Commit d4cd7f8

Learn Editor: Update power-platform-solution-security-content.md
1 parent 4297245 commit d4cd7f8

File tree

1 file changed

+8
-14
lines changed

articles/sentinel/business-applications/power-platform-solution-security-content.md

Lines changed: 8 additions & 14 deletions
@@ -15,12 +15,6 @@ ms.date: 11/14/2024
1515

1616
This article details the security content available for the Microsoft Sentinel solution for Power Platform. For more information about this solution, see [Microsoft Sentinel solution for Microsoft Power Platform and Microsoft Dynamics 365 Customer Engagement overview](power-platform-solution-overview.md).
1717

18-
> [!IMPORTANT]
19-
>
20-
> - The Microsoft Sentinel solution for Power Platform is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
21-
> - The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
22-
> - Provide feedback for this solution by completing this survey: [https://aka.ms/SentinelPowerPlatformSolutionSurvey](https://aka.ms/SentinelPowerPlatformSolutionSurvey).
23-
2418
## Built-in analytics rules
2519

2620
The following analytic rules are included when you install the solution for Power Platform. The data sources listed include the data connector name and table in Log Analytics.
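Review bot: dropping the whole IMPORTANT block removes the article's only pointer to the feedback survey (`https://aka.ms/SentinelPowerPlatformSolutionSurvey`) and its only statement about pricing, not just the preview disclaimer; if the solution is leaving preview, confirm that pricing and feedback guidance is covered elsewhere (for example in the linked overview) or keep those two bullets. The hunk header also shows `ms.date: 11/14/2024` left untouched while the preview wording is removed; bump it so the GA-state text carries the matching review date.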
@@ -68,25 +62,25 @@ The following analytic rules are included when you install the solution for Powe
6862

6963
|Rule name|Description|Source action|Tactics|
7064
|---------|---------|---------|---------|
71-
|Power Apps - App activity from unauthorized geo|Identifies Power Apps activity from geographic regions in a predefined list of unauthorized geographic regions. <br><br> This detection gets the list of ISO 3166-1 alpha-2 country codes from [ISO Online Browsing Platform (OBP)](https://www.iso.org/obp/ui).<br><br>This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector.|Run an activity in a Power App from a geographic region that's on the unauthorized country code list.<br><br>**Data sources**: <br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>- Microsoft Entra ID<br>`SigninLogs`<br>|Initial access|
72-
|Power Apps - Multiple apps deleted|Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments.|Delete many Power Apps from the Power Platform admin center. <br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`|Impact|
73-
|Power Apps - Data destruction following publishing of a new app|Identifies a chain of events when a new app is created or published and is followed within 1 hour by a mass update or delete event in Dataverse. |Delete many records in Power Apps within 1 hour of the Power App being created or published.<br><br>If the app publisher is on the list of users in the **TerminatedEmployees** watchlist template, the incident severity is raised.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>- Microsoft Dataverse (Preview)<br>`DataverseActivity`|Impact|
74-
|Power Apps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL selection events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>This detection gets the distinct number of users who launch or select the malicious link by creating a query.|Multiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
75-
|Power Apps - Bulk sharing of Power Apps to newly created guest users|Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query.|Share an app with multiple external users.<br><br>**Data sources:**<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`- Microsoft Entra ID<br>`AuditLogs`|Resource Development,<br>Initial Access,<br>Lateral Movement|
65+
|Power Apps - App activity from unauthorized geo|Identifies Power Apps activity from geographic regions in a predefined list of unauthorized geographic regions. <br><br> This detection gets the list of ISO 3166-1 alpha-2 country codes from [ISO Online Browsing Platform (OBP)](https://www.iso.org/obp/ui).<br><br>This detection uses logs ingested from Microsoft Entra ID and requires that you also enable the Microsoft Entra ID data connector.|Run an activity in a Power App from a geographic region that's on the unauthorized country code list.<br><br>**Data sources**: <br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Microsoft Entra ID<br>`SigninLogs`<br>|Initial access|
66+
|Power Apps - Multiple apps deleted|Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments.|Delete many Power Apps from the Power Platform admin center. <br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`|Impact|
67+
|Power Apps - Data destruction following publishing of a new app|Identifies a chain of events when a new app is created or published and is followed within 1 hour by a mass update or delete event in Dataverse. |Delete many records in Power Apps within 1 hour of the Power App being created or published.<br><br>If the app publisher is on the list of users in the **TerminatedEmployees** watchlist template, the incident severity is raised.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Microsoft Dataverse<br>`DataverseActivity`|Impact|
68+
|Power Apps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL selection events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>This detection gets the distinct number of users who launch or select the malicious link by creating a query.|Multiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
69+
|Power Apps - Bulk sharing of Power Apps to newly created guest users|Identifies unusual bulk sharing of Power Apps to newly created Microsoft Entra guest users. Unusual bulk sharing is based on a predefined threshold in the query.|Share an app with multiple external users.<br><br>**Data sources:**<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`- Microsoft Entra ID<br>`AuditLogs`|Resource Development,<br>Initial Access,<br>Lateral Movement|
7670

7771
### Power Automate rules
7872

7973
|Rule name|Description|Source action|Tactics|
8074
|---------|---------|---------|---------|
81-
|Power Automate - Departing employee flow activity|Identifies instances where an employee who has been notified or is already terminated, and is on the **Terminated Employees** watchlist, creates or modifies a Power Automate flow.|User defined in the **TerminatedEmployees** watchlist creates or updates a Power Automate flow.<br><br>**Data sources**:<br>Microsoft Power Automate (Preview)<br>`PowerAutomateActivity`<br>**TerminatedEmployees** watchlist|Exfiltration, impact|
75+
|Power Automate - Departing employee flow activity|Identifies instances where an employee who has been notified or is already terminated, and is on the **Terminated Employees** watchlist, creates or modifies a Power Automate flow.|User defined in the **TerminatedEmployees** watchlist creates or updates a Power Automate flow.<br><br>**Data sources**:<br>Microsoft Power Automate<br>`PowerAutomateActivity`<br>**TerminatedEmployees** watchlist|Exfiltration, impact|
8276
|Power Automate - Unusual bulk deletion of flow resources|Identifies bulk deletion of Power Automate flows that exceed a predefined threshold defined in the query, and deviate from activity patterns observed in the last 14 days.|Bulk deletion of Power Automate flows.<br><br>**Data sources:**<br>- PowerAutomate<br>`PowerAutomateActivity`<br>|Impact, <br>Defense Evasion|
8377

8478
### Power Platform rules
8579

8680
|Rule name|Description|Source action|Tactics|
8781
|---------|---------|---------|---------|
88-
|Power Platform - Connector added to a sensitive environment|Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments.|Add a new Power Platform connector in a sensitive Power Platform environment.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`<br>|Execution, Exfiltration|
89-
|Power Platform - DLP policy updated or removed|Identifies changes to the data loss prevention policy, specifically policies that are updated or removed.|Update or remove a Power Platform data loss prevention policy in Power Platform environment.<br><br>**Data sources**:<br>Microsoft Power Platform Admin Activity (Preview)<br>`PowerPlatformAdminActivity`|Defense Evasion|
82+
|Power Platform - Connector added to a sensitive environment|Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments.|Add a new Power Platform connector in a sensitive Power Platform environment.<br><br>**Data sources**:<br>- Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`<br>|Execution, Exfiltration|
83+
|Power Platform - DLP policy updated or removed|Identifies changes to the data loss prevention policy, specifically policies that are updated or removed.|Update or remove a Power Platform data loss prevention policy in Power Platform environment.<br><br>**Data sources**:<br>Microsoft Power Platform Admin Activity<br>`PowerPlatformAdminActivity`|Defense Evasion|
9084
|Power Platform - Possibly compromised user accesses Power Platform services|Identifies user accounts flagged at risk in Microsoft Entra ID Protection and correlates these users with sign-in activity in Power Platform, including Power Apps, Power Automate, and Power Platform Admin Center.|User with risk signals accesses Power Platform portals.<br><br>**Data sources:**<br>- Microsoft Entra ID<br>`SigninLogs`|Initial Access, Lateral Movement|
9185
|Power Platform - Account added to privileged Microsoft Entra roles|Identifies changes to the following privileged directory roles that affect Power Platform:<br>- Dynamics 365 Admins- Power Platform Admins- Fabric Admins|**Data sources**:<br>AzureActiveDirectory<br>`AuditLogs`|PrivilegeEscalation|
9286

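Review bot: the rewritten "Bulk sharing of Power Apps to newly created guest users" row still renders `` `PowerPlatformAdminActivity`- Microsoft Entra ID `` with no `<br>` between the table name and the next data-source bullet, so the list collapses onto one line; since the row is already being edited, insert the `<br>` here. While touching these rows, the "(Preview)" suffix is removed only from "Microsoft Power Platform Admin Activity", "Microsoft Dataverse" and "Microsoft Power Automate", leaving a few inconsistencies in the same tables: the "Multiple users accessing a malicious link" Description still says "Microsoft 365 Defender data connector" while its Data sources say "Microsoft Defender XDR"; the untouched "Unusual bulk deletion of flow resources" row lists the connector as bare "PowerAutomate"; and the "Account added to privileged Microsoft Entra roles" row uses "AzureActiveDirectory" instead of "Microsoft Entra ID", runs its role list together as "Dynamics 365 Admins- Power Platform Admins- Fabric Admins" without `<br>` separators, has no Source action text (the cell holds only the data sources), and spells the tactic "PrivilegeEscalation" without a space.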