Power Platform - Possibly compromised user accesses Power Platform services

Back


Id	54d48840-1c64-4399-afee-ad39a069118d
Rulename	Power Platform - Possibly compromised user accesses Power Platform services
Description	Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
Severity	High
Tactics	InitialAccess LateralMovement
Techniques	T1078 T1210
Required data connectors	AzureActiveDirectory
Kind	Scheduled
Query frequency	1h
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
Version	3.0.0
Arm template	54d48840-1c64-4399-afee-ad39a069118d.json

KQL

let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
let query_frequency = 1h;
SigninLogs
| where ingestion_time() >= ago(query_frequency)
| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
| extend AffectedPlatform = case(
                                AppId == ppac_appid,
                                "Power Platform Admin Center",
                                AppId == power_apps_appid,
                                "Power Apps",
                                AppId == power_automate_appid,
                                "Power Automate",
                                "Unknown"
                            )
| extend
    Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
    CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
    AccountName = tostring(split(UserPrincipalName, '@')[0]),
    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
    TimeGenerated,
    UserId,
    UniqueTokenIdentifier,
    Identity,
    RiskEventTypes,
    RiskEventTypes_V2,
    UserPrincipalName,
    AppId,
    AppDisplayName,
    AffectedPlatform,
    IPAddress,
    Severity,
    CloudAppId,
    AccountName,
    UPNSuffix

YAML

queryPeriod: 1d
query: |
  let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
  let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
  let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
  let query_frequency = 1h;
  SigninLogs
  | where ingestion_time() >= ago(query_frequency)
  | where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
  | where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
  | extend AffectedPlatform = case(
                                  AppId == ppac_appid,
                                  "Power Platform Admin Center",
                                  AppId == power_apps_appid,
                                  "Power Apps",
                                  AppId == power_automate_appid,
                                  "Power Automate",
                                  "Unknown"
                              )
  | extend
      Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
      CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
      AccountName = tostring(split(UserPrincipalName, '@')[0]),
      UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
  | project
      TimeGenerated,
      UserId,
      UniqueTokenIdentifier,
      Identity,
      RiskEventTypes,
      RiskEventTypes_V2,
      UserPrincipalName,
      AppId,
      AppDisplayName,
      AffectedPlatform,
      IPAddress,
      Severity,
      CloudAppId,
      AccountName,
      UPNSuffix  
version: 3.0.0
name: Power Platform - Possibly compromised user accesses Power Platform services
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: IPAddress
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: AffectedPlatform
    identifier: Name
  - columnName: AppId
    identifier: AppId
  entityType: CloudApplication
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'Risky user sign-in activity in {{{AffectedPlatform}} '
  alertDescriptionFormat: The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}
  alertSeverityColumnName: Severity
description: Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
kind: Scheduled
status: Available
severity: High
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
triggerOperator: gt
triggerThreshold: 0
customDetails:
  RiskEventTypes: RiskEventTypes
  RiskEventTypes_V2: RiskEventTypes_V2
tactics:
- InitialAccess
- LateralMovement
id: 54d48840-1c64-4399-afee-ad39a069118d
relevantTechniques:
- T1078
- T1210

ARM