articles/sentinel/business-applications/deploy-power-platform-solution.md (0 additions & 5 deletions)
@@ -15,11 +15,6 @@ ms.date: 11/14/2024
15
15
16
16
This article describes how to deploy the [Microsoft Sentinel solution for Microsoft Business Apps](../business-applications/solution-overview.md) to connect your Microsoft Power Platform and Microsoft Dynamics 365 Customer Engagement system to Microsoft Sentinel. The solution collects audit and activity logs to detect threats, suspicious activities, illegitimate activities, and more.
17
17
18
-
> [!IMPORTANT]
19
-
>
20
-
> - The Microsoft Sentinel solution for Microsoft Business Apps is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
21
-
> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
22
-
23
18
## Prerequisites
24
19
25
20
Before deploying the Microsoft Sentinel solution for Microsoft Business Apps, ensure that you meet the following prerequisites:
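Review bot: missing documentation: dropping the `> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.` bullet removes the only statement that this solution is billed separately, and nothing replaces it. If the callout is going because the solution has reached general availability, this is the spot for a one-line pointer to the pricing page; if pricing is still not published, the premium bullet should stay even when the PREVIEW bullet goes. The hunk header also shows `ms.date: 11/14/2024` unchanged; a content edit to a Learn article normally bumps `ms.date`, and the same applies to the other files in this change whose headers carry the same date.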
articles/sentinel/business-applications/power-platform-solution-security-content.md (8 additions & 14 deletions)
@@ -15,12 +15,6 @@ ms.date: 11/14/2024
15
15
16
16
This article details the security content available for the Microsoft Sentinel solution for Power Platform. For more information about this solution, see [Microsoft Sentinel solution for Microsoft Power Platform and Microsoft Dynamics 365 Customer Engagement overview](power-platform-solution-overview.md).
17
17
18
-
> [!IMPORTANT]
19
-
>
20
-
> - The Microsoft Sentinel solution for Power Platform is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
21
-
> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
22
-
> - Provide feedback for this solution by completing this survey: [https://aka.ms/SentinelPowerPlatformSolutionSurvey](https://aka.ms/SentinelPowerPlatformSolutionSurvey).
23
-
24
18
## Built-in analytics rules
25
19
26
20
The following analytic rules are included when you install the solution for Power Platform. The data sources listed include the data connector name and table in Log Analytics.
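Review bot: the feedback survey link (`> - Provide feedback for this solution by completing this survey: [https://aka.ms/SentinelPowerPlatformSolutionSurvey](...)`) is deleted together with the preview and pricing bullets, but nothing on the page says the survey is retired. If feedback is still wanted after GA, the link should move into a regular paragraph or a `[!NOTE]` rather than disappear with the `[!IMPORTANT]` block. Separately, the unchanged intro line still names the "Microsoft Sentinel solution for Power Platform" and links to `power-platform-solution-overview.md`, while `deploy-power-platform-solution.md` in this same change says "Microsoft Sentinel solution for Microsoft Business Apps" and links to `../business-applications/solution-overview.md`; since this hunk already edits the opening of the article, it is the natural place to align the product name and the overview link.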
@@ -68,25 +62,25 @@ The following analytic rules are included when you install the solution for Powe
68
62
69
63
|Rule name|Description|Source action|Tactics|
70
64
|---------|---------|---------|---------|
71
-
|Power Apps - App activity from unauthorized geo|Identifies Power Apps activity from geographic regions in a predefined list of unauthorized geographic regions. <br><br> This detection gets the list of ISO 3166-1 alpha-2 country codes from [ISO Online Browsing Platform (OBP)](https://www.iso.org/obp/ui).<br><br>This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector.|Run an activity in a Power App from a geographic region that's on the unauthorized country code list.<br><br>**Data sources**: <br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>- Microsoft Entra ID<br>`SigninLogs`<br>|Initial access|
72
-
|Power Apps - Multiple apps deleted|Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments.|Delete many Power Apps from the Power Platform admin center. <br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`|Impact|
73
-
|Power Apps - Data destruction following publishing of a new app|Identifies a chain of events when a new app is created or published and is followed within 1 hour by a mass update or delete event in Dataverse. |Delete many records in Power Apps within 1 hour of the Power App being created or published.<br><br>If the app publisher is on the list of users in the **TerminatedEmployees** watchlist template, the incident severity is raised.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>- Microsoft Dataverse (Preview)<br>`DataverseActivity`|Impact|
74
-
|Power Apps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL selection events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>This detection gets the distinct number of users who launch or select the malicious link by creating a query.|Multiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
75
-
|Power Apps - Bulk sharing of Power Apps to newly created guest users|Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query.|Share an app with multiple external users.<br><br>**Data sources:**<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`- Microsoft Entra ID<br>`AuditLogs`|Resource Development,<br>Initial Access,<br>Lateral Movement|
65
+
|Power Apps - App activity from unauthorized geo|Identifies Power Apps activity from geographic regions in a predefined list of unauthorized geographic regions. <br><br> This detection gets the list of ISO 3166-1 alpha-2 country codes from [ISO Online Browsing Platform (OBP)](https://www.iso.org/obp/ui).<br><br>This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector.|Run an activity in a Power App from a geographic region that's on the unauthorized country code list.<br><br>**Data sources**: <br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Microsoft Entra ID<br>`SigninLogs`<br>|Initial access|
66
+
|Power Apps - Multiple apps deleted|Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments.|Delete many Power Apps from the Power Platform admin center. <br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`|Impact|
67
+
|Power Apps - Data destruction following publishing of a new app|Identifies a chain of events when a new app is created or published and is followed within 1 hour by a mass update or delete event in Dataverse. |Delete many records in Power Apps within 1 hour of the Power App being created or published.<br><br>If the app publisher is on the list of users in the **TerminatedEmployees** watchlist template, the incident severity is raised.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Microsoft Dataverse<br>`DataverseActivity`|Impact|
68
+
|Power Apps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL selection events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>This detection gets the distinct number of users who launch or select the malicious link by creating a query.|Multiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
69
+
|Power Apps - Bulk sharing of Power Apps to newly created guest users|Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query.|Share an app with multiple external users.<br><br>**Data sources:**<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`- Microsoft Entra ID<br>`AuditLogs`|Resource Development,<br>Initial Access,<br>Lateral Movement|
76
70
77
71
### Power Automate rules
78
72
79
73
|Rule name|Description|Source action|Tactics|
80
74
|---------|---------|---------|---------|
81
-
|Power Automate - Departing employee flow activity|Identifies instances where an employee who has been notified or is already terminated, and is on the **Terminated Employees** watchlist, creates or modifies a Power Automate flow.|User defined in the **TerminatedEmployees** watchlist creates or updates a Power Automate flow.<br><br>**Data sources**:<br>Microsoft Power Automate (Preview)<br>`PowerAutomateActivity`<br>**TerminatedEmployees** watchlist|Exfiltration, impact|
75
+
|Power Automate - Departing employee flow activity|Identifies instances where an employee who has been notified or is already terminated, and is on the **Terminated Employees** watchlist, creates or modifies a Power Automate flow.|User defined in the **TerminatedEmployees** watchlist creates or updates a Power Automate flow.<br><br>**Data sources**:<br>Microsoft Power Automate<br>`PowerAutomateActivity`<br>**TerminatedEmployees** watchlist|Exfiltration, impact|
82
76
|Power Automate - Unusual bulk deletion of flow resources|Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query, and deviate from activity patterns observed in the last 14 days.|Bulk deletion of Power Automate flows.<br><br>**Data sources:**<br>- PowerAutomate<br>`PowerAutomateActivity`<br>|Impact, <br>Defense Evasion|
83
77
84
78
### Power Platform rules
85
79
86
80
|Rule name|Description|Source action|Tactics|
87
81
|---------|---------|---------|---------|
88
-
|Power Platform - Connector added to a sensitive environment|Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments.|Add a new Power Platform connector in a sensitive Power Platform environment.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>|Execution, Exfiltration|
89
-
|Power Platform - DLP policy updated or removed|Identifies changes to the data loss prevention policy, specifically policies that are updated or removed.|Update or remove a Power Platform data loss prevention policy in Power Platform environment.<br><br>**Data sources**:<br>Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`|Defense Evasion|
82
+
|Power Platform - Connector added to a sensitive environment|Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments.|Add a new Power Platform connector in a sensitive Power Platform environment.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>|Execution, Exfiltration|
83
+
|Power Platform - DLP policy updated or removed|Identifies changes to the data loss prevention policy, specifically policies that are updated or removed.|Update or remove a Power Platform data loss prevention policy in Power Platform environment.<br><br>**Data sources**:<br>Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`|Defense Evasion|
90
84
|Power Platform - Possibly compromised user accesses Power Platform services|Identifies user accounts flagged at risk in Microsoft Entra ID Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate, and Power Platform Admin Center.|User with risk signals accesses Power Platform portals.<br><br>**Data sources:**<br>- Microsoft Entra ID<br>`SigninLogs`|Initial Access, Lateral Movement|
91
85
|Power Platform - Account added to privileged Microsoft Entra roles|Identifies changes to the following privileged directory roles that affect Power Platform:<br>- Dynamics 365 Admins- Power Platform Admins- Fabric Admins|**Data sources**:<br>AzureActiveDirectory<br>`AuditLogs`|PrivilegeEscalation|
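Review bot: the `(Preview)` cleanup is applied only to the rows this hunk rewrites, which leaves the Data sources column inconsistent with the rows it does not touch: the unusual-bulk-deletion row still lists `- PowerAutomate` where the row above now says `Microsoft Power Automate`, and the privileged-roles row still lists `AzureActiveDirectory` where every other row says `Microsoft Entra ID`. The rewritten bulk-sharing row also carries over a missing line break, `PowerPlatformAdminActivity`- Microsoft Entra ID, which renders both sources on one line; add `<br>` before `- Microsoft Entra ID` while that line is being edited, and the same fix is needed for `- Dynamics 365 Admins- Power Platform Admins- Fabric Admins` in the last row. In the malicious-link row the description says "Microsoft 365 Defender data connector" while its Data sources entry says "Microsoft Defender XDR"; pick one name. Minor: the Tactics column mixes "Initial access" and "Initial Access", and `PrivilegeEscalation` is missing its space.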
articles/sentinel/business-applications/solution-overview.md (0 additions & 5 deletions)
@@ -18,11 +18,6 @@ The Microsoft Sentinel solution for Microsoft Business Apps helps you monitor an
18
18
-[Microsoft Dynamics 365 Customer Engagement](/dynamics365/customerengagement/) is a cloud-based suite of customer relationship management (CRM) applications designed to streamline and automate business processes across sales, customer service, field service, project service automation, and marketing
19
19
-[Microsoft Dynamics 365 for Finance and Operations](/dynamics365/finance) is a comprehensive Enterprise Resource Planning (ERP) solution that combines financial and operational capabilities to help businesses manage their day-to-day operations. It offers a range of features that enable businesses to streamline workflows, automate tasks, and gain insights into operational performance.
20
20
21
-
> [!IMPORTANT]
22
-
>
23
-
> - The Microsoft Sentinel solution for Microsoft Business Apps is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
24
-
> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
25
-
26
21
## Securing Power Platform and Microsoft Dynamics 365 Customer Engagement activities
27
22
28
23
The Microsoft Sentinel solution for Microsoft Business Apps helps you secure your Power Platform by allowing you to:
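Review bot: deleting the two product paragraphs leaves a dangling reference: the unchanged heading "Securing Power Platform and Microsoft Dynamics 365 Customer Engagement activities" and the deploy article in this change ("connect your Microsoft Power Platform and Microsoft Dynamics 365 Customer Engagement system") still name Customer Engagement, but after this hunk the overview never says what it is and loses the `/dynamics365/customerengagement/` link. The Finance and Operations paragraph goes the same way while `deploy-dynamics-365-finance-operations-solution.md` still presents F&O content as part of the "Microsoft Sentinel solution for Microsoft Business Applications". Either keep a one-sentence description of each product (the Customer Engagement sentence also needs its missing final period) or add a short list of what the solution covers, so the overview names everything the solution monitors.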
articles/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution.md (0 additions & 4 deletions)
@@ -15,10 +15,6 @@ ms.date: 11/14/2024
15
15
16
16
This article describes how to deploy the Dynamics 365 Finance and Operations content within the Microsoft Sentinel solution for Microsoft Business Applications. The solution monitors and protects your Dynamics 365 Finance and Operations system: It collects audits and activity logs from the Dynamics 365 Finance and Operations environment, and detects threats, suspicious activities, illegitimate activities, and more. [Read more about the solution](dynamics-365-finance-operations-solution-overview.md).
17
17
18
-
> [!IMPORTANT]
19
-
> - The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
20
-
> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
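Review bot: the hunk header counts four deletions (`@@ -15,10 +15,6 @@`) but only three removed lines and no trailing context are visible, so the view is truncated here; confirm that the fourth deletion is the blank line that closed the callout, otherwise the change either leaves a double blank line or runs the intro paragraph into the next heading. While this paragraph is in the hunk's context, "It collects audits and activity logs" reads better as "it collects audit and activity logs" (lowercase after the colon, "audit" as the modifier), matching the wording used in `deploy-power-platform-solution.md`. `ms.date: 11/14/2024` is again left unchanged in the header.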
articles/sentinel/dynamics-365/dynamics-365-finance-operations-security-content.md (0 additions & 4 deletions)
@@ -15,10 +15,6 @@ ms.date: 11/14/2024
15
15
16
16
This article details the security content available for the Microsoft Sentinel solution for Dynamics 365 Finance and Operations.
17
17
18
-
> [!IMPORTANT]
19
-
> - The Microsoft Sentinel solution for Dynamics 365 Finance and Operations is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
20
-
> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
21
-
22
18
[Learn more about the solution](dynamics-365-finance-operations-solution-overview.md).
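Review bot: with the callout removed, the opening of this article is a single sentence followed directly by "[Learn more about the solution]", and that sentence calls the product the "Microsoft Sentinel solution for Dynamics 365 Finance and Operations" while the deploy article in this change describes it as "Dynamics 365 Finance and Operations content within the Microsoft Sentinel solution for Microsoft Business Applications". Since the preview and premium bullets were the only other content in this opening, align the product name here in the same edit, and bump `ms.date: 11/14/2024`, which the hunk header shows unchanged.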