Query Details

Sentinel Analytics Rule For Copilot Studio Bot Creation Detection

Query

// Sentinel analytics rule for Copilot Studio Bot creation detection
// ago(1h) returns a datetime, so it can be compared with TimeGenerated (a bare timespan cannot)

AuditLogs
| where TimeGenerated > ago(1h)
| where Identity == "Power Virtual Agents Service"
| where OperationName == "Add application"
| where TargetResources contains "(Microsoft Copilot Studio)"

Explanation

This query is designed to detect the creation of a Copilot Studio bot within the last hour. Here's a simple breakdown:

  1. AuditLogs: It starts from the Microsoft Entra ID audit logs table ingested into Sentinel.
  2. TimeGenerated > ago(1h): It keeps only events generated in the past hour. ago(1h) evaluates to a datetime; the bare timespan (1h) cannot be compared with TimeGenerated and the query would not compile.
  3. Identity == "Power Virtual Agents Service": It narrows the results to actions performed by the "Power Virtual Agents Service" service principal. Power Virtual Agents is the former name of Copilot Studio, and the service identity in the audit log still carries it.
  4. OperationName == "Add application": It looks for events where an application was registered in the tenant.
  5. TargetResources contains "(Microsoft Copilot Studio)": Finally, it checks that the target resource, the app registration created for the bot, carries "(Microsoft Copilot Studio)" in its display name. contains is case-insensitive and, on a dynamic column such as TargetResources, matches against the whole JSON value; use contains_cs if an exact-case match is required.

In summary, this query identifies any instances in the last hour where the Power Virtual Agents Service added an application for Microsoft Copilot Studio, which corresponds to a new bot being created in the tenant. Because the action is performed by a first-party service identity rather than the user who built the bot, analysts should pivot on the surrounding audit events to establish who created it and whether it was authorized.
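To see the rule's logic outside a Sentinel workspace, the following Python re-implements the same four filters and runs them over a handful of constructed AuditLogs-shaped records. This is an added example, not code from the original page or from the rule's author; the record fields mirror the AuditLogs columns the KQL references, while the sample rows, the fixed reference time NOW and the helper names (ago, kql_contains, detect_copilot_studio_bot_creation, matched_bot_names) are assumptions made for illustration. It goes slightly beyond the page by showing why the time filter must be a datetime and that contains ignores case.

```python
"""Added example (not part of the original page): the rule's four filters
re-implemented in Python and run over constructed AuditLogs-shaped rows,
so the matching logic can be checked offline without a Sentinel workspace.
The record fields mirror the AuditLogs columns the KQL uses; the rows, the
fixed reference time and the function names are assumptions."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Fixed "now" so the one-hour window is deterministic (assumption).
NOW = datetime(2024, 8, 16, 12, 0, tzinfo=timezone.utc)


def ago(span: timedelta, now: datetime = NOW) -> datetime:
    """Equivalent of KQL ago(): returns a datetime, which is what the
    comparison against TimeGenerated needs (a bare timespan would not do)."""
    return now - span


def kql_contains(value: object, needle: str) -> bool:
    """Mimic KQL `contains`: case-insensitive substring match. On a dynamic
    column such as TargetResources the whole JSON text is searched."""
    text = value if isinstance(value, str) else json.dumps(value)
    return needle.lower() in text.lower()


def detect_copilot_studio_bot_creation(rows: list[dict], now: datetime = NOW) -> list[dict]:
    """Apply the rule's filters in the same order as the KQL pipeline."""
    window_start = ago(timedelta(hours=1), now)
    return [
        row for row in rows
        if row["TimeGenerated"] > window_start
        and row["Identity"] == "Power Virtual Agents Service"
        and row["OperationName"] == "Add application"
        and kql_contains(row["TargetResources"], "(Microsoft Copilot Studio)")
    ]


def _row(minutes_ago: int, identity: str, operation: str, display_name: str) -> dict:
    """Build one constructed AuditLogs-like record (sample data, not real)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "Identity": identity,
        "OperationName": operation,
        "TargetResources": [{"displayName": display_name, "type": "Application"}],
    }


SAMPLE_ROWS = [
    # Should fire: recent, right service identity, app added for a bot.
    _row(5, "Power Virtual Agents Service", "Add application",
         "Sales Helper (Microsoft Copilot Studio)"),
    # Should also fire: KQL `contains` ignores case in the display name.
    _row(20, "Power Virtual Agents Service", "Add application",
         "HR Assistant (microsoft copilot studio)"),
    # Outside the one-hour window: dropped by the TimeGenerated filter.
    _row(180, "Power Virtual Agents Service", "Add application",
         "Old Bot (Microsoft Copilot Studio)"),
    # Same service principal but not an application creation.
    _row(10, "Power Virtual Agents Service", "Update application",
         "Sales Helper (Microsoft Copilot Studio)"),
    # A human admin registering an unrelated app: wrong identity and name.
    _row(2, "admin@contoso.example", "Add application",
         "Internal Reporting API"),
]


def matched_bot_names(rows: list[dict] = SAMPLE_ROWS, now: datetime = NOW) -> list[str]:
    """Display names of the app registrations the rule would alert on."""
    return [
        row["TargetResources"][0]["displayName"]
        for row in detect_copilot_studio_bot_creation(rows, now)
    ]


if __name__ == "__main__":
    for name in matched_bot_names():
        print("Copilot Studio bot creation detected:", name)
```

Of the five constructed rows only the first two survive all four filters; the stale event, the "Update application" event and the human-initiated registration are each dropped by exactly one clause, which is a quick way to confirm the rule is neither broader nor narrower than intended before scheduling it in Sentinel.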

Details


Steven Lim

Released: August 16, 2024

Tables

AuditLogs

Keywords

Sentinel, AuditLogs, TimeGenerated, Identity, OperationName, TargetResources, Power Virtual Agents Service, Microsoft Copilot Studio

Operators

>, ==, contains
