Microsoft Copilot Access To External Resources XPIA
Query
CopilotActivity
| extend LLM = parse_json(LLMEventData)
| mv-expand AccessedResources = LLM.AccessedResources
| extend XPIADetected = toboolean(AccessedResources.XPIADetected)
| extend SiteUrl = tostring(AccessedResources.SiteUrl)
| where XPIADetected == trueAbout this query
Microsoft Copilot Access to External Resources (XPIA)
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1530 | Data from Cloud Storage | https://attack.mitre.org/techniques/T1530/ |
Description
This rule detects instances where Microsoft Copilot accesses external resources, specifically identifying events where 'XPIADetected' is true. This indicates Copilot interacting with resources outside its immediate environment, which could be a security concern if the accessed resources are sensitive or untrusted.
Author <Optional>
- Name: Benjamin Zulliger
- Github: https://github.com/benscha/KQLAdvancedHunting
- LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/
Defender XDR
Explanation
This query is designed to monitor and detect when Microsoft Copilot accesses external resources, which is a potential security concern. It specifically looks for instances where the 'XPIADetected' flag is set to true, indicating that Copilot has interacted with resources outside its immediate environment. The query processes data from the CopilotActivity table, extracting and expanding the list of accessed resources. It then checks if any of these resources have the 'XPIADetected' flag set to true, and if so, it captures the URL of the accessed site. This helps identify potentially sensitive or untrusted external interactions by Microsoft Copilot.
