Late last year Microsoft Sentinel released a solution for Dynamics 365 threat monitoring, detection, and incident response.
Today we are thrilled to add 10 new OOB analytics rule templates to the solution, spanning from detections of suspicious configuration changes and admin activities all the way to high-risk logins and sign-ins.
Dynamics 365 Sales is an advanced cloud-based Customer Relationship Management (CRM) platform that enables organizations and sellers to manage the full product, customer and deal lifecycle:
- Managing accounts and contacts information
- Identifying leads and creating opportunities
- Documenting customer interactions
- Building quotes
- Managing product entities and pricing, and much more
Why should you care about detecting threats in Dynamics 365?
The information stored on the Dynamics 365 platform is extremely sensitive, and the processes it enables are critical to the organization's success. As such, Dynamics 365 is a prime target for attackers and threats, both internal and external.
Attacks targeting Dynamics 365 Sales could result in exposed customer data, disruption of customer engagement processes, loss of revenue and irreparable reputational damage.
A key challenge today in securing CRM platforms is that SOC teams traditionally have very little visibility into these systems, while Dynamics 365 users and admins usually lack security expertise.
Until the introduction of the Sentinel solution for Dynamics 365, once an attacker was in the system there were almost no controls to monitor, detect, investigate, and respond to data exfiltration attempts or other malicious actions.
So, what exactly are we announcing today?
In this updated public preview version of the Sentinel solution for Dynamics 365 we released 10 new OOB analytics rule templates covering 5 key suspicious use cases and activities in Dynamics 365:
- Audit logs data and settings manipulation detection
User activity auditing is the main tool security analysts use to monitor and detect suspicious activities. A potential adversary will try to cover their tracks by deleting the audit logs of their malicious activities, or will modify the auditing settings in advance to hide those activities.
Two analytics rules monitoring and detecting audit logs data and settings manipulation were added to the solution:
- Detection of monitored security and user configuration changes
Attackers who have gained access to the system may try to modify certain security and user configurations in order to reach sensitive information or to grant illegitimate permissions to users involved in the attack.
Those configuration changes can span updates to business unit and team entities as well as to security roles and privileges.
Two analytics rules monitoring and detecting security and user configuration changes were added to the solution:
These rules leverage two watchlists detailing the monitored changes to security and user configurations. Detections for several suspicious and high-risk changes are enabled in the watchlist by default.
For example, updating a user's access mode is a high-risk event, as it might grant strong capabilities to users who shouldn't have them (e.g. a CRM user shouldn't have system admin capabilities, and a system admin user shouldn't have read/write access to sensitive CRM data). Because it is a high-risk event, monitoring updates to the user's access mode is enabled by default in the watchlist, since this is something the SOC analyst would usually want to be alerted on.
Customers can update the “IsEnable” field to define additional suspicious configuration changes to monitor and detect.
- Detection of dormant admin or previously non-admin user conducting admin activity
A typical attack tactic is to illegitimately gain admin permissions to the system (via social engineering or other means) and leverage those elevated permissions to execute malicious administrative activities. Another tactic is to take control of a dormant admin user and use its privileges to conduct illegitimate activities.
This analytics rule will monitor and detect dormant admins or previously non-admin users currently conducting admin activities:
- Suspicious logins and sign-ins to Dynamics 365
Attacks on the Dynamics 365 system are likely to originate from IP subnets and domains that normally have no Dynamics 365 activity. It is good security practice to monitor and detect logins originating from subnets outside a defined IP subnet allow list, or from subnets on a specific block list.
In addition, monitoring and detecting sign-ins from domains that are unlikely to have a legitimate reason to sign into Dynamics 365 can add another layer of early detection.
Although logins to Dynamics 365 by defined sensitive privileged users ("VIP Users") will be legitimate in most cases, closely monitoring those logins and alerting the SOC on them is another best practice that can help detect security incidents well in advance.
Four analytics rules monitoring and detecting the above suspicious logins and sign-ins to Dynamics 365 were added to the solution:
Those rules leverage the Sentinel built-in "VIP Users" and "Network Addresses" watchlist templates:
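An added example (not the solution's own rules) of the sign-in checks described above: each constructed sign-in event is matched against CIDR entries mirroring a "Network Addresses" allow/block watchlist, an allowed-domain list and a "VIP Users" set. The event field names, watchlist shape and sample values are assumptions for illustration.

```python
import ipaddress

# Constructed sign-in events; field names are assumed, not the real connector schema.
SIGNINS = [
    {"user": "alice@contoso.example", "ip": "10.20.1.15"},
    {"user": "ceo@contoso.example", "ip": "10.20.1.40"},
    {"user": "bob@contoso.example", "ip": "203.0.113.77"},
    {"user": "mallory@partner.example", "ip": "198.51.100.9"},
    {"user": "dave@contoso.example", "ip": "not-an-ip"},
]

# Constructed watchlist contents standing in for the "Network Addresses" and
# "VIP Users" templates (the column names are assumed for this example).
NETWORK_ADDRESSES = [
    {"cidr": "10.20.0.0/16", "tag": "allow"},
    {"cidr": "10.30.0.0/16", "tag": "allow"},
    {"cidr": "203.0.113.0/24", "tag": "block"},
]
VIP_USERS = {"ceo@contoso.example"}
ALLOWED_DOMAINS = {"contoso.example"}


def evaluate_signin(event, networks, vip_users, allowed_domains):
    """Return the list of findings for one sign-in event (empty means benign)."""
    findings = []
    try:
        addr = ipaddress.ip_address(event["ip"])
    except ValueError:
        findings.append("unparseable client IP")  # a log with a bad IP is itself worth a look
    else:
        tags = {n["tag"] for n in networks if addr in ipaddress.ip_network(n["cidr"])}
        if "block" in tags:
            findings.append("sign-in from blocked subnet")
        elif "allow" not in tags:
            findings.append("sign-in from outside allow-listed subnets")
    user = event["user"].lower()
    if user.rsplit("@", 1)[-1] not in allowed_domains:
        findings.append("sign-in from unexpected domain")
    if user in vip_users:
        findings.append("VIP user sign-in")
    return findings


def evaluate_all(signins, networks, vip_users, allowed_domains):
    """Map each user with at least one finding to their findings."""
    results = {}
    for ev in signins:
        findings = evaluate_signin(ev, networks, vip_users, allowed_domains)
        if findings:
            results[ev["user"]] = findings
    return results
```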
- Detection of new permissions granted to an application identity
Another very dangerous attack tactic is to illegitimately grant permissions to potentially malicious application identities, which can then be used in stealthy attacks. Due to the nature of application identities, activities done on their behalf are less likely to be regarded by SOC analysts as malicious activities that are part of a cyber-attack. As such, it is crucial to alert SOC engineers on new permissions granted to application identities.
This analytics rule identifies API level permission grants, either via the delegated permissions of an Azure AD application or direct assignment within Dynamics 365 as an application user:
In summary, what can the SOC team do today with Microsoft Sentinel solution for Dynamics 365?
- Collect detailed Dynamics 365 user and admin activity audits, sign-in events, and configuration changes with the Dynamics 365 Sentinel data connector:
- Monitor Dynamics 365 risky and anomalous activities and events such as record retrievals, deletions, and exports with the Sentinel Dynamics 365 activity workbook:
- Analyze and detect illegitimate, suspicious and malicious Dynamics 365 activities and threats by leveraging OOB analytics rules:
- Investigate and hunt for threats using OOB threat hunting queries that cross correlate Dynamics 365 activities with failed AD logons and identity protection alerts:
What else should you know?
Starting from this update, the solution uses analytics rule templates, which means you will see new or updated content notifications directly in the portal and will be able to upgrade the content to the latest version, enabling you to stay current.
Read more about managing analytics rules templates versions here: Manage template versions for your scheduled analytics rules in Microsoft Sentinel | Microsoft Docs
If you installed a previous version of the solution, we recommend deleting the existing solution content elements to avoid duplication, and only then deploying the new solution. Because the solution has migrated to analytics rule templates, this will no longer be an issue for future updates.
Use the following instructions to enable the solution content items: Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions | Microsoft Do...
Call to action
Get the Sentinel solution for Dynamics 365: Microsoft Azure Marketplace
Learn about using the Sentinel Dynamics 365 data connector: Find your Microsoft Sentinel data connector | Microsoft Docs
If you have any feedback about this solution or want us to cover additional CRM security use cases, please get in touch at firstname.lastname@example.org.