Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Power Platform - Possibly compromised user accesses Power Platform services

Back
Id54d48840-1c64-4399-afee-ad39a069118d
RulenamePower Platform - Possibly compromised user accesses Power Platform services
DescriptionIdentifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
SeverityHigh
TacticsInitialAccess
LateralMovement
TechniquesT1078
T1210
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
Version3.0.0
Arm template54d48840-1c64-4399-afee-ad39a069118d.json
Deploy To Azure
let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
let query_frequency = 1h;
SigninLogs
| where ingestion_time() >= ago(query_frequency)
| where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
| where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
| extend AffectedPlatform = case(
                                AppId == ppac_appid,
                                "Power Platform Admin Center",
                                AppId == power_apps_appid,
                                "Power Apps",
                                AppId == power_automate_appid,
                                "Power Automate",
                                "Unknown"
                            )
| extend
    Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
    CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
    AccountName = tostring(split(UserPrincipalName, '@')[0]),
    UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
| project
    TimeGenerated,
    UserId,
    UniqueTokenIdentifier,
    Identity,
    RiskEventTypes,
    RiskEventTypes_V2,
    UserPrincipalName,
    AppId,
    AppDisplayName,
    AffectedPlatform,
    IPAddress,
    Severity,
    CloudAppId,
    AccountName,
    UPNSuffix
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: AffectedPlatform
  - identifier: AppId
    columnName: AppId
tactics:
- InitialAccess
- LateralMovement
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
alertDetailsOverride:
  alertDisplayNameFormat: 'Risky user sign-in activity in {{{AffectedPlatform}} '
  alertDescriptionFormat: The user {{UserPrincipalName}} has sign-in risk events associated and successfully signed in to {{{AffectedPlatform}} from {{IPAddress}}
  alertSeverityColumnName: Severity
id: 54d48840-1c64-4399-afee-ad39a069118d
severity: High
eventGroupingSettings:
  aggregationKind: SingleAlert
status: Available
customDetails:
  RiskEventTypes: RiskEventTypes
  RiskEventTypes_V2: RiskEventTypes_V2
query: |
  let power_automate_appid = "6204c1d1-4712-4c46-a7d9-3ed63d992682";
  let power_apps_appid = "a8f7a65c-f5ba-4859-b2d6-df772c264e9d";
  let ppac_appid = "065d9450-1e87-434e-ac2f-69af271549ed";
  let query_frequency = 1h;
  SigninLogs
  | where ingestion_time() >= ago(query_frequency)
  | where array_length(todynamic(RiskEventTypes)) != 0 or array_length(todynamic(RiskEventTypes_V2)) != 0
  | where AppId in (power_automate_appid, power_apps_appid, ppac_appid)
  | extend AffectedPlatform = case(
                                  AppId == ppac_appid,
                                  "Power Platform Admin Center",
                                  AppId == power_apps_appid,
                                  "Power Apps",
                                  AppId == power_automate_appid,
                                  "Power Automate",
                                  "Unknown"
                              )
  | extend
      Severity = iif(AffectedPlatform in ("Power Apps", "Power Automate"), "Medium", "High"),
      CloudAppId = case(AffectedPlatform == "Power Apps", int(27593), AffectedPlatform == "Power Automate", int(27592), 0),
      AccountName = tostring(split(UserPrincipalName, '@')[0]),
      UPNSuffix = tostring(split(UserPrincipalName, '@')[1])
  | project
      TimeGenerated,
      UserId,
      UniqueTokenIdentifier,
      Identity,
      RiskEventTypes,
      RiskEventTypes_V2,
      UserPrincipalName,
      AppId,
      AppDisplayName,
      AffectedPlatform,
      IPAddress,
      Severity,
      CloudAppId,
      AccountName,
      UPNSuffix  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Possibly compromised user accesses Power Platform services.yaml
kind: Scheduled
queryPeriod: 1d
version: 3.0.0
name: Power Platform - Possibly compromised user accesses Power Platform services
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1078
- T1210
description: Identifies user accounts flagged at risk in Microsoft Entra Identity Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate and Power Platform Admin Center.
triggerOperator: gt