Query Details

Monitoring Copilot Data Exfiltration Via Graph API

Query

// Monitoring Copilot Data Exfiltration via Graph API

let CopilotGraphExfilCmds = dynamic(["interactionHistory","getAllEnterpriseInteractions"]);
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| extend ParseData = parse_url(RequestUri)
| where ParseData has_any (CopilotGraphExfilCmds)

Explanation

This query monitors Microsoft Graph API activity for reads of Microsoft 365 Copilot interaction history. The Graph endpoint it watches (copilot/users/{id}/interactionHistory/getAllEnterpriseInteractions) returns a user's Copilot prompts together with the responses Copilot produced, so a single call can retrieve a condensed record of what a user asked and which enterprise content Copilot surfaced to them. That makes it an attractive target for an attacker holding a stolen token or a consented app, and a useful thing to alert on. Here is a breakdown of what the query does:

  1. Define Path Segments: It starts by defining a list of two path segments of that endpoint (interactionHistory and getAllEnterpriseInteractions). These are URI path components, not commands, and they are specific enough that they are unlikely to appear in unrelated Graph requests.

  2. Select the Table: It reads MicrosoftGraphActivityLogs, which records every request made to the Microsoft Graph API against the tenant, including the caller (UserId, ServicePrincipalId, AppId), the source IPAddress, the RequestUri and the ResponseStatusCode. This table is only populated when Microsoft Entra diagnostic settings are configured to stream MicrosoftGraphActivityLogs to the Log Analytics workspace; if the table is empty, check that setting before assuming the query found nothing.

  3. Time Frame: It filters to activity within the last hour, which suits a scheduled analytics rule that runs hourly. Widen the window when hunting retrospectively.

  4. Parse URL: parse_url splits RequestUri into a dynamic object with Scheme, Host, Path and Query Parameters, so the match does not depend on the host name or API version prefix.

  5. Identify Suspicious Activity: has_any checks whether any of the listed segments occurs in the parsed object (in practice in its Path). Matching rows are returned as potential reads of Copilot interaction history.

Every hit is a genuine request for Copilot history, but not every hit is malicious: an administrator or an application that has been granted the relevant permission may call this endpoint legitimately. Triage on who made the call (a user token versus an application identity), where it came from, whether it succeeded (ResponseStatusCode 200 versus 401/403), and how many different users' histories were requested. One identity pulling the history of many users is the pattern that most strongly suggests bulk exfiltration.

In summary, this query detects recent Graph API requests that read Microsoft 365 Copilot interaction history, which may indicate unauthorized access to, or bulk collection of, the prompts and responses of users in the tenant.
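For triage, the following extended version of the query is an added example and is not part of the original submission. It matches on the parsed Path rather than the whole parsed object, extracts the user whose history was requested, and summarises per caller so that one identity reading many users' histories stands out. It assumes the endpoint shape copilot/users/{userId}/interactionHistory/getAllEnterpriseInteractions for the regular expression, and uses the UserId, ServicePrincipalId, AppId, IPAddress, RequestMethod and ResponseStatusCode columns of MicrosoftGraphActivityLogs.

```kql
// Added triage extension of the original query (example, not the original author's code).
// Assumes the endpoint shape /copilot/users/{userId}/interactionHistory/getAllEnterpriseInteractions.
let CopilotGraphExfilCmds = dynamic(["interactionHistory", "getAllEnterpriseInteractions"]);
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(24h)
| extend ParseData = parse_url(RequestUri)
| extend Path = tostring(ParseData.Path)
| where Path has_any (CopilotGraphExfilCmds)
// Whose history was read: the {userId} segment of the path (assumption: path shape above).
| extend TargetUserId = extract(@"/copilot/users/([^/]+)/", 1, Path)
// Who read it: a delegated call carries UserId, an app-only call carries ServicePrincipalId.
| extend Caller = iff(isempty(UserId), ServicePrincipalId, UserId)
| extend CallerType = iff(isempty(UserId), "Application", "User")
| summarize Requests = count(),
            Successful = countif(ResponseStatusCode == 200),
            Denied = countif(ResponseStatusCode in (401, 403)),
            TargetUsers = dcount(TargetUserId),
            Statuses = make_set(ResponseStatusCode),
            SourceIPs = make_set(IPAddress, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, CallerType, AppId, RequestMethod
// One caller harvesting many users' histories is the bulk-exfiltration pattern;
// a single successful read is still worth a look, repeated denials suggest probing.
| extend Severity = case(TargetUsers > 5, "High",
                         Successful > 0, "Medium",
                         "Low")
| order by TargetUsers desc, Requests desc
```

Run this over a day or more rather than an hour when hunting. The Severity thresholds are illustrative; tune TargetUsers against how many users a legitimate administrative tool in your tenant would be expected to touch, and add an allow-list on AppId once known-good callers are identified.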

Details


Steven Lim

Released: February 11, 2025

Tables

MicrosoftGraphActivityLogs

Keywords

MicrosoftGraphActivityLogs, TimeGenerated, RequestUri, ParseData, CopilotGraphExfilCmds

Operators

let, dynamic, where, extend, parse_url, has_any
