Power Platform - DLP policy updated or removed

Back


Id	1b2e6172-85c5-417a-90c3-7cc80cb787f5
Rulename	Power Platform - DLP policy updated or removed
Description	Identifies changes to DLP policy, specifically policies which are updated or removed.
Severity	Low
Tactics	DefenseEvasion
Techniques	T1480
Required data connectors	PowerPlatformAdmin
Kind	Scheduled
Query frequency	1h
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
Version	3.2.0
Arm template	1b2e6172-85c5-417a-90c3-7cc80cb787f5.json

KQL

let create_policy_ignore_time_window = 10m;
let query_frequency = 1h;
let dlp_policy_events = PowerPlatformAdminActivity
    | where TimeGenerated >= ago(query_frequency)
    | where EventOriginalType == "GovernanceApiPolicyOperation"
    | where PropertyCollection has_any ("DeleteDlpPolicy", "UpdateDlpPolicy", "CreateDlpPolicy")
    | mv-expand PropertyCollection
    | extend
        Name = tostring(PropertyCollection.Name),
        Value = tostring(PropertyCollection.Value)
    | summarize Properties = make_bag(bag_pack(Name, Value))
        by
        TimeGenerated,
        EventOriginalUid
    | extend
        PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),
        EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),
        ActorName = tostring(Properties['enduser.principal_name']),
        PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),
        AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];
let delete_events = dlp_policy_events
    | where EventType == "DeleteDlpPolicy";
let update_events = dlp_policy_events
    | where EventType == "UpdateDlpPolicy";
let create_events = dlp_policy_events
    | where EventType == "CreateDlpPolicy"
    | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;
union
    delete_events,
    (update_events
    | join kind=leftouter (
        create_events
        | project-away TimeGenerated
        )
        on PolicyId
    | where isempty(ignore_time) or TimeGenerated > ignore_time
    | project-away ignore_time)
| where TimeGenerated >= ago(query_frequency)
| extend
    AccountName = tostring(split(ActorName, "@")[0]),
    UPNSuffix = tostring(split(ActorName, "@")[1])
| project
    TimeGenerated,
    ActorName,
    EventType,
    PolicyName,
    PolicyId,
    AccountName,
    UPNSuffix,
    AdditionalInfo

YAML

relevantTechniques:
- T1480
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
version: 3.2.0
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
description: Identifies changes to DLP policy, specifically policies which are updated or removed.
customDetails:
  Policy: PolicyId
  PolicyName: PolicyName
requiredDataConnectors:
- connectorId: PowerPlatformAdmin
  dataTypes:
  - PowerPlatformAdminActivity
triggerOperator: gt
alertDetailsOverride:
  alertDisplayNameFormat: PowerPlatform - DLP policy {{EventType}} event detected.
  alertDescriptionFormat: A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}
eventGroupingSettings:
  aggregationKind: SingleAlert
id: 1b2e6172-85c5-417a-90c3-7cc80cb787f5
queryFrequency: 1h
query: |
  let create_policy_ignore_time_window = 10m;
  let query_frequency = 1h;
  let dlp_policy_events = PowerPlatformAdminActivity
      | where TimeGenerated >= ago(query_frequency)
      | where EventOriginalType == "GovernanceApiPolicyOperation"
      | where PropertyCollection has_any ("DeleteDlpPolicy", "UpdateDlpPolicy", "CreateDlpPolicy")
      | mv-expand PropertyCollection
      | extend
          Name = tostring(PropertyCollection.Name),
          Value = tostring(PropertyCollection.Value)
      | summarize Properties = make_bag(bag_pack(Name, Value))
          by
          TimeGenerated,
          EventOriginalUid
      | extend
          PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),
          EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),
          ActorName = tostring(Properties['enduser.principal_name']),
          PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),
          AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];
  let delete_events = dlp_policy_events
      | where EventType == "DeleteDlpPolicy";
  let update_events = dlp_policy_events
      | where EventType == "UpdateDlpPolicy";
  let create_events = dlp_policy_events
      | where EventType == "CreateDlpPolicy"
      | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;
  union
      delete_events,
      (update_events
      | join kind=leftouter (
          create_events
          | project-away TimeGenerated
          )
          on PolicyId
      | where isempty(ignore_time) or TimeGenerated > ignore_time
      | project-away ignore_time)
  | where TimeGenerated >= ago(query_frequency)
  | extend
      AccountName = tostring(split(ActorName, "@")[0]),
      UPNSuffix = tostring(split(ActorName, "@")[1])
  | project
      TimeGenerated,
      ActorName,
      EventType,
      PolicyName,
      PolicyId,
      AccountName,
      UPNSuffix,
      AdditionalInfo  
severity: Low
status: Available
queryPeriod: 1d
name: Power Platform - DLP policy updated or removed
tactics:
- DefenseEvasion
kind: Scheduled

ARM