Introduction
In today's digital landscape, low-code and no-code development platforms have become increasingly popular among businesses looking to accelerate their application development processes. However, with the convenience and speed that these platforms offer, there are also security risks that organizations must consider.
Power Platform provides a wide range of tools for citizen developers to build, run and manage low-code and no-code applications quickly, simply and at scale. With that, it also introduces a concern around the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails to enable frictionless productivity while minimizing cyber risk.
We are excited to announce the Microsoft Sentinel Solution for Microsoft Power Platform in Public Preview. A solution that can help SOC analysts to detect and respond to threats introduced by citizen developed Power Apps.
Please sign up here for the limited public preview of the Microsoft Sentinel solution for Microsoft Power Platform.
Important
- The Microsoft Sentinel solution for Power Platform is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
- The solution is a premium offering. Pricing information will be available before the solution becomes generally available.
No-code/Low-code applications can pose a major security risk if not controlled and monitored properly
Power Apps developed in the Power Platform environment and published for use by internal and external users are often critical to the organization. They enable key business processes, leverage and interface with highly sensitive business data and integrate with multiple data source and applications, consequently becoming the gateway from the cloud to the most sensitive business applications of the organization.
However, the developers developing those critical and sensitive applications are not professional, security savvy developers. They are usually employees with business and technology orientation (often referred to as "Citizen Developers") that develop those applications for themselves and others.
As such, those applications can be easily vulnerable to threats and exploits. Breaches in those applications can lead to exposed customer data, disruption of key business processes, loss of revenues and major reputation impact.
Up until now, SOC teams lacked the visibility into the activities associated with developing, modifying, publishing and executing those no-code/low-code Power Apps.
How the solution addresses the possible security risks associated with citizen developed Power Apps in Power Platform?
The solution allows customers to monitor and detect various suspicious or malicious activities in their Power Platform environments.
It collects activity logs from the different Power Platform components (Power Apps, Power Automate, Power Platform Connectors, Power Platform DLP, Dataverse) as well as the Power Platform inventory data and analyzes those activity logs to detect threats and suspicious activities such as: Power Apps execution from unauthorized geographies, suspicious data destruction by Power Apps, mass deletion of Power Apps, phishing attacks made possible through Power Apps, Power Automate flows activity by departing employees, Microsoft Power Platform connectors added to the an environment, and the update or removal of Microsoft Power Platform data loss prevention policies.
Due to the integration of the Power Platform inventory data, in addition to the activity logs, the solution also allows customers to investigate the detected threats in a full human readable context and understand for example what the name of the suspicious app is, the name of Power Platform environment it belongs to, the details of the user who created or modified the suspicious app, the details of the users using the app, and more.
In summary, the Microsoft Sentinel solution for Microsoft Power Platform will help organizations to:
- Collect Microsoft Power Platform and Power Apps activity logs, audits, and events into the Microsoft Sentinel workspace.
- Detect execution of suspicious, malicious, or illegitimate activities within Microsoft Power Platform and Power Apps.
- Investigate threats detected in Microsoft Power Platform and Power Apps and contextualize them with additional user activities across the organization.
- Respond to Microsoft Power Platform-related and Power Apps-related threats and incidents in a simple and canned manner manually, automatically, or via a predefined workflow.
Customers can also use the automation and response capabilities of Microsoft Sentinel to create playbooks and automation rules using Microsoft Azure Logic Apps that will help handle and mitigate the detected threats by automatically or manually disabling the suspicious app, limiting users access to certain apps, or escalating to other stakeholders to advise on the legitimacy of a suspected activity.
What does the solution include out-of-the-box?
The Microsoft Sentinel Solution for Power Platform includes a set of data connectors and an initial collection of analytics rules which will evolve and expend over time.
Data Connectors:
|
Connector Name |
Covered Logs / Inventory |
|
Power Platform Inventory (using Azure Functions) |
|
|
Microsoft Power Apps (Preview) |
|
|
Microsoft Power Automate (Preview) |
|
|
Microsoft Power Platform Connectors (Preview) |
|
|
Microsoft Power Platform DLP (Preview) |
|
|
Dynamics365 |
Analytics Rules:
|
Rule name |
What does it detect? |
| PowerApps - App activity from unauthorized geo | Identifies Power Apps activity from countries in a predefined list of unauthorized countries. |
| PowerApps - Multiple apps deleted | Identifies mass delete activity where multiple Power Apps are deleted within a period of 1 hour, matching a predefined threshold of total apps deleted or app deletes events across multiple Power Platform environments. |
| PowerApps - Data destruction following publishing of a new app | Identifies a chain of events where a new app is created or published, that is followed by mass update or delete events in Dataverse within 1 hour. The incident severity is raised if the app publisher is on the list of users in the TerminatedEmployees watchlist template. |
| PowerApps - Multiple users accessing a malicious link after launching new app | Identifies a chain of events, where a new Power App is created, followed by multiple users launching the app within the detection window and clicking on the same malicious URL. |
| PowerAutomate - Departing employee flow activity | Identifies instances where an employee who has been notified or is already terminated creates or modifies a Power Automate flow. |
| PowerPlatform - Connector added to a Sensitive Environment | Identifies occurrences of new API connector creations within Power Platform, specifically targeting a predefined list of sensitive environments. |
| PowerPlatform - DLP policy updated or removed | Identifies changes to DLP policy, specifically policies which are updated or removed. |
Getting started
The Microsoft Sentinel solution for Microsoft Power Platform is available for customers in limited public preview now; Please sign up here and we will reach out to you with detailed deployment guidance after we enable it for you.
Additional reading
Microsoft Power Apps Blog: Integrating Microsoft Sentinel and Power Platform to better monitor and protect your low-code soluti...
Build conference announcement blog: Safely hyperscale low-code apps with ease using Microsoft Dataverse | Microsoft Power Apps
