diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml index f9fe14c05e..493765051a 100644 --- a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml @@ -92,6 +92,7 @@ query: | TenantIsolationRemovalTimestamp, GroupRemovalTimestamp, InstanceUrl, + EnvironmentId, AccountName, UPNSuffix, GuestAccountName, @@ -125,5 +126,5 @@ alertDetailsOverride: isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}' customDetails: - EnvironmentId: EnvironmentId + Environment: EnvironmentId version: 3.2.0 diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml index 1679b4ef8b..fe33b485f8 100644 --- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml @@ -79,7 +79,6 @@ alertDetailsOverride: alertDescriptionFormat: 'User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}' customDetails: - EnvironmentId: EnvironmentId - PowerAppsAppName: AppName - PowerAppsAppId: AppId + Environment: EnvironmentId + App: AppId version: 3.2.0 
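Review bot: The added `EnvironmentId,` in the project list is fine, but the `extend` just above it (outside this hunk, visible in the mainTemplate.json copy of the query at @@ -2348) sets `GuestUPNSuffix = tostring(split(GuestUser, "@")[0])`, which yields the guest's account name rather than its domain; it should read `GuestUPNSuffix = tostring(split(GuestUser, "@")[1]),` as `UPNSuffix` already does for the disabling user. With the current value the guest account entity is emitted with a wrong suffix, so incident entity correlation on the guest UPN would not match. The `let query_frequncy = 1h;` spelling in the same query is a style nit worth fixing while the rule is touched. The rule's query block begins before this hunk.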
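Review bot: The renamed `Environment: EnvironmentId` key matches the other rules in this commit, but the alertDescriptionFormat it sits under contains `{{{InstanceUrl}}` and `{{{GuestUser}}` — three opening braces against two closing — which will most likely leave a stray `{` in the rendered description instead of substituting the value. Since the file is being edited anyway, change them to `{{InstanceUrl}}` and `{{GuestUser}}`; the same text is mirrored in the generated mainTemplate.json hunk at @@ -2430. The alertDetailsOverride mapping starts before this hunk.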
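Review bot: The new customDetails drop `PowerAppsAppName: AppName` entirely rather than renaming it, so the app's display name is no longer carried on the alert even though the description format still references {{AppName}}; the Bulk-sharing and Multiple-users hunks keep `PowerAppsAppName: AppName`, so this looks unintentional. The key chosen for the app id also differs between files — `App: AppId` here versus `PowerAppsApp: AppId` in the Multiple-users hunk — which makes playbooks and workbooks that read custom details by key inconsistent across rules. Because every customDetails key in this commit is renamed (`EnvironmentId`→`Environment`, `ConnectionId`→`Connection`, `PolicyId`→`Policy`), any automation rule or playbook that references an old key will silently receive nothing; that is worth stating in the PR description. Suggested block: `Environment: EnvironmentId`, `PowerAppsApp: AppId`, `PowerAppsAppName: AppName`.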
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml index abe5745690..bf5e986a9b 100644 --- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml @@ -109,6 +109,6 @@ alertDetailsOverride: domains. List of domain s {{InvitedDomains}}' customDetails: EnvironmentName: EnvironmentName - EnvironmentId: EnvironmentId + Environment: EnvironmentId PowerAppsAppName: AppName -version: 3.1.3 +version: 3.2.0 diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml index 3b7363021a..14eafd5cf3 100644 --- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml @@ -188,8 +188,8 @@ alertDetailsOverride: app {{AppName}}. Click here to navigate to the Power Apps Portal to examine the app: https://make.powerapps.com/environments/{{EnvironmentId}}/apps' customDetails: - EnvironmentId: EnvironmentId + Environment: EnvironmentId PowerAppsAppName: AppName - PowerAppsAppId: AppId + PowerAppsApp: AppId AppCreator: AppCreator version: 3.2.0 
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml index 50add30796..afec33504a 100644 --- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml @@ -66,6 +66,6 @@ alertDetailsOverride: alertDescriptionFormat: '{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.' customDetails: - EnvironmentId: EnvironmentId + Environment: EnvironmentId FlowDetails: FlowId version: 3.2.0 diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml index 00a7076176..a4de14612b 100644 --- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml @@ -61,6 +61,6 @@ alertDetailsOverride: alertDescriptionFormat: '{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.' customDetails: - EnvironmentId: EnvironmentId - ConnectionId: ConnectionId + Environment: EnvironmentId + Connection: ConnectionId version: 3.2.0 diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml index a081bbcc2a..3428a45258 100644 
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml +++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml @@ -82,6 +82,6 @@ alertDetailsOverride: alertDescriptionFormat: A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}} customDetails: - PolicyId: PolicyId + Policy: PolicyId PolicyName: PolicyName -version: 3.1.3 +version: 3.2.0 diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json index 2a8b75854a..7a83e5c901 100644 --- a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json +++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json @@ -21,7 +21,7 @@ "ClientSecret": "[[parameters('clientSecret')]", "ClientId": "[[parameters('clientId')]", "GrantType": "client_credentials", - "TokenEndpoint": "[[concat('https://login.microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]", + "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]", "TokenEndpointHeaders": { "Content-Type": "application/x-www-form-urlencoded" }, diff --git a/Solutions/Microsoft Business Applications/Package/3.2.0.zip b/Solutions/Microsoft Business Applications/Package/3.2.0.zip index c080a470ea..ca4f01ff21 100644 Binary files a/Solutions/Microsoft Business Applications/Package/3.2.0.zip and b/Solutions/Microsoft Business Applications/Package/3.2.0.zip differ 
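Review bot: The alert description this hunk sits under still reads `A DLP policy {{PolicyName}} was as modfiied or deleted.`, and since the rule's version is bumped to 3.2.0 in the same hunk this is the cheapest moment to correct the user-facing text to `A DLP policy {{PolicyName}} was modified or deleted. Event type {{EventType}}`. The description line is context here, so the wording fix belongs in this YAML edit (the generated mainTemplate.json copy at @@ -8284 follows from it). The alertDetailsOverride mapping starts before this hunk.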
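Review bot: Splitting the token endpoint literal into `'https://login.'` and `'microsoftonline.com/'` hides the effective authority URL from anyone grepping or statically validating the connector's auth configuration, and the diff gives no reason for it; presumably it is meant to satisfy a validator that flags the hard-coded host. If so, record that in the PR description; if the real need is to support other clouds, a parameter for the authority host (a constructed example: `parameters('loginEndpoint')` defaulting to `https://login.microsoftonline.com/`) would express the intent without obscuring the endpoint. This is the client_credentials endpoint that receives `ClientSecret`, so reviewers should be able to see at a glance which identity authority it is sent to. The same split is mirrored in the mainTemplate.json hunk at @@ -1356.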
diff --git a/Solutions/Microsoft Business Applications/Package/mainTemplate.json b/Solutions/Microsoft Business Applications/Package/mainTemplate.json index eb09f2592f..3dbbefd4e0 100644 --- a/Solutions/Microsoft Business Applications/Package/mainTemplate.json +++ b/Solutions/Microsoft Business Applications/Package/mainTemplate.json @@ -360,11 +360,11 @@ "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7ec1e61d-f3b7-4f40-bb1a-357a63913c23','-', '3.2.0')))]" }, "analyticRuleObject41": { - "analyticRuleVersion41": "3.1.3", + "analyticRuleVersion41": "3.2.0", "_analyticRulecontentId41": "943acfa0-9285-4eb0-a9c0-42e36177ef19", "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '943acfa0-9285-4eb0-a9c0-42e36177ef19')]", "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('943acfa0-9285-4eb0-a9c0-42e36177ef19')))]", - "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.1.3')))]" + "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.2.0')))]" }, "analyticRuleObject42": { "analyticRuleVersion42": "3.1.3", 
@@ -409,11 +409,11 @@ "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','886a5655-3d12-42f1-8927-4095789c575e','-', '3.2.0')))]" }, "analyticRuleObject48": { - "analyticRuleVersion48": "3.1.3", + "analyticRuleVersion48": "3.2.0", "_analyticRulecontentId48": "1b2e6172-85c5-417a-90c3-7cc80cb787f5", "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b2e6172-85c5-417a-90c3-7cc80cb787f5')]", "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b2e6172-85c5-417a-90c3-7cc80cb787f5')))]", - "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.1.3')))]" + "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.2.0')))]" }, "analyticRuleObject49": { "analyticRuleVersion49": "3.0.0", @@ -1356,7 +1356,7 @@ "ClientSecret": "[[parameters('clientSecret')]", "ClientId": "[[parameters('clientId')]", "GrantType": "client_credentials", - "TokenEndpoint": "[[concat('https://login.microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]", + "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]", "TokenEndpointHeaders": { "Content-Type": "application/x-www-form-urlencoded" }, 
@@ -2348,7 +2348,7 @@ "description": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.", "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment", "enabled": false, - "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = 
max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack_columns(AlertName, SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n 
DataverseId\n", + "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | 
where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack_columns(AlertName, SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n DataverseId\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "High", @@ -2430,7 +2430,7 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "EnvironmentId": "EnvironmentId" + "Environment": "EnvironmentId" }, "alertDetailsOverride": { "alertDescriptionFormat": "{{SecurityDisablingUser}} disabled Power Platform tenant isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}", 
@@ -7161,9 +7161,8 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "EnvironmentId": "EnvironmentId", - "PowerAppsAppId": "AppId", - "PowerAppsAppName": "AppName" + "App": "AppId", + "Environment": "EnvironmentId" }, "alertDetailsOverride": { "alertDescriptionFormat": "User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}", @@ -7303,7 +7302,7 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "EnvironmentId": "EnvironmentId", + "Environment": "EnvironmentId", "EnvironmentName": "EnvironmentName", "PowerAppsAppName": "AppName" }, @@ -7648,8 +7647,8 @@ }, "customDetails": { "AppCreator": "AppCreator", - "EnvironmentId": "EnvironmentId", - "PowerAppsAppId": "AppId", + "Environment": "EnvironmentId", + "PowerAppsApp": "AppId", "PowerAppsAppName": "AppName" }, "alertDetailsOverride": { @@ -7782,7 +7781,7 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "EnvironmentId": "EnvironmentId", + "Environment": "EnvironmentId", "FlowDetails": "FlowId" }, "alertDetailsOverride": { @@ -8166,8 +8165,8 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "ConnectionId": "ConnectionId", - "EnvironmentId": "EnvironmentId" + "Connection": "ConnectionId", + "Environment": "EnvironmentId" }, "alertDetailsOverride": { "alertDescriptionFormat": "{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.", @@ -8284,7 +8283,7 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "PolicyId": "PolicyId", + "Policy": "PolicyId", "PolicyName": "PolicyName" }, "alertDetailsOverride": {