Microsoft Sentinel Blog
5 MIN READ

What's new: Microsoft Sentinel Solution for Dynamics 365 Finance and Operations

yohasson
Microsoft
Jul 06, 2023

Introduction

Today we are announcing a new Microsoft Sentinel Solution for Dynamics 365 Finance and Operations in public preview. This is a premium solution focused on monitoring, detecting threats and responding to incidents in customers' highly sensitive and business-critical ERP systems powered by Dynamics 365 Finance and Operations. The solution monitors and protects your Dynamics 365 Finance and Operations system: it collects audit and activity logs from the Dynamics 365 Finance and Operations environment and detects threats, suspicious activities, illegitimate activities, and more.


Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.


Important

  • The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
  • The solution is a premium offering. Pricing information will be available before the solution becomes generally available.


Dynamics 365 Finance and Operations is a major target for attackers

Finance and Operations applications are the crown jewels for attackers. They enable important business processes like finance, procurement, operations, and supply chain. They store and process sensitive business data, like payments, orders, accounts receivable, and suppliers.

Breaches in those applications could result in exposed customer data, disruption of key business processes, loss of revenue and major reputational impact.

Moreover, business applications such as these are even more exposed to risk: they are administered by business admins who are not security specialists, they are used by a wide range of internal and external users, and they integrate with many adjacent systems, both internal and external.

Prior to this launch, once an attacker managed to breach those systems there were very few controls to monitor, detect and respond to data exfiltration, process disruption or other malicious acts, and SOC teams had very little visibility into those business apps and the business processes they support.


How the solution addresses Dynamics 365 Finance and Operations security risks

To monitor and detect threats and security risks in Dynamics 365 Finance and Operations you need:

  • Visibility into user activities, like user logins and sign-ins, Create, Read, Update, Delete (CRUD) activities, configuration changes, or activities by external applications and APIs.
  • The ability to detect suspicious or illegitimate activities, like suspicious logins, illegitimate changes of settings and user permissions, data exfiltration, or bypassing of segregation of duties (SOD) policies.
  • The ability to investigate and respond to related incidents, for example by limiting user access, notifying business admins, or rolling back changes.

The solution includes:

  • Dynamics 365 F&O data connector, which allows you to ingest Dynamics 365 Finance and Operations admin activity and audit logs, as well as user business-process and application activity logs, into Microsoft Sentinel.
  • Built-in analytics rules to detect suspicious activity in your Dynamics 365 Finance and Operations environment, like changes in bank account details, multiple user account updates or deletions, suspicious sign-in events, changes to workload identities, and more.


Prerequisites

To enable the solution on your Microsoft Sentinel workspace and start ingesting logs from your Dynamics 365 Finance and Operations environment, you must have Microsoft Dynamics 365 Finance version 10.0.33 or above.


Out of the box content offered

The Microsoft Sentinel Solution for Dynamics 365 Finance and Operations initially includes the following built-in analytics rules. For each rule, the entry gives its description, the threat it detects, the source action it watches together with the data source, and the tactics it covers.

Rule name: F&O – Non-interactive account mapped to self or sensitive privileged user
Description: Identifies changes to Azure AD client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account. To modify the list of sensitive privileged accounts, change the “priviliged_user_accounts” variable in the rule query (refer to the example in the rule query).
What threat it detects: Access to F&O by external applications or APIs poses a major security risk. This rule detects attackers suspiciously manipulating the list of allowed external applications to gain non-interactive access to F&O.
Source action: Mapping modifications in the Finance and Operations portal, under Modules > System Administration > Azure Active Directory Applications.
Data source: FinanceOperationsActivity_CL
Tactics: Credential Access, Persistence, Privilege Escalation

Rule name: F&O – Mass update or deletion of user account records
Description: Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds. Default update threshold: 50. Default delete threshold: 10.
What threat it detects: Attackers trying to disrupt the organization's business processes will manipulate the system users and their permissions, and will usually do this in mass. This rule detects suspicious mass changes to the system user records.
Source action: Deletions or modifications in the Finance and Operations portal, under Modules > System Administration > Users.
Data source: FinanceOperationsActivity_CL
Tactics: Impact

Rule name: F&O – Bank account change following network alias reassignment
Description: Identifies updates to a bank account number by a user account whose alias was recently modified to a new value.
What threat it detects: Attackers trying to manipulate payment processes for financial gain will try to illegitimately manipulate vendors' bank account details. This detection alerts SOC analysts to a bank account details manipulation that happened shortly after the alias of the user making the change was modified to a new value.
Source action: Changes in bank account number in the Finance and Operations portal, under Workspaces > Bank management > All bank accounts, correlated with a relevant change in the user account to alias mapping.
Data source: FinanceOperationsActivity_CL
Tactics: Credential Access, Lateral Movement, Privilege Escalation

Rule name: F&O – Reverted bank account number modifications
Description: Identifies changes to bank account numbers in Finance & Operations whereby a bank account number is modified but then reverted a short time later.
What threat it detects: Attackers trying to manipulate payment processes for financial gain will try to illegitimately manipulate vendors' bank account details. This detection alerts SOC analysts to a detection-evasion attempt by an attacker trying to illegitimately transfer funds out of the organization.
Source action: Changes in bank account number in the Finance and Operations portal, under Workspaces > Bank management > All bank accounts.
Data source: FinanceOperationsActivity_CL
Tactics: Impact

Rule name: F&O – Unusual sign-in activity using single factor authentication
Description: Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single-factor (password) authentication. Sign-in events from tenants not using MFA, coming from an Azure AD trusted network location, or from geolocations seen previously in the last 14 days are excluded. This detection uses logs ingested from Azure Active Directory, so you should enable the Azure Active Directory data connector.
What threat it detects: Threat actors will try to find ways to bypass multi-factor authentication and sign into F&O using single-factor or password authentication. This rule detects unusual, successful attempts to bypass multi-factor authentication controls and log in to the system.
Source action: Sign-ins to the monitored Finance and Operations environment.
Data source: SigninLogs
Tactics: Credential Access, Initial Access
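To make the correlation logic behind three of these rules concrete, here is an added Python example that is not the solution's own detection code (the real rules are KQL queries over FinanceOperationsActivity_CL). It runs the "mass update or deletion", "bank account change following alias reassignment" and "reverted bank account number" checks over a constructed activity log. Only the two default thresholds (50 updates, 10 deletes) come from the table; the record field names (time, user, entity, op, record, field, old, new), the one-hour and 24-hour windows, and every event in the sample log are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def rec(time, user, entity, op, record, field=None, old=None, new=None):
    """Build one constructed activity record. These field names are an assumption
    for this example, not the FinanceOperationsActivity_CL schema."""
    return {"time": datetime.fromisoformat(time), "user": user, "entity": entity,
            "op": op, "record": record, "field": field, "old": old, "new": new}


# Constructed sample activity log (not real telemetry).
ACTIVITY = (
    # 12 user-record deletions by one actor within a minute: above the default delete threshold of 10
    [rec(f"2023-07-06T09:00:{i:02d}", "mallory", "User", "Delete", f"user{i:02d}") for i in range(12)]
    # three routine user-record updates by an admin: far below the default update threshold of 50
    + [rec(f"2023-07-06T10:00:{i:02d}", "alice", "User", "Update", f"user{i:02d}", "Email", "a", "b")
       for i in range(3)]
    + [
        # bob's network alias is reassigned, then bob changes a vendor bank account 20 minutes later ...
        rec("2023-07-06T11:00:00", "admin", "UserInfo", "Update", "bob", "NetworkAlias",
            "bob@contoso.com", "bob.x@contoso.com"),
        rec("2023-07-06T11:20:00", "bob", "BankAccount", "Update", "VEND-001", "AccountNum", "111111", "999999"),
        # ... and puts the original number back 20 minutes after that
        rec("2023-07-06T11:40:00", "bob", "BankAccount", "Update", "VEND-001", "AccountNum", "999999", "111111"),
        # an ordinary bank account change by a user with no recent alias change
        rec("2023-07-06T12:00:00", "carol", "BankAccount", "Update", "VEND-002", "AccountNum", "222222", "333333"),
    ]
)


def mass_user_record_changes(events, update_threshold=50, delete_threshold=10, window=timedelta(hours=1)):
    """Rule 'Mass update or deletion of user account records': per actor and operation, count
    User-record changes in a sliding window and alert when the peak count reaches the threshold.
    Thresholds are the table's defaults; the one-hour window is an assumption."""
    thresholds = {"Update": update_threshold, "Delete": delete_threshold}
    times_by_actor_op = defaultdict(list)
    for e in events:
        if e["entity"] == "User" and e["op"] in thresholds:
            times_by_actor_op[(e["user"], e["op"])].append(e["time"])
    alerts = []
    for (actor, op), times in times_by_actor_op.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= thresholds[op]:
            alerts.append({"rule": "mass_user_record_changes", "actor": actor, "op": op, "count": peak})
    return alerts


def bank_change_after_alias_reassignment(events, lookback=timedelta(hours=24)):
    """Rule 'Bank account change following network alias reassignment': a bank account number
    update whose actor had their NetworkAlias changed within `lookback` (assumed 24 h) beforehand."""
    alias_changes = [e for e in events if e["entity"] == "UserInfo" and e["field"] == "NetworkAlias"]
    alerts = []
    for e in events:
        if e["entity"] != "BankAccount" or e["field"] != "AccountNum" or e["op"] != "Update":
            continue
        for a in alias_changes:
            if a["record"] == e["user"] and timedelta(0) <= e["time"] - a["time"] <= lookback:
                alerts.append({"rule": "bank_change_after_alias_reassignment", "actor": e["user"],
                               "record": e["record"], "alias_old": a["old"], "alias_new": a["new"]})
    return alerts


def reverted_bank_account_changes(events, window=timedelta(hours=1)):
    """Rule 'Reverted bank account number modifications': the same bank account record goes
    A -> B and then back B -> A within `window` (assumed one hour), the evasion pattern the
    table describes."""
    changes_by_record = defaultdict(list)
    for e in events:
        if e["entity"] == "BankAccount" and e["field"] == "AccountNum" and e["op"] == "Update":
            changes_by_record[e["record"]].append(e)
    alerts = []
    for record, changes in changes_by_record.items():
        changes.sort(key=lambda e: e["time"])
        for i, first in enumerate(changes):
            for later in changes[i + 1:]:
                if later["time"] - first["time"] > window:
                    break  # sorted by time, so nothing after this is inside the window
                if later["old"] == first["new"] and later["new"] == first["old"]:
                    alerts.append({"rule": "reverted_bank_account_changes", "record": record,
                                   "actor": first["user"],
                                   "seconds_until_revert": (later["time"] - first["time"]).total_seconds()})
    return alerts


def run_all(events):
    """Run the three detections and return every alert they raise."""
    return (mass_user_record_changes(events)
            + bank_change_after_alias_reassignment(events)
            + reverted_bank_account_changes(events))


if __name__ == "__main__":
    for alert in run_all(ACTIVITY):
        print(alert)
```

On the sample log this raises four alerts: mallory's 12 deletions, both of bob's bank account edits (each follows the alias reassignment), and the revert on VEND-001; carol's change and alice's three updates stay quiet. The "count in a window" shape is what makes the mass-change rule tunable by threshold, and the revert check keys on old/new values rather than on the actor, so a revert performed by a second account is still caught.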


Getting started

This solution is available in the content hub like any other solution. Search for the solution and click Install.


All the solution content can be managed from the content hub manage view and will also be available in the respective content galleries. Let us know your feedback using any of the channels listed in the questions or feedback section.


Full solution documentation can be found in the Microsoft Sentinel documentation: Microsoft Sentinel solution for D365 F&O overview | Microsoft Learn 


Updated Nov 09, 2023
Version 4.0
  • Humayun-khan No major issues seen until now. We are targeting GA in the beginning of FY24 (uncommitted yet). Please reach out to me directly if you have any other questions or need assistance in deploying the preview.

  •
    Antony Paul
    Copper Contributor

    Interested to hear anyone's experiences of running this now that it has been In Preview for 6 months?

  •
    Humayun-khan
    Copper Contributor

    How would the pricing be for data ingestion? Or is there anything related to cost we should be thinking about?

  •
    Humayun-khan
    Copper Contributor

    Installing it in Preview mode, have you already seen some issues?

    when is the GA?