Security Controls
Data Loss Prevention
Starting at the E3 license level, Flow administrators can introduce DLP policies. These policies can be used to prevent various connectors from being paired together. They work by classifying data at a high level: connectors are split between 'Business Data Only' and 'No Business Data Allowed'.
When people create new flows, they will be unable to mix connectors from one group with connectors from the other.
For example, in the image below the OneDrive and SharePoint connectors can be used together, but neither could be used with Salesforce or Dynamics 365 since they are in separate groups.

Logging?
Good news: logging does exist. Bad news: it's not the greatest. In the Office 365 Admin 'Security & Compliance' portal there is an option to perform an audit log search. This search provides the ability to search logs across the entire Office 365 platform.
Flow Event Types
Searching for Flow within the 'Activities' drop down shows seven different event types that can be searched:
| Event | Event Description |
| --- | --- |
| Created flow | Shows events related to a flow being created |
| Edited flow | Events related to an existing |
| Deleted flow | These events occur when a flow has been removed |
| Edited flow permissions | If a permission to the flow has been changed. This can occur if a flow is shared to another user. |
| Deleted flow permissions | If a permission is removed. This could occur when someone's access to a flow has been revoked. |
| Started a flow paid trial | These events occur if a user starts a trial to gain access to premium connectors. |
| Renewed a flow paid trial | These occur when a paid trial is renewed and continued. |

Event Details
Unfortunately, the event details are a bit sparse. In most cases the event shows the time, activity type, user, IP, and whether it was successful.

Clicking on 'More information' does show a bit more information but the real details of the Flow are still a mystery.

The image above shows which connectors were used, which is valuable information to have. The downside is that the intent of the Flow is still obscured from us, even after looking at the details of the audit log.
Flow Details URL
At first when I saw the page for details I thought it was going to display all of the nitty-gritty details of the flow. I expected to see each parameter for the connectors. Unfortunately the details page shows details about who owns the flow, who it's been shared to, and if it's currently in the 'on' or 'off' state.

Currently there is no way to get the details surrounding exactly what a flow is doing outside of impersonating the user and viewing their flows one at a time.
Quotas
In the Flow admin center, under the 'Tenant' menu, there is an option to see current usage statistics for Flows across the entire Office tenant.

A report can be downloaded that shows some useful information about the environment. To download the report you have to request it; once the data is pulled together, a download link is provided.
Much like viewing flow details anywhere else in Office 365, the CSV provides the name of the flow, who owns it, environment, environment Id, and the current state of the Flow. The one new piece of information that is shown is the number of runs consumed.

Examining the number of runs consumed could be an indicator of a Flow being used for malicious purposes. It could also just be a flow that runs on a regular basis. Pivoting off this field provides some direction where previously there was no direction or way to begin to find potentially malicious flows.
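One way to pivot on the runs-consumed field, as an added example that is not part of the original page: the script below ranks flows from the usage report by a robust outlier score, so a flow that runs far more often than its peers surfaces for review. The column names and sample rows are assumptions constructed for illustration; match them to the header row of the CSV you actually download.

```python
import csv
import io
import statistics

# Column names are assumptions; match them to the header row of the report
# actually downloaded from the Flow admin center.
COL_NAME, COL_OWNER, COL_STATE, COL_RUNS = "Flow name", "Owner", "State", "Runs consumed"

# Constructed sample data, not real tenant output.
SAMPLE_REPORT = """Flow name,Owner,Environment,Environment Id,State,Runs consumed
Save attachments,alice@example.com,Default,env-0001,Started,42
Daily digest,bob@example.com,Default,env-0001,Started,31
Approval routing,carol@example.com,Default,env-0001,Stopped,18
New file alert,dave@example.com,Default,env-0001,Started,55
Sync mailbox,erin@example.com,Default,env-0001,Started,"9,870"
Untitled,frank@example.com,Default,env-0001,Started,
"""


def parse_runs(value):
    """Convert a 'runs consumed' cell to int; blank or malformed cells count as 0."""
    cleaned = (value or "").replace(",", "").strip()
    return int(cleaned) if cleaned.isdigit() else 0


def flag_high_run_flows(report_text, threshold=3.5):
    """Return flows whose run count is a robust outlier (modified z-score), highest first."""
    rows = list(csv.DictReader(io.StringIO(report_text)))
    runs = [parse_runs(r.get(COL_RUNS)) for r in rows]
    if not runs:
        return []
    # Median and MAD keep one very busy flow from inflating its own baseline.
    median = statistics.median(runs)
    mad = statistics.median(abs(x - median) for x in runs)
    flagged = []
    for row, count in zip(rows, runs):
        if mad == 0:
            # At least half the flows sit at the median; anything above stands out.
            score = float("inf") if count > median else 0.0
        else:
            score = 0.6745 * (count - median) / mad
        if score > threshold:
            flagged.append({"flow": row[COL_NAME], "owner": row[COL_OWNER],
                            "state": row[COL_STATE], "runs": count})
    return sorted(flagged, key=lambda f: f["runs"], reverse=True)


if __name__ == "__main__":
    print(flag_high_run_flows(SAMPLE_REPORT))
```

A flagged flow is only a starting point for review, since a legitimately scheduled flow can also produce a high run count.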