Query Details

M365 Copilot Extensions Threat Monitoring

Query

// M365 Copilot Extensions Threat Monitoring

// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-m365-activity-7250789113249837056-D6rZ/
// This just keeps getting better and better! ๐Ÿ˜‚ I absolutely refuse to accept Message Center MC908119, which claims that โ€˜Admins will lose tenant-level control over who can use Copilot agents.โ€™ ๐Ÿ˜ค As a countermeasure, Iโ€™ve developed a Sentinel analytics rule that monitors all external URLs accessed by M365 Copilot extensions against my Threat Intelligence database for potential malicious activities. This rule is linked with a logic playbook automation to mark the user as compromised and isolate their access. ๐Ÿ’ฏ๐Ÿ˜˜

// ConfusedPilot Attack Vector:
// https://www.linkedin.com/posts/0x534c_confusedpilot-activity-7252113628470943744-BgxN/

// M365 Copilot Extensions Threat Monitoring (Sentinel)
// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-copilot-activity-7251091656249090048-GfSg/

CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)
| extend PluginAccessURL = tostring(CopilotData.AccessedResources)
| mv-expand todynamic(PluginAccessURL)
| where PluginAccessURL has "SiteUrl"
| extend Url = tostring(PluginAccessURL.SiteUrl)
| extend Domain = tostring(parse_url(Url).Host)
| extend Action = tostring(PluginAccessURL.Action)
| join ThreatIntelligenceIndicator on $left.Domain == $right.DomainName


// MITRE ATT&CK
// T1116 Browser Extensions

Explanation

This query is designed to monitor potential threats associated with Microsoft 365 Copilot extensions by analyzing cloud application events. Here's a breakdown of what the query does in simple terms:

  1. Time Filter: It looks at events generated in the last hour.

  2. Action Type: It specifically focuses on events where the action type is "CopilotInteraction," indicating interactions with Copilot extensions.

  3. User and Copilot Data Extraction:

    • It extracts the user ID and detailed Copilot event data from the raw event data.
    • It identifies the specific Copilot plugin involved in the interaction.
  4. URL and Domain Extraction:

    • It extracts URLs accessed by the Copilot plugin.
    • It expands these URLs to find specific site URLs accessed.
    • It parses these URLs to extract the domain name.
  5. Threat Intelligence Matching:

    • It compares the extracted domain names against a threat intelligence database to identify potential malicious activities.
  6. Automation and Response:

    • If a match is found, the rule is linked with an automated playbook that marks the user as compromised and isolates their access to prevent further threats.
  7. Reference to MITRE ATT&CK:

    • The query references the MITRE ATT&CK framework, specifically T1116, which relates to the use of browser extensions for malicious purposes.

Overall, this query is part of a security monitoring strategy to detect and respond to potential threats from external URLs accessed by M365 Copilot extensions, ensuring that any suspicious activity is promptly addressed.

Details

Steven Lim profile picture

Steven Lim

Released: October 16, 2024

Tables

CloudAppEventsThreatIntelligenceIndicator

Keywords

CloudAppEventsCopilotInteractionUserIDCopilotDataCopilotPluginPluginAccessURLUrlDomainActionThreatIntelligenceIndicator

Operators

CloudAppEvents|where>ago==@extendtostringtodynamicisnotemptymv-expandhasparse_urljoinon

MITRE Techniques

Actions

GitHub