
Power Platform - Possibly compromised user accesses Power Platform services

Id: 54d48840-1c64-4399-afee-ad39a069118d
Rulename: Power Platform - Possibly compromised user accesses Power Platform services
Description: Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
Severity: High
Tactics: InitialAccess
LateralMovement
Techniques: T1078
T1210
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Query frequency: 1h
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
Version: 3.0.0
Arm template: 54d48840-1c64-4399-afee-ad39a069118d.json
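// Power Platform - Possibly compromised user accesses Power Platform services
//
// Raises an alert when a sign-in that Entra Identity Protection tagged with
// risk events targets one of the Power Platform services below. The AppId
// values are the ones observed in SigninLogs for each service; matching on
// AppId rather than AppDisplayName keeps the mapping stable if an app is
// renamed.
let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
// Must stay in step with the rule's scheduled "Query frequency" (1h). The
// lookback keys on ingestion_time() rather than TimeGenerated, presumably so
// that records that arrive late are still picked up by the next run.
let query_frequency = 1h;
SigninLogs
| where ingestion_time() >= ago(query_frequency)
// Keep only sign-ins carrying at least one risk event. Both the legacy
// RiskEventTypes column and RiskEventTypes_V2 are checked so the rule keeps
// working whichever column the tenant populates.
| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
// Restrict to the three Power Platform apps declared above.
| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
// The alert text states the user "successfully signed in", so failed attempts
// must not fire this rule: in SigninLogs ResultType "0" is a successful
// sign-in, anything else is an error code. Without this filter a risky user
// who was blocked at sign-in would still raise an alert with misleading text.
| where ResultType == "0"
// Human-readable platform name for the CloudApplication entity and the alert
// title. The "Unknown" default is unreachable after the AppId filter above and
// is kept only as a defensive fallback.
| extend AffectedPlatform = case(
    AppId == ppac_appid, "Power Platform Admin Center",
    AppId == power_apps_appid, "Power Apps",
    AppId == power_automate_appid, "Power Automate",
    "Unknown"
)
| extend
    // Risky access to the Admin Center is treated as the higher-impact case;
    // this column drives alertSeverityColumnName in the rule definition.
    Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
    // Numeric app ids the rule author associates with Power Apps / Power
    // Automate (0 when neither); their origin is not derivable from this query.
    CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
    // Split the UPN into the parts the Account entity mapping expects
    // (Name + UPNSuffix).
    AccountName = tostring(split(UserPrincipalName, '@')[0]),
    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
    TimeGenerated,
    UserId,
    UniqueTokenIdentifier,
    Identity,
    RiskEventTypes,
    RiskEventTypes_V2,
    UserPrincipalName,
    AppId,
    AppDisplayName,
    AffectedPlatform,
    IPAddress,
    Severity,
    CloudAppId,
    AccountName,
    UPNSuffix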
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AffectedPlatform
    identifier: Name
  - columnName: AppId
    identifier: AppId
  entityType: CloudApplication
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
queryFrequency: 1h
status: Available
customDetails:
  RiskEventTypes: RiskEventTypes
  RiskEventTypes_V2: RiskEventTypes_V2
relevantTechniques:
- T1078
- T1210
triggerOperator: gt
version: 3.0.0
id: 54d48840-1c64-4399-afee-ad39a069118d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDisplayNameFormat: 'Risky user sign-in activity in {{AffectedPlatform}} '
  alertDescriptionFormat: The user {{UserPrincipalName}} has associated sign-in risk events and successfully signed in to {{AffectedPlatform}} from {{IPAddress}}
name: Power Platform - Possibly compromised user accesses Power Platform services
eventGroupingSettings:
  aggregationKind: SingleAlert
description: Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
query: |
  let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
  let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
  let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
  let query_frequency = 1h;
  SigninLogs
  | where ingestion_time() >= ago(query_frequency)
  | where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
  | where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
  | extend AffectedPlatform = case(
                                  AppId == ppac_appid,
                                  "Power Platform Admin Center",
                                  AppId == power_apps_appid,
                                  "Power Apps",
                                  AppId == power_automate_appid,
                                  "Power Automate",
                                  "Unknown"
                              )
  | extend
      Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
      CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
      AccountName = tostring(split(UserPrincipalName, '@')[0]),
      UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
  | project
      TimeGenerated,
      UserId,
      UniqueTokenIdentifier,
      Identity,
      RiskEventTypes,
      RiskEventTypes_V2,
      UserPrincipalName,
      AppId,
      AppDisplayName,
      AffectedPlatform,
      IPAddress,
      Severity,
      CloudAppId,
      AccountName,
      UPNSuffix  
tactics:
- InitialAccess
- LateralMovement
queryPeriod: 1d
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54d48840-1c64-4399-afee-ad39a069118d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54d48840-1c64-4399-afee-ad39a069118d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The user {{UserPrincipalName}} has associated sign-in risk events and successfully signed in to {{AffectedPlatform}} from {{IPAddress}}",
          "alertDisplayNameFormat": "Risky user sign-in activity in {{AffectedPlatform}} ",
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "54d48840-1c64-4399-afee-ad39a069118d",
        "customDetails": {
          "RiskEventTypes": "RiskEventTypes",
          "RiskEventTypes_V2": "RiskEventTypes_V2"
        },
        "description": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.",
        "displayName": "Power Platform - Possibly compromised user accesses Power Platform services",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "AffectedPlatform",
                "identifier": "Name"
              },
              {
                "columnName": "AppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml",
        "query": "let power_automate_appid = \"6204c1d1-4712-4c46-a7d9-3ed63d992682\";\nlet power_apps_appid = \"a8f7a65c-f5ba-4859-b2d6-df772c264e9d\";\nlet ppac_appid = \"065d9450-1e87-434e-ac2f-69af271549ed\";\nlet query_frequency = 1h;\nSigninLogs\n| where ingestion_time() >= ago(query_frequency)\n| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0\n| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)\n| extend AffectedPlatform = case(\n                                AppId == ppac_appid,\n                                \"Power Platform Admin Center\",\n                                AppId == power_apps_appid,\n                                \"Power Apps\",\n                                AppId == power_automate_appid,\n                                \"Power Automate\",\n                                \"Unknown\"\n                            )\n| extend\n    Severity = iif(AffectedPlatform in (\"Power Apps\", \"Power Automate\"), \"Medium\", \"High\"),\n    CloudAppId = case(AffectedPlatform == \"Power Apps\", int(27593), AffectedPlatform == \"Power Automate\", int(27592), 0),\n    AccountName = tostring(split(UserPrincipalName, '@')[0]),\n    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n    TimeGenerated,\n    UserId,\n    UniqueTokenIdentifier,\n    Identity,\n    RiskEventTypes,\n    RiskEventTypes_V2,\n    UserPrincipalName,\n    AppId,\n    AppDisplayName,\n    AffectedPlatform,\n    IPAddress,\n    Severity,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1078",
          "T1210"
        ],
        "templateVersion": "3.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}