Query Details

Detecting Copilot Studio Bot Creation

Query

// Detecting Copilot Studio Bot Creation
// https://www.linkedin.com/posts/0x534c_copilotstudiobots-securityconfiguration-dlp-activity-7230083382682992641-dLMZ/
// The below KQL will detect the list of Copilot Studio bots created in your tenant and your can correlate the NodeName (id) against the AuditLogs TargetResources for more information.

ExposureGraphNodes
| where NodeLabel == @"serviceprincipal"
| where NodeProperties.rawData.accountDisplayName contains "Microsoft Copilot Studio"
| where NodeProperties.rawData.accountEnabled == "true"
| where NodeProperties.rawData.tags startswith "power-virtual-agents-"

// MITRE ATT&CK Mapping

// Based on the query, here are the potential MITRE ATT&CK techniques that could be relevant:

// T1078 - Valid Accounts: The query is identifying service principals (a type of account) that are enabled and have specific tags. This technique involves adversaries using valid accounts to maintain access to a network.
// T1087 - Account Discovery: The query is discovering accounts with specific properties, which aligns with the technique where adversaries attempt to enumerate user or service accounts.
// T1098 - Account Manipulation: If the query is used to monitor or detect changes in service principal accounts, it could relate to this technique, which involves adversaries manipulating accounts to maintain access.

Explanation

This KQL query is designed to identify specific service principals, which are essentially special types of accounts, within your organization's network. Here's a simple breakdown of what the query does:

  1. Purpose: The query aims to detect the creation of "Copilot Studio" bots within your organization's tenant. These bots are associated with Microsoft's Copilot Studio.

  2. How it Works:

    • It searches through a dataset called ExposureGraphNodes.
    • It filters for entries where the NodeLabel is "serviceprincipal", indicating that these entries are related to service principal accounts.
    • It further narrows down the results to those where the account's display name includes "Microsoft Copilot Studio".
    • It ensures that only active accounts are considered by checking if the accountEnabled property is set to "true".
    • It also checks if the account's tags start with "power-virtual-agents-", which is likely a specific identifier for these types of bots.
  3. Security Context:

    • The query is useful for security monitoring and auditing purposes, helping to ensure that only authorized bots are created and active within your network.
    • It aligns with certain MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:
      • T1078 - Valid Accounts: The query identifies valid service principal accounts, which could be used by adversaries to maintain unauthorized access.
      • T1087 - Account Discovery: It involves discovering accounts with specific characteristics, which adversaries might do to understand the network better.
      • T1098 - Account Manipulation: If used for monitoring, the query could help detect unauthorized changes to these accounts, which is a common tactic for maintaining access.

In summary, this query helps you monitor and manage the creation and status of specific service principal accounts related to Copilot Studio bots, enhancing your organization's security posture.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodes

Keywords

ExposureGraphNodesNodeLabelNodePropertiesRawDataAccountDisplayNameMicrosoftCopilotStudioAuditLogsTargetResourcesNodeNameIdTenantServicePrincipalAccountEnabledTagsPowerVirtualAgents

Operators

==containsstartswith

MITRE Techniques

Actions

GitHub