
Commit 03eca44

committed
Merge branch 'unified-bizapps' of https://github.com/batamig/azure-docs-pr into unified-bizapps
2 parents e08e62b + 2d66f3a commit 03eca44


4 files changed

+26
-7
lines changed


articles/sentinel/business-applications/deploy-power-platform-solution.md

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -75,9 +75,8 @@ When working with Microsoft Dataverse, Dataverse activity logging is available o
7575

7676
1. After deploying your data connectors and configuring data collection, run activities like create, update, and delete to generate logs for data that you enabled for monitoring.
7777

78-
1. Wait the following amounts of time for Microsoft Sentinel to ingest the data:
78+
1. For Power Platform activity logs, wait 60 minutes for Microsoft Sentinel to ingest the data.
7979

80-
- **Power Platform activity logs**: 60 minutes
8180
1. To verify that Microsoft Sentinel is getting the data you expect, run KQL queries against the data tables that collect logs from your data connectors.
8281

8382
For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), run KQL queries on the **General** > **Logs** page. In the [Defender portal](https://security.microsoft.com/), run KQL queries in the **Investigation & response** > **Hunting** > **Advanced hunting**.
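Review bot: the trailing context line of this hunk ends with "**Hunting** > **Advanced hunting**." with no noun, while the sentence before it says "**General** > **Logs** page"; suggest "**Advanced hunting** page" for parallel wording. The collapsed step at +78 loses nothing from the removed list, since its only bullet was the 60-minute Power Platform activity logs entry.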

articles/sentinel/business-applications/power-platform-solution-security-content.md

Lines changed: 18 additions & 2 deletions
@@ -53,7 +53,7 @@ The following analytic rules are included when you install the solution for Powe
5353
|Dataverse - New user agent type that was not used with Office 365|Identifies users accessing Dynamics with a User Agent that hasn't been seen in any Office 365 workloads in the last 14 days.|Activity in Dataverse from a new user-agent.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`|InitialAccess|
5454
|Dataverse - Organization settings modified|Identifies changes made at the organization level in the Dataverse environment.|Organization level property modified in Dataverse.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`|Persistence|
5555
|Dataverse - Removal of blocked file extensions|Identifies modifications to an environment's blocked file extensions and extracts the removed extension.|Removal of blocked file extensions in Dataverse properties.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`|DefenseEvasion|
56-
|Dataverse - SharePoint document management site added or updated|Identifies modifications of the SharePoint document management integration. <br><br>Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the **MSBizApps-Add-SharePointSite-To-Watchlist** playbook to automatically update the **Dataverse-SharePointSites** watchlist. <br><br>This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.|SharePoint site mapping added in Document Management.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`|Exfiltration|
56+
|Dataverse - SharePoint document management site added or updated|Identifies modifications of the SharePoint document management integration. <br><br>Document management allows storage of data located externally to Dataverse. Combine this analytics rule with the **Dataverse: Add SharePoint sites to watchlist** playbook to automatically update the **Dataverse-SharePointSites** watchlist. <br><br>This watchlist can be used to correlate events between Dataverse and SharePoint when using the Office 365 data connector.|SharePoint site mapping added in Document Management.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`|Exfiltration|
5757
|Dataverse - Suspicious security role modifications|Identifies an unusual pattern of events whereby a new role is created, followed by the creator adding members to the role and later removing the member or deleting the role after a short time period.|Changes in security roles and role assignments.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`|PrivilegeEscalation|
5858
|Dataverse - Suspicious use of TDS endpoint|Identifies Dataverse TDS (Tabular Data Stream) protocol-based queries, where the source user or IP address has recent security alerts and the TDS protocol hasn't been used previously in the target environment.|Sudden use of the TDS endpoint in correlation with security alerts.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`<br>- AzureActiveDirectoryIdentityProtection<br>`SecurityAlert`|Exfiltration, InitialAccess|
5959
|Dataverse - Suspicious use of Web API|Identifies sign-ins across multiple Dataverse environments that breach a predefined threshold and originate from a user with an IP address that was used to sign into a well-known Microsoft Entra app registration.|Sign-in using WebAPI across multiple environments using a well known public application ID.<br><br>**Data sources**:<br>- Dataverse<br>`DataverseActivity`<br>- AzureActiveDirectory<br>`SigninLogs`|Execution, Exfiltration, Reconnaissance, Discovery|
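Review bot: the renamed playbook at +56, **Dataverse: Add SharePoint sites to watchlist**, should be checked against the display name the solution actually deploys, since watchlist names in the same article keep the older **MSBizApps-** prefix (**MSBizApps-Configuration**), so a reader will see two naming schemes side by side. Minor: "well known public application ID" in the unchanged Web API row below should be "well-known", and "integration. <br><br>" in the changed row has a stray space before the break.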
@@ -105,6 +105,22 @@ The solution includes hunting queries that can be used by analysts to proactivel
105105
| Dataverse - Identity management changes without MFA | Used to show privileged identity administration operations in Dataverse made by accounts that signed in without using MFA. | - Dataverse<br>`DataverseActivity`<br>- AzureActiveDirectory<br>`SigninLogs, DataverseActivity` | InitialAccess |
106106
| Power Apps - Anomalous bulk sharing of Power App to newly created guest users | The query detects anomalous attempts to perform bulk sharing of a Power App to newly created guest users. | **Data sources**:<br>PowerPlatformAdmin, AzureActiveDirectory<br>`AuditLogs, PowerPlatformAdminActivity` | InitialAccess, LateralMovement, ResourceDevelopment |
107107

108+
## Playbooks
109+
110+
This solution contains playbooks which can be use to automate security response to incidents and alerts in Microsoft Sentinel.
111+
112+
| Playbook name | Description |
113+
| --- | --- |
114+
| Security workflow: alert verification with workload owners | This playbook can reduce burden on the SOC by offloading alert verification to IT admins for specific analytics rules. It is triggered when a Microsoft Sentinel alert is generated, creates a message (and associated notification email) in the workload owner's Microsoft Teams channel containing details of the alert. If the workload owner responds that the activity is not authorized, the alert will be converted to an incident in Microsoft Sentinel for the SOC to handle. |
115+
| Dataverse: Send notification to manager | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically send an email notificiation to the manager of the affected user entitites. The Playbook can be configured to send either to the Dynamics 365 manager, or using the manager in Office 365. |
116+
| Dataverse: Add user to blocklist (incident trigger) | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse. |
117+
| Dataverse: Add user to blocklist using Outlook approval workflow | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using an Outlook based approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse. |
118+
| Dataverse: Add user to blocklist using Teams approval workflow | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically add affected user entitites to a pre-defined Microsoft Entra group, using a Teams adaptive card approval workflow, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse. |
119+
| Dataverse: Add user to blocklist (alert trigger) | This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to add affected user entitites to a pre-defined Microsoft Entra group, resulting in blocked access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse. |
120+
| Dataverse: Remove user from blocklist | This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the analyst to remove affected user entitites from a pre-defined Microsoft Entra group used to block access. The Microsoft Entra group is used with Conditional Access to block sign-in to the Dataverse. |
121+
| Dataverse: Add SharePoint sites to watchlist | This playbook is used to add new or updated SharePoint document management sites into the configuration watchlist. When combined with a scheduled analytics rule monitoring the Dataverse activity log, this Playbook will trigger when a new SharePoint document management site mapping is added. The site will be added to a watchlist to extend monitoring coverage. |
122+
123+
108124
## Workbooks
109125

110126
Microsoft Sentinel workbooks are customizable, interactive dashboards within Microsoft Sentinel that facilitate analysts' efficient visualization, analysis, and investigation of security data. This solution includes the **Dynamics 365 Activity** workbook, which presents a visual representation of activity in Microsoft Dynamics 365 Customer Engagement / Dataverse, including record retrieval statistics and an anomaly chart.
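Review bot: the new Playbooks section has several spelling and style slips that should be fixed before merge: "which can be use to automate" at +110 should be "used"; "notificiation" at +115 should be "notification"; "entitites" appears in six rows (+115 through +120) and should be "entities"; "pre-defined" should be "predefined"; "block sign-in to the Dataverse" should drop "the"; and "Playbook" is capitalized mid-sentence at +115 and +121 but lowercase elsewhere. The first row at +114 is a comma splice ("It is triggered when a Microsoft Sentinel alert is generated, creates a message ..."); suggest "When a Microsoft Sentinel alert is generated, it creates a message (and an associated notification email) in the workload owner's Microsoft Teams channel". Lines +122 and +123 are both blank, leaving a double blank line before "## Workbooks"; one is enough.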
@@ -117,7 +133,7 @@ This solution includes the **MSBizApps-Configuration** watchlist, and requires u
117133
- **NetworkAddresses**
118134
- **TerminatedEmployees**
119135

120-
For more information, see [Watchlists in Microsoft Sentinel](../watchlists.md).
136+
For more information, see [Watchlists in Microsoft Sentinel](../watchlists.md) and [Create watchlists](../watchlists-create.md#upload-watchlist-created-from-a-template-preview).
121137

122138
## Built-in parsers
123139

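Review bot: the new link at +136 hard-codes "preview" into the fragment `#upload-watchlist-created-from-a-template-preview`; that anchor will silently stop resolving when the target heading in watchlists-create.md drops its preview tag, so verify it exists today and consider linking to the page without the fragment so the reference survives the rename.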
articles/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution.md

Lines changed: 1 addition & 1 deletion
@@ -106,7 +106,7 @@ To collect the managed identity application ID from Microsoft Entra ID:
106106
1. In the Finance and Operations portal, navigate to **System administration > Setup > Microsoft Entra ID** applications.
107107

108108
1. Create a new entry in the table:
109-
- For the **Client Id**, type the application ID of the managed identity.
109+
- For the **Client Id**, type the application ID of the app registration.
110110
- For the **Name**, type a name for the application.
111111
- For the **User ID**, type the user ID created in the [previous step](#create-a-user-for-data-collection-in-finance-and-operations).
112112

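Review bot: the changed bullet at +109 now says "application ID of the app registration", but the hunk's own context line still introduces the procedure as "To collect the managed identity application ID from Microsoft Entra ID:"; one of the two is wrong, so either the intro sentence needs the same update or the bullet should keep "managed identity". Also, the bold in the context line is inconsistent: "**System administration > Setup > Microsoft Entra ID** applications" leaves "applications" outside the bold menu path.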
articles/sentinel/whats-new.md

Lines changed: 6 additions & 2 deletions
@@ -13,7 +13,7 @@ ms.date: 12/02/2024
1313

1414
# What's new in Microsoft Sentinel
1515

16-
This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel.
16+
This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel. For new features in Microsoft's unifed security operations (SecOps) platform, see the [unified SecOps platform documentation](/unified-secops-platform/whats-new).
1717

1818
The listed features were released in the last three months. For information about earlier features delivered, see our [Tech Community blogs](https://techcommunity.microsoft.com/t5/azure-sentinel/bg-p/AzureSentinelBlog/label-name/What's%20New).
1919

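Review bot: typo at +16: "unifed" should be "unified". The link target `/unified-secops-platform/whats-new` is a root-relative path into another docset, unlike the `../` relative links used in the other files in this commit; confirm it resolves in the build before merging.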
@@ -32,7 +32,9 @@ The listed features were released in the last three months. For information abou
3232

3333
Microsoft Sentinel now provides a unified solution for Microsoft Power Platform, Microsoft Dynamics 365 Customer Engagement, and Microsoft Dynamics 365 Finance and Operations. The solution includes data connectors and security content for all platforms.
3434

35-
The updated solution removes the Power Platform Inventory data connector while we work on stability improvements. While customers who are already using the Power Platform Inventory data connector can continue to use it, it won't be available to install or deploy for new customers.
35+
The updated solution removes the **Dynamics 365 CE Apps** and the **Dynamics 365 Finance and Operations** solutions from the Microsoft Sentinel **Content hub**. Existing customers will see that these solutions are renamed to the **Microsoft Business Applications** solution.
36+
37+
The updated solution also removes the Power Platform Inventory data connector. While the Power Platform Inventory data connector continues to be supported on workspaces where it's already deployed, it isn't available for new deployments in other workspaces.
3638

3739
For more information, see:
3840

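Review bot: +35 says the updated solution "removes" the **Dynamics 365 CE Apps** and **Dynamics 365 Finance and Operations** solutions from the Content hub, and the next sentence says existing customers will see them "renamed" to **Microsoft Business Applications**; removed and renamed are different outcomes, so pick one wording (for example "replaces ... with" or "consolidates ... into"). The unchanged context line above describes "a unified solution for Microsoft Power Platform, Microsoft Dynamics 365 Customer Engagement, and Microsoft Dynamics 365 Finance and Operations" without naming it; adding the **Microsoft Business Applications** name there would tie the two paragraphs together.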
@@ -60,6 +62,8 @@ For more details and setup instructions, see [Connect Microsoft Sentinel to Amaz
6062

6163
## November 2024
6264

65+
- [Microsoft Sentinel availability in Microsoft Defender portal](#microsoft-sentinel-availability-in-microsoft-defender-portal)
66+
6367
### Microsoft Sentinel availability in Microsoft Defender portal
6468

6569
We previously announced Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal.
