Query Details
MS Copilots
Query
//This a list of locating Copilot usage in the SecurityEvent table. //Copilot in Microsoft Edge SecurityEvent | where CommandLine has "ux=copilot" | where Process == "msedge.exe" //Copilot in Excel SecurityEvent | where CommandLine has "copilot" | where NewProcessName has "EXCEL.EXE" //Copilot in PowerPoint SecurityEvent | where CommandLine has "copilot" | where NewProcessName has "POWERPNT.EXE" //Copilot in Visual Studio SecurityEvent | where CommandLine has "copilot" | where NewProcessName has "vsce-sign.exe"
Explanation
This query is designed to identify instances of Copilot usage within the SecurityEvent table for various Microsoft applications. It filters events based on specific criteria for each application:
- Microsoft Edge: Looks for events where the command line contains "ux=copilot" and the process is "msedge.exe".
- Excel: Searches for events where the command line contains "copilot" and the new process name is "EXCEL.EXE".
- PowerPoint: Finds events where the command line contains "copilot" and the new process name is "POWERPNT.EXE".
- Visual Studio: Identifies events where the command line contains "copilot" and the new process name is "vsce-sign.exe".
In summary, this query helps track the usage of Copilot across different Microsoft applications by filtering relevant security events.
Details
Rod Trent
Released: August 1, 2024
Tables
SecurityEvent
Keywords
SecurityEventCopilotMicrosoftEdgeExcelPowerPointVisualStudio
Operators
SecurityEvent|wherehas==.