Today we are announcing a new Microsoft Sentinel Solution for Dynamics 365 Finance and Operations in public preview. This is a premium solution focused on monitoring, detecting threats and responding to incidents in customers' highly sensitive and business-critical ERP systems powered by Dynamics 365 Finance and Operations. The solution monitors and protects your Dynamics 365 Finance and Operations system: it collects audit and activity logs from the Dynamics 365 Finance and Operations environment and detects threats, suspicious activities, illegitimate activities, and more.
Dynamics 365 for Finance and Operations is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.
The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
Dynamics 365 Finance and Operations is a major target for attackers
Finance and Operations applications are the crown jewels for attackers. They enable important business processes like finance, procurement, operations, and supply chain. They store and process sensitive business data, like payments, orders, accounts receivable, and suppliers.
Breaches in those applications could result in exposed customer data, disruption of key business processes, loss of revenue and major reputational impact.
Moreover, business applications such as these are even more exposed to risk: they are administered by business admins who are not security specialists, they are used by a wide range of internal and external users, and they integrate with many adjacent systems, both internal and external.
Prior to this launch, once an attacker managed to breach those systems there were very few controls to monitor, detect and respond to data exfiltration, process disruption or other malicious acts, and SOC teams had very little visibility into those business apps and the business processes they support.
How the solution addresses Dynamics 365 Finance and Operations security risks
To monitor and detect threats and security risks in Dynamics 365 Finance and Operations you need:
Visibility into user activities, like user logins and sign-ins, Create, Read, Update, Delete (CRUD) activities, configuration changes, or activities by external applications and APIs.
Ability to detect suspicious or illegitimate activities, like suspicious logins, illegitimate changes of settings and user permissions, data exfiltration, or bypassing of segregation-of-duties (SOD) policies.
Ability to investigate and respond to related incidents, like limiting user access, notifying business admins, or rolling back changes.
The solution includes:
Dynamics 365 F&O data connector, which allows you to ingest Dynamics 365 Finance and Operations admin activities and audit logs as well as user business process and application activities logs into Microsoft Sentinel.
Built-in analytics rules to detect suspicious activity in your Dynamics 365 Finance and Operations environment, like changes in bank account details, multiple user account updates or deletions, suspicious sign-in events, changes to workload identities, and more.
The Microsoft Sentinel Solution for Dynamics 365 Finance and Operations initially includes the following built-in analytics rules:
Rule: F&O – Non-interactive account mapped to self or sensitive privileged user
Description: Identifies changes to Azure AD client apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account. To modify the list of sensitive privileged accounts, change the “priviliged_user_accounts” variable in the rule query (refer to the example in the rule query).
What threat it detects: Access to F&O by external applications or APIs poses a major security risk. This rule detects attackers suspiciously manipulating the list of allowed external applications to gain non-interactive access to F&O.
What it monitors: Mapping modifications in the Finance and Operations portal, under Modules > System Administration > Azure Active Directory Applications.

What threat it detects: Attackers trying to disrupt the organization's business processes will manipulate the system users and their permissions, usually en masse. This rule detects suspicious mass changes to the system user records.
What it monitors: Deletions or modifications in the Finance and Operations portal, under Modules > System Administration > Users.

Data source for the two rules above: FinanceOperationsActivity_CL

Rule: F&O – Bank account change following network alias reassignment
Description: Identifies updates to a bank account number by a user account whose network alias was recently changed to a new value.
What threat it detects: Attackers trying to manipulate payment processes for financial gain will try to illegitimately change a vendor's bank account details. This detection alerts SOC analysts to a bank account change that happened shortly after the alias of the user making the change was modified to a new value.
What it monitors: Changes in bank account number in the Finance and Operations portal, under Workspaces > Bank management > All bank accounts, correlated with a relevant change in the user account to alias mapping.

Description: Identifies changes to bank account numbers in Finance & Operations where a bank account number is modified but then reverted a short time later.
What threat it detects: Attackers trying to manipulate payment processes for financial gain will try to illegitimately change a vendor's bank account details. This detection alerts SOC analysts to a detection-evasion attempt by an attacker trying to illegitimately transfer funds out of the organization.
What it monitors: Changes in bank account number in the Finance and Operations portal, under Workspaces > Bank management > All bank accounts.

Data source for the two rules above: FinanceOperationsActivity_CL

Rule: F&O – Unusual sign-in activity using single factor authentication
Description: Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from an Azure AD trusted network location, or from geolocations seen in the previous 14 days are excluded. This detection uses logs ingested from Azure Active Directory, so you should enable the Azure Active Directory data connector.
What threat it detects: Threat actors will try to find ways to bypass multi-factor authentication and sign into F&O using single factor or password authentication. This rule detects unusual, successful attempts to bypass multi-factor authentication controls and log in to the system.
What it monitors: Sign-ins to the monitored Finance and Operations environment.
Data source: SigninLogs
MITRE ATT&CK tactics: Credential Access, Initial Access
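The two bank-account rules above both correlate field-change audit records over a time window. The following Python is an added illustration of that correlation logic and is not the solution's own KQL; the record fields (`table`, `record`, `field`, `old`, `new`) and the sample events are constructed assumptions, not the real FinanceOperationsActivity_CL schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (assumed field names, not the real table schema).
EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "admin1", "table": "UserInfo",
     "record": "alice", "field": "NetworkAlias", "old": "alice@corp.example", "new": "alice@ext.example"},
    {"time": "2024-01-10T09:20:00", "user": "alice", "table": "BankAccountTable",
     "record": "VEND-001", "field": "AccountNum", "old": "111111", "new": "999999"},
    {"time": "2024-01-10T10:05:00", "user": "alice", "table": "BankAccountTable",
     "record": "VEND-001", "field": "AccountNum", "old": "999999", "new": "111111"},
    {"time": "2024-01-12T14:00:00", "user": "bob", "table": "BankAccountTable",
     "record": "VEND-002", "field": "AccountNum", "old": "222222", "new": "333333"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def bank_changes(events):
    """Audit records that change a vendor bank account number."""
    return [e for e in events if e["table"] == "BankAccountTable" and e["field"] == "AccountNum"]


def reverted_bank_changes(events, window=timedelta(hours=2)):
    """Account number set to a new value, then restored to the old value within `window`."""
    hits = []
    changes = sorted(bank_changes(events), key=_ts)
    for i, first in enumerate(changes):
        for later in changes[i + 1:]:
            if _ts(later) - _ts(first) > window:
                break  # sorted by time, so nothing further can be inside the window
            if (later["record"] == first["record"] and later["old"] == first["new"]
                    and later["new"] == first["old"]):
                hits.append((first["record"], later["user"], first["time"], later["time"]))
    return hits


def bank_change_after_alias_change(events, window=timedelta(days=1)):
    """Bank account change made by a user whose network alias was reassigned within `window` before."""
    hits = []
    alias_changes = [e for e in events if e["table"] == "UserInfo" and e["field"] == "NetworkAlias"]
    for change in bank_changes(events):
        for alias in alias_changes:
            delta = _ts(change) - _ts(alias)
            # The alias change is on the user record of whoever made the bank change.
            if alias["record"] == change["user"] and timedelta(0) <= delta <= window:
                hits.append((change["record"], change["user"], alias["new"], change["time"]))
    return hits
```

With the constructed events, the revert detector flags VEND-001 once (modified and restored 45 minutes apart), and the alias detector flags both of alice's bank changes because her alias was reassigned 20 minutes before the first; bob's change triggers neither.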
This solution is available in the Microsoft Sentinel content hub like any other solution. Search for the solution and select Install.