Power Platform & Power Automate Audit Logs

Cloud & SaaS, Execution Evidence, Cloud Control Plane, SIEM / Log Aggregator

Location

Microsoft Purview > Audit (filter by PowerApps/Flow workload) or Power Platform Admin Center > Analytics

Description

Audit events for Power Apps, Power Automate (Flow), Power BI, and Power Virtual Agents (now Copilot Studio) covering flow creation, editing, deletion and sharing, app creation, publishing and sharing, connector usage, Power BI data export operations, and admin configuration changes. Individual flow runs are not written to the unified audit log; run history must be pulled from the flow itself in the Power Automate portal.

Forensic Value

Power Automate flows are increasingly abused for automated data exfiltration because they connect to external services and run on a schedule or trigger with no further user interaction, and they keep running after the creator's session ends. Malicious flows forward mail, copy files to external storage, or push data out through HTTP connectors. Power BI export events may indicate bulk download of business intelligence reports. The flow audit record lists the connectors a flow uses (FlowConnectorNames), so an inventory of connectors per user and environment is the fastest way to surface unauthorized integrations that could serve as exfiltration channels; flow-sharing events show when a flow has been handed to a second principal, a common persistence step.

Tools Required

Microsoft Purview, Power Platform Admin Center, PowerShell, Microsoft Graph API

Collection Commands

PowerShell

Connect-ExchangeOnline
foreach ($rt in 'PowerAppsApp','MicrosoftFlow','PowerBIAudit') { Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType $rt -ResultSize 5000 | Export-Csv "power_platform_audit_$rt.csv" -NoTypeInformation }

-RecordType accepts a single value per call, hence the loop. A single call returns at most 5000 records; for busy tenants page with -SessionId and -SessionCommand ReturnLargeSet, and compare the ResultCount column against the number of rows actually exported so truncated results are noticed.

PowerShell

Add-PowerAppsAccount
Get-AdminFlow -EnvironmentName <env-id> | Where-Object { $_.Enabled } | Select-Object DisplayName, FlowName, CreatedTime, LastModifiedTime, @{ Name = 'CreatedBy'; Expression = { $_.CreatedBy.userId } } | Export-Csv active_flows.csv -NoTypeInformation

Requires the Microsoft.PowerApps.Administration.PowerShell module. Flow objects expose an Enabled boolean rather than a Properties.State field, and CreatedBy is a nested object, so the creator's user ID is projected out explicitly or the CSV column will contain only a type name. Omit -EnvironmentName to enumerate flows across every environment.

Graph API

GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDisplayName eq 'Add app role assignment to service principal' and activityDateTime ge 2024-01-01T00:00:00Z

This is a Microsoft Entra directory audit query, not a Power Platform workload record. It is included to correlate application permission grants to service principals with Power Platform activity in the same window. Requires AuditLog.Read.All; adjust the date literal to the investigation window, and export early because Entra retains directory audits for only 7 or 30 days depending on license.
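
The triage step that the Forensic Value section describes, applied to the CSV the Search-UnifiedAuditLog command exports, as an added example that is not part of the original page. It parses the AuditData JSON of each MicrosoftFlow record, flags flows whose connector list includes a service outside the tenant, and flags sharing events that grant a second principal access. The connector watchlist ($ExternalConnectors), the sample rows, their user names and FlowDetailsUrl values are constructed assumptions for the demo; replace the watchlist with the connector identifiers that appear in your own tenant's records.

```powershell
# Added example (not from the original page): triage MicrosoftFlow audit records
# exported by Search-UnifiedAuditLog. Sample rows below are CONSTRUCTED to follow the
# documented MicrosoftFlow AuditData fields (Workload, Operation, UserId,
# FlowConnectorNames, RecipientUPN, SharingPermission, FlowDetailsUrl).

# Connectors that reach services outside the tenant. ASSUMED identifiers for the demo;
# tune to the values you actually see in FlowConnectorNames.
$ExternalConnectors = @(
    'shared_webcontents',   # HTTP with Microsoft Entra ID
    'shared_dropbox',
    'shared_googledrive',
    'shared_gmail',
    'shared_box'
)

function Get-SuspiciousFlowEvents {
    # Accepts rows carrying an AuditData JSON string (Import-Csv output or live
    # Search-UnifiedAuditLog objects) and emits one object per record that either
    # uses a watchlisted connector or shares a flow with another principal.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Record,
        [string[]] $Watchlist = $ExternalConnectors
    )
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        if ($data.Workload -ne 'MicrosoftFlow') { return }

        # FlowConnectorNames is a comma-separated list of connector identifiers
        $connectors = @()
        if ($data.FlowConnectorNames) {
            $connectors = @($data.FlowConnectorNames -split ',' | ForEach-Object { $_.Trim() })
        }
        $external = @($connectors | Where-Object { $Watchlist -contains $_ })

        $reasons = @()
        if ($external.Count -gt 0) {
            $reasons += "external connector(s): $($external -join ', ')"
        }
        # Sharing event that grants someone other than the actor access to the flow
        if (($data.Operation -eq 'EditPermissions') -and $data.RecipientUPN -and
            ($data.RecipientUPN -ne $data.UserId)) {
            $reasons += "shared with $($data.RecipientUPN) (permission: $($data.SharingPermission))"
        }
        if ($reasons.Count -eq 0) { return }

        [pscustomobject]@{
            Time       = $Record.CreationDate
            User       = $data.UserId
            Operation  = $data.Operation
            Connectors = $connectors -join ','
            Reason     = $reasons -join '; '
            FlowUrl    = $data.FlowDetailsUrl
        }
    }
}

# CONSTRUCTED rows in the column shape Export-Csv/Import-Csv produce for Search-UnifiedAuditLog.
# Expected: rows 1 and 3 are flagged (Dropbox connector; flow shared to a partner UPN),
# row 2 (tenant-internal connectors) and row 4 (PowerApps workload) are not.
$SampleRecords = @(
    [pscustomobject]@{
        CreationDate = '2024-05-01T08:12:00Z'
        AuditData    = '{"Workload":"MicrosoftFlow","Operation":"CreateFlow","UserId":"alice@contoso.example","FlowConnectorNames":"shared_office365, shared_dropbox","FlowDetailsUrl":"https://make.powerautomate.com/flows/example-flow-1/details"}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-01T09:30:00Z'
        AuditData    = '{"Workload":"MicrosoftFlow","Operation":"CreateFlow","UserId":"bob@contoso.example","FlowConnectorNames":"shared_sharepointonline, shared_office365users","FlowDetailsUrl":"https://make.powerautomate.com/flows/example-flow-2/details"}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-02T17:45:00Z'
        AuditData    = '{"Workload":"MicrosoftFlow","Operation":"EditPermissions","UserId":"alice@contoso.example","RecipientUPN":"guest_user@partner.example","SharingPermission":"CanEdit","FlowDetailsUrl":"https://make.powerautomate.com/flows/example-flow-1/details"}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-02T18:00:00Z'
        AuditData    = '{"Workload":"PowerApps","Operation":"LaunchPowerApp","UserId":"carol@contoso.example"}'
    }
)

# Offline demo on the constructed rows
$SampleRecords | Get-SuspiciousFlowEvents | Format-Table -AutoSize

# Real use, on the CSV export(s) written by the collection command:
# Get-ChildItem power_platform_audit*.csv | Import-Csv | Get-SuspiciousFlowEvents |
#     Export-Csv flagged_flows.csv -NoTypeInformation
```

The function filters on the Workload field rather than trusting the RecordType used at collection time, so it behaves the same whether it is fed a single combined export or several per-record-type files. Group the flagged output by User and Connectors to build the per-user connector inventory, then pivot from FlowUrl into the flow's own run history, since the unified audit log does not record individual runs.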

MITRE ATT&CK Techniques

T1059 (Command and Scripting Interpreter), T1072 (Software Deployment Tools), T1567 (Exfiltration Over Web Service), T1020 (Automated Exfiltration), T1098 (Account Manipulation)