Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Power Apps - App activity from unauthorized geo

Power Apps - App activity from unauthorized geo

Back
Id7ec1e61d-f3b7-4f40-bb1a-357a63913c23
RulenamePower Apps - App activity from unauthorized geo
DescriptionIdentifies Power Apps activity from countries in a predefined list of unauthorized countries.
SeverityLow
TacticsInitialAccess
TechniquesT1078
Required data connectorsAzureActiveDirectory
PowerPlatformAdmin
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
Version3.2.0
Arm template7ec1e61d-f3b7-4f40-bb1a-357a63913c23.json
Deploy To Azure
let unauthorized_country_codes = dynamic([
    // Specify the disallowed two letter country codes
    // example: disallowed_country_codes = dynamic(["RU", "KP", "IR"])
    ]);
let query_frequency = 1h;
let query_lookback = 14d;
let powerapps_events = dynamic(["LaunchPowerApp", "AppDlpEvaluationResultChange", "UpdatePowerApp", "PublishPowerApp", "RecordScopesConsent", "CreatePowerApp", "PowerAppPermissionEdited", "PowerAppPermissionDeleted", "ImportExistingCanvasApp", "DeletePowerApp", "ImportNewCanvasApp", "PromotePowerAppVersion", "RemoveHeroApp", "DeletePowerAppVersion", "PublishSolutionCanvasAppVersion", "AdminModifyAppPermissions", "AdminModifyAppOwner", "AdminQuarantineApp", "AdminDeleteApp", "AdminSetAppBypassConsent", "PatchPowerApp"]);
PowerPlatformAdminActivity
| where TimeGenerated >= ago(query_frequency)
| where EventOriginalType in (powerapps_events)
| extend Properties = tostring(PropertyCollection)
| extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)
| extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
| extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
| extend
    AppName = extract(@'"powerplatform.analytics.resource.power_app.display_name","Value":"([^"]+)"', 1, Properties),
    EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties),
    EnvironmentName = extract(@'"powerplatform.analytics.resource.environment.name","Value":"([^"]+)"', 1, Properties)
| summarize FirstEvent = min(TimeGenerated) by ActorName, SrcIpAddr, AppName, AppId, EnvironmentId, EnvironmentName
| join kind=inner (
    SigninLogs
    | where TimeGenerated >= ago(query_lookback)
    | where Location in (unauthorized_country_codes)
    | summarize by IPAddress, Location)
    on $left.SrcIpAddr == $right.IPAddress
| extend
    PowerAppsEntityId = 27593,
    DataverseId = 32780,
    AccountName = tostring(split(ActorName, '@')[0]),
    UPNSuffix = tostring(split(ActorName, '@')[1])
| project
    FirstEvent,
    ActorName,
    SrcIpAddr,
    Location,
    AppName,
    AppId,
    EnvironmentId,
    EnvironmentName,
    PowerAppsEntityId,
    AccountName,
    UPNSuffix

description: Identifies Power Apps activity from countries in a predefined list of unauthorized countries.
version: 3.2.0
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Apps - App activity from unauthorized geo.yaml
triggerOperator: gt
status: Available
alertDetailsOverride:
  alertDisplayNameFormat: Power Apps activity from an unauthorized location
  alertDescriptionFormat: 'User {{ActorName}} activity associated with app {{AppName}} from an unauthorized geolocation: {{Location}}'
eventGroupingSettings:
  aggregationKind: SingleAlert
id: 7ec1e61d-f3b7-4f40-bb1a-357a63913c23
name: Power Apps - App activity from unauthorized geo
queryFrequency: 1h
severity: Low
customDetails:
  EnvironmentName: EnvironmentName
  App: AppId
  Environment: EnvironmentId
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: PowerAppsEntityId
    identifier: AppId
  - columnName: AppName
    identifier: Name
  entityType: CloudApplication
relevantTechniques:
- T1078
query: |
  let unauthorized_country_codes = dynamic([
      // Specify the disallowed two letter country codes
      // example: disallowed_country_codes = dynamic(["RU", "KP", "IR"])
      ]);
  let query_frequency = 1h;
  let query_lookback = 14d;
  let powerapps_events = dynamic(["LaunchPowerApp", "AppDlpEvaluationResultChange", "UpdatePowerApp", "PublishPowerApp", "RecordScopesConsent", "CreatePowerApp", "PowerAppPermissionEdited", "PowerAppPermissionDeleted", "ImportExistingCanvasApp", "DeletePowerApp", "ImportNewCanvasApp", "PromotePowerAppVersion", "RemoveHeroApp", "DeletePowerAppVersion", "PublishSolutionCanvasAppVersion", "AdminModifyAppPermissions", "AdminModifyAppOwner", "AdminQuarantineApp", "AdminDeleteApp", "AdminSetAppBypassConsent", "PatchPowerApp"]);
  PowerPlatformAdminActivity
  | where TimeGenerated >= ago(query_frequency)
  | where EventOriginalType in (powerapps_events)
  | extend Properties = tostring(PropertyCollection)
  | extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
  | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string(SrcIpAddr, '::ffff:', ''), SrcIpAddr)
  | extend AppId = extract(@'"powerplatform.analytics.resource.power_app.id","Value":"([^"]+)"', 1, Properties)
  | extend AppId = tolower(replace_string(AppId, '/providers/Microsoft.PowerApps/apps/', ''))
  | extend
      AppName = extract(@'"powerplatform.analytics.resource.power_app.display_name","Value":"([^"]+)"', 1, Properties),
      EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties),
      EnvironmentName = extract(@'"powerplatform.analytics.resource.environment.name","Value":"([^"]+)"', 1, Properties)
  | summarize FirstEvent = min(TimeGenerated) by ActorName, SrcIpAddr, AppName, AppId, EnvironmentId, EnvironmentName
  | join kind=inner (
      SigninLogs
      | where TimeGenerated >= ago(query_lookback)
      | where Location in (unauthorized_country_codes)
      | summarize by IPAddress, Location)
      on $left.SrcIpAddr == $right.IPAddress
  | extend
      PowerAppsEntityId = 27593,
      DataverseId = 32780,
      AccountName = tostring(split(ActorName, '@')[0]),
      UPNSuffix = tostring(split(ActorName, '@')[1])
  | project
      FirstEvent,
      ActorName,
      SrcIpAddr,
      Location,
      AppName,
      AppId,
      EnvironmentId,
      EnvironmentName,
      PowerAppsEntityId,
      AccountName,
      UPNSuffix  
requiredDataConnectors:
- dataTypes:
  - PowerPlatformAdminActivity
  connectorId: PowerPlatformAdmin
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory