Microsoft Sentinel solution for Dynamics 365 Finance and Operations: security content reference
This article details the security content available for the Microsoft Sentinel solution for Dynamics 365 Finance and Operations.
Important
- The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
Learn more about the solution.
Built-in analytics rules
| Rule name | Description | Source action | Tactics |
|---|---|---|---|
| F&O – Non-interactive account mapped to self or sensitive privileged user | Identifies changes to Microsoft Entra Client Apps registered for Finance & Operations, specifically when a new client is mapped to a predefined list of sensitive privileged user accounts, or when a user associates a client app with their own account. | Mapping modifications in Finance and Operations portal, under Modules > System Administration > Microsoft Entra Applications. Data source: FinanceOperationsActivity_CL |
Credential Access, Persistence, Privilege Escalation |
| F&O – Mass update or deletion of user account records | Identifies large delete or update operations on Finance and Operations user records based on predefined thresholds. Default update threshold: 50 Default delete threshold: 10 |
Deletions or modifications in Finance and Operations portal, under Modules > System Administration > Users Data source: FinanceOperationsActivity_CL |
Impact |
| F&O – Bank account change following network alias reassignment | Identifies updates to bank account number by a user account which his alias was recently modified to a new value. | Changes in bank account number, in Finance and Operations portal, under Workspaces > Bank management > All bank accounts correlated with a relevant change in the user account to alias mapping. Data source: FinanceOperationsActivity_CL |
Credential Access, Lateral Movement, Privilege Escalation |
| F&O – Reverted bank account number modifications | Identifies changes to bank account numbers in Finance & Operations, whereby a bank account number is modified but then subsequently reverted a short time later. | Changes in bank account number, in Finance and Operations portal, under Workspaces > Bank management > All bank accounts. Data source: FinanceOperationsActivity_CL |
Impact |
| F&O – Unusual sign-in activity using single factor authentication | Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra ID trusted network location, or from geolocations seen previously in the last 14 days are excluded. This detection uses logs ingested from Microsoft Entra ID. Therefore, you should enable the Microsoft Entra data connector. |
Sign-ins to the monitored Finance and Operations environment. Data source: Singinlogs |
Credential Access, Initial Access |
Next steps
In this article, you learned about the security content provided with the Microsoft Sentinel solution for Dynamics 365 Finance and Operations.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for