Sentinel Solution for Microsoft Business Applications

Solution: Microsoft Business Applications



Publisher: Microsoft Corporation
Support Tier: Microsoft
Support Link: https://support.microsoft.com
Categories: domains
Version: 3.2.2
Author: Microsoft
First Published: 2023-04-19
Last Updated: 2026-02-25
Solution Folder: Microsoft Business Applications
Marketplace: Azure Marketplace · Popularity: 🟢 High (85%)

Microsoft Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of the traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.

The Microsoft Sentinel solution for Microsoft Power Platform allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.

It collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data, and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flow activity by departing employees, Microsoft Power Platform connectors added to an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.

Due to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.

Contents

Data Connectors

This solution provides 4 data connectors:

Tables Used

This solution uses 13 tables:

Table | Used By Connectors | Used By Content
AuditLogs | - | Analytics, Hunting
DataverseActivity | Microsoft Dataverse | Analytics, Hunting, Workbooks
DeviceEvents | - | Analytics, Hunting
DeviceFileEvents | - | Analytics
DeviceInfo | - | Analytics, Hunting
EmailEvents | - | Analytics
FinanceOperationsActivity_CL | Dynamics 365 Finance and Operations | Analytics
OfficeActivity | - | Analytics
PowerAutomateActivity | Microsoft Power Automate | Analytics
PowerPlatformAdminActivity | Microsoft Power Platform Admin Activity | Analytics, Hunting
SigninLogs | - | Analytics, Hunting
ThreatIntelligenceIndicator | - | Analytics
UrlClickEvents | - | Analytics

Internal Tables

The following 2 tables are used internally by this solution's content items:

Table | Used By Connectors | Used By Content
IdentityInfo | - | Hunting
SecurityAlert | - | Analytics, Hunting

Content Items

This solution includes 72 content items:

Content Type | Count
Analytic Rules | 49
Hunting Queries | 8
Playbooks | 8
Parsers | 5
Workbooks | 1
Watchlists | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Dataverse - Anomalous application user activity | Medium | CredentialAccess, Execution, Persistence | DataverseActivity
Dataverse - Audit log data deletion | Low | DefenseEvasion | DataverseActivity
Dataverse - Audit logging disabled | Low | DefenseEvasion | DataverseActivity
Dataverse - Bulk record ownership re-assignment or sharing | Medium | PrivilegeEscalation | DataverseActivity
Dataverse - Executable uploaded to SharePoint document management site | Low | Execution, Persistence | OfficeActivity
Dataverse - Export activity from terminated or notified employee | Medium | Exfiltration | DataverseActivity
Dataverse - Guest user exfiltration following Power Platform defense impairment | High | DefenseEvasion, Exfiltration | AuditLogs, PowerPlatformAdminActivity (internal use: SecurityAlert)
Dataverse - Hierarchy security manipulation | Medium | PrivilegeEscalation | DataverseActivity
Dataverse - Honeypot instance activity | Medium | Discovery, Exfiltration | DataverseActivity
Dataverse - Login by a sensitive privileged user | High | InitialAccess, CredentialAccess, PrivilegeEscalation | DataverseActivity
Dataverse - Login from IP in the block list | High | InitialAccess | DataverseActivity
Dataverse - Login from IP not in the allow list | High | InitialAccess | DataverseActivity
Dataverse - Malware found in SharePoint document management site | Medium | Execution | DataverseActivity, OfficeActivity
Dataverse - Mass deletion of records | Medium | Impact | DataverseActivity
Dataverse - Mass download from SharePoint document management | Low | Exfiltration | OfficeActivity
Dataverse - Mass export of records to Excel | Low | Exfiltration | DataverseActivity
Dataverse - Mass record updates | Medium | Impact | DataverseActivity
Dataverse - New Dataverse application user activity type | Medium | CredentialAccess, Execution, PrivilegeEscalation | DataverseActivity
Dataverse - New non-interactive identity granted access | Informational | Persistence, LateralMovement, PrivilegeEscalation | AuditLogs, DataverseActivity
Dataverse - New sign-in from an unauthorized domain | Medium | InitialAccess | DataverseActivity
Dataverse - New user agent type that was not used before | Low | InitialAccess, DefenseEvasion | DataverseActivity
Dataverse - New user agent type that was not used with Office 365 | Low | InitialAccess | DataverseActivity, OfficeActivity
Dataverse - Organization settings modified | Informational | Persistence | DataverseActivity
Dataverse - Removal of blocked file extensions | Medium | DefenseEvasion | DataverseActivity
Dataverse - SharePoint document management site added or updated | Informational | Exfiltration | DataverseActivity
Dataverse - Suspicious security role modifications | Medium | PrivilegeEscalation | DataverseActivity
Dataverse - Suspicious use of TDS endpoint | Low | Exfiltration, InitialAccess | DataverseActivity (internal use: SecurityAlert)
Dataverse - Suspicious use of Web API | Medium | Execution, Exfiltration, Reconnaissance, Discovery | DataverseActivity, SigninLogs
Dataverse - TI map IP to DataverseActivity | Medium | InitialAccess, LateralMovement, Discovery | DataverseActivity, ThreatIntelligenceIndicator
Dataverse - TI map URL to DataverseActivity | Medium | InitialAccess, Execution, Persistence | DataverseActivity, ThreatIntelligenceIndicator
Dataverse - Terminated employee exfiltration over email | High | Exfiltration | EmailEvents (internal use: SecurityAlert)
Dataverse - Terminated employee exfiltration to USB drive | High | Exfiltration | DataverseActivity, DeviceEvents, DeviceFileEvents, DeviceInfo
Dataverse - Unusual sign-in following disabled IP address-based cookie binding protection | Medium | DefenseEvasion | DataverseActivity
Dataverse - User bulk retrieval outside normal activity | Low | Exfiltration | DataverseActivity
F&O - Bank account change following network alias reassignment | Low | CredentialAccess, LateralMovement, PrivilegeEscalation | FinanceOperationsActivity_CL
F&O - Mass update or deletion of user records | Medium | Impact | FinanceOperationsActivity_CL
F&O - Non-interactive account mapped to self or sensitive privileged user | Medium | CredentialAccess, Persistence, PrivilegeEscalation | FinanceOperationsActivity_CL
F&O - Reverted bank account number modifications | Low | Impact | FinanceOperationsActivity_CL
F&O - Unusual sign-in activity using single factor authentication | Low | CredentialAccess, InitialAccess | SigninLogs
Power Apps - App activity from unauthorized geo | Low | InitialAccess | PowerPlatformAdminActivity, SigninLogs
Power Apps - Bulk sharing of Power Apps to newly created guest users | Medium | ResourceDevelopment, InitialAccess, LateralMovement | AuditLogs, PowerPlatformAdminActivity
Power Apps - Multiple apps deleted | Medium | Impact | PowerPlatformAdminActivity
Power Apps - Multiple users access a malicious link after launching new app | High | InitialAccess | PowerPlatformAdminActivity, ThreatIntelligenceIndicator, UrlClickEvents (internal use: SecurityAlert)
Power Automate - Departing employee flow activity | High | Exfiltration, Impact | PowerAutomateActivity
Power Automate - Unusual bulk deletion of flow resources | Medium | Impact, DefenseEvasion | PowerAutomateActivity
Power Platform - Account added to privileged Microsoft Entra roles | Low | PrivilegeEscalation | AuditLogs
Power Platform - Connector added to a sensitive environment | Low | Execution, Exfiltration | PowerPlatformAdminActivity
Power Platform - DLP policy updated or removed | Low | DefenseEvasion | PowerPlatformAdminActivity
Power Platform - Possibly compromised user accesses Power Platform services | High | InitialAccess, LateralMovement | SigninLogs

Hunting Queries

Name | Tactics | Tables Used
Dataverse - Activity after Microsoft Entra alerts | InitialAccess | DataverseActivity (internal use: SecurityAlert)
Dataverse - Activity after failed logons | InitialAccess | DataverseActivity, SigninLogs
Dataverse - Cross-environment data export activity | Exfiltration, Collection | DataverseActivity
Dataverse - Dataverse export copied to USB devices | Exfiltration | DataverseActivity, DeviceEvents, DeviceInfo
Dataverse - Generic client app used to access production environments | Execution | DataverseActivity, SigninLogs
Dataverse - Identity management activity outside of privileged directory role membership | PrivilegeEscalation | DataverseActivity (internal use: IdentityInfo)
Dataverse - Identity management changes without MFA | InitialAccess | DataverseActivity, SigninLogs
Power Apps - Anomalous bulk sharing of Power App to newly created guest users | InitialAccess, LateralMovement, ResourceDevelopment | AuditLogs, PowerPlatformAdminActivity

Workbooks

Name | Tables Used
Dynamics365Activity | DataverseActivity

Playbooks

Name | Description | Tables Used
Dataverse: Add SharePoint sites to watchlist | This playbook is used to add new or updated SharePoint document management sites into the configurat... | -
Dataverse: Add user to blocklist (alert trigger) | This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the ana... | -
Dataverse: Add user to blocklist (incident trigger) | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically a... | -
Dataverse: Add user to blocklist using Outlook approval workflow | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically a... | -
Dataverse: Add user to blocklist using Teams approval workflow | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically a... | -
Dataverse: Remove user from blocklist | This playbook can be triggered on-demand when a Microsoft Sentinel alert is raised, allowing the ana... | -
Dataverse: Send notification to manager | This playbook can be triggered when a Microsoft Sentinel incident is raised and will automatically s... | -
Security workflow: alert verification with workload owners | This playbook can reduce burden on the SOC by offloading alert verification to IT admins for specifi... | -

Parsers

Name | Description | Tables Used
DataverseSharePointSites | DataverseSharePointSites | -
MSBizAppsNetworkAddresses | MSBizAppsNetworkAddresses | -
MSBizAppsOrgSettings | MSBizAppsOrgSettings | -
MSBizAppsTerminatedEmployees | MSBizAppsTerminatedEmployees | -
MSBizAppsVIPUsers | MSBizAppsVIPUsers | -

Watchlists

Name | Description | Tables Used
MSBizApps-Configuration | - | -

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.2.3 | 23-02-2026
  • Updated Dataverse - Activity after failed logons hunting query to use a valid Enterprise technique.
3.2.2 | 22-04-2025
  • Updated solution description.
3.2.1 | 11-04-2025
  • Move solution and content to GA.
  • Minor analytic rule update.
3.2.0 | 15-11-2024
  • Renamed solution from Power Platform to Microsoft Business Applications.
  • Merge Dynamics 365 CE Apps and Dynamics 365 Finance & Operations into a unified solution.
  • New analytics rules, playbooks and hunting queries.
  • Replace Dynamics 365 Finance and Operations function app using Codeless Connector.
  • Retire PPInventory function app.
3.1.3 | 12-07-2024
  • Removal of Power Apps, Power Platform Connectors, Power Platform DLP data connectors. Associated logs are now ingested via the Power Platform Admin Activity data connector.
  • Update of analytics rules to utilize the PowerPlatformAdminActivity table.
  • Update data connectors DCR properties.
