Microsoft Defender Advanced Hunting Copilot Activities
Query
//Microsoft Defender Advanced Hunting Copilot Activities
//https://www.linkedin.com/pulse/microsoft-defender-advanced-hunting-copilot-activities-steven-lim-cudyc/
CloudAppEvents
| where ActionType == @"CopilotInteraction"
| extend UserID = tostring(RawEventData.UserId)
| extend CopilotData = todynamic(RawEventData.CopilotEventData)
| extend CopilotAccessResources = (CopilotData.AccessedResources)
| extend CopilotAppHost = tostring(CopilotData.AppHost)
| extend CopilotContexts = tostring(CopilotData.Contexts)
| extend CopilotType = tostring(CopilotData.Type)
| extend CopilotMessageIds = tostring(CopilotData.MessageIds)
| extend CopilotThreadId = tostring(CopilotData.ThreadId)
| project Timestamp, UserID, CopilotAccessResources, CopilotAppHost,
CopilotContexts, CopilotType, CopilotMessageIds, CopilotThreadId
// Copilot Interaction Data Formatted
// Insert your hunting query for copilot related activities.
//The below Defender custom KQL detection rule detects potential Copilot abuse by threat actors at regular interval.
CloudAppEvents
| where Timestamp > ago(1h)
| where IPTags has_any ("Brute force attacker", "Password spray attacker", "malicious", "Possible Hackers", "Tor")
| where ActionType == "CopilotInteraction"
//Detect token theft via AiTM phishing attack whereby token is then used to conduct copilot activities for data summarization and extraction.
let AnomalousTokenRequestId=
SecurityAlert
| where TimeGenerated > ago(30d)
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| distinct RequestId;
let CopilotClientIP=
SigninLogs
| where TimeGenerated > ago(30d)
| where AppDisplayName contains "copilot"
| distinct IPAddress;
AADUserRiskEvents
| where TimeGenerated > ago(30d)
| where RequestId has_any(AnomalousTokenRequestId)
| where IpAddress has_any(CopilotClientIP)
| project TimeGenerated, UserPrincipalName, RiskEventType, RiskLevel, DetectionTimingType, IpAddress, Location
//Detect malicious Copilot external data search via Microsoft Graph Connectors. This detection is useful when your Copilot has external plugin enabled and access external corporate data via plugin through graph connectors.
let CopilotIPs =
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(30d)
| where RequestUri contains "[email protected]"
| distinct IPAddress;
SigninLogs
| where TimeGenerated > ago(30d)
| where RiskEventTypes contains "maliciousIPAddress"
| where IPAddress has_any (CopilotIPs)
//Microsoft Defender for Cloud App added the application "Microsoft Copilot for Microsoft 365", it will be easier to threat hunt using the activity log or using advance hunting KQL.
CloudAppEvents
| where Application == "Microsoft Copilot for Microsoft 365"
//Identify token theft through AiTM phishing attacks, where stolen tokens are exploited for Copilot activities involving data summarization and extraction from a non-malicious IP. Leverage Sentinel Behavior Analytics to detect initial logins from new ISPs (potentially threat actors) and correlate this IP data with Copilot activities from CloudAppEvents.
let FirstTimeUserConnectedISPIP =
BehaviorAnalytics
| where TimeGenerated > ago(7d)
// Behaviour Analytics detecting user first time connected to a new ISP
| where tostring(ActivityInsights.FirstTimeUserConnectedViaISP) == "True"
| where ActivityType == "LogOn"
| where SourceDevice == "" // Non-corporate endpoint
| where InvestigationPriority > 0 // Suspicious Session
| project SourceIPAddress;
CloudAppEvents
| where ActionType == "CopilotInteraction"
// Correlating copilot activities from the new ISP IP
| where IPAddress has_any(FirstTimeUserConnectedISPIP)
// MITRE ATT&CK Mapping
// Initial Access
// T1078: Valid Accounts - Detecting anomalous token usage and new ISP connections can indicate compromised accounts.
// Execution
// T1059: Command and Scripting Interpreter - Copilot interactions can be seen as automated scripting activities.
// Persistence
// T1078: Valid Accounts - Persistent access through stolen tokens.
// Privilege Escalation
// T1078: Valid Accounts - Using stolen tokens to escalate privileges.
// Defense Evasion
// T1078: Valid Accounts - Using valid accounts to evade detection.
// Credential Access
// T1550: Use Alternate Authentication Material - Token theft via AiTM phishing attacks.
// Discovery
// T1083: File and Directory Discovery - Accessing resources and contexts via Copilot.
// Collection
// T1114: Email Collection - Data summarization and extraction activities.
// Command and Control
// T1071: Application Layer Protocol - Copilot interactions over application protocols.
// Exfiltration
// T1041: Exfiltration Over C2 Channel - Data extraction via Copilot activities.Explanation
This query is designed to monitor and detect potentially malicious activities involving Microsoft Copilot within a cloud environment. Here's a simplified breakdown of what each part of the query does:
-
Copilot Interaction Monitoring: The query starts by filtering cloud application events to find interactions specifically related to Microsoft Copilot. It extracts various details about these interactions, such as user IDs, accessed resources, application hosts, contexts, types, message IDs, and thread IDs.
-
Detecting Copilot Abuse: It includes a rule to detect potential abuse of Copilot by threat actors. This is done by looking for interactions from IP addresses associated with known malicious activities, such as brute force attacks or use of Tor, within the last hour.
-
Token Theft Detection: The query identifies anomalous token requests that could indicate token theft through phishing attacks. It correlates these with Copilot activities to detect if stolen tokens are being used for data summarization and extraction.
-
Malicious External Data Search: It checks for malicious searches of external data via Microsoft Graph Connectors, which could indicate unauthorized access to corporate data through Copilot.
-
Application Monitoring: The query monitors activities related to the "Microsoft Copilot for Microsoft 365" application, making it easier to track and analyze Copilot-related events.
-
ISP Connection Analysis: It identifies first-time connections from new ISPs, which could indicate suspicious activity, and correlates these with Copilot interactions to detect potential threat actors.
-
MITRE ATT&CK Mapping: The query maps various detected activities to the MITRE ATT&CK framework, identifying tactics and techniques such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, collection, command and control, and exfiltration.
Overall, this query is a comprehensive approach to detecting and analyzing potential security threats related to Microsoft Copilot activities, leveraging advanced hunting capabilities in Microsoft Defender.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators