Query Details

Detecting Copilot Studio Bot Creation

Query

// Detecting Copilot Studio Bot Creation
// https://www.linkedin.com/posts/0x534c_copilotstudiobots-securityconfiguration-dlp-activity-7230083382682992641-dLMZ/
// The KQL below lists the Copilot Studio bots created in your tenant; you can correlate the NodeName (id) against the AuditLogs TargetResources for more information.

ExposureGraphNodes
| where NodeLabel == @"serviceprincipal"
| where NodeProperties.rawData.accountDisplayName contains "Microsoft Copilot Studio"
| where NodeProperties.rawData.accountEnabled == "true"
| where NodeProperties.rawData.tags startswith "power-virtual-agents-"

Explanation

This KQL query identifies the Copilot Studio bots that have been created within a tenant. A breakdown of what the query does:

  1. Source Table: The query looks at the ExposureGraphNodes table.
  2. Filter by Node Type: It filters the nodes to only include those labeled as serviceprincipal.
  3. Filter by Display Name: It further filters these nodes to include only those whose display name contains "Microsoft Copilot Studio".
  4. Check if Enabled: It ensures that the account is enabled by checking if accountEnabled is set to "true".
  5. Filter by Tags: Finally, it filters the nodes to include only those whose tags start with "power-virtual-agents-".

In summary, this query identifies active service principal accounts related to Microsoft Copilot Studio bots, specifically those tagged for Power Virtual Agents, within your tenant.
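
The correlation suggested in the query comment, written out as an added example that is not part of the original query: it joins each bot's NodeName against the id of every AuditLogs TargetResources entry to show who touched the service principal and when. It assumes the Microsoft Entra AuditLogs table is queryable alongside ExposureGraphNodes, that NodeName holds the service principal's object ID as the comment states, and a 30-day lookback chosen for illustration.

```kusto
// Added example. Assumptions: AuditLogs is available in the same hunting
// context, NodeName is the service principal object ID, 30d lookback.
let Lookback = 30d;
let CopilotStudioBots =
    ExposureGraphNodes
    | where NodeLabel == @"serviceprincipal"
    | where NodeProperties.rawData.accountDisplayName contains "Microsoft Copilot Studio"
    | where NodeProperties.rawData.accountEnabled == "true"
    | where NodeProperties.rawData.tags startswith "power-virtual-agents-"
    // Cast dynamic values to string so they can be used as join keys
    | project BotId = tolower(tostring(NodeName)),
              BotDisplayName = tostring(NodeProperties.rawData.accountDisplayName);
AuditLogs
| where TimeGenerated > ago(Lookback)
// TargetResources is an array; expand it so every target is checked
| mv-expand Target = TargetResources
| extend TargetId = tolower(tostring(Target.id))
| join kind=inner (CopilotStudioBots) on $left.TargetId == $right.BotId
// The initiator is either a user or an application
| extend Initiator = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                              tostring(InitiatedBy.app.displayName))
// Flag the audit event that records the service principal being created
| extend IsCreation = OperationName == "Add service principal"
| project TimeGenerated, OperationName, IsCreation, Result, Initiator,
          BotId, BotDisplayName, CorrelationId
| sort by TimeGenerated desc
```

Bots with no matching audit rows inside the lookback window are dropped by the inner join; switch to `kind=rightouter` to keep them in the output.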

Details

Steven Lim

Released: August 16, 2024

Tables

ExposureGraphNodes

Keywords

ExposureGraphNodes, NodeLabel, NodeProperties, RawData, AccountDisplayName, MicrosoftCopilotStudio, AccountEnabled, Tags, PowerVirtualAgents, AuditLogs, TargetResources, NodeName

Operators

==, contains, ==, startswith
