Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users. Note: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Microsoft Business Applications |
| ID | 39efbf4b-b347-4cc7-895e-99a868bf29ea |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | DefenseEvasion, Exfiltration |
| Techniques | T1629, T1567 |
| Required Connectors | PowerPlatformAdmin, AzureActiveDirectory, AzureActiveDirectoryIdentityProtection |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AuditLogs | OperationName == "Update user" | ✓ | ✗ | ? |
| PowerPlatformAdminActivity | | ✓ | ✗ | ? |
| SecurityAlert | | ✓ | ✗ | ? |