Introduction
Today we are announcing a new Microsoft Sentinel Solution for Dynamics 365 Finance and Operations in public preview. This is a premium solution focused on monitoring, detecting threats and responding to incidents in customer's highly sensitive a business-critical ERP systems powered by Dynamics 365 Finance and Operations. The solution monitors and protects your Dynamics 365 Finance and Operations system: It collects audits and activity logs from the Dynamics 365 Finance and Operations environment, and detects threats, suspicious activities, illegitimate activities, and more.
Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.
Important
- The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
Dynamics 365 Finance and Operations is a major target for attackers
Finance and Operations applications are the crown jewels for attacker. They enable important business processes like finance, procurement, operations, and supply chain. They store and process sensitive business data, like payments, orders, account receivables, and suppliers.
Breaches in those applications could result in exposed customer data, disruption of key business processes, loss of revenues and major reputation impact.
Moreover, business applications such as those are even more exposed to risks as they are administered by non-security savvy business admins, they used by a wide range of users, internal and external and they integrate with many adjacent systems, both internal and external.
Prior to this launch, once an attacker is managing to breach those systems there were very few controls to monitor, detect and respond to data exfiltration, processes disruption or other bad acts and SOC teams had very little visibility into those business apps and the business processes they support.
How the solution addresses Dynamics 365 Finance and Operations security risks
To monitor and detect threats and security risks in Dynamics 365 Finance and operations you need:
- Visibility to user activities, like user logins and sign-ins, Create, Read, Update, Delete (CRUD) activities, configurations changes, or activities by external applications and APIs.
- Ability to detect suspicious or illegitimate activities, like suspicious logins, illegitimate changes of settings and user permissions, data exfiltration, or bypassing of SOD policies.
- Ability to investigate and respond to related incidents, like limiting user access, notifying business admins, or rolling back changes.
The solution includes:
- Dynamics 365 F&O data connector, which allows you to ingest Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.
- Built-in analytics rules to detect suspicious activity in your Dynamics 365 Finance and Operations environment, like changes in bank account details, multiple user account updates or deletions, suspicious sign-in events, changes to workload identities, and more.
Prerequisites
To enable the solution on your Microsoft Sentinel workspace and start ingesting logs from your Dynamics 365 Finance and Operation environment you must have Microsoft Dynamics 365 Finance version 10.0.33 or above.
Out of the box content offered
The Microsoft Sentinel Solution for Dynamics 365 Finance and Operations includes initially the following built-in analytics rules:
|
Rule name |
Description |
What threat it detects? |
Source action |
Tactics |
|
F&O – Non-interactive account mapped to self or sensitive privileged user |
Identifies changes to Azure AD Client Apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account.
To modify the list of sensitive privileged accounts, change the “priviliged_user_accounts” variable in the rule query. |
Access to F&O by external applications or APIs pose a major security risk. This will detect attackers suspiciously manipulating the list of allowed external applications to get non-interactive access to F&O. |
Mapping modifications in Finance and Operations portal, under Modules > System Administration > Azure Active Directory Applications.
|
Credential Access, Persistence, Privilege Escalation |
|
F&O – Mass update or deletion of user account records |
Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds.
Default update threshold: 50 |
Attackers trying to disrupt the organization business processes will manipulate the system users and their permissions. They will usually do this in mass. This will detect suspicious mass changes to the system user records. |
Deletions or modifications in Finance and Operations portal, under Modules > System Administration > Users.
Data source: |
Impact |
|
F&O – Bank account change following network alias reassignment |
Identifies updates to bank account number by a user account which his alias was recently modified to a new value. |
Attackers that are trying to manipulate payments processes for financial gains will try to illegitimately manipulate vendor's bank account details. This detection will alert SOC analysts on bank account details manipulation that happened shortly after the user's alias manipulating the account was modified to a new value. |
Changes in bank account number, in Finance and Operations portal, under Workspaces > Bank management > All bank accounts correlated with a relevant change in the user account to alias mapping. |
Credential Access, Lateral Movement, Privilege Escalation |
|
F&O – Reverted bank account number modifications
|
Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. |
Attackers that are trying to manipulate payments processes for financial gains will try to illegitimately manipulate vendor's bank account details. This detection will alert SOC analysts on detection evasion attempt by attacker trying to illegitimately transfer funds out of the organization. |
Changes in bank account number, in Finance and Operations portal, under Workspaces > Bank management > All bank accounts.
|
Impact |
|
F&O – Unusual sign-in activity using single factor authentication |
Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from an Azure AD trusted network location, or from geolocations seen previously in the last 14 days are excluded. |
Threat actors will try to find ways to bypass multi-factor authentication and sign into F&O using single factor or password authentication. This will detect unusual and successful attempts to bypass Multi Factor Authentication controls and login to the system. |
Sign-ins to the monitored Finance and Operations environment
Data Source: |
Credential Access, Initial Access |
Getting started
This solution is available on content hub like any other solution. Search the solution and click on install.
All the solution content can be managed from the content hub manage view and will also be available in respective content galleries. Let us know your feedback using any of the channels listed in the questions or feedback section.
Full solution documentation can be found in the Microsoft Sentinel documentation: Microsoft Sentinel solution for D365 F&O overview | Microsoft Learn