Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

Copilot - Plugin Created by Non-Admin User

Id: a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6
Rulename: Copilot - Plugin Created by Non-Admin User
Description: Detects when a non-administrative user creates a Copilot plugin. A plugin created this way can be used to inject malicious prompts, tools, or data exfiltration paths.

This rule identifies potential persistence or privilege misuse scenarios where non-administrative users create plugins that could be leveraged for malicious purposes.
Severity: High
Tactics: Persistence, PrivilegeEscalation
Techniques: T1546 (Event Triggered Execution), T1098 (Account Manipulation)
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginCreatedByNonAdmin.yaml
Version: 1.0.0
Arm template: a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6.json
CopilotActivity
// keep only plugin-creation audit records
| where RecordType == "CreateCopilotPlugin"
// drop events performed by administrators; every other actor type stays in scope
| where ActorUserType != "Admin"
// LLMEventData is a JSON string; take the first resource's Property as the plugin name
// (tostring() of a missing path is "", so malformed payloads still produce a row)
| extend Data = parse_json(LLMEventData)
| extend Plugin = tostring(Data.Resource[0].Property)
| project TimeGenerated, ActorName, ActorUserId, SrcIpAddr, Plugin
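The pipeline above, re-implemented offline in Python and run over a handful of constructed CopilotActivity rows, as an added example that is not part of the rule or of the Azure-Sentinel repository. Column names follow the query; the users, GUIDs, IP addresses, plugin names and the `LLMEventData` payload shape are invented for the sample, and the KQL `parse_json`/`tostring` null behaviour is approximated by `extract_plugin` and `kql_tostring`. It also applies the rule's trigger (`gt` 0) to the result set, which the query itself does not express.

```python
"""Offline re-implementation of the rule's KQL over constructed CopilotActivity rows."""
import json
from typing import Any

# Constructed sample rows shaped like the CopilotActivity columns the rule reads.
# Names, GUIDs, IPs and plugin names are invented for this example.
SAMPLE_ROWS = [
    {  # admin creating a plugin: excluded by ActorUserType != "Admin"
        "TimeGenerated": "2024-06-01T08:00:00Z", "RecordType": "CreateCopilotPlugin",
        "ActorUserType": "Admin", "ActorName": "it-admin@contoso.example",
        "ActorUserId": "00000000-0000-0000-0000-000000000001", "SrcIpAddr": "203.0.113.10",
        "LLMEventData": json.dumps({"Resource": [{"Property": "ExpenseApprovalPlugin"}]}),
    },
    {  # regular user creating a plugin: the case the rule exists for
        "TimeGenerated": "2024-06-01T08:05:00Z", "RecordType": "CreateCopilotPlugin",
        "ActorUserType": "Regular", "ActorName": "j.doe@contoso.example",
        "ActorUserId": "00000000-0000-0000-0000-000000000002", "SrcIpAddr": "198.51.100.7",
        "LLMEventData": json.dumps({"Resource": [{"Property": "DataSyncHelper"}]}),
    },
    {  # regular user, but a different RecordType: excluded
        "TimeGenerated": "2024-06-01T08:07:00Z", "RecordType": "CopilotInteraction",
        "ActorUserType": "Regular", "ActorName": "j.doe@contoso.example",
        "ActorUserId": "00000000-0000-0000-0000-000000000002", "SrcIpAddr": "198.51.100.7",
        "LLMEventData": json.dumps({"Resource": [{"Property": "DataSyncHelper"}]}),
    },
    {  # regular user whose LLMEventData is not JSON: still fires, Plugin is ""
        "TimeGenerated": "2024-06-01T08:09:00Z", "RecordType": "CreateCopilotPlugin",
        "ActorUserType": "Regular", "ActorName": "m.lee@contoso.example",
        "ActorUserId": "00000000-0000-0000-0000-000000000003", "SrcIpAddr": "192.0.2.44",
        "LLMEventData": "<<not json>>",
    },
]


def kql_tostring(value: Any) -> str:
    """Approximate KQL tostring() on a dynamic value: null -> "", objects -> JSON text."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (dict, list)):
        return json.dumps(value, separators=(",", ":"))
    return str(value)


def extract_plugin(llm_event_data: str) -> str:
    """Mirror `extend Plugin = tostring(parse_json(LLMEventData).Resource[0].Property)`.

    parse_json() on malformed input yields a dynamic holding the raw string; a path
    lookup on that (or on a missing/empty Resource array) is null, and tostring(null)
    is "", so the row is kept with an empty Plugin rather than dropped.
    """
    try:
        data = json.loads(llm_event_data)
    except (TypeError, ValueError):
        return ""
    try:
        value = data["Resource"][0]["Property"]
    except (KeyError, IndexError, TypeError):
        return ""
    return kql_tostring(value)


def detect_non_admin_plugin_creation(rows: list[dict]) -> list[dict]:
    """Apply the rule's where/extend/project pipeline to a list of rows."""
    hits = []
    for row in rows:
        if row.get("RecordType") != "CreateCopilotPlugin":
            continue
        # The rule relies on ActorUserType carrying the literal string "Admin";
        # confirm that against your own tenant's data before trusting the exclusion.
        if row.get("ActorUserType") == "Admin":
            continue
        hits.append({
            "TimeGenerated": row.get("TimeGenerated", ""),
            "ActorName": row.get("ActorName", ""),
            "ActorUserId": row.get("ActorUserId", ""),
            "SrcIpAddr": row.get("SrcIpAddr", ""),
            "Plugin": extract_plugin(row.get("LLMEventData", "")),
        })
    return hits


def should_alert(hits: list[dict], threshold: int = 0) -> bool:
    """triggerOperator gt / triggerThreshold 0: fire when the result count exceeds 0."""
    return len(hits) > threshold


if __name__ == "__main__":
    results = detect_non_admin_plugin_creation(SAMPLE_ROWS)
    for hit in results:
        print(hit)
    print("alert:", should_alert(results))
```

Two things worth noticing when tuning the rule: the admin exclusion is a plain string comparison, so a value other than the literal `Admin` (or an empty `ActorUserType`) passes the filter and fires; and a row whose `LLMEventData` cannot be parsed still fires with an empty `Plugin`, which is the safer default for a high-severity rule but means the analyst may have to open the raw event to see what was created.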
relevantTechniques:
- T1546
- T1098
name: Copilot - Plugin Created by Non-Admin User
queryFrequency: 1h
version: 1.0.0
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
tactics:
- Persistence
- PrivilegeEscalation
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginCreatedByNonAdmin.yaml
query: |
  CopilotActivity
  | where RecordType == "CreateCopilotPlugin"
  | where ActorUserType != "Admin"
  | extend Data = parse_json(LLMEventData)
  | extend Plugin = tostring(Data.Resource[0].Property)
  | project TimeGenerated, ActorName, ActorUserId, SrcIpAddr, Plugin  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: ActorName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
queryPeriod: 1h
triggerOperator: gt
id: a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6
status: Available
description: |
  'Detects when a normal user creates a Copilot plugin. This can be used to inject malicious prompts, tools, or data exfiltration paths.
  This rule identifies potential persistence or privilege misuse scenarios where non-administrative users create plugins that could be leveraged for malicious purposes.'