User signed in to an application via Power Automate for the first time

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-24

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD
Detection Modules	Identity Threat Module
Detector Tags
ATT&CK Tactic	Initial Access (TA0001) Exfiltration (TA0010)
ATT&CK Technique	Valid Accounts (T1078) Automated Exfiltration (T1020)
Severity	Informational

A user signed in to an application via Power Automate for the first time. This may be indicative of a compromised account.

Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.

Check if this was a desired behavior as part of the automation flow.
Analyze the actions taken by the user during the session and verify that this is a legitimate session.
Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
Look for signs of different data exfiltration via email, shared links or uploads to online storage.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

A user signed in to an uncommon application via Power Automate for the first time. This may be indicative of a compromised account.

Use automation flows to automate data exfiltration, C2 communication, lateral movement and evade DLP solutions.

Check if this was a desired behavior as part of the automation flow.
Analyze the actions taken by the user during the session and verify that this is a legitimate session.
Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
Look for signs of different data exfiltration via email, shared links or uploads to online storage.