Query Details

M365 Copilot Gone Rogue

Query

// https://www.linkedin.com/posts/0x534c_cybersecurity-safelinkprotection-maliciousurl-activity-7325956438965518337-JV3o

| where Timestamp > ago(1h)
| where Workload == "Copilot"
| where ActionType == "ClickBlocked"
| project Timestamp, AccountUpn, Url, UrlChain, IPAddress

Explanation

This KQL (Kusto Query Language) query filters a dataset down to the blocked URL clicks that originated from the Copilot workload and displays the fields needed to triage them. Here's a breakdown of what each line does:

  1. Time Filter: It looks at records from the last hour (Timestamp > ago(1h)).

  2. Workload Filter: It only considers records where the workload is "Copilot" (Workload == "Copilot").

  3. Action Type Filter: It focuses on actions where a click was blocked (ActionType == "ClickBlocked").

  4. Projection: It selects and displays only certain fields from the filtered records: Timestamp, AccountUpn (user account), Url (the URL that was clicked), UrlChain (the sequence of URLs involved), and IPAddress (the IP address from which the action was attempted).

In summary, this query retrieves and displays information about blocked click actions related to the "Copilot" workload that occurred in the last hour, showing details like the time, user account, URL, URL chain, and IP address.
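As an added example (not part of the original query), the same filters can be turned into a triage view that groups blocked clicks by destination host so a repeated lure stands out across users. The table name UrlClickEvents and the 24h window are assumptions; the original query names no table.

```kql
// Added example: aggregate Copilot Safe Links blocks by destination host.
// UrlClickEvents is assumed here; the original query does not name a table.
UrlClickEvents
| where Timestamp > ago(24h)                     // wider window than the original 1h
| where Workload == "Copilot"
| where ActionType == "ClickBlocked"
| extend UrlDomain = tostring(parse_url(Url).Host) // host part of the blocked URL
| summarize
    BlockedClicks = count(),
    DistinctUsers = dcount(AccountUpn),
    DistinctSourceIPs = dcount(IPAddress),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleUsers = make_set(AccountUpn, 10),      // up to 10 affected accounts
    SampleUrls = make_set(Url, 5)                 // up to 5 full URLs for review
    by UrlDomain
| order by DistinctUsers desc, BlockedClicks desc
```

A host that several distinct users were blocked from reaching within the window is a stronger signal of a shared lure than a single block, and the sampled UPNs and URLs give the responder a starting point without re-running the raw query.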

Details


Steven Lim

Released: May 8, 2025

Tables

The query does not specify a table name.

Keywords

Timestamp Workload ActionType AccountUpn Url UrlChain IPAddress

Operators

ago() where == > project
