Query Details

Microsoft Defender Advanced Hunting Copilot Activities

Query

//Microsoft Defender Advanced Hunting Copilot Activities
//https://www.linkedin.com/pulse/microsoft-defender-advanced-hunting-copilot-activities-steven-lim-cudyc/

CloudAppEvents
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAccessResources = (CopilotData.AccessedResources)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotContexts = tostring(CopilotData.Contexts)
| extend CopilotType = tostring(CopilotData.Type)
| extend CopilotMessageIds = tostring(CopilotData.MessageIds)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| project Timestamp, UserID, CopilotAccessResources, CopilotAppHost, 
CopilotContexts, CopilotType, CopilotMessageIds, CopilotThreadId
// Copilot Interaction Data Formatted
// Insert your hunting query for copilot related activities.
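Added here as a worked example, not code from the original post: one hunting query that builds on the formatted fields above. It expands AccessedResources, counts how many distinct resources each user's Copilot sessions touched per hour, and flags windows that sit well above that user's own median, which is a better signal for bulk summarization or extraction than a flat threshold. It assumes that each AccessedResources entry carries Name, Type and SensitivityLabelId properties, as in the Copilot audit schema; the lookback, window size and thresholds are illustrative values to tune per tenant.

```kql
// Added example (not part of the original post): hunt over the formatted CopilotInteraction data for
// users whose Copilot sessions touched far more distinct resources than their own baseline.
// Assumptions: each AccessedResources entry carries Name, Type and SensitivityLabelId properties, as in
// the Copilot audit schema; the 7d lookback, 1h window and thresholds are illustrative values.
let lookback = 7d;
let window = 1h;
let min_resources = 25;       // absolute floor before a window is worth looking at
let baseline_multiplier = 3;  // how far above the user's own median a window must sit
let per_window =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "CopilotInteraction"
    | extend CopilotData = todynamic(RawEventData.CopilotEventData)
    | extend AppHost = tostring(CopilotData.AppHost)
    // one row per resource the interaction read
    | mv-expand Resource = CopilotData.AccessedResources
    | extend ResourceName = tostring(Resource.Name),
             ResourceType = tostring(Resource.Type),
             LabelId = tostring(Resource.SensitivityLabelId)
    | where isnotempty(ResourceName)
    | summarize DistinctResources = dcount(ResourceName),
                LabelledResources = dcountif(ResourceName, isnotempty(LabelId)),
                Hosts = make_set(AppHost, 10),
                Types = make_set(ResourceType, 10),
                SampleResources = make_set(ResourceName, 10)
        by AccountUpn, AccountObjectId, IPAddress, Window = bin(Timestamp, window);
per_window
// per-user baseline: median distinct resources per active hour over the lookback
| join kind=inner (
    per_window
    | summarize UserMedian = percentile(DistinctResources, 50), WindowsSeen = count() by AccountUpn
  ) on AccountUpn
| where DistinctResources >= min_resources
    and DistinctResources > baseline_multiplier * UserMedian
| project Window, AccountUpn, AccountObjectId, IPAddress, DistinctResources, LabelledResources,
          UserMedian, WindowsSeen, Hosts, Types, SampleResources
| order by DistinctResources desc
```

LabelledResources is worth watching separately: a session that reads many labelled documents in one hour is a stronger extraction indicator than raw volume, and a user with few WindowsSeen has no meaningful baseline yet, so treat those rows with the absolute floor only.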

// The Defender custom detection rule below flags Copilot interactions coming from IP addresses that Defender for Cloud Apps has tagged as malicious (brute-force or password-spray sources, Tor exit nodes, etc.). Schedule it to run at a regular interval; the 1h lookback matches an hourly schedule.
// A custom detection query must return Timestamp, ReportId and an identifier column such as AccountObjectId or AccountUpn; this query keeps every CloudAppEvents column, so those are present.

CloudAppEvents
| where Timestamp > ago(1h)
| where IPTags has_any ("Brute force attacker", "Password spray attacker", "malicious", "Possible Hackers", "Tor")
| where ActionType == "CopilotInteraction" 

// Detect token theft via an AiTM phishing attack, where the stolen token is then used to perform Copilot activities such as data summarization and extraction.

let AnomalousTokenRequestId=
SecurityAlert
| where TimeGenerated > ago(30d)
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
let CopilotClientIP=
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName contains "copilot"
| distinct IPAddress;
AADUserRiskEvents
| where TimeGenerated > ago(30d)
| where RequestId has_any(AnomalousTokenRequestId)
| where IpAddress has_any(CopilotClientIP) 
| project TimeGenerated, UserPrincipalName, RiskEventType, RiskLevel, DetectionTimingType, IpAddress, Location

// Detect malicious Copilot searches of external data exposed through Microsoft Graph connectors. This detection applies when Copilot has external plugins enabled and reaches corporate data outside Microsoft 365 through a Graph connector.

let CopilotIPs =
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(30d)
| where RequestUri contains "[email protected]"
| distinct IPAddress;
SigninLogs
| where TimeGenerated > ago(30d)
| where RiskEventTypes contains "maliciousIPAddress" 
| where IPAddress has_any (CopilotIPs)

// Microsoft Defender for Cloud Apps has added the application "Microsoft Copilot for Microsoft 365", which makes threat hunting easier, either from the activity log or with advanced hunting KQL.

CloudAppEvents
| where Application == "Microsoft Copilot for Microsoft 365"

// Identify token theft through AiTM phishing attacks where the stolen token is used for Copilot data summarization and extraction from an IP that carries no malicious reputation. Use Sentinel Behavior Analytics (UEBA) to detect a user's first logon via a new ISP (a possible threat actor) and correlate that IP with Copilot activities in CloudAppEvents.

let FirstTimeUserConnectedISPIP =
BehaviorAnalytics
| where TimeGenerated > ago(7d)
// UEBA insight: the user connected via this ISP for the first time
| where tostring(ActivityInsights.FirstTimeUserConnectedViaISP) == "True"
| where ActivityType == "LogOn"
| where SourceDevice == ""          // Non-corporate endpoint
| where InvestigationPriority > 0   // Suspicious Session
| project SourceIPAddress;
CloudAppEvents
| where ActionType == "CopilotInteraction"
// Correlating copilot activities from the new ISP IP
| where IPAddress has_any(FirstTimeUserConnectedISPIP)
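The correlations on this page key on IP address alone, which is noisy behind shared egress (corporate NAT, VPN concentrators, mobile carriers) and says nothing about what the session did. The query below is an added example, not code from the original post: it ties a risky Entra sign-in to Copilot interactions by the same user from the same IP within a fixed window and reports what those sessions touched, so an analyst can triage the token-theft hypothesis directly. It assumes Sentinel ingests CloudAppEvents through the Microsoft Defender XDR connector so both tables are queryable in one workspace; the lookback, window and risk filters are illustrative.

```kql
// Added example (not part of the original post): join a risky sign-in to Copilot interactions by the
// same user from the same IP within a window, instead of matching on IP address alone.
// Assumptions: CloudAppEvents is available in the Sentinel workspace via the Defender XDR connector;
// the 30d lookback, 24h window and risk filters are illustrative values.
let lookback = 30d;
let window = 24h;
let risky_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"   // only a successful sign-in yields a usable token
    | where RiskLevelDuringSignIn in ("medium", "high")
        or RiskEventTypes has_any ("anomalousToken", "maliciousIPAddress", "unfamiliarFeatures")
    | project SigninTime = TimeGenerated,
              UserPrincipalName = tolower(UserPrincipalName),
              IPAddress, RiskEventTypes, RiskLevelDuringSignIn, UserAgent, AppDisplayName;
let copilot_sessions =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "CopilotInteraction"
    | extend CopilotData = todynamic(RawEventData.CopilotEventData)
    | extend AppHost = tostring(CopilotData.AppHost),
             ThreadId = tostring(CopilotData.ThreadId),
             // number of resources the interaction read; 0 when none were accessed
             ResourceCount = coalesce(array_length(CopilotData.AccessedResources), 0)
    | project CopilotTime = Timestamp,
              UserPrincipalName = tolower(AccountUpn),
              IPAddress, AppHost, ThreadId, ResourceCount, ReportId;
risky_signins
| join kind=inner (copilot_sessions) on UserPrincipalName, IPAddress
// keep only Copilot activity that follows the risky sign-in within the window
| where CopilotTime between (SigninTime .. (SigninTime + window))
| summarize Interactions = count(),
            Threads = dcount(ThreadId),
            ResourcesTouched = sum(ResourceCount),
            Hosts = make_set(AppHost, 5),
            FirstCopilotUse = min(CopilotTime),
            LastCopilotUse = max(CopilotTime)
    by UserPrincipalName, IPAddress, SigninTime, RiskLevelDuringSignIn, RiskEventTypes, UserAgent
| extend MinutesToFirstUse = datetime_diff("minute", FirstCopilotUse, SigninTime)
| order by ResourcesTouched desc
```

MinutesToFirstUse is the triage hint: a stolen token replayed from AiTM infrastructure tends to reach Copilot within minutes of the sign-in, and a UserAgent that differs from the user's normal clients strengthens the case further. Shrink the window if the tenant's token lifetimes are short.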

Explanation

This query is a comprehensive set of KQL (Kusto Query Language) scripts designed to monitor and detect potential abuse of Microsoft Copilot activities within a cloud environment. Here's a simplified summary of each part:

  1. Extract Copilot Interaction Data:

    • The first part of the query extracts and formats data related to user interactions with Microsoft Copilot from CloudAppEvents. It includes details like user ID, accessed resources, application host, contexts, message IDs, and thread IDs.
  2. Detect Potential Copilot Abuse:

    • The second part sets up a detection rule to identify potential abuse of Copilot by monitoring for interactions from IP addresses associated with known malicious activities (e.g., brute force attacks, password spray attacks, etc.) within the last hour.
  3. Detect Token Theft via AiTM Phishing:

    • This section collects the RequestIds from Entra ID Protection "Anomalous Token" alerts over the past 30 days, looks those requests up in AADUserRiskEvents, and keeps only risk events whose IP address also appears in sign-ins to a Copilot application, so a stolen token and Copilot usage from the same IP are tied together.
  4. Detect Malicious External Data Search:

    • This part collects the IP addresses that made Microsoft Graph requests matching the Copilot search URI filter and checks SigninLogs for sign-ins from those IPs that Entra ID Protection flagged with the maliciousIPAddress risk event type.
  5. Monitor Microsoft Copilot Application:

    • It filters CloudAppEvents to specifically look at activities related to the "Microsoft Copilot for Microsoft 365" application, making it easier to hunt for threats.
  6. Identify Token Theft from Non-Malicious IPs:

    • The final part identifies potential token theft through AiTM phishing attacks by detecting initial logins from new ISPs (possibly threat actors) and correlating these IPs with Copilot activities. It uses behavior analytics to spot users connecting from new ISPs and checks if these IPs are involved in Copilot interactions.

Overall, these scripts are designed to enhance security monitoring and threat detection related to Microsoft Copilot activities, ensuring any suspicious or malicious behavior is promptly identified and investigated.

Details


Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents SecurityAlert SigninLogs AADUserRiskEvents MicrosoftGraphActivityLogs BehaviorAnalytics

Keywords

CloudAppEvents User SecurityAlert SigninLogs AADUserRiskEvents MicrosoftGraphActivityLogs BehaviorAnalytics

Operators

== | extend tostring todynamic project has_any contains mv-expand distinct let
