Commit 36f53cf

Removed data destruction rule - UUF
1 parent d539be9 commit 36f53cf

1 file changed

+1
-2
lines changed

articles/sentinel/business-applications/power-platform-solution-security-content.md

Lines changed: 1 addition & 2 deletions
@@ -4,7 +4,7 @@ description: Learn about the built-in security content provided by the Microsoft
44
author: batamig
55
ms.author: bagol
66
ms.topic: conceptual
7-
ms.date: 11/14/2024
7+
ms.date: 7/7/2025
88

99

1010
#Customer intent: As a security analyst, I want to understand Microsoft Sentinel's built-in analytics rules and parsers for Microsoft Power Platform and Microsoft Dynamics 365 Customer Engagement so that I can detect and respond to potential security threats effectively.
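Review bot: the new `ms.date` value on line 7, `7/7/2025`, is written without leading zeros, and the value it replaces (`11/14/2024`) cannot show which form this file expects. If the metadata convention for these articles is MM/DD/YYYY, write it as `07/07/2025` so the field stays consistent across articles.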
@@ -64,7 +64,6 @@ The following analytic rules are included when you install the solution for Powe
6464
|---------|---------|---------|---------|
6565
|Power Apps - App activity from unauthorized geo|Identifies Power Apps activity from geographic regions in a predefined list of unauthorized geographic regions. <br><br> This detection gets the list of ISO 3166-1 alpha-2 country codes from [ISO Online Browsing Platform (OBP)](https://www.iso.org/obp/ui).<br><br>This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector.|Run an activity in a Power App from a geographic region that's on the unauthorized country code list.<br><br>**Data sources**: <br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Microsoft Entra ID<br>`SigninLogs`<br>|Initial access|
6666
|Power Apps - Multiple apps deleted|Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments.|Delete many Power Apps from the Power Platform admin center. <br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`|Impact|
67-
|Power Apps - Data destruction following publishing of a new app|Identifies a chain of events when a new app is created or published and is followed within 1 hour by a mass update or delete event in Dataverse. |Delete many records in Power Apps within 1 hour of the Power App being created or published.<br><br>If the app publisher is on the list of users in the **TerminatedEmployees** watchlist template, the incident severity is raised.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Microsoft Dataverse<br>`DataverseActivity`|Impact|
6867
|Power Apps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL selection events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>This detection gets the distinct number of users who launch or select the malicious link by creating a query.|Multiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
6968
|Power Apps - Bulk sharing of Power Apps to newly created guest users|Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query.|Share an app with multiple external users.<br><br>**Data sources:**<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`- Microsoft Entra ID<br>`AuditLogs`|Resource Development,<br>Initial Access,<br>Lateral Movement|
7069
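Review bot: the row deleted at old line 67 is the only one among the visible rows that lists `DataverseActivity` as a data source and the only one that mentions the **TerminatedEmployees** watchlist template, so check the rest of the article for prerequisites or data-source notes that existed only for this rule and remove or reword them in the same change. The commit message ("Removed data destruction rule - UUF") does not say whether the rule was dropped from the solution or only from the documentation; state that, since analysts who still have the rule deployed will look here for its description. While editing this table, the unchanged bulk-sharing row (old line 69, new line 68) runs `PowerPlatformAdminActivity` directly into "- Microsoft Entra ID" without the `<br>` the other rows use, which will render the two data sources on one line.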
