Power Platform & Power Automate Audit Logs

m365-azure, Execution Evidence, Cloud Admin Portal, SIEM / Log Aggregator

Location

Microsoft Purview > Audit (filter by PowerApps/Flow workload) or Power Platform Admin Center > Analytics

Description

Audit events for Power Apps, Power Automate (Flow), Power BI, and Power Virtual Agents capturing flow creation/execution, app sharing, connector usage, data export operations, and admin configuration changes.

Forensic Value

Power Automate flows are increasingly abused for automated data exfiltration because they can connect to external services and run on schedules without user interaction. Malicious flows can forward emails, copy files to external storage, or exfiltrate data through HTTP connectors. Power BI data export events may indicate bulk download of business intelligence reports. Monitoring connector usage reveals unauthorized integrations with external services that could serve as data exfiltration channels.
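The connector monitoring described above can be run over exported audit rows. This is an added example, not part of the original entry. The `AuditData` field names (`Workload`, `Operation`, `FlowConnectorNames`), the operation names `CreateFlow` and `EditFlow`, and the connector allowlist are assumptions to confirm against an export from your own tenant.

```python
import json

# Assumed allowlist of connector display names; replace with your tenant's approved set.
APPROVED_CONNECTORS = {"SharePoint", "Office 365 Outlook", "Microsoft Teams"}
# Assumed operation names for flow creation and modification events.
FLOW_CHANGE_OPS = {"CreateFlow", "EditFlow"}

def flag_unapproved_connectors(rows, approved=APPROVED_CONNECTORS):
    """Return one finding per flow create/edit event using a connector outside the allowlist."""
    findings = []
    for row in rows:
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            continue  # skip rows with missing or malformed AuditData
        if data.get("Workload") != "MicrosoftFlow":
            continue  # other workloads share the same export
        if data.get("Operation") not in FLOW_CHANGE_OPS:
            continue
        # Assumed: connectors arrive as one comma-separated string.
        raw = data.get("FlowConnectorNames") or ""
        names = {n.strip() for n in raw.split(",") if n.strip()}
        unapproved = sorted(names - set(approved))
        if unapproved:
            findings.append({
                "time": data.get("CreationTime"),
                "user": data.get("UserId"),
                "operation": data["Operation"],
                "unapproved": unapproved,
            })
    return sorted(findings, key=lambda f: f["time"] or "")

# Constructed sample rows (not real tenant data).
SAMPLE_ROWS = [
    {"AuditData": json.dumps({"CreationTime": "2024-05-02T09:14:00", "Workload": "MicrosoftFlow",
        "Operation": "CreateFlow", "UserId": "alice@example.com",
        "FlowConnectorNames": "SharePoint, Microsoft Teams"})},
    {"AuditData": json.dumps({"CreationTime": "2024-05-02T23:41:00", "Workload": "MicrosoftFlow",
        "Operation": "CreateFlow", "UserId": "bob@example.com",
        "FlowConnectorNames": "Office 365 Outlook, HTTP, Dropbox"})},
    {"AuditData": json.dumps({"CreationTime": "2024-05-03T08:00:00", "Workload": "Exchange",
        "Operation": "Send", "UserId": "bob@example.com"})},
    {"AuditData": "{truncated"},  # malformed row, must be skipped
]

if __name__ == "__main__":
    for finding in flag_unapproved_connectors(SAMPLE_ROWS):
        print(finding)
```
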

Tools Required

Microsoft Purview, Power Platform Admin Center, PowerShell, Microsoft Graph API