Microsoft Sentinel Analytic Rules

Power Platform - DLP policy updated or removed

Id: 1b2e6172-85c5-417a-90c3-7cc80cb787f5
Rule name: Power Platform - DLP policy updated or removed
Description: Identifies changes to DLP policy, specifically policies which are updated or removed.
Severity: Low
Tactics: DefenseEvasion
Techniques: T1480
Required data connectors: PowerPlatformAdmin
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
Version: 3.2.0
Arm template: 1b2e6172-85c5-417a-90c3-7cc80cb787f5.json
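// Power Platform - DLP policy updated or removed.
//
// Raises a result for every DeleteDlpPolicy and UpdateDlpPolicy governance
// event in PowerPlatformAdminActivity. An UpdateDlpPolicy that follows a
// CreateDlpPolicy for the same PolicyId within create_policy_ignore_time_window
// is suppressed: an admin normally fine-tunes a policy right after creating it.
// NOTE(review): that window is also a blind spot - a policy created and then
// weakened within the window never surfaces here, and CreateDlpPolicy itself is
// never reported - so keep the window short and cover creation elsewhere.
let create_policy_ignore_time_window = 10m;
let query_frequency = 1h;
// Scan one extra ignore window of history so that a CreateDlpPolicy event that
// landed just before the current run still suppresses its follow-up update.
// Without this, the trailing TimeGenerated filter below was redundant and an
// update in the first minutes of the run could never find its create event.
let lookback = query_frequency + create_policy_ignore_time_window;
let dlp_policy_events = PowerPlatformAdminActivity
    | where TimeGenerated >= ago(lookback)
    | where EventOriginalType == "GovernanceApiPolicyOperation"
    // Cheap pre-filter on the raw dynamic column before the costly mv-expand.
    | where PropertyCollection has_any ("DeleteDlpPolicy", "UpdateDlpPolicy", "CreateDlpPolicy")
    | mv-expand PropertyCollection
    | extend
        Name = tostring(PropertyCollection.Name),
        Value = tostring(PropertyCollection.Value)
    // Fold the expanded name/value pairs of one event back into a single bag.
    | summarize Properties = make_bag(bag_pack(Name, Value))
        by
        TimeGenerated,
        EventOriginalUid
    | extend
        PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),
        EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),
        ActorName = tostring(Properties['enduser.principal_name']),
        PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),
        AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];
let delete_events = dlp_policy_events
    | where EventType == "DeleteDlpPolicy";
let update_events = dlp_policy_events
    | where EventType == "UpdateDlpPolicy";
// Grace-period end per created policy. Only PolicyId and ignore_time are kept
// so the join below does not produce a set of duplicated "*1" columns, and an
// empty PolicyId is never used as a suppression key (it would otherwise match
// every update whose id is also missing). If the same id shows up in several
// create events, the latest one wins.
let create_events = dlp_policy_events
    | where EventType == "CreateDlpPolicy"
    | where isnotempty(PolicyId)
    | summarize last_created = max(TimeGenerated) by PolicyId
    | extend ignore_time = last_created + create_policy_ignore_time_window
    | project PolicyId, ignore_time;
union
    delete_events,
    (update_events
    | join kind=leftouter (create_events) on PolicyId
    // Keep updates with no create in the lookback (ignore_time is null) and
    // updates that happened after the grace period expired.
    | where isnull(ignore_time) or TimeGenerated > ignore_time
    | project-away ignore_time, PolicyId1)
// Trim the widened lookback back to the events of this run.
| where TimeGenerated >= ago(query_frequency)
// Split the actor UPN for the Account entity mapping. An actor without an "@"
// (e.g. an application or service identity) yields an empty UPNSuffix.
| extend
    AccountName = tostring(split(ActorName, "@")[0]),
    UPNSuffix = tostring(split(ActorName, "@")[1])
| project
    TimeGenerated,
    ActorName,
    EventType,
    PolicyName,
    PolicyId,
    AccountName,
    UPNSuffix,
    AdditionalInfo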
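# Microsoft Sentinel scheduled analytics rule (Microsoft Business Applications
# solution). Alerts on Power Platform DLP policies being updated or deleted;
# updates inside create_policy_ignore_time_window of the policy's creation are
# treated as routine post-creation tuning and suppressed. CreateDlpPolicy
# events are read only for that suppression and never alerted on.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
queryFrequency: 1h
name: Power Platform - DLP policy updated or removed
alertDetailsOverride:
  alertDisplayNameFormat: PowerPlatform - DLP policy {{EventType}} event detected.
  alertDescriptionFormat: A DLP policy {{PolicyName}} was modified or deleted. Event type {{EventType}}
kind: Scheduled
tactics:
- DefenseEvasion
# Any single result raises an alert (threshold 0 with operator gt).
triggerThreshold: 0
query: |
  // Power Platform - DLP policy updated or removed.
  // Reports DeleteDlpPolicy and UpdateDlpPolicy events. An update that follows
  // a CreateDlpPolicy for the same PolicyId within the ignore window is
  // suppressed as post-creation tuning. NOTE(review): a policy created and
  // weakened within that window never alerts - keep the window short.
  let create_policy_ignore_time_window = 10m;
  let query_frequency = 1h;
  // Scan one extra ignore window so a CreateDlpPolicy just before this run
  // still suppresses its follow-up update; the trailing TimeGenerated filter
  // trims the output back to this run's window.
  let lookback = query_frequency + create_policy_ignore_time_window;
  let dlp_policy_events = PowerPlatformAdminActivity
      | where TimeGenerated >= ago(lookback)
      | where EventOriginalType == "GovernanceApiPolicyOperation"
      // Cheap pre-filter on the raw dynamic column before the costly mv-expand.
      | where PropertyCollection has_any ("DeleteDlpPolicy", "UpdateDlpPolicy", "CreateDlpPolicy")
      | mv-expand PropertyCollection
      | extend
          Name = tostring(PropertyCollection.Name),
          Value = tostring(PropertyCollection.Value)
      // Fold the expanded name/value pairs of one event back into a single bag.
      | summarize Properties = make_bag(bag_pack(Name, Value))
          by
          TimeGenerated,
          EventOriginalUid
      | extend
          PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),
          EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),
          ActorName = tostring(Properties['enduser.principal_name']),
          PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),
          AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];
  let delete_events = dlp_policy_events
      | where EventType == "DeleteDlpPolicy";
  let update_events = dlp_policy_events
      | where EventType == "UpdateDlpPolicy";
  // Grace-period end per created policy. Only PolicyId and ignore_time are
  // kept so the join does not duplicate columns, an empty PolicyId is never
  // used as a suppression key, and the latest create wins per id.
  let create_events = dlp_policy_events
      | where EventType == "CreateDlpPolicy"
      | where isnotempty(PolicyId)
      | summarize last_created = max(TimeGenerated) by PolicyId
      | extend ignore_time = last_created + create_policy_ignore_time_window
      | project PolicyId, ignore_time;
  union
      delete_events,
      (update_events
      | join kind=leftouter (create_events) on PolicyId
      // Keep updates without a create in the lookback (ignore_time is null)
      // and updates after the grace period expired.
      | where isnull(ignore_time) or TimeGenerated > ignore_time
      | project-away ignore_time, PolicyId1)
  // Trim the widened lookback back to the events of this run.
  | where TimeGenerated >= ago(query_frequency)
  // Split the actor UPN for the Account entity mapping; an actor without "@"
  // (e.g. an application identity) yields an empty UPNSuffix.
  | extend
      AccountName = tostring(split(ActorName, "@")[0]),
      UPNSuffix = tostring(split(ActorName, "@")[1])
  | project
      TimeGenerated,
      ActorName,
      EventType,
      PolicyName,
      PolicyId,
      AccountName,
      UPNSuffix,
      AdditionalInfo
# NOTE(review): T1480 is Execution Guardrails; tampering with a preventive
# control such as DLP reads more like T1562 (Impair Defenses) - confirm the
# intended mapping.
relevantTechniques:
- T1480
triggerOperator: gt
customDetails:
  PolicyName: PolicyName
  Policy: PolicyId
# Upper bound on the data the query may read; the query itself only scans the
# last query_frequency + create_policy_ignore_time_window.
queryPeriod: 1d
# All results of one run are folded into a single alert, so presumably the
# {{PolicyName}}/{{EventType}} placeholders above reflect only one of them;
# switch to AlertPerResult if every policy change should be its own alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml
severity: Low
status: Available
id: 1b2e6172-85c5-417a-90c3-7cc80cb787f5
requiredDataConnectors:
- connectorId: PowerPlatformAdmin
  dataTypes:
  - PowerPlatformAdminActivity
# NOTE(review): upstream content PRs expect a version bump alongside query
# changes - confirm before publishing.
version: 3.2.0
description: Identifies changes to DLP policy, specifically policies which are updated or removed.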
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1b2e6172-85c5-417a-90c3-7cc80cb787f5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1b2e6172-85c5-417a-90c3-7cc80cb787f5')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A DLP policy {{PolicyName}} was as modfiied or deleted. Event type {{EventType}}",
          "alertDisplayNameFormat": "PowerPlatform - DLP policy {{EventType}} event detected."
        },
        "alertRuleTemplateName": "1b2e6172-85c5-417a-90c3-7cc80cb787f5",
        "customDetails": {
          "Policy": "PolicyId",
          "PolicyName": "PolicyName"
        },
        "description": "Identifies changes to DLP policy, specifically policies which are updated or removed.",
        "displayName": "Power Platform - DLP policy updated or removed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - DLP policy updated or removed.yaml",
        "query": "let create_policy_ignore_time_window = 10m;\nlet query_frequency = 1h;\nlet dlp_policy_events = PowerPlatformAdminActivity\n    | where TimeGenerated >= ago(query_frequency)\n    | where EventOriginalType == \"GovernanceApiPolicyOperation\"\n    | where PropertyCollection has_any (\"DeleteDlpPolicy\", \"UpdateDlpPolicy\", \"CreateDlpPolicy\")\n    | mv-expand PropertyCollection\n    | extend\n        Name = tostring(PropertyCollection.Name),\n        Value = tostring(PropertyCollection.Value)\n    | summarize Properties = make_bag(bag_pack(Name, Value))\n        by\n        TimeGenerated,\n        EventOriginalUid\n    | extend\n        PolicyName = tostring(Properties['powerplatform.analytics.resource.display_name']),\n        EventType = tostring(Properties['powerplatform.analytics.resource.tenant.governance.api_policy.operation_name']),\n        ActorName = tostring(Properties['enduser.principal_name']),\n        PolicyId = tostring(Properties['powerplatform.analytics.resource.id']),\n        AdditionalInfo = Properties['powerplatform.analytics.resource.tenant.governance.api_policy.additional_resources'];\nlet delete_events = dlp_policy_events\n    | where EventType == \"DeleteDlpPolicy\";\nlet update_events = dlp_policy_events\n    | where EventType == \"UpdateDlpPolicy\";\nlet create_events = dlp_policy_events\n    | where EventType == \"CreateDlpPolicy\"\n    | extend ignore_time = TimeGenerated + create_policy_ignore_time_window;\nunion\n    delete_events,\n    (update_events\n    | join kind=leftouter (\n        create_events\n        | project-away TimeGenerated\n        )\n        on PolicyId\n    | where isempty(ignore_time) or TimeGenerated > ignore_time\n    | project-away ignore_time)\n| where TimeGenerated >= ago(query_frequency)\n| extend\n    AccountName = tostring(split(ActorName, \"@\")[0]),\n    UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n    TimeGenerated,\n    ActorName,\n    EventType,\n    PolicyName,\n    
PolicyId,\n    AccountName,\n    UPNSuffix,\n    AdditionalInfo\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1480"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}