diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml
index f9fe14c05eb..493765051a8 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Guest user exfiltration following Power Platform defense impairment.yaml
@@ -92,6 +92,7 @@ query: |
 TenantIsolationRemovalTimestamp,
 GroupRemovalTimestamp,
 InstanceUrl,
+ EnvironmentId,
 AccountName,
 UPNSuffix,
 GuestAccountName,
@@ -125,5 +126,5 @@ alertDetailsOverride:
 isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}'
 customDetails:
- EnvironmentId: EnvironmentId
+ Environment: EnvironmentId
 version: 3.2.0
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
index 1679b4ef8b2..fe33b485f87 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
@@ -79,7 +79,6 @@ alertDetailsOverride:
 alertDescriptionFormat: 'User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}'
 customDetails:
- EnvironmentId: EnvironmentId
- PowerAppsAppName: AppName
- PowerAppsAppId: AppId
+ Environment: EnvironmentId
+ App: AppId
 version: 3.2.0
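Review bot: The projection now exports `EnvironmentId`, but the `extend` that feeds this `project` (outside this hunk; it is visible in the packaged copy of the same query in the mainTemplate.json hunk lower in this diff) computes `GuestUPNSuffix = tostring(split(GuestUser, "@")[0])`, which is the account name, not the domain suffix, while the admin's `UPNSuffix` correctly uses index `[1]`. The guest Account entity therefore carries a wrong UPNSuffix and will not resolve to the real guest identity in incidents, which weakens exactly the correlation this rule exists for. Change it to `GuestUPNSuffix = tostring(split(GuestUser, "@")[1]),` in the rule YAML and regenerate the package. The enclosing `query: |` block starts before this hunk.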
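Review bot: The `alertDescriptionFormat` context line carries unbalanced placeholders `{{{InstanceUrl}}` and `{{{GuestUser}}`, so the rendered alert text is likely to show a stray brace or fail to substitute those fields; while this stanza is being edited, change them to `{{InstanceUrl}}` and `{{GuestUser}}`. Separately, renaming the custom-detail key `EnvironmentId` to `Environment` changes the key that automation rules and playbooks read from the alert's custom details, and consumers keyed on the old name lose the value silently rather than failing; that is a breaking change worth a release-note entry. The same rename appears in the unauthorized-geo, bulk-sharing, malicious-link, departing-employee and connector-added hunks in this diff, and the version bump alone does not signal it.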
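Review bot: `App: AppId` here and `PowerAppsApp: AppId` in the malicious-link rule hunk below name the same column differently, so an analyst or automation rule cannot rely on one custom-detail key across the solution's Power Apps rules; pick one (`PowerAppsApp` is the more self-describing) and use it in both. This hunk also drops `PowerAppsAppName: AppName` from custom details while the description line still references `{{AppName}}`; if the query still projects `AppName` (not visible here), keeping `PowerAppsAppName: AppName` costs nothing and preserves the app name for triage without parsing the alert text.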
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml
index abe5745690e..bf5e986a9b6 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Bulk sharing of Power Apps to newly created guest users.yaml
@@ -109,6 +109,6 @@ alertDetailsOverride:
 domains. List of domain s {{InvitedDomains}}'
 customDetails:
 EnvironmentName: EnvironmentName
- EnvironmentId: EnvironmentId
+ Environment: EnvironmentId
 PowerAppsAppName: AppName
-version: 3.1.3
+version: 3.2.0
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml
index 3b7363021ae..14eafd5cf32 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - Multiple users access a malicious link after launching new app.yaml
@@ -188,8 +188,8 @@ alertDetailsOverride:
 app {{AppName}}. Click here to navigate to the Power Apps Portal to examine the app: https://make.powerapps.com/environments/{{EnvironmentId}}/apps'
 customDetails:
- EnvironmentId: EnvironmentId
+ Environment: EnvironmentId
 PowerAppsAppName: AppName
- PowerAppsAppId: AppId
+ PowerAppsApp: AppId
 AppCreator: AppCreator
 version: 3.2.0
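Review bot: The `alertDescriptionFormat` continuation line reads `domains. List of domain s {{InvitedDomains}}'`, which appears to be a stray space in user-facing alert text (a folded line break inside the quoted scalar would render the same way, so it is visible to analysts either way); change it to `domains. List of domains {{InvitedDomains}}'`. The enclosing quoted scalar starts before this hunk.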
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
index 50add307962..afec33504a0 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
@@ -66,6 +66,6 @@ alertDetailsOverride:
 alertDescriptionFormat: '{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.'
 customDetails:
- EnvironmentId: EnvironmentId
+ Environment: EnvironmentId
 FlowDetails: FlowId
 version: 3.2.0
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
index 00a70761766..a4de14612b8 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
@@ -61,6 +61,6 @@ alertDetailsOverride:
 alertDescriptionFormat: '{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.'
 customDetails:
- EnvironmentId: EnvironmentId
- ConnectionId: ConnectionId
+ Environment: EnvironmentId
+ Connection: ConnectionId
 version: 3.2.0
diff --git a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
index a081bbcc2aa..3428a45258e 100644
--- a/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
+++ b/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
@@ -82,6 +82,6 @@ alertDetailsOverride:
 alertDescriptionFormat: A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}
 customDetails:
- PolicyId: PolicyId
+ Policy: PolicyId
 PolicyName: PolicyName
-version: 3.1.3
+version: 3.2.0
diff --git a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json
index 2a8b75854a4..7a83e5c9010 100644
--- a/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json
+++ b/Solutions/Microsoft Business Applications/Data Connectors/DynamicsFinOpsPollerConnector/DynamicsFinOps_PollingConfig.json
@@ -21,7 +21,7 @@
 "ClientSecret": "[[parameters('clientSecret')]",
 "ClientId": "[[parameters('clientId')]",
 "GrantType": "client_credentials",
- "TokenEndpoint": "[[concat('https://login.microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]",
+ "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]",
 "TokenEndpointHeaders": {
 "Content-Type": "application/x-www-form-urlencoded"
 },
diff --git a/Solutions/Microsoft Business Applications/Package/3.2.0.zip b/Solutions/Microsoft Business Applications/Package/3.2.0.zip
index c080a470ea0..ca4f01ff21d 100644
Binary files a/Solutions/Microsoft Business Applications/Package/3.2.0.zip and b/Solutions/Microsoft Business Applications/Package/3.2.0.zip differ
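Review bot: The context line `alertDescriptionFormat: A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}` ships two typos in user-facing alert text and is the only unquoted format string among the rules touched here. Change it to `alertDescriptionFormat: 'A DLP policy {{PolicyName}} was modified or deleted. Event type {{EventType}}'`; quoting also matches the sibling rules and protects the value from YAML re-parsing if someone later adds `: ` or ` #` to the wording. The version bump to 3.2.0 on the new side is a good moment to include this, since the rule is being re-released anyway.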
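Review bot: Splitting the literal into `'https://login.', 'microsoftonline.com/'` yields exactly the same `TokenEndpoint` string at runtime, so the change has no functional effect and reads as obscuring the host rather than fixing anything. If the intent (an inference; the diff gives no reason) is to get past a hardcoded-endpoint check, that check is pointing at a real portability defect: a public-cloud login authority pinned in the connector will fail token acquisition in sovereign clouds. Where the connector-definition layer evaluates ARM expressions, deriving the authority from `environment().authentication.loginEndpoint` addresses that; if it does not, add a short comment or a note in the PR explaining why the literal is split so the next reader does not re-join it. The identical edit in the mainTemplate.json hunk at `@@ -1356,7 +1356,7 @@` should follow whatever is decided here.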
diff --git a/Solutions/Microsoft Business Applications/Package/mainTemplate.json b/Solutions/Microsoft Business Applications/Package/mainTemplate.json
index eb09f2592f6..3dbbefd4e0e 100644
--- a/Solutions/Microsoft Business Applications/Package/mainTemplate.json
+++ b/Solutions/Microsoft Business Applications/Package/mainTemplate.json
@@ -360,11 +360,11 @@
 "_analyticRulecontentProductId40": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7ec1e61d-f3b7-4f40-bb1a-357a63913c23','-', '3.2.0')))]"
 },
 "analyticRuleObject41": {
- "analyticRuleVersion41": "3.1.3",
+ "analyticRuleVersion41": "3.2.0",
 "_analyticRulecontentId41": "943acfa0-9285-4eb0-a9c0-42e36177ef19",
 "analyticRuleId41": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '943acfa0-9285-4eb0-a9c0-42e36177ef19')]",
 "analyticRuleTemplateSpecName41": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('943acfa0-9285-4eb0-a9c0-42e36177ef19')))]",
- "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.1.3')))]"
+ "_analyticRulecontentProductId41": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','943acfa0-9285-4eb0-a9c0-42e36177ef19','-', '3.2.0')))]"
 },
 "analyticRuleObject42": {
 "analyticRuleVersion42": "3.1.3",
@@ -409,11 +409,11 @@
 "_analyticRulecontentProductId47": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','886a5655-3d12-42f1-8927-4095789c575e','-', '3.2.0')))]"
 },
 "analyticRuleObject48": {
- "analyticRuleVersion48": "3.1.3",
+ "analyticRuleVersion48": "3.2.0",
 "_analyticRulecontentId48": "1b2e6172-85c5-417a-90c3-7cc80cb787f5",
 "analyticRuleId48": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1b2e6172-85c5-417a-90c3-7cc80cb787f5')]",
 "analyticRuleTemplateSpecName48": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1b2e6172-85c5-417a-90c3-7cc80cb787f5')))]",
- "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.1.3')))]"
+ "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1b2e6172-85c5-417a-90c3-7cc80cb787f5','-', '3.2.0')))]"
 },
 "analyticRuleObject49": {
 "analyticRuleVersion49": "3.0.0",
@@ -1356,7 +1356,7 @@
 "ClientSecret": "[[parameters('clientSecret')]",
 "ClientId": "[[parameters('clientId')]",
 "GrantType": "client_credentials",
- "TokenEndpoint": "[[concat('https://login.microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]",
+ "TokenEndpoint": "[[concat('https://login.', 'microsoftonline.com/', parameters('tenantId'), '/oauth2/v2.0/token')]",
 "TokenEndpointHeaders": {
 "Content-Type": "application/x-www-form-urlencoded"
 },
@@ -2348,7 +2348,7 @@ "description": "Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users.\n\nNote: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.", "displayName": "Dataverse - Guest user exfiltration following Power Platform defense impairment", "enabled": false, - "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = 
max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack_columns(AlertName, SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n 
DataverseId\n", + "query": "let query_lookback = 14d;\nlet query_frequncy = 1h;\nlet defense_evasion_events = PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"TenantIsolationOperation\"\n | mv-expand PropertyCollection\n | where PropertyCollection.Name == \"powerplatform.analytics.resource.tenant.isolation_policy.enabled\"\n | where PropertyCollection.Value == \"False\"\n | summarize\n TenantIsolationRemovalTimestamp = max(TimeGenerated)\n by SecurityDisablingUser = ActorName\n | join kind=inner (\n PowerPlatformAdminActivity\n | where TimeGenerated >= ago(query_lookback)\n | where EventOriginalType == \"EnvironmentPropertyChange\"\n | where PropertyCollection has \"Property: SecurityGroupId, Old Value: , New Value: \"\n | mv-expand PropertyCollection\n | extend\n GroupRemovalTimestamp = TimeGenerated,\n InstanceUrl = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.url\", PropertyCollection.Value, \"\")),\n EnvironmentId = tostring(iif(PropertyCollection.Name == \"powerplatform.analytics.resource.environment.name\", PropertyCollection.Value, \"\"))\n | summarize InstanceUrl = max(InstanceUrl), EnvironmentId = max(EnvironmentId) by GroupRemovalTimestamp, SecurityDisablingUser = ActorName)\n on SecurityDisablingUser\n | summarize\n GroupRemovalTimestamp = max(GroupRemovalTimestamp),\n TenantIsolationRemovalTimestamp = max(TenantIsolationRemovalTimestamp)\n by SecurityDisablingUser, InstanceUrl, EnvironmentId;\nlet exfiltration_alerts = SecurityAlert\n | where TimeGenerated >= ago(query_frequncy)\n | where Tactics has \"Exfiltration\"\n | where Entities has ('\"AppId\":32780')\n | mv-expand todynamic(Entities)\n | extend AlertUPN = iif(Entities.Type == \"account\", strcat(Entities.Name, \"@\", Entities.UPNSuffix), \"\")\n | extend InstanceUrl = tostring(iif(Entities.AppId == 32780, Entities.InstanceName, \"\"))\n | join kind=inner defense_evasion_events on InstanceUrl\n | 
where StartTime > TenantIsolationRemovalTimestamp and StartTime > GroupRemovalTimestamp\n | summarize InstanceUrl = max(InstanceUrl), AlertUPN = max(AlertUPN) by AlertName, SystemAlertId\n | extend AlertDetails = bag_pack_columns(AlertName, SystemAlertId)\n | summarize AlertDetails = make_set(AlertDetails, 100) by AlertUPN, InstanceUrl\n | join kind=inner (\n AuditLogs\n | where OperationName == \"Update user\"\n | where Identity == \"Microsoft Invitation Acceptance Portal\"\n | mv-expand TargetResources\n | extend ModifiedProperties = TargetResources.modifiedProperties\n | mv-expand ModifiedProperties\n | where ModifiedProperties.displayName == \"AcceptedAs\"\n | summarize RedeemTime = max(TimeGenerated) by GuestUser = tostring(parse_json(replace_regex(tostring(ModifiedProperties.newValue), \"\\\\r\", \"\"))[0]))\n on $left.AlertUPN == $right.GuestUser;\ndefense_evasion_events\n| join kind=inner exfiltration_alerts on InstanceUrl\n| extend\n AccountName = tostring(split(SecurityDisablingUser, \"@\")[0]),\n UPNSuffix = tostring(split(SecurityDisablingUser, \"@\")[1]),\n GuestAccountName = tostring(split(GuestUser, \"@\")[0]),\n GuestUPNSuffix = tostring(split(GuestUser, \"@\")[0]),\n DataverseId = 32780\n| project\n SecurityDisablingUser,\n GuestUser,\n AlertDetails,\n TenantIsolationRemovalTimestamp,\n GroupRemovalTimestamp,\n InstanceUrl,\n EnvironmentId,\n AccountName,\n UPNSuffix,\n GuestAccountName,\n GuestUPNSuffix,\n DataverseId\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "High", @@ -2430,7 +2430,7 @@ "aggregationKind": "SingleAlert" }, "customDetails": { - "EnvironmentId": "EnvironmentId" + "Environment": "EnvironmentId" }, "alertDetailsOverride": { "alertDescriptionFormat": "{{SecurityDisablingUser}} disabled Power Platform tenant isolation and removed the security group used to control access to {{{InstanceUrl}}. Exfiltration alerts associated with guest users were then detected from user {{{GuestUser}}", 
@@ -7161,9 +7161,8 @@
 "aggregationKind": "SingleAlert"
 },
 "customDetails": {
- "EnvironmentId": "EnvironmentId",
- "PowerAppsAppId": "AppId",
- "PowerAppsAppName": "AppName"
+ "App": "AppId",
+ "Environment": "EnvironmentId"
 },
 "alertDetailsOverride": {
 "alertDescriptionFormat": "User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}",
@@ -7303,7 +7302,7 @@
 "aggregationKind": "SingleAlert"
 },
 "customDetails": {
- "EnvironmentId": "EnvironmentId",
+ "Environment": "EnvironmentId",
 "EnvironmentName": "EnvironmentName",
 "PowerAppsAppName": "AppName"
 },
@@ -7648,8 +7647,8 @@
 },
 "customDetails": {
 "AppCreator": "AppCreator",
- "EnvironmentId": "EnvironmentId",
- "PowerAppsAppId": "AppId",
+ "Environment": "EnvironmentId",
+ "PowerAppsApp": "AppId",
 "PowerAppsAppName": "AppName"
 },
 "alertDetailsOverride": {
@@ -7782,7 +7781,7 @@
 "aggregationKind": "SingleAlert"
 },
 "customDetails": {
- "EnvironmentId": "EnvironmentId",
+ "Environment": "EnvironmentId",
 "FlowDetails": "FlowId"
 },
 "alertDetailsOverride": {
@@ -8166,8 +8165,8 @@
 "aggregationKind": "SingleAlert"
 },
 "customDetails": {
- "ConnectionId": "ConnectionId",
- "EnvironmentId": "EnvironmentId"
+ "Connection": "ConnectionId",
+ "Environment": "EnvironmentId"
 },
 "alertDetailsOverride": {
 "alertDescriptionFormat": "{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.",
@@ -8284,7 +8283,7 @@
 "aggregationKind": "SingleAlert"
 },
 "customDetails": {
- "PolicyId": "PolicyId",
+ "Policy": "PolicyId",
 "PolicyName": "PolicyName"
 },
 "alertDetailsOverride": {