Query Details

M365 Copilot Chat Safe Link Monitoring

Query

// M365 Copilot Chat SafeLink Monitoring
// https://admin.microsoft.com/AdminPortal/home?#/MessageCenter/:/messages/MC1013453

let M365CopilotChatURL =
CloudAppEvents
| where Timestamp > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAccessResources = (CopilotData.AccessedResources)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotContexts = tostring(CopilotData.Contexts)
| extend CopilotType = tostring(CopilotData.Type)
| extend CopilotMessageIds = tostring(CopilotData.MessageIds)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| mv-expand CopilotAccessResources
| where CopilotAppHost == "Bing" and isnotempty(CopilotAccessResources.SiteUrl)
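// Project the Copilot-surfaced URLs as a single named string column for has_any
| project SiteUrl = tostring(CopilotAccessResources.SiteUrl);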
UrlClickEvents
| where Timestamp > ago(1h)
| where ActionType == "ClickBlocked"
| where Url has_any(M365CopilotChatURL)

Explanation

This query correlates Microsoft 365 Copilot interactions with Safe Links click blocks over the past hour. A simplified breakdown:

  1. Data Source: The query pulls data from two sources: CloudAppEvents and UrlClickEvents.

  2. Time Frame: It looks at events that occurred within the last hour.

  3. Copilot Interactions:

    • It filters for events where the action type is "CopilotInteraction".
    • It extracts and processes various pieces of data related to the Copilot interaction, such as user ID, accessed resources, app host, contexts, type, message IDs, and thread ID.
    • It specifically focuses on interactions where the Copilot app host is "Bing" and there is a non-empty site URL in the accessed resources.

  4. URL Monitoring:

    • It collects the URLs accessed by Copilot interactions that meet the above criteria.
    • It then checks the UrlClickEvents for any "ClickBlocked" actions, indicating that a URL click was blocked.
    • It matches these blocked URL clicks against the list of URLs accessed by Copilot interactions.

In essence, the query identifies URLs accessed in Microsoft 365 Copilot interactions (Bing app host) that also appear in Safe Links blocked-click events within the last hour.
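
The correlation described above, as an added example in KQL that is not the author's query: it joins on the exact URL so the Copilot user and thread stay attached to each blocked click, and it keeps only clicks at or after the Copilot interaction, which goes beyond the original query. The Sample* tables and their rows are constructed so the query runs without tenant data; AccountUpn is a standard UrlClickEvents column that the original query does not use.

```kql
// Added example. SampleCloudAppEvents / SampleUrlClickEvents are hypothetical
// stand-ins for CloudAppEvents / UrlClickEvents; all rows are constructed.
// The ago(1h) filter is omitted because the sample timestamps are fixed.
let SampleCloudAppEvents = datatable(Timestamp:datetime, ActionType:string, RawEventData:dynamic)
[
    datetime(2025-02-22 09:00:00), "CopilotInteraction",
    dynamic({"UserId":"alice@contoso.example","CopilotEventData":{"AppHost":"Bing","ThreadId":"thread-001","AccessedResources":[{"SiteUrl":"https://blocked.example/landing"},{"SiteUrl":"https://docs.example/guide"}]}}),
    datetime(2025-02-22 09:05:00), "CopilotInteraction",
    dynamic({"UserId":"bob@contoso.example","CopilotEventData":{"AppHost":"Word","ThreadId":"thread-002","AccessedResources":[{"SiteUrl":"https://blocked.example/landing"}]}})
];
let SampleUrlClickEvents = datatable(Timestamp:datetime, ActionType:string, Url:string, AccountUpn:string)
[
    datetime(2025-02-22 09:02:00), "ClickBlocked", "https://blocked.example/landing", "alice@contoso.example",
    datetime(2025-02-22 09:03:00), "ClickAllowed", "https://docs.example/guide", "alice@contoso.example"
];
// One row per URL surfaced by a Bing-hosted Copilot interaction, with its context
let CopilotUrls =
    SampleCloudAppEvents
    | where ActionType == "CopilotInteraction"
    | extend CopilotData = todynamic(RawEventData.CopilotEventData)
    | where tostring(CopilotData.AppHost) == "Bing"
    | mv-expand Resource = CopilotData.AccessedResources
    | extend SiteUrl = tostring(Resource.SiteUrl)
    | where isnotempty(SiteUrl)
    | project CopilotTime = Timestamp,
              CopilotUser = tostring(RawEventData.UserId),
              CopilotThreadId = tostring(CopilotData.ThreadId),
              SiteUrl;
// Blocked clicks whose URL exactly equals a Copilot-surfaced URL
SampleUrlClickEvents
| where ActionType == "ClickBlocked"
| join kind=inner CopilotUrls on $left.Url == $right.SiteUrl
// Keep only clicks that happened at or after the Copilot interaction
| where Timestamp >= CopilotTime
| project ClickTime = Timestamp, AccountUpn, Url, CopilotUser, CopilotThreadId, CopilotTime
```

To run it against a tenant, replace the two Sample* tables with CloudAppEvents and UrlClickEvents and restore the Timestamp > ago(1h) filters.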

Details

Steven Lim

Released: February 22, 2025

Tables

CloudAppEvents, UrlClickEvents

Keywords

CloudAppEvents, UrlClickEvents, Timestamp, ActionType, UserID, CopilotData, CopilotAccessResources, CopilotAppHost, CopilotContexts, CopilotType, CopilotMessageIds, CopilotThreadId, SiteUrl

Operators

let, |, where, >, ago(), ==, extend, =, tostring(), todynamic(), mv-expand, and, isnotempty(), project, has_any()
