Query Details
// M365 Copilot Plugins Inventory Analysis //

Is your organization overseeing who can use Copilot with installed apps and plugins from Microsoft or other providers? If so, do you know which plugins your Copilot users are actually using, and how often, from a security-risk perspective? The following KQL query gives the Security Operations team an inventory of the plugins used in Copilot interactions and their usage frequency for analysis:

CloudAppEvents
| where TimeGenerated > ago(90d)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAccessResources = (CopilotData.AccessedResources)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotContexts = tostring(CopilotData.Contexts)
| extend CopilotType = tostring(CopilotData.Type)
| extend CopilotMessageIds = tostring(CopilotData.MessageIds)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin)
| where CopilotPlugin != "[]"
| summarize Plugin_Usage=count() by CopilotPlugin

Two things to check before relying on the numbers. First, the column names are the Microsoft Sentinel ones: in Defender XDR Advanced Hunting the CloudAppEvents table exposes the event time as Timestamp rather than TimeGenerated. Second, AISystemPlugin is a JSON array; tostring() renders an interaction with no plugin as "[]", which is exactly what the filter drops, but an interaction that involved more than one plugin is summarized under the whole array as one combined key rather than once per plugin. The extra extend lines (AccessedResources, AppHost, Contexts, Type, MessageIds, ThreadId) are not used by the summarize; they are there so the query can be extended to slice the inventory by host application or accessed resource.

// MITRE ATT&CK Mapping //
// This is a hunting and inventory query, not adversary activity. The mapping below describes the behaviour the results help surface, not the act of running KQL.
// Tactic: Collection (TA0009) // Technique: Data from Information Repositories (T1213) // Copilot plugins retrieve Microsoft 365 content and third-party data on behalf of the user (the AccessedResources field records what was read); a plugin that is invoked unusually often, or by an account that has no business need for it, is the pattern to review.
// Tactic: Exfiltration (TA0010) // Technique: Exfiltration Over Web Service (T1567) // Plugins from other providers pass prompt content and retrieved data to an external service. The plugin inventory shows which external services are in the loop, so it is the starting point for deciding whether a plugin should be allowed at all.
This KQL query is designed to help the Security Operations team monitor and analyze the usage of Microsoft Copilot plugins within an organization. Here's a simplified summary:
Purpose: The query aims to provide an inventory of Copilot users' plugins and their usage frequency to assess potential security risks.
Data Source: It pulls data from CloudAppEvents over the past 90 days.
Filtering: It specifically looks for events where the action type is CopilotInteraction.
Data Extraction: It unpacks RawEventData.CopilotEventData into its own columns (user ID, accessed resources, app host, contexts, interaction type, message IDs, thread ID and the plugin list) and keeps only interactions in which at least one plugin was involved (CopilotPlugin != "[]").
Summarization: It counts the usage of each plugin (Plugin_Usage=count() by CopilotPlugin).
Security Context: The query is mapped to MITRE ATT&CK tactics and techniques, indicating how the extracted data can be relevant for understanding potential security threats, such as collection from information repositories (T1213) and exfiltration to external web services (T1567) through plugins from other providers.
In essence, this query helps organizations keep track of which plugins are being used with Copilot, how frequently they are used, and provides insights into potential security implications.
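The following is an added example, not part of the original query or its author's material, showing how a SecOps analyst would extend the inventory: it expands the AISystemPlugin array with mv-expand so each plugin is counted individually even when several were used in one interaction, attributes each plugin to the accounts and host applications using it, and flags plugins that first appeared within the last week. It assumes the Microsoft Sentinel column name TimeGenerated and that each AISystemPlugin element carries Id and Name fields as in the Copilot audit schema; both are assumptions to verify against your own tenant's data.

```kql
// Added example (not the original page's query): per-plugin inventory with
// the AISystemPlugin array expanded so each plugin is counted on its own.
// Assumptions: Sentinel column names (TimeGenerated; use Timestamp in
// Defender XDR Advanced Hunting) and AISystemPlugin elements with Id/Name.
let lookback = 90d;
let new_window = 7d;   // plugins first seen inside this window get flagged
CloudAppEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "CopilotInteraction"
| extend UserId = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend AppHost = tostring(CopilotData.AppHost)
| extend Plugins = CopilotData.AISystemPlugin
// Keep only interactions that involved at least one plugin
| where isnotempty(Plugins) and array_length(Plugins) > 0
// One row per (interaction, plugin) instead of one row per plugin combination
| mv-expand Plugin = Plugins
| extend PluginName = tostring(Plugin.Name), PluginId = tostring(Plugin.Id)
| summarize
    Interactions  = count(),
    DistinctUsers = dcount(UserId),
    Users         = make_set(UserId, 25),   // capped sample of accounts
    AppHosts      = make_set(AppHost, 10),  // e.g. which M365 apps invoked it
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by PluginName, PluginId
// A plugin that only appeared this week is the first thing to review
| extend NewInWindow = FirstSeen > ago(new_window)
| order by NewInWindow desc, Interactions desc
```

Compared with the original query, the mv-expand changes what the counts mean: Interactions is the number of Copilot interactions in which that specific plugin took part, so a plugin used alongside others is no longer hidden inside a combined array key. DistinctUsers and the Users sample are what turn the inventory into a review list, since a third-party plugin used by two accounts is a different conversation from one used by two hundred.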

Steven Lim
Released: September 5, 2024