Query Details

Sentinel Analytics Rule For Copilot Studio Bot Creation Detection

Query

// Sentinel analytics rule for Copilot Studio Bot creation detection

AuditLogs
| where TimeGenerated > ago(1h)
| where Identity == "Power Virtual Agents Service"
| where OperationName == "Add application"
| where TargetResources contains "(Microsoft Copilot Studio)"

// MITRE ATT&CK Mapping

// Based on the operations and filters used in the KQL query, the following MITRE ATT&CK techniques are relevant:

// T1078: Valid Accounts - The query is looking for specific identities performing operations, which can be related to the use of valid accounts to perform actions1.
// T1098: Account Manipulation - The operation “Add application” could be associated with account manipulation activities, such as adding new applications or modifying existing ones2.
// T1566: Phishing - If the “Add application” operation is part of a broader phishing campaign to gain access to resources, this technique might be relevant3.

Explanation

This query is designed to detect the creation of a Copilot Studio Bot by monitoring audit logs. It specifically looks for actions performed by the "Power Virtual Agents Service" identity within the last hour, focusing on operations named "Add application" that involve resources related to "Microsoft Copilot Studio."

The query is associated with certain MITRE ATT&CK techniques:

  1. T1078: Valid Accounts - It checks for specific identities performing actions, which could indicate the use of legitimate accounts to carry out operations.
  2. T1098: Account Manipulation - The "Add application" operation might involve manipulating accounts, such as adding new applications or altering existing ones.
  3. T1566: Phishing - If the "Add application" action is part of a phishing campaign aimed at accessing resources, this technique could be relevant.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

AuditLogs

Keywords

AuditLogsTimeGeneratedIdentityOperationNameTargetResourcesMicrosoftCopilotStudioPowerVirtualAgentsServiceAddApplication

Operators

AuditLogs|where>ago==contains

MITRE Techniques

Actions

GitHub