Query Details
// Detecting New Copilot Extensions
// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-m365-activity-7250789113249837056-D6rZ/
// I refuse to accept Message Center MC908119, which states that “Admins will lose tenant-level control over who can use Copilot agents” 😤. To counter this, I’ve developed a custom KQL detection in DefenderXDR. This detection identifies any newly installed, non-whitelisted Copilot extensions and alerts the M365 Admin for review. The M365 Admin can then block these extensions in the Integrated Apps section of the admin portal, reclaiming some control.💪
// Add your whitelisted extensions or plugins to WLExtensions
let WLExtensions = dynamic(["BingWebSearch"]);
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)
| where not (CopilotPlugin has_any (WLExtensions))
| project Timestamp, AccountObjectId, UserID, CopilotPlugin, ReportId
// MITRE ATT&CK
// T1116 Browser Extensions
This KQL (Kusto Query Language) query is designed to help Microsoft 365 administrators detect any new Copilot extensions that have been installed but are not on a predefined whitelist. Here's a simple breakdown of what the query does:
Whitelist Setup: It starts by defining a list of approved (whitelisted) Copilot extensions, in this case, just "BingWebSearch".
Data Source: The query looks at CloudAppEvents, which contains logs of cloud application activities.
Time Frame: It filters the events to only include those that occurred in the last hour.
Action Type: It specifically focuses on events where the action type is "CopilotInteraction", indicating a user interaction with Copilot; the plugin used in that interaction is carried inside the event's raw payload.
Data Extraction: The query extracts the user ID, Copilot event data, and the specific Copilot plugin ID from the raw event data.
Filter Non-Whitelisted Extensions: It keeps only rows whose Copilot plugin ID is not found in the whitelist. Any such row means an extension that has not been approved was used in a Copilot interaction and should be treated as a newly detected, non-approved extension.
Output: The query outputs the timestamp of the event, the account object ID, the user ID, the Copilot plugin ID, and the report ID for further review.
Purpose: The purpose of this query is to alert M365 administrators about any newly installed Copilot extensions that are not on the whitelist, allowing them to review and potentially block these extensions in the admin portal to maintain control over their environment.
Security Context: The query is related to the MITRE ATT&CK framework, specifically T1116, which deals with browser extensions, highlighting its relevance to cybersecurity.
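The following is an added example, not part of the original post, showing a variant of the same detection that a reviewer would typically want: it expands every plugin entry in an interaction instead of reading only index 0, uses exact matching against the whitelist instead of term matching, and collapses the hits into one review row per user and plugin with first-seen and last-seen timestamps. It assumes that AISystemPlugin is an array (implied by the original's use of `[0]`) and uses only the CloudAppEvents columns that appear in the original query.

```kql
// Added example (not from the original post). Assumes AISystemPlugin is an array
// of plugin objects, each with an Id field, as implied by the original's [0] access.
let WLExtensions = dynamic(["BingWebSearch"]);   // approved plugin IDs, compared exactly
let LookBack = 1h;
CloudAppEvents
| where Timestamp > ago(LookBack)
| where ActionType == "CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
// Expand the array so an interaction that invoked several plugins yields one row per
// plugin; reading only AISystemPlugin[0] would silently skip the second and later ones.
| mv-expand Plugin = CopilotData.AISystemPlugin
| extend CopilotPlugin = tostring(Plugin.Id)
| where isnotempty(CopilotPlugin)
// Exact, case-sensitive comparison against the whitelist. has_any performs term
// matching, so !in is the stricter choice when the whitelist holds full plugin IDs.
| where CopilotPlugin !in (WLExtensions)
// One row per user/plugin pair for the admin review queue; FirstSeen tells the
// reviewer which plugin appeared first, and the ReportIds allow pivoting to the raw events.
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Interactions = count(),
            ReportIds = make_set(ReportId, 20)
    by AccountObjectId, UserID, CopilotPlugin
| order by FirstSeen asc
```

Two caveats follow from how the query sources its data. First, CopilotInteraction events record a plugin only when a user actually invokes it, so the detection fires on first use, not at installation time; a plugin that is installed but never used will not appear. Second, `!in` is case-sensitive; if plugin IDs in your tenant vary in case, switch to `!in~` rather than loosening the match to `has_any`.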

Steven Lim
Released: October 12, 2024