Commit e191ecb

authored
fixed typo
1 parent 959bf85 commit e191ecb

1 file changed: +1 -1 lines changed

articles/sentinel/business-applications/power-platform-solution-security-content.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ The following analytic rules are included when you install the solution for Powe
2525
|PowerApps - App activity from unauthorized geo|Identifies Power Apps activity from countries in a predefined list of unauthorized countries. <br><br> Get the list of ISO 3166-1 alpha-2 country codes from [ISO Online Browsing Platform (OBP)](https://www.iso.org/obp/ui).<br><br>This detection uses logs ingested from Microsoft Entra ID. So, we recommend that you enable the Microsoft Entra ID data connector. |Run an activity in Power App from a country that's on the unauthorized country code list.<br><br>**Data sources**: <br>- Power Platform Inventory (using Azure Functions) <br>`InventoryApps`<br>`InventoryEnvironments`<br>- Microsoft Power Apps (Preview)<br>`PowerAppsActivity`<br>- Microsoft Entra ID<br>`SigninLogs`<br>|Initial access|
2626
|PowerApps - Multiple apps deleted|Identifies mass delete activity where multiple Power Apps are deleted, matching a predefined threshold of total apps deleted or app deleted events across multiple Power Platform environments.|Delete many Power Apps from the Power Platform admin center. <br><br>**Data sources**:<br>- Power Platform Inventory (using Azure Functions)<br>`InventoryApps`<br>`InventoryEnvironments`<br>- Microsoft Power Apps (Preview)<br>`PowerAppsActivity`|Impact|
2727
|PowerApps - Data destruction following publishing of a new app|Identifies a chain of events when a new app is created or published and is followed within 1 hour by mass update or delete events in Dataverse. If the app publisher is on the list of users in the **TerminatedEmployees** watchlist template, the incident severity is raised.|Delete a number of records in Power Apps within 1 hour of the Power App being created or published.<br><br>**Data sources**:<br>- Power Platform Inventory (using Azure Functions)<br>`InventoryApps`<br>`InventoryEnvironments`<br>- Microsoft Power Apps (Preview)<br>`PowerAppsActivity`<br>- Microsoft Dataverse (Preview)<br>`DataverseActivity`|Impact|
28-
|PowerApps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL click events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>Get the distinct number of users who launch or click the malicious link by creating a query.|Mutiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Power Platform Inventory (using Azure Functions)<br>`InventoryApps`<br>`InventoryEnvironments`<br>- Microsoft Power Apps (Preview)<br>`PowerAppsActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
28+
|PowerApps - Multiple users accessing a malicious link after launching new app|Identifies a chain of events when a new Power App is created and is followed by these events:<br>- Multiple users launch the app within the detection window.<br>- Multiple users open the same malicious URL.<br><br>This detection cross correlates Power Apps execution logs with malicious URL click events from either of the following sources:<br>- The Microsoft 365 Defender data connector or <br>- Malicious URL indicators of compromise (IOC) in Microsoft Sentinel Threat Intelligence with the Advanced Security Information Model (ASIM) web session normalization parser.<br><br>Get the distinct number of users who launch or click the malicious link by creating a query.|Multiple users launch a new PowerApp and open a known malicious URL from the app.<br><br>**Data sources**:<br>- Power Platform Inventory (using Azure Functions)<br>`InventoryApps`<br>`InventoryEnvironments`<br>- Microsoft Power Apps (Preview)<br>`PowerAppsActivity`<br>- Threat Intelligence <br>`ThreatIntelligenceIndicator`<br>- Microsoft Defender XDR<br>`UrlClickEvents`<br>|Initial access|
2929
|PowerAutomate - Departing employee flow activity|Identifies instances where an employee who has been notified or is already terminated, and is on the **Terminated Employees** watchlist, creates or modifies a Power Automate flow.|User defined in the **Terminated Employees** watchlist creates or updates a Power Automate flow.<br><br>**Data sources**:<br>Microsoft Power Automate (Preview)<br>`PowerAutomateActivity`<br>- Power Platform Inventory (using Azure Functions)<br>`InventoryFlows`<br>`InventoryEnvironments`<br>Terminated employees watchlist|Exfiltration, impact|
3030
|PowerPlatform - Connector added to a sensitive environment|Identifies the creation of new API connectors within Power Platform, specifically targeting a predefined list of sensitive environments.|Add a new Power Platform connector in a sensitive Power Platform environment.<br><br>**Data sources**:<br>- Microsoft Power Platform Connectors (Preview)<br>`PowerPlatformConnectorActivity`<br>- Power Platform Inventory (using Azure Functions)<br>`InventoryApps`<br>`InventoryEnvironments`<br>`InventoryAppsConnections`<br>|Execution, Exfiltration|
3131
|PowerPlatform - DLP policy updated or removed|Identifies changes to the data loss prevention policy, specifically policies that are updated or removed.|Update or remove a Power Platform data loss prevention policy in Power Platform environment.<br><br>**Data sources**:<br>Microsoft Power Platform DLP (Preview)<br>`PowerPlatformDlpActivity`|Defense Evasion|
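Review bot: the "Multiple users accessing a malicious link" row that this hunk touches still names the click-event source as "The Microsoft 365 Defender data connector" in its description while its **Data sources** column lists "Microsoft Defender XDR" with `UrlClickEvents`; since the row is being edited anyway, aligning the two names (and "PowerApp" versus the "Power App" used elsewhere in the same row) would avoid readers looking for two different connectors. In the unchanged context, the watchlist is written **TerminatedEmployees** in the "Data destruction following publishing of a new app" row and **Terminated Employees** / "Terminated employees watchlist" in the "Departing employee flow activity" row, and that latter row's **Data sources** column mixes bulleted and unbulleted entries (`Microsoft Power Automate (Preview)` and the watchlist have no `- ` prefix while Power Platform Inventory does); a follow-up fix to match the other rows' formatting would be worthwhile.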
