Query Details

Cloud App Suspicious Copilot Agent Detection

Query

// CloudApp Suspicious Copilot Agent Detection

CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft 365"
| where ActionType in ("BotCreate", "BotUpdateOperation-BotPublish")
| where UncommonForUser has "ISP" or UncommonForUser has "CountryCode"

// MITRE ATT&CK

Explanation

This query is designed to detect suspicious activities related to the use of a "Copilot Agent" within the Microsoft 365 cloud application. Here's a simple breakdown of what it does:

  1. Time Filter: It looks at events that have occurred in the last hour (Timestamp > ago(1h)).

  2. Application Filter: It focuses specifically on events related to the "Microsoft 365" application.

  3. Action Type Filter: It checks for specific actions, namely "BotCreate" and "BotUpdateOperation-BotPublish", which are related to the creation and publishing of bots.

  4. Uncommon Activity Filter: It identifies events that are unusual for the user, specifically if the activity is associated with an uncommon Internet Service Provider (ISP) or an uncommon country code for that user.

Overall, this query aims to identify potentially suspicious bot-related activities in Microsoft 365 that are unusual for the user, possibly indicating unauthorized or malicious actions.
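To make the four filters concrete, the following is an added Python reimplementation of the same filter chain run over constructed CloudAppEvents rows; it is not part of the original query or the author's work. It assumes UncommonForUser arrives as a JSON-array-style string of attribute names (the real column layout may differ) and approximates KQL `has` as whole-term matching.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the one-hour window is reproducible offline.
NOW = datetime(2024, 11, 27, 12, 0, tzinfo=timezone.utc)

def row(minutes_ago, app, action, uncommon, user):
    """Build a constructed CloudAppEvents-like record with the columns the query uses."""
    return {"Timestamp": NOW - timedelta(minutes=minutes_ago), "Application": app,
            "ActionType": action, "UncommonForUser": uncommon, "AccountDisplayName": user}

# Constructed sample rows. Assumption: UncommonForUser is a JSON-array-style string.
SAMPLE_EVENTS = [
    row(10, "Microsoft 365", "BotCreate", '["ISP","CountryCode"]', "alice"),          # flagged
    row(20, "Microsoft 365", "BotUpdateOperation-BotPublish", '["CountryCode"]', "bob"),  # flagged
    row(5, "Microsoft 365", "BotCreate", "", "carol"),                  # nothing unusual for user
    row(180, "Microsoft 365", "BotCreate", '["ISP"]', "dave"),          # outside the 1h window
    row(1, "Microsoft Teams", "BotCreate", '["ISP"]', "erin"),          # other application
    row(2, "Microsoft 365", "BotCreate", '["ISPLikeName"]', "frank"),   # `has` needs a whole term
]

BOT_ACTIONS = {"BotCreate", "BotUpdateOperation-BotPublish"}

def kql_has(text, term):
    """Approximate KQL `has`: case-insensitive match on a whole alphanumeric term, not a substring."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)}
    return term.lower() in tokens

def detect_suspicious_copilot_agents(events, now=NOW, window=timedelta(hours=1)):
    """Apply the query's four filters in order and return the matching rows."""
    return [
        e for e in events
        if e["Timestamp"] > now - window                        # Timestamp > ago(1h)
        and e["Application"] == "Microsoft 365"                 # Application == "Microsoft 365"
        and e["ActionType"] in BOT_ACTIONS                      # ActionType in (...)
        and (kql_has(e["UncommonForUser"], "ISP")               # UncommonForUser has "ISP"
             or kql_has(e["UncommonForUser"], "CountryCode"))   # or has "CountryCode"
    ]

if __name__ == "__main__":
    for hit in detect_suspicious_copilot_agents(SAMPLE_EVENTS):
        print(hit["AccountDisplayName"], hit["ActionType"], hit["UncommonForUser"])
```

Only alice and bob survive all four filters; frank's row shows why `has` (whole-term match) rather than `contains` keeps a token such as "ISPLikeName" from triggering the rule.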

Details

Steven Lim

Released: November 27, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Application, ActionType, UncommonForUser, Timestamp

Operators

CloudAppEvents, | where, >, ago(), ==, in (), has, or