Query Details

Defender XDR M365 Copilot Extensions Threat Monitoring

Query

// DefenderXDR M365 Copilot Extensions Threat Monitoring

// This morning, I posted on LinkedIn about the ConfusedPilot attack vector and shared a Sentinel analytic rule to monitor Copilot extensions’ external data access for potential malicious data poisoning. A community member mentioned they don’t have Sentinel and asked if this can be done in DefenderXDR. The short answer is yes. You just need to access an external data feed of malicious domains. In my KQL code example, I used Romain Marcoux’s feed of malicious domains, but you can replace the URL with your preferred external data feed.

// ConfusedPilot Attack Vector:
// https://www.linkedin.com/posts/0x534c_confusedpilot-activity-7252113628470943744-BgxN/

// M365 Copilot Extensions Threat Monitoring (Sentinel)
// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-copilot-activity-7251091656249090048-GfSg/

// Malicious Domain Feed
// https://github.com/romainmarcoux/malicious-domains

let MaliciousDomainTable=externaldata(RawData:string)[h'https://raw.githubusercontent.com/romainmarcoux/malicious-domains/main/full-domains-aa.txt']
| parse RawData with MaliciousDomain:string;
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)
| extend PluginAccessURL = tostring(CopilotData.AccessedResources)
| mv-expand todynamic(PluginAccessURL)
| where PluginAccessURL has "SiteUrl"
| extend Url = tostring(PluginAccessURL.SiteUrl)
| extend Domain = tostring(parse_url(Url).Host)
| extend Action = tostring(PluginAccessURL.Action)
| join MaliciousDomainTable on $left.Domain == $right.MaliciousDomain

// MITRE ATT&CK
// T1116 Browser Extensions

Explanation

This KQL query is designed to monitor potential security threats related to Microsoft 365 Copilot extensions by checking for interactions with known malicious domains. Here's a simplified breakdown of what the query does:

  1. External Data Source: It begins by importing a list of known malicious domains from an external source (a GitHub repository maintained by Romain Marcoux) with externaldata(), reading one domain per line into the MaliciousDomainTable.

  2. Data Filtering: The query then looks at cloud application events from the past hour (Timestamp > ago(1h)) specifically related to interactions with Copilot extensions (ActionType == "CopilotInteraction").

  3. Data Extraction and Transformation:

    • It extracts the user ID and Copilot event data from the raw event data.
    • It identifies the Copilot plugin involved in the interaction (the first AISystemPlugin Id) and drops events with no plugin.
    • It expands the accessed resources so that each URL accessed by the plugin becomes its own row, keeping only entries that carry a SiteUrl.

  4. Domain Extraction: For each accessed resource, it extracts the domain from the URL with parse_url, along with the Action recorded for that resource.

  5. Threat Detection: The query checks whether any of these domains match the list of known malicious domains by joining the event data with the malicious domain list on an exact domain match.

  6. MITRE ATT&CK Reference: The query is related to the MITRE ATT&CK technique T1116, which involves browser extensions, indicating that the threat vector involves malicious use of browser extensions.

In summary, this query helps detect potential malicious activity by monitoring Copilot extensions' interactions with external domains and checking these domains against a list of known threats.
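To make the detection steps above concrete, here is an added Python example (not part of the original page or the author's KQL) that replays the query's logic over constructed CloudAppEvents rows and a constructed domain feed; the include_subdomains option goes beyond the query's exact-match join and also catches hosts under a listed domain. Field names follow the query; the event values and feed entries are constructed.

```python
from urllib.parse import urlparse
# Constructed stand-in for the externaldata() feed: one bare domain per line.
FEED_TEXT = "evil-docs.example\npoison-feed.example\n"

# Constructed CloudAppEvents rows, shaped after the fields the query reads.
SAMPLE_EVENTS = [
    {"ActionType": "CopilotInteraction", "RawEventData": {"UserId": "alice@contoso.example",
        "CopilotEventData": {"AISystemPlugin": [{"Id": "WebSearch"}], "AccessedResources": [
            {"SiteUrl": "https://evil-docs.example/report.pdf", "Action": "Read"},
            {"SiteUrl": "https://cdn.poison-feed.example/x", "Action": "Read"},
            {"SiteUrl": "https://contoso.sharepoint.example/sites/hr", "Action": "Read"}]}}},
    {"ActionType": "CopilotInteraction", "RawEventData": {"UserId": "bob@contoso.example",
        "CopilotEventData": {"AISystemPlugin": [], "AccessedResources": [
            {"SiteUrl": "https://poison-feed.example/x", "Action": "Read"}]}}},
    {"ActionType": "FileAccessed", "RawEventData": {"UserId": "carol@contoso.example"}},
]

def load_feed(text):
    # Mirrors `parse RawData with MaliciousDomain:string`, plus a guard for comment lines.
    return {l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def match_domain(host, feed, include_subdomains):
    # Exact match reproduces the KQL join; include_subdomains also tries each parent domain.
    labels = host.split(".")
    for i in range(max(1, len(labels) - 1) if include_subdomains else 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None

def find_copilot_hits(events, feed, include_subdomains=False):
    hits = []
    for ev in events:
        if ev.get("ActionType") != "CopilotInteraction":  # where ActionType == "CopilotInteraction"
            continue
        raw = ev["RawEventData"]
        cp = raw.get("CopilotEventData") or {}
        plugin = (cp.get("AISystemPlugin") or [{}])[0].get("Id", "")
        if not plugin:  # where isnotempty(CopilotPlugin)
            continue
        for res in cp.get("AccessedResources") or []:  # mv-expand, then `has "SiteUrl"`
            host = (urlparse(res.get("SiteUrl") or "").hostname or "").lower()  # parse_url(Url).Host
            if not host:
                continue
            hit = match_domain(host, feed, include_subdomains)
            if hit:
                hits.append({"UserID": raw.get("UserId"), "CopilotPlugin": plugin, "Url": res["SiteUrl"],
                             "Domain": host, "Action": res.get("Action"), "MaliciousDomain": hit})
    return hits
```

With the constructed data, the exact-match run flags only alice's evil-docs.example access, while the subdomain-aware run also flags cdn.poison-feed.example; bob's event is dropped because no plugin is recorded, exactly as the isnotempty() filter does.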

Details

Steven Lim

Released: October 16, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Timestamp, ActionType, UserID, RawEventData, CopilotData, CopilotPlugin, PluginAccessURL, Url, Domain, Action, MaliciousDomainTable

Operators

let, externaldata, parse, where, extend, tostring, todynamic, mv-expand, has, parse_url, join