Detect Copilot Plugin Installation
Query
//Detect Copilot Plugin Installation
//https://www.linkedin.com/feed/update/urn:li:activity:7176504602702356481/
CloudAppEvents
| where ActionType == "AppInstalled"
| extend AppName = tostring(RawEventData.AddOnName)
| summarize by AppName , AccountType, AccountDisplayName
| sort by AppName asc
// MITRE ATT&CK Mapping
//The query focuses on detecting application installations, which can be associated with the following MITRE ATT&CK techniques:
// T1078: Valid Accounts - Adversaries may use valid accounts to install applications as part of their operations.
// T1136: Create Account - Creating new accounts might be part of the process when installing certain applications.
// T1087: Account Discovery - Adversaries may enumerate accounts to understand which ones have the necessary permissions to install applications.
// T1203: Exploitation for Client Execution - Exploiting vulnerabilities to install applications.Explanation
This query is designed to identify when a Copilot plugin or similar application is installed within a cloud environment. It works by looking at events where an application installation action is recorded. Specifically, it filters for events where the action type is "AppInstalled" and extracts the name of the application being installed. The query then organizes the data by the application name, account type, and account display name, and sorts the results alphabetically by the application name.
Additionally, the query is linked to certain MITRE ATT&CK techniques, which are methods that adversaries might use during cyber attacks. These techniques include:
- T1078: Valid Accounts: Using legitimate accounts to install applications.
- T1136: Create Account: Creating new accounts as part of the application installation process.
- T1087: Account Discovery: Identifying accounts with the necessary permissions for installation.
- T1203: Exploitation for Client Execution: Exploiting vulnerabilities to facilitate application installation.
Overall, the query helps in monitoring and detecting potential security risks associated with application installations in a cloud environment.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators