Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Power Platform - Possibly compromised user accesses Power Platform services

Back
Id54d48840-1c64-4399-afee-ad39a069118d
RulenamePower Platform - Possibly compromised user accesses Power Platform services
DescriptionIdentifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
SeverityHigh
TacticsInitialAccess
LateralMovement
TechniquesT1078
T1210
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
Version3.0.0
Arm template54d48840-1c64-4399-afee-ad39a069118d.json
Deploy To Azure
let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
let query_frequency = 1h;
SigninLogs
| where ingestion_time() >= ago(query_frequency)
| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
| extend AffectedPlatform = case(
                                AppId == ppac_appid,
                                "Power Platform Admin Center",
                                AppId == power_apps_appid,
                                "Power Apps",
                                AppId == power_automate_appid,
                                "Power Automate",
                                "Unknown"
                            )
| extend
    Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
    CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
    AccountName = tostring(split(UserPrincipalName, '@')[0]),
    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
    TimeGenerated,
    UserId,
    UniqueTokenIdentifier,
    Identity,
    RiskEventTypes,
    RiskEventTypes_V2,
    UserPrincipalName,
    AppId,
    AppDisplayName,
    AffectedPlatform,
    IPAddress,
    Severity,
    CloudAppId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: AffectedPlatform
  - identifier: AppId
    columnName: AppId
queryFrequency: 1h
name: Power Platform - Possibly compromised user accesses Power Platform services
alertDetailsOverride:
  alertDisplayNameFormat: 'Risky user sign-in activity in {{{AffectedPlatform}} '
  alertDescriptionFormat: The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}
  alertSeverityColumnName: Severity
kind: Scheduled
tactics:
- InitialAccess
- LateralMovement
triggerThreshold: 0
query: |
  let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
  let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
  let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
  let query_frequency = 1h;
  SigninLogs
  | where ingestion_time() >= ago(query_frequency)
  | where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
  | where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
  | extend AffectedPlatform = case(
                                  AppId == ppac_appid,
                                  "Power Platform Admin Center",
                                  AppId == power_apps_appid,
                                  "Power Apps",
                                  AppId == power_automate_appid,
                                  "Power Automate",
                                  "Unknown"
                              )
  | extend
      Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
      CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
      AccountName = tostring(split(UserPrincipalName, '@')[0]),
      UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
  | project
      TimeGenerated,
      UserId,
      UniqueTokenIdentifier,
      Identity,
      RiskEventTypes,
      RiskEventTypes_V2,
      UserPrincipalName,
      AppId,
      AppDisplayName,
      AffectedPlatform,
      IPAddress,
      Severity,
      CloudAppId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T1078
- T1210
triggerOperator: gt
customDetails:
  RiskEventTypes_V2: RiskEventTypes_V2
  RiskEventTypes: RiskEventTypes
queryPeriod: 1d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
severity: High
status: Available
id: 54d48840-1c64-4399-afee-ad39a069118d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
version: 3.0.0
description: Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54d48840-1c64-4399-afee-ad39a069118d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54d48840-1c64-4399-afee-ad39a069118d')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}",
          "alertDisplayNameFormat": "Risky user sign-in activity in {{{AffectedPlatform}} ",
          "alertSeverityColumnName": "Severity"
        },
        "alertRuleTemplateName": "54d48840-1c64-4399-afee-ad39a069118d",
        "customDetails": {
          "RiskEventTypes": "RiskEventTypes",
          "RiskEventTypes_V2": "RiskEventTypes_V2"
        },
        "description": "Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.",
        "displayName": "Power Platform - Possibly compromised user accesses Power Platform services",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "AffectedPlatform",
                "identifier": "Name"
              },
              {
                "columnName": "AppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml",
        "query": "let power_automate_appid = \"6204c1d1-4712-4c46-a7d9-3ed63d992682\";\nlet power_apps_appid = \"a8f7a65c-f5ba-4859-b2d6-df772c264e9d\";\nlet ppac_appid = \"065d9450-1e87-434e-ac2f-69af271549ed\";\nlet query_frequency = 1h;\nSigninLogs\n| where ingestion_time() >= ago(query_frequency)\n| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0\n| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)\n| extend AffectedPlatform = case(\n                                AppId == ppac_appid,\n                                \"Power Platform Admin Center\",\n                                AppId == power_apps_appid,\n                                \"Power Apps\",\n                                AppId == power_automate_appid,\n                                \"Power Automate\",\n                                \"Unknown\"\n                            )\n| extend\n    Severity = iif(AffectedPlatform in (\"Power Apps\", \"Power Automate\"), \"Medium\", \"High\"),\n    CloudAppId = case(AffectedPlatform == \"Power Apps\", int(27593), AffectedPlatform == \"Power Automate\", int(27592), 0),\n    AccountName = tostring(split(UserPrincipalName, '@')[0]),\n    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])\n| project\n    TimeGenerated,\n    UserId,\n    UniqueTokenIdentifier,\n    Identity,\n    RiskEventTypes,\n    RiskEventTypes_V2,\n    UserPrincipalName,\n    AppId,\n    AppDisplayName,\n    AffectedPlatform,\n    IPAddress,\n    Severity,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "LateralMovement"
        ],
        "techniques": [
          "T1078",
          "T1210"
        ],
        "templateVersion": "3.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}