsEnabled\", \"\",\n \"IsOfficeGraphEnabled\", \"Enable OfficeGraph for this Organization\", \"Indicates whether the feature OfficeGraph should be enabled for the organization.\",\n \"IsOneDriveEnabled\", \"Enable One Drive for this Organization\", \"Indicates whether the feature One Drive should be enabled for the organization.\",\n \"IsPAIEnabled\", \"Enable PAI feature for this organization\", \"Indicates whether PAI feature has been enabled for the organization.\",\n \"IsPDFGenerationEnabled\", \"Enable PDF Generation feature for this organization\", \"Indicates whether PDF Generation feature has been enabled for the organization.\",\n \"IsPlaybookEnabled\", \"Enable playbook feature for this organization\", \"Indicates whether playbook feature has been enabled for the organization.\",\n \"IsPresenceEnabled\", \"Presence Enabled\", \"Information on whether IM presence is enabled.\",\n \"IsPreviewEnabledForActionCard\", \"Enable Preview Action Card feature for this Organization\", \"Indicates whether the Preview feature for Action Card should be enabled for the organization.\",\n \"IsPreviewForAutoCaptureEnabled\", \"Enable Auto Capture for this Organization at Preview Settings\", \"Indicates whether the feature Auto Capture should be enabled for the organization at Preview Settings.\",\n \"IsPreviewForEmailMonitoringAllowed\", \"Allows Preview For Email Monitoring\", \"Is Preview For Email Monitoring Allowed.\",\n \"IsPriceListMandatory\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities\", \"Indicates whether PriceList is mandatory for adding existing products to sales entities.\",\n \"IsQuickCreateEnabledForOpportunityClose\", \"Enable quick create form for opportunity close feature for this organization\", \"Select whether to use the standard Out-of-box Opportunity Close experience or opt to for a customized experience.\",\n \"IsReadAuditEnabled\", \"Is Read Auditing Enabled\", \"Enable or disable auditing of read operations.\",\n \"IsRelationshipInsightsEnabled\", \"Enable Relationship Insights for this Organization\", \"Indicates whether the feature Relationship Insights should be enabled for the organization.\",\n \"IsResourceBookingExchangeSyncEnabled\", \"Resource booking synchronization enabled\", \"Indicates if the synchronization of user resource booking with Exchange is enabled at organization level.\",\n \"IsRichTextNotesEnabled\", \"Indicates whether rich text editor for notes experience is enabled on this organization\", \"Indicates whether rich text editor for notes experience is enabled on this organization\",\n \"IsRpaAutoscaleAadJoinEnabled\", \"Enable AAD Join for RPA Autoscale feature for this organization.\", \"Indicates whether AAD Join for RPA Autoscale is enabled in this organization..\",\n \"IsRpaAutoscaleEnabled\", \"Enable RPA Autoscale feature for this organization\", \"Indicates whether Autoscale feature for RPA is enabled in this organization.\",\n \"IsRpaBoxCrossGeoEnabled\", \"Enable RPA Box cross geo feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization in locations outside the tenant's geographical location.\",\n \"IsRpaBoxEnabled\", \"Enable RPA Box feature for this organization\", \"Indicates whether RPA Box feature is enabled in this organization.\",\n \"IsRpaUnattendedEnabled\", \"Enable RPA Unattended feature for this organization\", \"Indicates whether Unattended runs feature for RPA is enabled in this organization.\",\n \"IsSalesAssistantEnabled\", \"Enable Sales Assistant mobile app\", \"Indicates whether Sales Assistant mobile app has been enabled for the organization.\",\n \"IsSharingInOrgAllowed\", \"IsSharingInOrgAllowed\", \"\",\n \"IsSOPIntegrationEnabled\", \"Is Sales Order Integration Enabled\", \"Enable sales order processing integration.\",\n \"IsTextWrapEnabled\", \"Enable Text Wrap\", \"Information on whether text wrap is enabled.\",\n \"IsUserAccessAuditEnabled\", \"Is User Access Auditing Enabled\", \"Enable or disable auditing of user access.\",\n \"ISVIntegrationCode\", \"ISV Integration Mode\", \"Indicates whether loading of Microsoft Dynamics 365 in a browser window that does not have address, tool, and menu bars is enabled.\",\n \"IsWriteInProductsAllowed\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not\", \"Indicates whether Write-in Products can be added to Opportunity/Quote/Order/Invoice or not.\",\n \"KaPrefix\", \"Knowledge Article Prefix\", \"Type the prefix to use for all knowledge articles in Microsoft Dynamics 365.\",\n \"KbPrefix\", \"Article Prefix\", \"Prefix to use for all articles in Microsoft Dynamics 365.\",\n \"KMSettings\", \"Knowledge Management Settings\", \"XML string containing the Knowledge Management settings that are applied in Knowledge Management Wizard.\",\n \"LanguageCode\", \"Language\", \"Preferred language for the organization.\",\n \"LocaleId\", \"Locale\", \"Unique identifier of the locale of the organization.\",\n \"LongDateFormatCode\", \"Long Date Format\", \"Information that specifies how the Long Date format is displayed in Microsoft Dynamics 365.\",\n \"LookupCharacterCountBeforeResolve\", \"Minimum number of characters before resolving suggestions in lookup\", \"Minimum number of characters that should be entered in the lookup control before resolving for suggestions\",\n \"LookupResolveDelayMS\", \"Minimum delay (in milliseconds) for debouncing lookup control input\", \"Minimum delay (in milliseconds) between consecutive inputs in a lookup control that will trigger a search for suggestions\",\n \"MailboxIntermittentIssueMinRange\", \"Lower Threshold For Mailbox Intermittent Issue\", \"Lower Threshold For Mailbox Intermittent Issue.\",\n \"MailboxPermanentIssueMinRange\", \"Lower Threshold For Mailbox Permanent Issue.\", \"Lower Threshold For Mailbox Permanent Issue.\",\n \"MaxActionStepsInBPF\", \"Maximum number of actionsteps allowed in a BPF\", \"Maximum number of actionsteps allowed in a BPF\",\n \"MaxAllowedPendingRollupJobCount\", \"MaxAllowedPendingRollupJobCount\", \"Maximum Allowed Pending Rollup Job Count\",\n \"MaxAllowedPendingRollupJobPercentage\", \"MaxAllowedPendingRollupJobPercentage\", \"Percentage Of Entity Table Size For Kicking Off Bootstrap Job\",\n \"MaxAppointmentDurationDays\", \"Max Appointment Duration\", \"Maximum number of days an appointment can last.\",\n \"MaxConditionsForMobileOfflineFilters\", \"Maximum number of conditions allowed for mobile offline filters\", \"Maximum number of conditions allowed for mobile offline filters\",\n \"MaxDepthForHierarchicalSecurityModel\", \"Maximum depth for hierarchy security propagation.\", \"Maximum depth for hierarchy security propagation.\",\n \"MaxFolderBasedTrackingMappings\", \"Max Folder Based Tracking Mappings\", \"Maximum number of Folder Based Tracking mappings user can add\",\n \"MaximumActiveBusinessProcessFlowsAllowedPerEntity\", \"Maximum active business process flows per entity\", \"Maximum number of active business process flows allowed per entity\",\n \"MaximumDynamicPropertiesAllowed\", \"Product Properties Item Limit\", \"Restrict the maximum number of product properties for a product family/bundle\",\n \"MaximumEntitiesWithActiveSLA\", \"Maximum number of active SLA allowed per entity in online\", \"Maximum number of active SLA allowed per entity in online\",\n \"MaximumSLAKPIPerEntityWithActiveSLA\", \"Maximum number of active SLA KPI allowed per entity in online\", \"Maximum number of SLA KPI per active SLA allowed for entity in online\",\n \"MaximumTrackingNumber\", \"Max Tracking Number\", \"Maximum tracking number before recycling takes place.\",\n \"MaxProductsInBundle\", \"Bundle Item Limit\", \"Restrict the maximum no of items in a bundle\",\n \"MaxRecordsForExportToExcel\", \"Max Records For Excel Export\", \"Maximum number of records that will be exported to a static Microsoft Office Excel worksheet when exporting from the grid.\",\n \"MaxRecordsForLookupFilters\", \"Max Records Filter Selection\", \"Maximum number of lookup and picklist records that can be selected by user for filtering.\",\n \"MaxRollupFieldsPerEntity\", \"MaxRollupFieldsPerEntity\", \"Maximum Rollup Fields Per Entity\",\n \"MaxRollupFieldsPerOrg\", \"MaxRollupFieldsPerOrg\", \"Maximum Rollup Fields Per Organization\",\n \"MaxSLAItemsPerSLA\", \"Max SLA Items Per SLA\", \"\",\n \"MaxUploadFileSize\", \"Max Upload File Size\", \"Maximum allowed size of an attachment.\",\n \"MicrosoftFlowEnvironment\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\", \"(Deprecated) Environment selected for Integration with Microsoft Flow\",\n \"MinAddressBookSyncInterval\", \"Min Address Synchronization Frequency\", \"Normal polling frequency used for address book synchronization in Microsoft Office Outlook.\",\n \"MinOfflineSyncInterval\", \"Min Offline Synchronization Frequency\", \"Normal polling frequency used for background offline synchronization in Microsoft Office Outlook.\",\n \"MinOutlookSyncInterval\", \"Min Synchronization Frequency\", \"Minimum allowed time between scheduled Outlook synchronizations.\",\n \"MobileOfflineSyncInterval\", \"Sync interval for mobile offline.\", \"Sync interval for mobile offline.\",\n \"ModernAdvancedFindFiltering\", \"Modern advanced find filtering\", \"Flag to indicate if the modern advanced find filtering on all tables in a model-driven app is enabled\",\n \"ModernAppDesignerCoauthoringEnabled\", \"Coauthoring in Modern App Designer Enabled\", \"Indicates whether coauthoring is enabled in modern app designer\",\n \"MultiColumnSortEnabled\", \"Enable Multi Column Sort Editor In Views\", \"Show the sort by button on views\",\n \"Name\", \"Organization Name\", \"Name of the organization. The name is set when Microsoft CRM is installed and should not be changed.\",\n \"NaturalLanguageAssistFilter\", \"Natural Language Assist\", \"Enables Natural Language Assist Filter.\",\n \"NegativeCurrencyFormatCode\", \"Negative Currency Format\", \"Information that specifies how negative currency numbers are displayed throughout Microsoft Dynamics 365.\",\n \"NegativeFormatCode\", \"Negative Format\", \"Information that specifies how negative numbers are displayed throughout Microsoft CRM.\",\n \"NewSearchExperienceEnabled\", \"Oct 2020 Search enabled\", \"Indicates whether an organization has enabled the new Relevance search experience (released in Oct 2020) for the organization\",\n \"NextTrackingNumber\", \"Next Tracking Number\", \"Next token to be placed on the subject line of an email message.\",\n \"NotifyMailboxOwnerOfEmailServerLevelAlerts\", \"Notify Mailbox Owner Of Email Server Level Alerts\", \"Indicates whether mailbox owners will be notified of email server profile level alerts.\",\n \"NumberFormat\", \"Number Format\", \"Specification of how numbers are displayed throughout Microsoft CRM.\",\n \"NumberGroupFormat\", \"Number Grouping Format\", \"Specifies how numbers are grouped in Microsoft Dynamics 365.\",\n \"NumberSeparator\", \"Number Separator\", \"Symbol used for number separation in Microsoft Dynamics 365.\",\n \"OfficeAppsAutoDeploymentEnabled\", \"Enable Office Apps Auto Deployment for this Organization\", \"Indicates whether the Office Apps auto deployment is enabled for the organization.\",\n \"OfficeGraphDelveUrl\", \"The url to open the Delve\", \"The url to open the Delve for the organization.\",\n \"OOBPriceCalculationEnabled\", \"Enable OOB Price calculation\", \"Enable OOB pricing calculation logic for Opportunity, Quote, Order and Invoice entities.\",\n \"OptOutSchemaV2EnabledByDefault\", \"Opt-out of schema v2 being automatically enabled for this organization.\", \"Indicates if this organization will opt-out from automatically enabling schema v2 on the organization.\",\n \"OrderPrefix\", \"Order Prefix\", \"Prefix to use for all orders throughout Microsoft Dynamics 365.\",\n \"OrgDbOrgSettings\", \"Organization Database Organization Settings\", \"Organization settings stored in Organization Database.\",\n \"OrgInsightsEnabled\", \"Enable OrgInsights for this Organization\", \"Select whether to turn on OrgInsights for the organization.\",\n \"PaiPreviewScenarioEnabled\", \"Display Preview Feature for this organization\", \"Indicates whether Preview feature has been enabled for the organization.\",\n \"PastExpansionWindow\", \"Past Expansion Window\", \"Specifies the maximum number of months in past for which the recurring activities can be created.\",\n \"PcfDatasetGridEnabled\", \"Enable modern grids in model-driven apps\", \"Leave empty to use default setting. Set to on/off to enable/disable replacement of default grids with modern ones in model-driven apps.\",\n \"PerformACTSyncAfter\", \"PerformACTSyncAfter\", \"This setting contains the date time before an ACT sync can execute.\",\n \"Picture\", \"Picture\", \"For internal use only.\",\n \"PinpointLanguageCode\", \"\", \"\",\n \"PluginTraceLogSetting\", \"Plug-in Trace Log Setting\", \"Plug-in Trace Log Setting for the Organization.\",\n \"PMDesignator\", \"PM Designator\", \"PM designator to use throughout Microsoft Dynamics 365.\",\n \"PostMessageWhitelistDomains\", \"For internal use only.\", \"For internal use only.\",\n \"PowerAppsMakerBotEnabled\", \"Enable bot for makers.\", \"Indicates whether bot for makers is enabled.\",\n \"PowerBIAllowCrossRegionOperations\", \"Power BI allow cross region operations\", \"Indicates whether cross region operations are allowed for the organization\",\n \"PowerBIAutomaticPermissionsAssignment\", \"Power BI automatic permissions assignment\", \"Indicates whether automatic permissions assignment to Power BI has been enabled for the organization\",\n \"PowerBIComponentsCreate\", \"Power BI components creation\", \"Indicates whether creation of Power BI components has been enabled for the organization\",\n \"PowerBiFeatureEnabled\", \"Enable Power BI feature for this Organization\", \"Indicates whether the Power BI feature should be enabled for the organization.\",\n \"PricingDecimalPrecision\", \"Pricing Decimal Precision\", \"Number of decimal places that can be used for prices.\",\n \"PrivacyStatementUrl\", \"Privacy Statement URL\", \"Privacy Statement URL\",\n \"PrivilegeUserGroupId\", \"Privilege User Group\", \"Unique identifier of the default privilege for users in the organization.\",\n \"PrivReportingGroupId\", \"Privilege Reporting Group\", \"For internal use only.\",\n \"PrivReportingGroupName\", \"Privilege Reporting Group Name\", \"For internal use only.\",\n \"ProductRecommendationsEnabled\", \"Enable Product Recommendations for this Organization\", \"Select whether to turn on product recommendations for the organization.\",\n \"QualifyLeadAdditionalOptions\", \"Enable New Qualify Lead Experience with configuration MDD\", \"Indicates whether prompt should be shown for new Qualify Lead Experience\",\n \"QuickActionToOpenRecordsInSidePaneEnabled\", \"Enable quick actions to open records in search side pane\", \"Flag to indicate if the feature to use quick action to open records in search side pane is enabled\",\n \"QuickFindRecordLimitEnabled\", \"Quick Find Record Limit Enabled\", \"Indicates whether a quick find record limit should be enabled for this organization (allows for faster Quick Find queries but prevents overly broad searches).\",\n \"QuotePrefix\", \"Quote Prefix\", \"Prefix to use for all quotes throughout Microsoft Dynamics 365.\",\n \"RecalculateSLA\", \"Indicates whether SLA Recalculation has been enabled for the organization\", \"Indicates whether SLA Recalculation has been enabled for the organization\",\n \"RecurrenceDefaultNumberOfOccurrences\", \"Recurrence Default Number of Occurrences\", \"Specifies the default value for number of occurrences field in the recurrence dialog.\",\n \"RecurrenceExpansionJobBatchInterval\", \"Recurrence Expansion Job Batch Interval\", \"Specifies the interval (in seconds) for pausing expansion job.\",\n \"RecurrenceExpansionJobBatchSize\", \"Recurrence Expansion On Demand Job Batch Size\", \"Specifies the value for number of instances created in on demand job in one shot.\",\n \"RecurrenceExpansionSynchCreateMax\", \"Recurrence Expansion Synchronization Create Maximum\", \"Specifies the maximum number of instances to be created synchronously after creating a recurring appointment.\",\n \"ReferenceSiteMapXml\", \"Reference SiteMap XML\", \"XML string that defines the navigation structure for the application. This is the site map from the previously upgraded build and is used in a 3-way merge during upgrade.\",\n \"ReleaseCadence\", \"Current orgnization release cadence value\", \"Current orgnization release cadence value\",\n \"ReleaseChannel\", \"Model app refresh channel\", \"Model app refresh channel\",\n \"ReleaseWaveName\", \"Release Wave\", \"Release Wave Applied to Environment.\",\n \"RelevanceSearchEnabledByPlatform\", \"Relevance search enabled automatically by Dataverse\", \"Indicates whether relevance search was enabled for the environment as part of Dataverse's relevance search on-by-default sweep\",\n \"RelevanceSearchModifiedOn\", \"RelevanceSearchModifiedOnDate\", \"This setting contains the last modified date for relevance search setting that appears as a toggle in PPAC.\",\n \"RenderSecureIFrameForEmail\", \"Render Secure Frame For Email\", \"Flag to render the body of email in the Web form in an IFRAME with the security='restricted' attribute set. This is additional security but can cause a credentials prompt.\",\n \"ReportingGroupId\", \"Reporting Group\", \"For internal use only.\",\n \"ReportingGroupName\", \"Reporting Group Name\", \"For internal use only.\",\n \"ReportScriptErrors\", \"Report Script Errors\", \"Picklist for selecting the organization preference for reporting scripting errors.\",\n \"RequireApprovalForQueueEmail\", \"Is Approval For Queue Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"RequireApprovalForUserEmail\", \"Is Approval For User Email Required\", \"Indicates whether Send As Other User privilege is enabled.\",\n \"ResolveSimilarUnresolvedEmailAddress\", \"Apply same email address to all unresolved matches when you manually resolve it for one\", \"Apply same email address to all unresolved matches when you manually resolve it for one\",\n \"RestrictStatusUpdate\", \"Restrict Status Update\", \"Flag to restrict Update on incident.\",\n \"ReverseProxyIpAddresses\", \"List of reverse proxy IP addresses to be allowed.\", \"Information that specifies Reverse Proxy IP addresses from which requests have to be allowed.\",\n \"RiErrorStatus\", \"Error status of Relationship Insights provisioning.\", \"Error status of Relationship Insights provisioning.\",\n \"SampleDataImportId\", \"Sample Data Import\", \"Unique identifier of the sample data import job.\",\n \"SchemaNamePrefix\", \"Customization Name Prefix\", \"Prefix used for custom entities and attributes.\",\n \"SendBulkEmailInUCI\", \"Send Bulk Email in UCI\", \"Indicates whether Send Bulk Email in UCI is enabled for the org.\",\n \"ServeStaticResourcesFromAzureCDN\", \"Serve Static Content From CDN\", \"Serve Static Content From CDN\",\n \"SessionRecordingEnabled\", \"Enable the session recording feature\", \"Enable the session recording feature to record user sessions in UCI\",\n \"SessionTimeoutEnabled\", \"Session timeout enabled\", \"Information that specifies whether session timeout is enabled\",\n \"SessionTimeoutInMins\", \"Session timeout in minutes\", \"Session timeout in minutes\",\n \"SessionTimeoutReminderInMins\", \"Session timeout reminder in minutes\", \"Session timeout reminder in minutes\",\n \"SharePointDeploymentType\", \"Choose SharePoint Deployment Type\", \"Indicates which SharePoint deployment type is configured for Server to Server. (Online or On-Premises)\",\n \"ShareToPreviousOwnerOnAssign\", \"Share To Previous Owner On Assign\", \"Information that specifies whether to share to previous owner on assign.\",\n \"ShowKBArticleDeprecationNotification\", \"Show KBArticle deprecation message to user\", \"Select whether to display a KB article deprecation notification to the user.\",\n \"ShowWeekNumber\", \"Show Week Number\", \"Information that specifies whether to display the week number in calendar displays throughout Microsoft CRM.\",\n \"SignupOutlookDownloadFWLink\", \"CRMForOutlookDownloadURL\", \"CRM for Outlook Download URL\",\n \"SiteMapXml\", \"SiteMap XML\", \"XML string that defines the navigation structure for the application.\",\n \"SlaPauseStates\", \"SLA pause states\", \"Contains the on hold case status values.\",\n \"SocialInsightsEnabled\", \"Social Insights Enabled\", \"Flag for whether the organization is using Social Insights.\",\n \"SocialInsightsInstance\", \"Social Insights instance identifier\", \"Identifier for the Social Insights instance for the organization.\",\n \"SocialInsightsTermsAccepted\", \"Social Insights Terms of Use\", \"Flag for whether the organization has accepted the Social Insights terms of use.\",\n \"SortId\", \"Sort\", \"For internal use only.\",\n \"SqlAccessGroupId\", \"SQL Access Group\", \"For internal use only.\",\n \"SqlAccessGroupName\", \"SQL Access Group Name\", \"For internal use only.\",\n \"SQMEnabled\", \"Is SQM Enabled\", \"Setting for SQM data collection, 0 no, 1 yes enabled\",\n \"SupportUserId\", \"Support User\", \"Unique identifier of the support user for the organization.\",\n \"SuppressSLA\", \"Is SLA suppressed\", \"Indicates whether SLA is suppressed.\",\n \"SuppressValidationEmails\", \"Whether Admin emails are sent when Solution Checker validation fails\", \"Leave empty to use default setting. Set to on/off to enable/disable Admin emails when Solution Checker validation fails.\",\n \"SyncBulkOperationBatchSize\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\", \"Number of records to update per operation in Sync Bulk Pause/Resume/Cancel\",\n \"SyncBulkOperationMaxLimit\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\", \"Max total number of records to update in database for Sync Bulk Pause/Resume/Cancel\",\n \"SyncOptInSelection\", \"Enable dynamics 365 azure sync framework for this organization.\", \"Indicates the selection to use the dynamics 365 azure sync framework or server side sync.\",\n \"SyncOptInSelectionStatus\", \"Status of opt-in or opt-out operation for dynamics 365 azure sync.\", \"Indicates the status of the opt-in or opt-out operation for dynamics 365 azure sync.\",\n \"SystemUserId\", \"System User\", \"Unique identifier of the system user for the organization.\",\n \"TableScopedDVSearchInApps\", \"Table Scoped Dataverse Search In Apps\", \"Controls the appearance of option to search over a single DV search indexed table in model-driven apps global search in the header.\",\n \"TagMaxAggressiveCycles\", \"Auto-Tag Max Cycles\", \"Maximum number of aggressive polling cycles executed for email auto-tagging when a new email is received.\",\n \"TagPollingPeriod\", \"Auto-Tag Interval\", \"Normal polling frequency used for email receive auto-tagging in outlook.\",\n \"TaskBasedFlowEnabled\", \"Enable Task Flow processes for this Organization\", \"Select whether to turn on task flows for the organization.\",\n \"TeamsChatDataSync\", \"Enable Teams Chat Data Sync.\", \"Information on whether Teams Chat Data Sync is enabled.\",\n \"TelemetryInstrumentationKey\", \"Telemetry Instrumentation Key\", \"Instrumentation key for Application Insights used to log plugins telemetry.\",\n \"TextAnalyticsEnabled\", \"Enable Text Analytics for this Organization\", \"Select whether to turn on text analytics for the organization.\",\n \"TimeFormatCode\", \"Time Format Code\", \"Information that specifies how the time is displayed throughout Microsoft CRM.\",\n \"TimeFormatString\", \"Time Format String\", \"Text for how time is displayed in Microsoft Dynamics 365.\",\n \"TimeSeparator\", \"Time Separator\", \"Text for how the time separator is displayed throughout Microsoft Dynamics 365.\",\n \"TimeZoneRuleVersionNumber\", \"Time Zone Rule Version Number\", \"For internal use only.\",\n \"TokenExpiry\", \"Token Expiration Duration\", \"Duration used for token expiration.\",\n \"TokenKey\", \"Token Key\", \"Token key.\",\n \"TraceLogMaximumAgeInDays\", \"Tracelog record maximum age in days\", \"Tracelog record maximum age in days\",\n \"TrackingPrefix\", \"Tracking Prefix\", \"History list of tracking token prefixes.\",\n \"TrackingTokenIdBase\", \"Tracking Token Base\", \"Base number used to provide separate tracking token identifiers to users belonging to different deployments.\",\n \"TrackingTokenIdDigits\", \"Tracking Token Digits\", \"Number of digits used to represent a tracking token identifier.\",\n \"UniqueSpecifierLength\", \"Unique String Length\", \"Number of characters appended to invoice, quote, and order numbers.\",\n \"UnresolveEmailAddressIfMultipleMatch\", \"Set To,cc,bcc fields as unresolved if multiple matches are found\", \"Indicates whether email address should be unresolved if multiple matches are found\",\n \"UseInbuiltRuleForDefaultPricelistSelection\", \"Use Inbuilt Rule For Default Pricelist Selection\", \"Flag indicates whether to Use Inbuilt Rule For DefaultPricelist.\",\n \"UseLegacyRendering\", \"Legacy Form Rendering\", \"Select whether to use legacy form rendering.\",\n \"UsePositionHierarchy\", \"Use position hierarchy\", \"Use position hierarchy\",\n \"UseQuickFindViewForGridSearch\", \"Use Quick Find view when searching in grids\", \"Indicates whether searching in a grid should use the Quick Find view for the entity.\",\n \"UserAccessAuditingInterval\", \"User Authentication Auditing Interval\", \"The interval at which user access is checked for auditing.\",\n \"UseReadForm\", \"Use Read-Optimized Form\", \"Indicates whether the read-optimized form should be enabled for this organization.\",\n \"UserGroupId\", \"User Group\", \"Unique identifier of the default group of users in the organization.\",\n \"UserRatingEnabled\", \"Enable the user rating feature\", \"Enable the user rating feature to show the NSAT score and comment to maker\",\n \"UseSkypeProtocol\", \"User Skype Protocol\", \"Indicates default protocol selected for organization.\",\n \"UTCConversionTimeZoneCode\", \"UTC Conversion Time Zone Code\", \"Time zone code that was in use when the record was created.\",\n \"ValidationMode\", \"Validation mode for apps in this environment\", \"Validation mode for apps in this environment\",\n \"WebResourceHash\", \"Web resource hash\", \"Hash value of web resources.\",\n \"WeekStartDayCode\", \"Week Start Day Code\", \"Designated first day of the week throughout Microsoft Dynamics 365.\",\n \"WidgetProperties\", \"For Internal use only.\", \"For Internal use only.\",\n \"YammerGroupId\", \"Yammer Group Id\", \"Denotes the Yammer group ID\",\n \"YammerNetworkPermalink\", \"Yammer Network Permalink\", \"Denotes the Yammer network permalink\",\n \"YammerOAuthAccessTokenExpired\", \"Yammer OAuth Access Token Expired\", \"Denotes whether the OAuth access token for Yammer network has expired\",\n \"YammerPostMethod\", \"Internal Use Only\", \"Internal Use Only\",\n \"YearStartWeekCode\", \"Year Start Week Code\", \"Information that specifies how the first week of the year is specified in Microsoft Dynamics 365.\",\n \"AcknowledgementTemplateIdName\", \"\", \"Name of the template to be used for unsubscription acknowledgement.\",\n \"BaseCurrencyIdName\", \"\", \"\",\n \"BaseCurrencyPrecision\", \"Base Currency Precision\", \"Number of decimal places that can be used for the base currency.\",\n \"BaseCurrencySymbol\", \"Base Currency Symbol\", \"Symbol used for the base currency.\",\n \"BaseISOCurrencyCode\", \"Base ISO Currency Code\", \"\",\n \"CreatedBy\", \"Created By\", \"Unique identifier of the user who created the organization.\",\n \"CreatedByName\", \"\", \"\",\n \"CreatedByYomiName\", \"\", \"\",\n \"CreatedOn\", \"Created On\", \"Date and time when the organization was created.\",\n \"CreatedOnBehalfBy\", \"Created By (Delegate)\", \"Unique identifier of the delegate user who created the organization.\",\n \"CreatedOnBehalfByName\", \"\", \"\",\n \"CreatedOnBehalfByYomiName\", \"\", \"\",\n \"CurrentImportSequenceNumber\", \"Current Import Sequence Number\", \"Import sequence to use.\",\n \"CurrentParsedTableNumber\", \"Current Parsed Table Number\", \"First parsed table number to use.\",\n \"DaysSinceRecordLastModifiedMaxValue\", \"Max value of Days since record last modified\", \"The maximum value for the Mobile Offline setting Days since record last modified\",\n \"DefaultEmailServerProfileIdName\", \"\", \"Name of the email server profile to be used as default profile for the mailboxes.\",\n \"DefaultMobileOfflineProfileIdName\", \"\", \"Name of the default mobile offline profile to be used as default profile for mobile offline.\",\n \"DisabledReason\", \"Disabled Reason\", \"Reason for disabling the organization.\",\n \"EntityImage_Timestamp\", \"\", \"\",\n \"EntityImage_URL\", \"\", \"\",\n \"EntityImageId\", \"Entity Image Id\", \"For internal use only.\",\n \"FiscalSettingsUpdated\", \"Is Fiscal Settings Updated\", \"Information that specifies whether the fiscal settings have been updated.\",\n \"IsAllMoneyDecimal\", \"Set if all money attributes are converted to decimal\", \"Indicates whether all money attributes are converted to decimal.\",\n \"IsDisabled\", \"Is Organization Disabled\", \"Information that specifies whether the organization is disabled.\",\n \"MaxSupportedInternetExplorerVersion\", \"Max supported IE version\", \"The maximum version of IE to run browser emulation for in Outlook client\",\n \"MaxVerboseLoggingMailbox\", \"Max No Of Mailboxes To Enable For Verbose Logging\", \"Maximum number of mailboxes that can be toggled for verbose logging\",\n \"MaxVerboseLoggingSyncCycles\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\", \"Maximum number of sync cycles for which verbose logging will be enabled by default\",\n \"MetadataSyncLastTimeOfNeverExpiredDeletedObjects\", \"The last date/time for never expired metadata tracking deleted objects\", \"What is the last date/time where there are metadata tracking deleted objects that have never been outside of the expiration period.\",\n \"MetadataSyncTimestamp\", \"Metadata sync version\", \"Contains the maximum version number for attributes used by metadata synchronization that have changed.\",\n \"MobileOfflineMinLicenseProd\", \"Minimum number of user license required for mobile offline service by production/preview organization\", \"Minimum number of user license required for mobile offline service by production/preview organization\",\n \"MobileOfflineMinLicenseTrial\", \"Minimum number of user license required for mobile offline service by trial organization\", \"Minimum number of user license required for mobile offline service by trial organization\",\n \"ModifiedBy\", \"Modified By\", \"Unique identifier of the user who last modified the organization.\",\n \"ModifiedByName\", \"\", \"\",\n \"ModifiedByYomiName\", \"\", \"\",\n \"ModifiedOn\", \"Modified On\", \"Date and time when the organization was last modified.\",\n \"ModifiedOnBehalfBy\", \"Modified By (Delegate)\", \"Unique identifier of the delegate user who last modified the organization.\",\n \"ModifiedOnBehalfByName\", \"\", \"\",\n \"ModifiedOnBehalfByYomiName\", \"\", \"\",\n \"NextCustomObjectTypeCode\", \"Next Entity Type Code\", \"Next entity type code to use for custom entities.\",\n \"OrganizationId\", \"Organization\", \"Unique identifier of the organization.\",\n \"OrganizationState\", \"Organization State\", \"Indicates the organization lifecycle state\",\n \"ParsedTableColumnPrefix\", \"Parsed Table Column Prefix\", \"Prefix used for parsed table columns.\",\n \"ParsedTablePrefix\", \"Parsed Table Prefix\", \"Prefix used for parsed tables.\",\n \"V3CalloutConfigHash\", \"V3 Callout Hash\", \"Hash of the V3 callout configuration file.\",\n \"VersionNumber\", \"Version Number\", \"Version number of the organization.\"\n]\n| project FieldName = tolower(Field), DisplayName, Description\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsOrgSettings" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", - "dependsOn": [ - "[variables('parserObject3')._parserId3]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsOrgSettings')]", - "contentId": "[variables('parserObject3').parserContentId3]", - "kind": "Parser", - "version": "[variables('parserObject3').parserVersion3]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject4').parserTemplateSpecName4]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MSBizAppsTerminatedEmployees Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject4').parserVersion4]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject4')._parserName4]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsTerminatedEmployees", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsTerminatedEmployees", - "query": "let TerminatedEmployees_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n UserState: string,\n NotificationDate: datetime,\n TerminationDate: datetime,\n Tags: string\n) [\n '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'\n];\nlet TerminatedEmployees_data = (\n _GetWatchlist(TerminatedEmployeesWatchlistAlias)\n | project\n UserIdentifier = column_ifexists('User Identifier', '_'),\n UserAADObjectId = column_ifexists('User AAD Object Id', '_'),\n UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),\n UserPrincipalName = column_ifexists('User Principal Name', '_'),\n UserState = column_ifexists('UserState', '_'),\n NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),\n TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),\n Tags = column_ifexists('Tags', '_')\n );\nTerminatedEmployees_data\n| union isfuzzy = true (TerminatedEmployees_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier = tostring(UserIdentifier),\n UserAADObjectId = tostring(UserAADObjectId),\n UserOnPremSid = tostring(UserOnPremSid),\n UserPrincipalName = tostring(UserPrincipalName),\n UserState = tostring(UserState),\n NotificationDate = todatetime(NotificationDate),\n TerminationDate = todatetime(TerminationDate),\n Tags = tostring(Tags)\n", - "functionParameters": "TerminatedEmployeesWatchlistAlias:string='TerminatedEmployees'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsTerminatedEmployees" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", - "dependsOn": [ - "[variables('parserObject4')._parserId4]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]", - "contentId": "[variables('parserObject4').parserContentId4]", - "kind": "Parser", - "version": "[variables('parserObject4').parserVersion4]", - "source": { - "name": "Microsoft Business Applications", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections15'), variables('dataConnectorVersionConnections15'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections15')]", + "displayName": "[concat(variables('_solutionName'), variables('dataConnectorTemplateNameConnections15'))]", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections15')]", + "parameters": { + "connectorDefinitionName": { + "defaultValue": "connectorDefinitionName", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + } + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections15')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections15'))]", + "contentId": "[variables('_dataConnectorContentIdConnections15')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections15')]", + "source": { + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_uiConfigId15'))]", + "apiVersion": "2022-12-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "PurviewAudit", + "properties": { + "TenantId": "[[subscription().tenantId]", + "SourceType": "PowerPlatformAdministratorActivity", + "ConnectorDefinitionName": "[[parameters('connectorDefinitionName')]", + "DataTypes": { + "Logs": { + "state": "Enabled" + } + }, + "DcrConfig": { + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]", + "StreamName": "OFFICEPOWERPLATFORMADMIN_RESTAPI" + } + } + } + ] }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections15'),'-', variables('dataConnectorVersionConnections15'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersionConnections15')]" } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject4').parserContentId4]", - "contentKind": "Parser", - "displayName": "MSBizAppsTerminatedEmployees", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '3.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '3.0.1')))]", - "version": "[variables('parserObject4').parserVersion4]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject4')._parserName4]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsTerminatedEmployees", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsTerminatedEmployees", - "query": "let TerminatedEmployees_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n UserState: string,\n NotificationDate: datetime,\n TerminationDate: datetime,\n Tags: string\n) [\n '_', '_', '_', '_', '_', datetime(null), datetime(null), '_'\n];\nlet TerminatedEmployees_data = (\n _GetWatchlist(TerminatedEmployeesWatchlistAlias)\n | project\n UserIdentifier = column_ifexists('User Identifier', '_'),\n UserAADObjectId = column_ifexists('User AAD Object Id', '_'),\n UserOnPremSid = column_ifexists('User On-Prem Sid', '_'),\n UserPrincipalName = column_ifexists('User Principal Name', '_'),\n UserState = column_ifexists('UserState', '_'),\n NotificationDate = todatetime(column_ifexists('Notification date', datetime(null))),\n TerminationDate = todatetime(column_ifexists('Termination date', datetime(null))),\n Tags = column_ifexists('Tags', '_')\n );\nTerminatedEmployees_data\n| union isfuzzy = true (TerminatedEmployees_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier = tostring(UserIdentifier),\n UserAADObjectId = tostring(UserAADObjectId),\n UserOnPremSid = tostring(UserOnPremSid),\n UserPrincipalName = tostring(UserPrincipalName),\n UserState = tostring(UserState),\n NotificationDate = todatetime(NotificationDate),\n TerminationDate = todatetime(TerminationDate),\n Tags = tostring(Tags)\n", - "functionParameters": "TerminatedEmployeesWatchlistAlias:string='TerminatedEmployees'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsTerminatedEmployees" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", - "dependsOn": [ - "[variables('parserObject4')._parserId4]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsTerminatedEmployees')]", - "contentId": "[variables('parserObject4').parserContentId4]", - "kind": "Parser", - "version": "[variables('parserObject4').parserVersion4]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject5').parserTemplateSpecName5]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MSBizAppsVIPUsers Data Parser with template version 3.2.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject5').parserVersion5]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject5')._parserName5]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsVIPUsers", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsVIPUsers", - "query": "let MSBizAppsVIPUsers_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n Tags: string\n) [\n '_', '_', '_', '_', '_'\n];\nlet MSBizAppsVIPUsers_data = (\n _GetWatchlist(VIPUsersWatchlistAlias)\n | project\n UserIdentifier = tostring(column_ifexists('User Identifier', '_')),\n UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),\n UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),\n UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMSBizAppsVIPUsers_data\n| union isfuzzy = true (MSBizAppsVIPUsers_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier,\n UserAADObjectId,\n UserOnPremSid,\n UserPrincipalName,\n Tags\n", - "functionParameters": "VIPUsersWatchlistAlias:string='VIPUsers'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsVIPUsers" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.2.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Microsoft Business Applications", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Microsoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.

\n

The Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.

\n

It collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.

\n

Due to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.

\n

Important

\n\n

Please review the solution documentation to learn more about deploying, configuring and using this solution.

\n

Data Connectors: 4, Parsers: 5, Workbooks: 1, Analytic Rules: 49, Hunting Queries: 8, Watchlists: 1, Playbooks: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", "source": { - "name": "Microsoft Business Applications", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" + "kind": "Solution", + "name": "Microsoft Business Applications", + "sourceId": "[variables('_solutionId')]" }, "author": { - "name": "Microsoft" + "name": "Microsoft" }, "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", + "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", + "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", + "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", + "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", + "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", + "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", + "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", + "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", + "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", + "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", + "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", + "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", + "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", + "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", + "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", + "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", + "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", + "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", + "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", + "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", + "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", + "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", + "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", + "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", + "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", + "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", + "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", + "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", + "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", + "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", + "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", + "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", + "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", + "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", + "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", + "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Add-SharePoint-Site')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Blocklist-Add-User-AlertTrigger')]", + "version": "[variables('playbookVersion2')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Blocklist-Add-User-Via-Outlook')]", + "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Blocklist-Add-User-Via-Teams')]", + "version": "[variables('playbookVersion4')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Blocklist-Add-User')]", + "version": "[variables('playbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Blocklist-Remove-User-AlertTrigger')]", + "version": "[variables('playbookVersion6')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Dataverse-Send-Manager-Notification')]", + "version": "[variables('playbookVersion7')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_MSBizApps-Incident-From-Alert-Teams')]", + "version": "[variables('playbookVersion8')]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": "[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject2').parserContentId2]", + "version": "[variables('parserObject2').parserVersion2]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject3').parserContentId3]", + "version": "[variables('parserObject3').parserVersion3]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject4').parserContentId4]", + "version": "[variables('parserObject4').parserVersion4]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject5').parserContentId5]", + "version": "[variables('parserObject5').parserVersion5]" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_MSBizApps-Configuration')]", + "version": "3.2.0" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections10')]", + "version": "[variables('dataConnectorVersionConnections10')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections14')]", + "version": "[variables('dataConnectorVersionConnections14')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections15')]", + "version": "[variables('dataConnectorVersionConnections15')]" + } + ] + }, + "firstPublishDate": "2023-04-19", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Application", + "Cloud Provider" + ] } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject5').parserContentId5]", - "contentKind": "Parser", - "displayName": "MSBizAppsVIPUsers", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '3.2.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '3.2.0')))]", - "version": "[variables('parserObject5').parserVersion5]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject5')._parserName5]", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "MSBizAppsVIPUsers", - "category": "MSBizAppsFunctions", - "functionAlias": "MSBizAppsVIPUsers", - "query": "let MSBizAppsVIPUsers_definition = datatable (\n UserIdentifier: string,\n UserAADObjectId: string,\n UserOnPremSid: string,\n UserPrincipalName: string,\n Tags: string\n) [\n '_', '_', '_', '_', '_'\n];\nlet MSBizAppsVIPUsers_data = (\n _GetWatchlist(VIPUsersWatchlistAlias)\n | project\n UserIdentifier = tostring(column_ifexists('User Identifier', '_')),\n UserAADObjectId = tostring(column_ifexists('User AAD Object Id', '_')),\n UserOnPremSid = tostring(column_ifexists('User On-Prem Sid', '_')),\n UserPrincipalName = tostring(column_ifexists('User Principal Name', '_')),\n Tags = tostring(column_ifexists('Tags', '_'))\n );\nMSBizAppsVIPUsers_data\n| union isfuzzy = true (MSBizAppsVIPUsers_definition)\n| where UserPrincipalName != '_'\n| project\n UserIdentifier,\n UserAADObjectId,\n UserOnPremSid,\n UserPrincipalName,\n Tags\n", - "functionParameters": "VIPUsersWatchlistAlias:string='VIPUsers'", - "version": 2, - "tags": [ - { - "name": "description", - "value": "MSBizAppsVIPUsers" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MSBizAppsVIPUsers')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist1-id'))]", - "apiVersion": "2023-02-01", - "properties": { - "description": "Configuration for Microsoft Business Applications solution", - "displayName": "MSBizApps-Configuration", - "source": "ContentHub", - "provider": "Microsoft", - "numberOfLinesToSkip": 0, - "itemsSearchKey": "Category", - "rawContent": "Category,Data\n_,_\n", - "watchlistAlias": "MSBizApps-Configuration", - "contentType": "text/csv" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", - "apiVersion": "2023-04-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "3.2.0", - "kind": "Solution", - "contentSchemaVersion": "3.0.0", - "displayName": "Microsoft Business Applications", - "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Microsoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.

\n

The Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.

\n

It collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.

\n

Due to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.

\n

Important

\n\n

Please review the solution documentation to learn more about deploying, configuring and using this solution.

\n

Data Connectors: 1, Parsers: 5, Workbooks: 1, Analytic Rules: 49, Hunting Queries: 8, Watchlists: 1, Playbooks: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", - "contentKind": "Solution", - "contentProductId": "[variables('_solutioncontentProductId')]", - "id": "[variables('_solutioncontentProductId')]", - "icon": "", - "contentId": "[variables('_solutionId')]", - "parentId": "[variables('_solutionId')]", - "source": { - "kind": "Solution", - "name": "Microsoft Business Applications", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "operator": "AND", - "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentIdConnections1')]", - "version": "[variables('dataConnectorCCPVersion')]" - }, - { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", - "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", - "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", - "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", - "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", - "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject14')._analyticRulecontentId14]", - "version": "[variables('analyticRuleObject14').analyticRuleVersion14]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject15')._analyticRulecontentId15]", - "version": "[variables('analyticRuleObject15').analyticRuleVersion15]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject16')._analyticRulecontentId16]", - "version": "[variables('analyticRuleObject16').analyticRuleVersion16]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]", - "version": "[variables('analyticRuleObject17').analyticRuleVersion17]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]", - "version": "[variables('analyticRuleObject18').analyticRuleVersion18]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]", - "version": "[variables('analyticRuleObject19').analyticRuleVersion19]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject20')._analyticRulecontentId20]", - "version": "[variables('analyticRuleObject20').analyticRuleVersion20]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject21')._analyticRulecontentId21]", - "version": "[variables('analyticRuleObject21').analyticRuleVersion21]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject22')._analyticRulecontentId22]", - "version": "[variables('analyticRuleObject22').analyticRuleVersion22]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject23')._analyticRulecontentId23]", - "version": "[variables('analyticRuleObject23').analyticRuleVersion23]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject24')._analyticRulecontentId24]", - "version": "[variables('analyticRuleObject24').analyticRuleVersion24]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject25')._analyticRulecontentId25]", - "version": "[variables('analyticRuleObject25').analyticRuleVersion25]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject26')._analyticRulecontentId26]", - "version": "[variables('analyticRuleObject26').analyticRuleVersion26]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject27')._analyticRulecontentId27]", - "version": "[variables('analyticRuleObject27').analyticRuleVersion27]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject28')._analyticRulecontentId28]", - "version": "[variables('analyticRuleObject28').analyticRuleVersion28]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject29')._analyticRulecontentId29]", - "version": "[variables('analyticRuleObject29').analyticRuleVersion29]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject30')._analyticRulecontentId30]", - "version": "[variables('analyticRuleObject30').analyticRuleVersion30]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject31')._analyticRulecontentId31]", - "version": "[variables('analyticRuleObject31').analyticRuleVersion31]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject32')._analyticRulecontentId32]", - "version": "[variables('analyticRuleObject32').analyticRuleVersion32]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject33')._analyticRulecontentId33]", - "version": "[variables('analyticRuleObject33').analyticRuleVersion33]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject34')._analyticRulecontentId34]", - "version": "[variables('analyticRuleObject34').analyticRuleVersion34]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject35')._analyticRulecontentId35]", - "version": "[variables('analyticRuleObject35').analyticRuleVersion35]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject36')._analyticRulecontentId36]", - "version": "[variables('analyticRuleObject36').analyticRuleVersion36]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject37')._analyticRulecontentId37]", - "version": "[variables('analyticRuleObject37').analyticRuleVersion37]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject38')._analyticRulecontentId38]", - "version": "[variables('analyticRuleObject38').analyticRuleVersion38]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject39')._analyticRulecontentId39]", - "version": "[variables('analyticRuleObject39').analyticRuleVersion39]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject40')._analyticRulecontentId40]", - "version": "[variables('analyticRuleObject40').analyticRuleVersion40]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject41')._analyticRulecontentId41]", - "version": "[variables('analyticRuleObject41').analyticRuleVersion41]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject42')._analyticRulecontentId42]", - "version": "[variables('analyticRuleObject42').analyticRuleVersion42]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject43')._analyticRulecontentId43]", - "version": "[variables('analyticRuleObject43').analyticRuleVersion43]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject44')._analyticRulecontentId44]", - "version": "[variables('analyticRuleObject44').analyticRuleVersion44]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject45')._analyticRulecontentId45]", - "version": "[variables('analyticRuleObject45').analyticRuleVersion45]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject46')._analyticRulecontentId46]", - "version": "[variables('analyticRuleObject46').analyticRuleVersion46]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject47')._analyticRulecontentId47]", - "version": "[variables('analyticRuleObject47').analyticRuleVersion47]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject48')._analyticRulecontentId48]", - "version": "[variables('analyticRuleObject48').analyticRuleVersion48]" - }, - { - "kind": "AnalyticsRule", - "contentId": "[variables('analyticRuleObject49')._analyticRulecontentId49]", - "version": "[variables('analyticRuleObject49').analyticRuleVersion49]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", - "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", - "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", - "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", - "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", - "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", - "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", - "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", - "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Add-SharePoint-Site')]", - "version": "[variables('playbookVersion1')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Blocklist-Add-User-AlertTrigger')]", - "version": "[variables('playbookVersion2')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Blocklist-Add-User-Via-Outlook')]", - "version": "[variables('playbookVersion3')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Blocklist-Add-User-Via-Teams')]", - "version": "[variables('playbookVersion4')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Blocklist-Add-User')]", - "version": "[variables('playbookVersion5')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Blocklist-Remove-User-AlertTrigger')]", - "version": "[variables('playbookVersion6')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_Dataverse-Send-Manager-Notification')]", - "version": "[variables('playbookVersion7')]" - }, - { - "kind": "Playbook", - "contentId": "[variables('_MSBizApps-Incident-From-Alert-Teams')]", - "version": "[variables('playbookVersion8')]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject1').parserContentId1]", - "version": "[variables('parserObject1').parserVersion1]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject2').parserContentId2]", - "version": "[variables('parserObject2').parserVersion2]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject3').parserContentId3]", - "version": "[variables('parserObject3').parserVersion3]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject4').parserContentId4]", - "version": "[variables('parserObject4').parserVersion4]" - }, - { - "kind": "Parser", - "contentId": "[variables('parserObject5').parserContentId5]", - "version": "[variables('parserObject5').parserVersion5]" - }, - { - "kind": "Watchlist", - "contentId": "[variables('_MSBizApps-Configuration')]", - "version": "3.2.0" - } - ] - }, - "firstPublishDate": "2023-04-19", - "providers": [ - "Microsoft" - ], - "categories": { - "domains": [ - "Application", - "Cloud Provider" - ] + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" } - }, - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" - } - ], - "outputs": {} -} + ], + "outputs": {} +} \ No newline at end of file diff --git a/Workbooks/Images/Preview/Dynamics365ActivityBlack.png b/Workbooks/Images/Preview/Dynamics365ActivityBlack.png new file mode 100644 index 00000000000..e7e2b79de3b Binary files /dev/null and b/Workbooks/Images/Preview/Dynamics365ActivityBlack.png differ diff --git a/Workbooks/Images/Preview/Dynamics365ActivityWhite.png b/Workbooks/Images/Preview/Dynamics365ActivityWhite.png new file mode 100644 index 00000000000..b12e8f5e8e8 Binary files /dev/null and b/Workbooks/Images/Preview/Dynamics365ActivityWhite.png differ diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index 94f9a45a956..903118b9495 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -8421,7 +8421,10 @@ "dataConnectorsDependencies": [ "Dataverse" ], - "previewImagesFileNames": [], + "previewImagesFileNames": [ + "Dynamics365ActivityBlack.png", + "Dynamics365ActivityWhite.png" + ], "version": "1.0.4", "title": "Dynamics 365 Activity", "templateRelativePath": "Dynamics365Activity.json",