Query Details

M365 Copilot Extensions Threat Monitoring

Query

// M365 Copilot Extensions Threat Monitoring

// https://www.linkedin.com/posts/0x534c_cybersecurity-generativeai-m365-activity-7250789113249837056-D6rZ/
// This just keeps getting better and better! 😂 I absolutely refuse to accept Message Center MC908119, which claims that ‘Admins will lose tenant-level control over who can use Copilot agents.’ 😤 As a countermeasure, I’ve developed a Sentinel analytics rule that monitors all external URLs accessed by M365 Copilot extensions against my Threat Intelligence database for potential malicious activities. This rule is linked with a logic playbook automation to mark the user as compromised and isolate their access. 💯😘

CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)
// Keep AccessedResources as a dynamic array (not a string) so mv-expand yields one resource per row
| mv-expand PluginAccessURL = CopilotData.AccessedResources
// Only resources that carry a SiteUrl can be checked against domain indicators
| where isnotempty(PluginAccessURL.SiteUrl)
| extend Url = tostring(PluginAccessURL.SiteUrl)
| extend Domain = tostring(parse_url(Url).Host)
| extend Action = tostring(PluginAccessURL.Action)
| join ThreatIntelligenceIndicator on $left.Domain == $right.DomainName


// MITRE ATT&CK
// T1116 Browser Extensions

Explanation

This query is designed to monitor potential threats associated with Microsoft 365 Copilot extensions by analyzing cloud application events. Here's a simplified breakdown of what the query does:

  1. Data Source: It examines events from the CloudAppEvents table, focusing on interactions with Copilot extensions.

  2. Time Frame: The query looks at events generated within the last hour.

  3. Filter Criteria: It specifically targets events where the action type is "CopilotInteraction."

  4. Data Extraction:
    • Extracts the UserID and details about the Copilot interaction from the raw event data.
    • Identifies the Copilot plugin involved in the interaction.
    • Extracts URLs accessed by the Copilot plugin.

  5. URL Analysis:
    • Expands the list of accessed resources to analyze each URL.
    • Extracts the domain from each URL for further examination.

  6. Threat Intelligence:
    • Compares the extracted domains against a threat intelligence database to identify any matches with known malicious domains.

  7. Automation:
    • If a match is found, the query is linked to an automated playbook that marks the user as compromised and isolates their access to prevent further potential threats.

  8. Security Framework: The query aligns with the MITRE ATT&CK framework, specifically addressing the technique of using browser extensions for malicious purposes (Technique T1116).

Overall, this query is part of a security measure to detect and respond to potential threats posed by external URLs accessed through M365 Copilot extensions.
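To test the parsing and matching logic without waiting for live Copilot traffic, the same pipeline can be run over constructed rows. This is an added example, not the author's rule: it assumes the RawEventData field names used in the query above, builds sample events and indicators with datatable (constructed values, not real indicators), and adds two checks the rule above does not make explicit: only active, unexpired indicators are joined, and domains are lower-cased on both sides before the join.

```kql
// Constructed sample events shaped like CloudAppEvents.RawEventData for CopilotInteraction.
let SampleEvents = datatable(TimeGenerated:datetime, ActionType:string, RawEventData:dynamic)
[
    datetime(2024-10-13T09:00:00Z), "CopilotInteraction",
    dynamic({"UserId":"alice@contoso.example",
             "CopilotEventData":{
                 "AISystemPlugin":[{"Id":"contoso-sample-plugin","Name":"Sample"}],
                 "AccessedResources":[
                     {"Name":"Q3 plan","Type":"Document","Action":"Read",
                      "SiteUrl":"https://Bad.Example.test/share/q3"},
                     {"Name":"Mail thread","Type":"Email","Action":"Read"}]}}),
    datetime(2024-10-13T09:05:00Z), "CopilotInteraction",
    dynamic({"UserId":"bob@contoso.example",
             "CopilotEventData":{
                 "AISystemPlugin":[],
                 "AccessedResources":[{"Name":"Notes","Type":"Document","Action":"Read",
                      "SiteUrl":"https://contoso.sharepoint.example/sites/notes"}]}})
];
// Constructed indicators in the shape of ThreatIntelligenceIndicator (placeholder domains).
let SampleTI = datatable(DomainName:string, Active:bool, ExpirationDateTime:datetime, ConfidenceScore:int)
[
    "bad.example.test", true,  datetime(2030-01-01), 90,
    "old.example.test", false, datetime(2020-01-01), 50
];
// Same pipeline as the rule above, minus the ago(1h) window so the fixed sample dates match.
SampleEvents
| where ActionType == "CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = RawEventData.CopilotEventData
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where isnotempty(CopilotPlugin)             // drops Bob's event: no plugin involved
| mv-expand Resource = CopilotData.AccessedResources
| where isnotempty(Resource.SiteUrl)          // drops the mail resource: nothing to resolve
| extend Url = tostring(Resource.SiteUrl), Action = tostring(Resource.Action)
| extend Domain = tolower(tostring(parse_url(Url).Host))
| join kind=inner (
    SampleTI
    | where Active == true and ExpirationDateTime > now()   // ignore retired/expired indicators
    | extend DomainName = tolower(DomainName)
  ) on $left.Domain == $right.DomainName
| project TimeGenerated, UserID, CopilotPlugin, Action, Url, Domain, ConfidenceScore
// Expected result: one row, Alice's plugin read of https://Bad.Example.test/share/q3
```

Swap SampleEvents and SampleTI for CloudAppEvents and ThreatIntelligenceIndicator (and restore the time window) to turn this back into the live rule.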

Details


Steven Lim

Released: October 13, 2024

Tables

CloudAppEvents, ThreatIntelligenceIndicator

Keywords

CloudAppEvents, User, Copilot, ThreatIntelligenceIndicator, Domain, PluginAccessURL, Url, Action

Operators

ago(), ==, tostring(), todynamic(), isnotempty(), mv-expand, has, parse_url(), join
