Query Details

Monitoring Microsoft 365 Copilot Web Search Queries With Defender XDR

Query

// Monitoring Microsoft 365 Copilot Web Search Queries with DefenderXDR

// What happens if your Microsoft 365 Copilot user account is compromised and used to exfiltrate data via web search queries? Can you check the queries performed through the compromised Copilot interaction?
// Microsoft has introduced web search query transparency for Microsoft 365 Copilot, allowing users to see the exact web search queries generated from their prompts. This feature enhances user understanding and prompt improvement by providing visibility into how queries are formed and used. Additionally, admins will gain capabilities for search, audit, and eDiscovery on these web queries.
// However, you don’t need to use eDiscovery. Instead, you can leverage DefenderXDR Advanced Hunting with the KQL I will share to extract all associated BingWebSearch URLs related to Copilot interactions for forensic investigation.

CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAccessResources = (CopilotData.AccessedResources)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotContexts = tostring(CopilotData.Contexts)
| extend CopilotType = tostring(CopilotData.Type)
| extend CopilotMessageIds = tostring(CopilotData.MessageIds)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin)
| where CopilotPlugin has "BingWebSearch" and RawEventData contains "http://"
// Copilot Web Search Url located in CopilotAccessResources

// MITRE ATT&CK Mapping
// Technique: Exfiltration Over Web Service (T1567)

Explanation

This query is designed to monitor Microsoft 365 Copilot web search queries using DefenderXDR. Here's a simplified summary:

  1. Purpose: The query helps detect if a Microsoft 365 Copilot user account has been compromised and used to exfiltrate data via web search queries.
  2. Feature: Microsoft 365 Copilot now provides transparency for web search queries, allowing users and admins to see the exact queries generated from user prompts. This aids in understanding and improving prompts and enables search, audit, and eDiscovery capabilities.
  3. Alternative to eDiscovery: Instead of using eDiscovery, you can use DefenderXDR Advanced Hunting with this KQL query to extract all BingWebSearch URLs related to Copilot interactions for forensic investigation.

Query Breakdown:

  • Data Source: The query looks at CloudAppEvents from the last 30 days.
  • Filter: It filters events where the action type is "CopilotInteraction".
  • Extract Data: It extracts various details from the raw event data, such as UserID, Copilot event data, accessed resources, app host, contexts, type, message IDs, thread ID, and the plugin used.
  • Specific Condition: It specifically looks for interactions involving the "BingWebSearch" plugin and where the raw event data contains "http://".

Security Mapping:

  • MITRE ATT&CK Technique: The query maps to the "Exfiltration Over Web Service" technique (T1567).

In essence, this query helps identify and investigate potential data exfiltration activities through web search queries made by Microsoft 365 Copilot, enhancing security monitoring and forensic capabilities.
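To go from the matching events to the actual search strings, the query can be extended to expand AccessedResources and project the URL and its search text. This is an added example, not part of the original query; it assumes the search URL carries the search text in a q= parameter (Bing style), which the page does not state, and it matches both http:// and https:// URLs rather than only "http://".

```kql
// Added example: pull the web search URL and search text out of each
// CopilotInteraction event with the BingWebSearch plugin, then summarize per user.
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| where tostring(CopilotData.AISystemPlugin) has "BingWebSearch"
// One row per accessed resource; the web search URL is carried in this array
| mv-expand Resource = CopilotData.AccessedResources
| extend SearchUrl = extract(@'https?://[^\s"]+', 0, tostring(Resource))
| where isnotempty(SearchUrl)
// Assumption: the search text sits in a q= parameter; empty if the URL has none
| extend SearchText = url_decode(extract(@'[?&]q=([^&#]+)', 1, SearchUrl))
// Unusually long or frequent searches from one thread are what an analyst
// triages first when checking for data leaving via search queries
| summarize SearchCount = count(),
            MaxSearchLength = max(strlen(SearchText)),
            Searches = make_set(SearchText, 50)
    by UserID, CopilotAppHost, CopilotThreadId, bin(Timestamp, 1h)
| order by MaxSearchLength desc, SearchCount desc
```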

Details


Steven Lim

Released: September 25, 2024

Tables

CloudAppEvents
