Detect threats to your organization

As reliance on digital technology and AI integration to drive enterprise solutions grows, detecting threats becomes increasingly critical. Cybercrime is rising, with data breaches occurring more frequently each year.

Mitigate potential security incidents before they escalate into significant breaches by using effective threat detection. By implementing robust monitoring and alerting systems, you can quickly detect suspicious activities and respond promptly to protect data and applications.

This article outlines the threat detection capabilities you can use to effectively manage and secure Power Platform environments.

Microsoft Sentinel

Microsoft Sentinel equips admins with a comprehensive security and monitoring solution that intelligently detects and responds to suspicious activities such as mass data deletion or app execution from unauthorized geographies.

The Microsoft Sentinel solution lets customers investigate detected threats and identify the suspicious app's name, its environment, the user who created or modified it, the users using it, and more. It helps organizations:

  • Collect Power Platform activity logs, audits, and events into the Microsoft Sentinel workspace.
  • Detect execution of suspicious, malicious, or illegitimate activities within Power Platform.
  • Investigate threats detected in Power Platform and contextualize them with other user activities across the organization.
  • Respond to Power Platform-related threats and incidents manually, automatically, or via a predefined workflow.

The Microsoft Sentinel solution includes built-in threat coverage for the following scenarios commonly encountered in business applications:

  • Power Apps activity from an unauthorized geographic ___location
  • Access to malicious links through Power Apps
  • Bulk deletion of Power Apps data
  • Destruction of Power Apps data in Dataverse
  • A new Power Platform connector in a sensitive environment
  • Automated Power Automate activity by departing employees
  • Change or removal of a Power Platform data loss prevention (DLP) policy

The SecOps team can use Microsoft Sentinel tools to investigate and respond to these incidents. The following screenshot shows an example of an incident: a Power Automate flow created by a fired employee.

Screenshot of a Microsoft Sentinel incident showing a Power Automate cloud flow created by a fired employee.

After setting up Microsoft Sentinel to collect Power Platform data, create threat detection rules that run on a schedule, query the collected data, and analyze it for threats. Start from the built-in analytics rules. A rule generates an alert when it detects the conditions it is configured for. Alerts are aggregated into incidents that you can assign and investigate. You can also configure predetermined, automated responses as part of a rule.
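The following Python is an added illustration of how a scheduled detection rule of this kind works; it is not the Sentinel solution's own analytics rules or query language. It runs two of the scenarios listed above (bulk deletion of Dataverse data and flow creation by a departing employee) over constructed sample events and aggregates the resulting alerts into per-user incidents. The event field names, the deletion threshold and window, and the departing-user watchlist are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified shape; the field names are an
# assumption, not the schema of the real Power Platform or Dataverse log tables.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "user": "alice@contoso.example", "op": "Delete", "target": "account"},
    {"time": "2024-05-01T09:00:20", "user": "alice@contoso.example", "op": "Delete", "target": "account"},
    {"time": "2024-05-01T09:00:40", "user": "alice@contoso.example", "op": "Delete", "target": "account"},
    {"time": "2024-05-01T09:01:00", "user": "alice@contoso.example", "op": "Delete", "target": "account"},
    {"time": "2024-05-01T09:01:30", "user": "alice@contoso.example", "op": "Delete", "target": "contact"},
    {"time": "2024-05-01T09:02:00", "user": "alice@contoso.example", "op": "Delete", "target": "contact"},
    {"time": "2024-05-01T10:00:00", "user": "bob@contoso.example", "op": "Delete", "target": "lead"},
    {"time": "2024-05-01T11:00:00", "user": "bob@contoso.example", "op": "Delete", "target": "lead"},
    {"time": "2024-05-01T11:05:00", "user": "carol@contoso.example", "op": "CreateFlow", "target": "Export contacts"},
]
# Constructed watchlist of users HR has flagged as leaving (assumption: supplied externally).
DEPARTING_USERS = {"carol@contoso.example"}

def bulk_delete_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per user with at least `threshold` Delete operations inside any sliding window."""
    deletes = defaultdict(list)
    for e in events:
        if e["op"] == "Delete":
            deletes[e["user"]].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for user, times in deletes.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "BulkDelete", "user": user, "count": end - start + 1})
                break                          # one alert per user per rule run
    return alerts

def departing_user_flow_alerts(events, departing):
    """Alert on every cloud-flow creation by a user on the departing watchlist."""
    return [{"rule": "DepartingUserFlow", "user": e["user"], "flow": e["target"]}
            for e in events if e["op"] == "CreateFlow" and e["user"] in departing]

def build_incidents(alerts):
    """Aggregate alerts into one incident per user for assignment and triage."""
    incidents = defaultdict(list)
    for a in alerts:
        incidents[a["user"]].append(a)
    return dict(incidents)

if __name__ == "__main__":
    found = bulk_delete_alerts(SAMPLE_EVENTS) + departing_user_flow_alerts(SAMPLE_EVENTS, DEPARTING_USERS)
    for user, items in build_incidents(found).items():
        print(user, [a["rule"] for a in items])
```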

Identity

Monitor identity-related risk events on potentially compromised identities and remediate those risks. Review the reported risk events using:

Microsoft Entra ID uses adaptive machine learning algorithms, heuristics, and known compromised credentials (username and password pairs) to detect suspicious actions related to your user accounts. These username and password pairs are surfaced by monitoring the public and dark web, and by working with security researchers, law enforcement, security teams at Microsoft, and others.

Activity logging

Activity logs for Power Apps, Power Automate, Copilot Studio, connectors, Power Pages, data loss prevention, and Power Platform administration are tracked and viewed in Microsoft Purview. Learn about Microsoft Purview.

Dataverse auditing logs changes that are made to customer records in an environment with a Dataverse database. Dataverse auditing also logs user access through an app or the SDK in an environment. This auditing is enabled at the environment level, and additional configuration is required for individual tables and columns.

Microsoft Power Platform admins can use applications such as Microsoft Defender or Microsoft Sentinel to monitor certain types of security threats and to build audit reports using the available APIs.

Continuous, holistic threat detection and the ability to apply preventative guardrails are essential for enabling frictionless productivity while minimizing cyber risk.

Threat analysis

A comprehensive analysis to identify threats, attacks, vulnerabilities, and countermeasures is crucial during the design phase of a workload. Threat modeling is an engineering exercise that includes defining security requirements, identifying and mitigating threats, and validating those mitigations. You can use this technique at any stage of application development or production, but it's most effective during the design stages of new functionality.

Learn more: Recommendations for threat analysis

Next steps

Review the other articles in this series to further enhance your security posture:

After reviewing the articles, review the security checklist to ensure Power Platform deployments are robust, resilient, and aligned with best practices.