Microsoft Sentinel Analytic Rules

Power Platform - Connector added to a sensitive environment

Id: 886a5655-3d12-42f1-8927-4095789c575e
Rule name: Power Platform - Connector added to a sensitive environment
Description: Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.
Severity: Low
Tactics: Execution, Exfiltration
Techniques: T0871, T1567, T1537
Required data connectors: PowerPlatformAdmin
Kind: Scheduled
Query frequency: 1h
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
Version: 3.2.0
Arm template: 886a5655-3d12-42f1-8927-4095789c575e.json
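// Detection: a new API connection (EventOriginalType "PutConnection") was
// created in a Power Platform environment that the operator has listed as
// sensitive. Output columns feed the Account (AccountName/UPNSuffix) and
// IP (SrcIpAddr) entity mappings of the rule.
let sensitive_environment_id = dynamic([
    // Specify the list of sensitive Power Platform environment IDs to monitor here.
    // The list is empty by default: until it is populated, the `in~` filter
    // below matches nothing and the rule produces no alerts.
    // Example: "10e72012-8886-41ec-b973-250286419b38", "183c7056-7ed0-426f-8ae6-69819cf72259"
    ]);
// Look-back window. Kept equal to the rule's queryFrequency (1h) so every
// PutConnection event is evaluated by exactly one run; the previous value
// of 11h re-alerted the same event on up to eleven consecutive runs, since
// suppression is disabled on this rule.
let query_frequency = 1h;
PowerPlatformAdminActivity
| where TimeGenerated >= ago (query_frequency)
| where EventOriginalType == "PutConnection"
// PropertyCollection is flattened to a string so the individual
// key/value pairs can be pulled out with extract() below.
| extend Properties = tostring(PropertyCollection)
| extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
// Drop the IPv4-mapped IPv6 prefix so the IP entity holds a plain IPv4 address.
| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)
| extend
    EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties),
    ConnectionId = extract(@'"powerplatform.analytics.resource.connection.id","Value":"([^"]+)"', 1, Properties)
// Case-insensitive match against the configured environment list.
| where EnvironmentId in~ (sensitive_environment_id)
// Split the actor UPN into name and domain for the Account entity.
// UPNSuffix is empty when ActorName carries no "@".
| extend
    AccountName = tostring(split(ActorName, "@")[0]),
    UPNSuffix = tostring(split(ActorName, "@")[1])
| project
    TimeGenerated,
    EventOriginalType,
    ActorName,
    SrcIpAddr,
    ConnectionId,
    EnvironmentId,
    AccountName,
    UPNSuffix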
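# Scheduled Microsoft Sentinel analytic rule: alerts when a new API
# connection (PutConnection) is created in a Power Platform environment
# that the operator has listed as sensitive in the query's
# sensitive_environment_id list (empty by default, so the rule is silent
# until configured).
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
# The query's look-back (query_frequency) must equal this value; see the
# comment inside the query.
queryFrequency: 1h
name: Power Platform - Connector added to a sensitive environment
alertDetailsOverride:
  alertDisplayNameFormat: New Power Platform connector added in a sensitive environment
  alertDescriptionFormat: '{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.'
kind: Scheduled
tactics:
- Execution
- Exfiltration
triggerThreshold: 0
query: |
  let sensitive_environment_id = dynamic([
      // Specify the list of sensitive Power Platform environment IDs to monitor here.
      // Example: "10e72012-8886-41ec-b973-250286419b38", "183c7056-7ed0-426f-8ae6-69819cf72259"
      ]);
  // Look-back window. Kept equal to queryFrequency (1h) so each PutConnection
  // event is evaluated by exactly one run; the previous value of 11h
  // re-alerted the same event on consecutive runs with suppression disabled.
  let query_frequency = 1h;
  PowerPlatformAdminActivity
  | where TimeGenerated >= ago (query_frequency)
  | where EventOriginalType == "PutConnection"
  | extend Properties = tostring(PropertyCollection)
  | extend SrcIpAddr = extract(@'"enduser.ip_address","Value":"([^"]+)"', 1, Properties)
  // Drop the IPv4-mapped IPv6 prefix so the IP entity holds a plain address.
  | extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)
  | extend
      EnvironmentId = extract(@'"powerplatform.analytics.resource.environment.id","Value":"([^"]+)"', 1, Properties),
      ConnectionId = extract(@'"powerplatform.analytics.resource.connection.id","Value":"([^"]+)"', 1, Properties)
  | where EnvironmentId in~ (sensitive_environment_id)
  | extend
      AccountName = tostring(split(ActorName, "@")[0]),
      UPNSuffix = tostring(split(ActorName, "@")[1])
  | project
      TimeGenerated,
      EventOriginalType,
      ActorName,
      SrcIpAddr,
      ConnectionId,
      EnvironmentId,
      AccountName,
      UPNSuffix
# Note: the ARM template rendered on this page carries only T1537 and T1567
# in its techniques array; T0871 does not appear there.
relevantTechniques:
- T0871
- T1567
- T1537
triggerOperator: gt
customDetails:
  Environment: EnvironmentId
  Connection: ConnectionId
queryPeriod: 7d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml
severity: Low
status: Available
id: 886a5655-3d12-42f1-8927-4095789c575e
requiredDataConnectors:
- connectorId: PowerPlatformAdmin
  dataTypes:
  - PowerPlatformAdminActivity
version: 3.2.0
description: Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.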
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/886a5655-3d12-42f1-8927-4095789c575e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/886a5655-3d12-42f1-8927-4095789c575e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{ActorName}} added a new API connector in environment id {{EnvironmentId}}. This environment has been listed as sensitive.",
          "alertDisplayNameFormat": "New Power Platform connector added in a sensitive environment"
        },
        "alertRuleTemplateName": "886a5655-3d12-42f1-8927-4095789c575e",
        "customDetails": {
          "Connection": "ConnectionId",
          "Environment": "EnvironmentId"
        },
        "description": "Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments.",
        "displayName": "Power Platform - Connector added to a sensitive environment",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Platform - Connector added to a sensitive environment.yaml",
        "query": "let sensitive_environment_id = dynamic([\n    // Specify the list of sensitive power platform environment ID's to monitor here.\n    // Example: \"10e72012-8886-41ec-b973-250286419b38\", \"183c7056-7ed0-426f-8ae6-69819cf72259\"\n    ]);\nlet query_frequency = 11h;\nPowerPlatformAdminActivity\n| where TimeGenerated >= ago (query_frequency)\n| where EventOriginalType == \"PutConnection\"\n| extend Properties = tostring(PropertyCollection)\n| extend SrcIpAddr = extract(@'\"enduser.ip_address\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| extend SrcIpAddr = iif(SrcIpAddr startswith '::ffff:', replace_string('::ffff:', '', SrcIpAddr), SrcIpAddr)\n| extend\n    EnvironmentId = extract(@'\"powerplatform.analytics.resource.environment.id\",\"Value\":\"([^\"]+)\"', 1, Properties),\n    ConnectionId = extract(@'\"powerplatform.analytics.resource.connection.id\",\"Value\":\"([^\"]+)\"', 1, Properties)\n| where EnvironmentId in~ (sensitive_environment_id)\n| extend\n    AccountName = tostring(split(ActorName, \"@\")[0]),\n    UPNSuffix = tostring(split(ActorName, \"@\")[1])\n| project\n    TimeGenerated,\n    EventOriginalType,\n    ActorName,\n    SrcIpAddr,\n    ConnectionId,\n    EnvironmentId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P7D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Exfiltration"
        ],
        "techniques": [
          "T1537",
          "T1567"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}