
# *Microsoft Copilot Access to External Resources (XPIA)*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1530 | Data from Cloud Storage | https://attack.mitre.org/techniques/T1530/ |

#### Description

This rule detects instances where Microsoft Copilot accesses external resources, specifically events where the 'XPIADetected' flag is true. Such an event indicates that Copilot interacted with a resource outside its immediate environment, which can be a security concern if the accessed resource is sensitive or untrusted.

#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/


## Defender XDR
```KQL
CopilotActivity
// LLMEventData is stored as a JSON string; parse it once into a dynamic object
| extend LLM = parse_json(LLMEventData)
// Expand the array so each accessed resource becomes its own row and can be filtered individually
| mv-expand AccessedResources = LLM.AccessedResources
| extend XPIADetected = toboolean(AccessedResources.XPIADetected)
| extend SiteUrl = tostring(AccessedResources.SiteUrl)
// Keep only the resources flagged with XPIADetected
| where XPIADetected == true
```

## Explanation

This query monitors Microsoft Copilot's access to external resources, which is a potential security concern. It reads the CopilotActivity table, parses the LLMEventData JSON, and expands the list of accessed resources so that each resource becomes its own row. It then keeps only the rows whose 'XPIADetected' flag is true, indicating that Copilot interacted with a resource outside its immediate environment, and exposes the URL of that resource in the SiteUrl column. The result highlights potentially sensitive or untrusted external interactions by Microsoft Copilot.
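To show row by row what the parse_json / mv-expand / toboolean / where pipeline produces, here is an added Python emulation of the query's logic run over constructed sample records; it is not part of the original query, and the Timestamp and AccountUpn column names, the sample URLs and the exact shape of LLMEventData are assumptions. It also covers the case where the flag arrives as the string "true" rather than a JSON boolean, which is why the query wraps it in toboolean().

```python
import json

# Constructed sample CopilotActivity rows (not real telemetry). LLMEventData is
# stored as a JSON string, which is why the KQL calls parse_json() on it.
# Timestamp and AccountUpn are assumed column names used for illustration.
SAMPLE_ROWS = [
    {"Timestamp": "2026-02-26T09:00:00Z", "AccountUpn": "alice@example.com",
     "LLMEventData": json.dumps({"AccessedResources": [
         {"SiteUrl": "https://contoso.sharepoint.com/sites/hr", "XPIADetected": False},
         {"SiteUrl": "https://partner.example.net/brief.docx", "XPIADetected": True}]})},
    {"Timestamp": "2026-02-26T09:05:00Z", "AccountUpn": "bob@example.com",
     "LLMEventData": json.dumps({"AccessedResources": [
         {"SiteUrl": "https://contoso.sharepoint.com/sites/fin", "XPIADetected": "true"}]})},
    {"Timestamp": "2026-02-26T09:10:00Z", "AccountUpn": "carol@example.com",
     "LLMEventData": json.dumps({"AccessedResources": [
         {"SiteUrl": "https://contoso.sharepoint.com/sites/it"}]})},  # flag absent
    {"Timestamp": "2026-02-26T09:15:00Z", "AccountUpn": "dave@example.com",
     "LLMEventData": json.dumps({})},  # no AccessedResources array at all
]


def toboolean(value):
    """Mimic KQL toboolean(): bools pass through, 'true'/'false' strings convert,
    anything else (missing, null, other strings) becomes None, which never equals true."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        if value.lower() == "true":
            return True
        if value.lower() == "false":
            return False
    return None


def xpia_hits(rows):
    """Emulate: parse_json -> mv-expand AccessedResources -> extend -> where XPIADetected == true.
    Returns one dict per flagged resource, carrying the parent row's fields plus SiteUrl."""
    hits = []
    for row in rows:
        llm = json.loads(row["LLMEventData"])
        # mv-expand emits one row per array element; a row with no array can never pass the filter
        for resource in llm.get("AccessedResources") or []:
            if toboolean(resource.get("XPIADetected")) is True:
                hits.append({"Timestamp": row["Timestamp"],
                             "AccountUpn": row["AccountUpn"],
                             "SiteUrl": str(resource.get("SiteUrl", ""))})
    return hits


if __name__ == "__main__":
    for hit in xpia_hits(SAMPLE_ROWS):
        print(hit)
```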

Released: February 26, 2026

Tables: CopilotActivity

Keywords: Copilot, Activity, Resources, Environment, Security

Operators: extend, parse_json, mv-expand, toboolean, tostring, where