Query Details
```kql
// https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/
// Monitoring excessive prompts, a potential sign of prompt testing.
let MonitorThreshold = 8;
CloudAppEvents
| where Timestamp > ago(1d)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
// First plugin listed for the interaction; keep only EnterpriseSearch
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
| where CopilotPlugin == "EnterpriseSearch"
// Keep user prompts only, not Copilot responses; isPrompt may be logged as a bool or the string "true", and tobool() accepts both
| where tobool(CopilotData.Messages[0].isPrompt) == true
| extend AccountUPN = UserID
| summarize PromptCount = count() by AccountUPN
| where PromptCount > MonitorThreshold
```
This query is designed to monitor and identify users who are excessively interacting with a specific AI system plugin, "EnterpriseSearch," within the last day. Here's a simplified breakdown:
Time Frame: It looks at events from the past day (Timestamp > ago(1d)).
Event Type: It filters for events where the action type is "CopilotInteraction."
User Identification: It extracts the user ID from the raw event data.
Plugin Identification: It checks if the interaction involves the "EnterpriseSearch" plugin.
Prompt Detection: It identifies interactions that are prompts (messages where isPrompt is true).
User Activity Summary: It counts how many prompts each user has made.
Threshold Check: It flags users who have made more than 8 prompts, which could indicate excessive or unusual activity, possibly related to testing or exploiting the AI system.
In essence, this query helps in detecting potential misuse or testing of the AI system by monitoring users who frequently send prompts to the "EnterpriseSearch" plugin.
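To unit-test the detection logic offline before deploying it, here is an added Python reimplementation of the same filters and threshold over constructed CloudAppEvents-style rows (this is example code, not the query's author's; the sample events, user names and the `_event` helper are constructed assumptions):

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

MONITOR_THRESHOLD = 8  # same threshold as the KQL query

def is_enterprise_search_prompt(event: dict) -> bool:
    """Mirror the KQL filters: CopilotInteraction, EnterpriseSearch plugin, first message is a prompt."""
    if event.get("ActionType") != "CopilotInteraction":
        return False
    data = event.get("RawEventData", {}).get("CopilotEventData")
    # CopilotEventData may arrive as a JSON string or an already-parsed object (as todynamic() handles).
    if isinstance(data, str):
        data = json.loads(data)
    if not isinstance(data, dict):
        return False
    plugins = data.get("AISystemPlugin") or []
    if not plugins or plugins[0].get("Id") != "EnterpriseSearch":
        return False
    messages = data.get("Messages") or [{}]
    # isPrompt may be a boolean or the string "true"; accept both, as tobool() would.
    is_prompt = messages[0].get("isPrompt")
    return is_prompt is True or str(is_prompt).lower() == "true"

def flag_heavy_prompters(events, now, threshold=MONITOR_THRESHOLD, window=timedelta(days=1)):
    """Return {UPN: prompt_count} for users whose prompt count within the window exceeds threshold."""
    counts = Counter()
    for ev in events:
        if datetime.fromisoformat(ev["Timestamp"]) <= now - window:  # Timestamp > ago(1d)
            continue
        if is_enterprise_search_prompt(ev):
            counts[ev["RawEventData"]["UserId"]] += 1
    return {upn: n for upn, n in counts.items() if n > threshold}

def _event(user, ts, plugin="EnterpriseSearch", is_prompt=True):
    """One constructed CloudAppEvents-style row; CopilotEventData embedded as a JSON string."""
    data = {"AISystemPlugin": [{"Id": plugin}], "Messages": [{"isPrompt": is_prompt}]}
    return {"Timestamp": ts.isoformat(), "ActionType": "CopilotInteraction",
            "RawEventData": {"UserId": user, "CopilotEventData": json.dumps(data)}}

NOW = datetime(2025, 5, 8, 12, 0, tzinfo=timezone.utc)  # constructed "now"
SAMPLE_EVENTS = (  # constructed sample data covering the edge cases the query must handle
    [_event("alice@example.com", NOW - timedelta(hours=h)) for h in range(1, 11)]       # 10 prompts
    + [_event("alice@example.com", NOW - timedelta(hours=11), is_prompt="true")]         # string form
    + [_event("bob@example.com", NOW - timedelta(hours=h)) for h in range(1, 9)]         # 8, not > 8
    + [_event("bob@example.com", NOW - timedelta(hours=1), is_prompt=False)]             # a response
    + [_event("carol@example.com", NOW - timedelta(hours=h), plugin="Other") for h in range(1, 20)]
    + [_event("dave@example.com", NOW - timedelta(days=2)) for _ in range(20)]           # outside window
)
```

Calling `flag_heavy_prompters(SAMPLE_EVENTS, NOW)` flags only alice (11 prompts); lowering `threshold` to 7 also flags bob, which is a quick way to see how noisy a given threshold will be on your own exported data.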

Steven Lim
Released: May 8, 2025