Microsoft Sentinel solution for Microsoft Power Platform overview
The Microsoft Sentinel solution for Power Platform allows you to monitor and detect suspicious or malicious activities in your Power Platform environment. The solution collects activity logs from different Power Platform components and inventory data. It analyzes those activity logs to detect threats and suspicious activities like the following activities:
- Power Apps execution from unauthorized geographies
- Suspicious data destruction by Power Apps
- Mass deletion of Power Apps
- Phishing attacks made possible through Power Apps
- Power Automate flows activity by departing employees
- Microsoft Power Platform connectors added to the environment
- Update or removal of Microsoft Power Platform data loss prevention policies
Important
- The Microsoft Sentinel solution for Power Platform is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
- Provide feedback for this solution by completing this survey: https://aka.ms/SentinelPowerPlatformSolutionSurvey.
Why you should install the solution
The Microsoft Sentinel solution for Microsoft Power Platform helps organizations to:
- Collect Microsoft Power Platform and Power Apps activity logs, audits, and events into the Microsoft Sentinel workspace.
- Detect execution of suspicious, malicious, or illegitimate activities within Microsoft Power Platform and Power Apps.
- Investigate threats detected in Microsoft Power Platform and Power Apps and contextualize them with other user activities across the organization.
- Respond to Microsoft Power Platform-related and Power Apps-related threats and incidents in a simple and canned manner manually, automatically, or through a predefined workflow.
What the solution includes
The Microsoft Sentinel solution for Power Platform includes several data connectors and analytic rules.
Data connectors
The Microsoft Sentinel solution for Power Platform ingests and cross-correlates activity logs and inventory data from multiple sources. So, the solution requires that you enable the following data connectors that are available as part of the solution.
| Connector name | Data collected | Log Analytics tables |
|---|---|---|
| Power Platform Inventory (using Azure Functions) | Power Apps and Power Automate inventory data For more information, see Set up Microsoft Power Platform self-service analytics to export Power Platform inventory and usage data. |
PowerApps_CL, PowerPlatrformEnvironments_CL, PowerAutomateFlows_CL, PowerAppsConnections_CL |
| Microsoft Power Apps (Preview) | Power Apps activity logs For more information, see Power Apps activity logging. |
PowerAppsActivity |
| Microsoft Power Automate (Preview) | Power Automate activity logs For more information, see View Power Automate audit logs. |
PowerAutomateActivity |
| Microsoft Power Platform Connectors (Preview) | Power Platform connector activity logs For more information, see View the Power Platform connector activity logs. |
PowerPlatformConnectorActivity |
| Microsoft Power Platform DLP (Preview) | Data loss prevention activity logs For more information, see Data loss prevention activity logging. |
PowerPlatformDlpActivity |
| Microsoft Power Platform Admin Activity (Preview) | Power Platform administrator activity logs For more information, see View Power Platform administrative logs using auditing solutions in Microsoft Purview (preview). |
|
| Microsoft Dataverse (Preview) | Dataverse and model-driven apps activity logging For more information, see Microsoft Dataverse and model-driven apps activity logging. If you use the data connector for Dynamics 365, migrate to the data connector for Microsoft Dataverse. This data connector replaces the legacy data connector for Dynamics 365 and supports data collection rules. |
DataverseActivity |
Analytic rules
The solution includes analytics rules to detect threats and suspicious activity in your Power Platform environment. These activities include Power Apps being run from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, and more. For more information, see Microsoft Sentinel solution for Microsoft Power Platform: security content reference.
Parsers
The solution includes parsers that are used to access data from the raw data tables. Parsers ensure that the correct data is returned with a consistent schema. We recommend that you use the parsers instead of directly querying the inventory tables and watchlists. For more information, see Microsoft Sentinel solution for Microsoft Power Platform: security content reference.
Next steps
Deploy the Microsoft Sentinel solution for Microsoft Power Platform
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for