Microsoft Sentinel solution for Microsoft Power Platform: security content reference
This article details the security content available for the Microsoft Sentinel solution for Power Platform. For more information about this solution, see Microsoft Sentinel solution for Microsoft Power Platform overview.
Important
- The Microsoft Sentinel solution for Power Platform is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
- Provide feedback for this solution by completing this survey: https://aka.ms/SentinelPowerPlatformSolutionSurvey.
Built-in analytics rules
The following analytic rules are included when you install the solution for Power Platform. The data sources listed include the data connector name and table in Log Analytics. To avoid missing data in the inventory sources, we recommend that you don't change the default lookback period defined in the analytic rule templates.
Rule name | Description | Source action | Tactics |
---|---|---|---|
PowerApps - App activity from unauthorized geo | Identifies Power Apps activity from countries in a predefined list of unauthorized countries. Get the list of ISO 3166-1 alpha-2 country codes from the ISO Online Browsing Platform (OBP). This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector. | Run an activity in a Power App from a country that's on the unauthorized country code list. Data sources: Power Platform Inventory (using Azure Functions): InventoryApps, InventoryEnvironments; Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity; Microsoft Entra ID: SigninLogs | Initial Access |
PowerApps - Multiple apps deleted | Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments. | Delete many Power Apps from the Power Platform admin center. Data sources: Power Platform Inventory (using Azure Functions): InventoryApps, InventoryEnvironments; Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity | Impact |
PowerApps - Data destruction following publishing of a new app | Identifies a chain of events when a new app is created or published and is followed within 1 hour by mass update or delete events in Dataverse. If the app publisher is on the list of users in the TerminatedEmployees watchlist template, the incident severity is raised. | Delete a number of records in Power Apps within 1 hour of the Power App being created or published. Data sources: Power Platform Inventory (using Azure Functions): InventoryApps, InventoryEnvironments; Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity; Microsoft Dataverse (Preview): DataverseActivity | Impact |
PowerApps - Multiple users accessing a malicious link after launching new app | Identifies a chain of events when a new Power App is created and is followed by these events: multiple users launch the app within the detection window, and multiple users open the same malicious URL. This detection cross-correlates Power Apps execution logs with malicious URL click events from either the Microsoft 365 Defender data connector or malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence, using the Advanced Security Information Model (ASIM) web session normalization parser. Get the distinct number of users who launch or click the malicious link by creating a query. | Multiple users launch a new Power App and open a known malicious URL from the app. Data sources: Power Platform Inventory (using Azure Functions): InventoryApps, InventoryEnvironments; Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity; Threat Intelligence: ThreatIntelligenceIndicator; Microsoft Defender XDR: UrlClickEvents | Initial Access |
PowerAutomate - Departing employee flow activity | Identifies instances where an employee who has been notified of termination or is already terminated, and is on the Terminated Employees watchlist, creates or modifies a Power Automate flow. | A user defined in the Terminated Employees watchlist creates or updates a Power Automate flow. Data sources: Microsoft Power Automate (Preview): PowerAutomateActivity; Power Platform Inventory (using Azure Functions): InventoryFlows, InventoryEnvironments; Terminated Employees watchlist | Exfiltration, Impact |
PowerPlatform - Connector added to a sensitive environment | Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments. | Add a new Power Platform connector in a sensitive Power Platform environment. Data sources: Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity; Power Platform Inventory (using Azure Functions): InventoryApps, InventoryEnvironments, InventoryAppsConnections | Execution, Exfiltration |
PowerPlatform - DLP policy updated or removed | Identifies changes to the data loss prevention policy, specifically policies that are updated or removed. | Update or remove a Power Platform data loss prevention policy in a Power Platform environment. Data sources: Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity | Defense Evasion |
Dataverse - Guest user exfiltration following Power Platform defense impairment | Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users. Activate the other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule. | As a recently created guest user, trigger Dataverse exfiltration alerts after the Power Platform security controls are disabled. Data sources: PowerPlatformAdmin: PowerPlatformAdminActivity; Dataverse: DataverseActivity; Power Platform Inventory (using Azure Functions): InventoryEnvironments | Defense Evasion |
Dataverse - Mass export of records to Excel | Identifies users exporting a large number of records from Dynamics 365 to Excel. The number of records exported is significantly more than any other recent activity by that user. Large exports from users with no recent activity are identified using a predefined threshold. | Export many records from Dataverse to Excel. Data sources: Dataverse: DataverseActivity; Power Platform Inventory (using Azure Functions): InventoryEnvironments | Exfiltration |
Dataverse - User bulk retrieval outside normal activity | Identifies users retrieving significantly more records from Dataverse than they have in the past 2 weeks. | A user retrieves many records from Dataverse. Data sources: Dataverse: DataverseActivity; Power Platform Inventory (using Azure Functions): InventoryEnvironments | Exfiltration |
Power Apps - Bulk sharing of Power Apps to newly created guest users | Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query. | Share an app with multiple external users. Data sources: Microsoft Power Platform Admin Activity (Preview): PowerPlatformAdminActivity; Power Platform Inventory (using Azure Functions): InventoryApps, InventoryEnvironments; Microsoft Entra ID: AuditLogs | Resource Development, Initial Access, Lateral Movement |
Power Automate - Unusual bulk deletion of flow resources | Identifies bulk deletion of Power Automate flows that exceeds a predefined threshold defined in the query and deviates from activity patterns observed in the last 14 days. | Bulk deletion of Power Automate flows. Data sources: PowerAutomate: PowerAutomateActivity | Impact, Defense Evasion |
Power Platform - Possibly compromised user accesses Power Platform services | Identifies user accounts flagged as at risk in Microsoft Entra ID Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate, and the Power Platform admin center. | A user with risk signals accesses Power Platform portals. Data sources: Microsoft Entra ID: SigninLogs | Initial Access, Lateral Movement |
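The two Dataverse volume rules above (mass export to Excel, bulk retrieval outside normal activity) share one detection shape: compare a user's volume in the current window against that user's own baseline, and fall back to a fixed threshold when the user has no baseline. The following is an added illustration in Python over constructed events, not the solution's own KQL; the event field names, the 14-day baseline, the 24-hour window, the deviation factor and the cold-start threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of per-event Dataverse export/retrieval counts.
# Field names are assumptions, not the real DataverseActivity schema.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00", "records": 120},
    {"user": "alice@example.com", "time": "2024-05-06T10:00:00", "records": 150},
    {"user": "alice@example.com", "time": "2024-05-14T11:00:00", "records": 4000},  # spike vs. her baseline
    {"user": "bob@example.com",   "time": "2024-05-02T09:00:00", "records": 900},
    {"user": "bob@example.com",   "time": "2024-05-14T09:30:00", "records": 1000},  # normal for bob
    {"user": "carol@example.com", "time": "2024-05-14T12:00:00", "records": 2500},  # no history, large
    {"user": "dave@example.com",  "time": "2024-05-14T12:00:00", "records": 50},    # no history, small
]
SAMPLE_NOW = "2024-05-14T23:00:00"  # constructed evaluation time


def find_bulk_exports(events, now_iso, baseline_days=14, window_hours=24,
                      deviation_factor=3.0, cold_start_threshold=1000):
    """Flag users whose current-window volume deviates from their own baseline.

    Baseline = the user's largest single-event count in the baseline period
    (older than the current window, newer than baseline_days ago).
    Users with no baseline are flagged only above a fixed threshold.
    """
    now = datetime.fromisoformat(now_iso)
    window_start = now - timedelta(hours=window_hours)
    baseline_start = now - timedelta(days=baseline_days)
    current = defaultdict(int)
    baseline_peak = {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if t < baseline_start or t > now:
            continue  # outside the lookback; ignored to keep the baseline stable
        if t >= window_start:
            current[e["user"]] += e["records"]
        else:
            baseline_peak[e["user"]] = max(baseline_peak.get(e["user"], 0), e["records"])
    alerts = []
    for user, total in current.items():
        peak = baseline_peak.get(user)
        if peak is None:
            if total >= cold_start_threshold:
                alerts.append({"user": user, "records": total, "reason": "no_baseline"})
        elif total >= deviation_factor * peak:
            alerts.append({"user": user, "records": total,
                           "baseline_peak": peak, "reason": "deviation"})
    return sorted(alerts, key=lambda a: a["user"])
```

Note that bob is not flagged even though his absolute count exceeds the cold-start threshold: his own history makes 1000 records ordinary, which is the point of baselining per user.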
Built-in parsers
The solution includes parsers that are used to access data from the raw data tables. Parsers ensure that the correct data is returned with a consistent schema. We recommend that you use the parsers instead of directly querying the inventory tables and watchlists. The Power Platform inventory-related parsers return data from the last 7 days.
Parser | Data returned | Table queried |
---|---|---|
InventoryApps | Power Apps inventory | PowerApps_CL |
InventoryAppsConnections | Power Apps connections inventory | PowerAppsConnections_CL |
InventoryEnvironments | Power Platform environments inventory | PowerPlatrformEnvironments_CL |
InventoryFlows | Power Automate flows inventory | PowerAutomateFlows_CL |
MSBizAppsTerminatedEmployees | Terminated employees watchlist (from watchlist template) | TerminatedEmployees |
GetPowerAppsEventDetails | Returns parsed event details for Power Apps / Connections | PowerPlatformAdminActivity |
For more information about analytic rules, see Detect threats out-of-the-box.