Power Platform - Possibly compromised user accesses Power Platform services
| Id | 54d48840-1c64-4399-afee-ad39a069118d |
| Rulename | Power Platform - Possibly compromised user accesses Power Platform services |
| Description | Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center. |
| Severity | High |
| Tactics | InitialAccess LateralMovement |
| Techniques | T1078 T1210 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml |
| Version | 3.0.0 |
| Arm template | 54d48840-1c64-4399-afee-ad39a069118d.json |
let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
let query_frequency = 1h;
SigninLogs
| where ingestion_time() >= ago(query_frequency)
| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
| extend AffectedPlatform = case(
AppId == ppac_appid,
"Power Platform Admin Center",
AppId == power_apps_appid,
"Power Apps",
AppId == power_automate_appid,
"Power Automate",
"Unknown"
)
| extend
Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
AccountName = tostring(split(UserPrincipalName, '@')[0]),
UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
TimeGenerated,
UserId,
UniqueTokenIdentifier,
Identity,
RiskEventTypes,
RiskEventTypes_V2,
UserPrincipalName,
AppId,
AppDisplayName,
AffectedPlatform,
IPAddress,
Severity,
CloudAppId,
AccountName,
UPNSuffix
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
query: |
let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
let query_frequency = 1h;
SigninLogs
| where ingestion_time() >= ago(query_frequency)
| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
| extend AffectedPlatform = case(
AppId == ppac_appid,
"Power Platform Admin Center",
AppId == power_apps_appid,
"Power Apps",
AppId == power_automate_appid,
"Power Automate",
"Unknown"
)
| extend
Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
AccountName = tostring(split(UserPrincipalName, '@')[0]),
UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
TimeGenerated,
UserId,
UniqueTokenIdentifier,
Identity,
RiskEventTypes,
RiskEventTypes_V2,
UserPrincipalName,
AppId,
AppDisplayName,
AffectedPlatform,
IPAddress,
Severity,
CloudAppId,
AccountName,
UPNSuffix
description: Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
kind: Scheduled
name: Power Platform - Possibly compromised user accesses Power Platform services
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
relevantTechniques:
- T1078
- T1210
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IPAddress
entityType: IP
- fieldMappings:
- identifier: Name
columnName: AffectedPlatform
- identifier: AppId
columnName: AppId
entityType: CloudApplication
queryFrequency: 1h
version: 3.0.0
tactics:
- InitialAccess
- LateralMovement
id: 54d48840-1c64-4399-afee-ad39a069118d
eventGroupingSettings:
aggregationKind: SingleAlert
triggerThreshold: 0
alertDetailsOverride:
alertDescriptionFormat: The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}
alertDisplayNameFormat: 'Risky user sign-in activity in {{{AffectedPlatform}} '
alertSeverityColumnName: Severity
status: Available
queryPeriod: 1d
triggerOperator: gt
customDetails:
RiskEventTypes_V2: RiskEventTypes_V2
RiskEventTypes: RiskEventTypes
severity: High
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54d48840-1c64-4399-afee-ad39a069118d')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54d48840-1c64-4399-afee-ad39a069118d')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}",
"alertDisplayNameFormat": "Risky user sign-in activity in {{{AffectedPlatform}} ",
"alertSeverityColumnName": "Severity"
},
"alertRuleTemplateName": "54d48840-1c64-4399-afee-ad39a069118d",
"customDetails": {
"RiskEventTypes": "RiskEventTypes",
"RiskEventTypes_V2": "RiskEventTypes_V2"
},
"description": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.",
"displayName": "Power Platform - Possibly compromised user accesses Power Platform services",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "AffectedPlatform",
"identifier": "Name"
},
{
"columnName": "AppId",
"identifier": "AppId"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml",
"query": "let power_automate_appid = \"6204c1d1-4712-4c46-a7d9-3ed63d992682\";\nlet power_apps_appid = \"a8f7a65c-f5ba-4859-b2d6-df772c264e9d\";\nlet ppac_appid = \"065d9450-1e87-434e-ac2f-69af271549ed\";\nlet query_frequency = 1h;\nSigninLogs\n| where ingestion_time() >= ago(query_frequency)\n| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0\n| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)\n| extend AffectedPlatform = case(\n AppId == ppac_appid,\n \"Power Platform Admin Center\",\n AppId == power_apps_appid,\n \"Power Apps\",\n AppId == power_automate_appid,\n \"Power Automate\",\n \"Unknown\"\n )\n| extend\n Severity = iif(AffectedPlatform in (\"Power Apps\", \"Power Automate\"), \"Medium\", \"High\"),\n CloudAppId = case(AffectedPlatform == \"Power Apps\", int(27593), AffectedPlatform == \"Power Automate\", int(27592), 0),\n AccountName = tostring(split(UserPrincipalName, '@')[0]),\n UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n TimeGenerated,\n UserId,\n UniqueTokenIdentifier,\n Identity,\n RiskEventTypes,\n RiskEventTypes_V2,\n UserPrincipalName,\n AppId,\n AppDisplayName,\n AffectedPlatform,\n IPAddress,\n Severity,\n CloudAppId,\n AccountName,\n UPNSuffix\n",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"severity": "High",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"LateralMovement"
],
"techniques": [
"T1078",
"T1210"
],
"templateVersion": "3.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}