Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Power Automate - Departing employee flow activity

Back
Idb1e11b8c-545a-4dea-a912-0008e160d183
RulenamePower Automate - Departing employee flow activity
DescriptionIdentifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.
SeverityHigh
TacticsExfiltration
Impact
TechniquesT1567
T1485
T1491
T0813
T0879
T0826
Required data connectorsPowerAutomate
KindScheduled
Query frequency1h
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
Version3.2.0
Arm templateb1e11b8c-545a-4dea-a912-0008e160d183.json
Deploy To Azure
let query_frequency = 1h;
PowerAutomateActivity
| where TimeGenerated >= ago(query_frequency)
| where EventOriginalType in ("CreateFlow", "EditFlow")
| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName
| extend path = parse_url(FlowDetailsUrl).Path
| extend EnvironmentId = tostring(split(path, "/")[2])
| extend FlowId = tostring(split(path, "/")[-2])
| extend
    AccountName = tostring(split(ActorName, "@")[0]),
    UPNSuffix = tostring(split(ActorName, "@")[1]),
    PowerAutomateAppId = 27592,
    CloudAppId = 32780
| project
    TimeGenerated,
    EventOriginalType,
    ActorName,
    EnvironmentId,
    AccountName,
    UPNSuffix,
    PowerAutomateAppId,
    CloudAppId,
    FlowId
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: PowerAutomateAppId
queryFrequency: 1h
name: Power Automate - Departing employee flow activity
alertDetailsOverride:
  alertDisplayNameFormat: PowerAutomate - Terminated user {{EventOriginalType}} detected
  alertDescriptionFormat: '{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.'
kind: Scheduled
tactics:
- Exfiltration
- Impact
triggerThreshold: 0
query: |
  let query_frequency = 1h;
  PowerAutomateActivity
  | where TimeGenerated >= ago(query_frequency)
  | where EventOriginalType in ("CreateFlow", "EditFlow")
  | join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName
  | extend path = parse_url(FlowDetailsUrl).Path
  | extend EnvironmentId = tostring(split(path, "/")[2])
  | extend FlowId = tostring(split(path, "/")[-2])
  | extend
      AccountName = tostring(split(ActorName, "@")[0]),
      UPNSuffix = tostring(split(ActorName, "@")[1]),
      PowerAutomateAppId = 27592,
      CloudAppId = 32780
  | project
      TimeGenerated,
      EventOriginalType,
      ActorName,
      EnvironmentId,
      AccountName,
      UPNSuffix,
      PowerAutomateAppId,
      CloudAppId,
      FlowId  
relevantTechniques:
- T1567
- T1485
- T1491
- T0813
- T0879
- T0826
triggerOperator: gt
customDetails:
  Environment: EnvironmentId
  FlowDetails: FlowId
queryPeriod: 7d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml
severity: High
status: Available
id: b1e11b8c-545a-4dea-a912-0008e160d183
requiredDataConnectors:
- connectorId: PowerAutomate
  dataTypes:
  - PowerAutomateActivity
version: 3.2.0
description: Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b1e11b8c-545a-4dea-a912-0008e160d183')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b1e11b8c-545a-4dea-a912-0008e160d183')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{ActorName}} is on the terminated employees watchlist and carried out {{EventOriginalType}} in environment id {{EnvironmentId}}.",
          "alertDisplayNameFormat": "PowerAutomate - Terminated user {{EventOriginalType}} detected"
        },
        "alertRuleTemplateName": "b1e11b8c-545a-4dea-a912-0008e160d183",
        "customDetails": {
          "Environment": "EnvironmentId",
          "FlowDetails": "FlowId"
        },
        "description": "Identifies instances where an employee who has been notified or is already terminated, on the TerminatedEmployees watchlist, creates or modifies a Power Automate flow.",
        "displayName": "Power Automate - Departing employee flow activity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "PowerAutomateAppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Power Automate - Departing employee flow activity.yaml",
        "query": "let query_frequency = 1h;\nPowerAutomateActivity\n| where TimeGenerated >= ago(query_frequency)\n| where EventOriginalType in (\"CreateFlow\", \"EditFlow\")\n| join kind=inner (MSBizAppsTerminatedEmployees()) on $left.ActorName == $right.UserPrincipalName\n| extend path = parse_url(FlowDetailsUrl).Path\n| extend EnvironmentId = tostring(split(path, \"/\")[2])\n| extend FlowId = tostring(split(path, \"/\")[-2])\n| extend\n    AccountName = tostring(split(ActorName, \"@\")[0]),\n    UPNSuffix = tostring(split(ActorName, \"@\")[1]),\n    PowerAutomateAppId = 27592,\n    CloudAppId = 32780\n| project\n    TimeGenerated,\n    EventOriginalType,\n    ActorName,\n    EnvironmentId,\n    AccountName,\n    UPNSuffix,\n    PowerAutomateAppId,\n    CloudAppId,\n    FlowId\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P7D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Exfiltration",
          "Impact"
        ],
        "techniques": [
          "T1485",
          "T1491",
          "T1567"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}