Microsoft Sentinel Analytic Rules

Copilot - Plugin Created by Non-Admin User

Id: a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6
Rulename: Copilot - Plugin Created by Non-Admin User
Description: Detects when a normal user creates a Copilot plugin. This can be used to inject malicious prompts, tools, or data exfiltration paths.

This rule identifies potential persistence or privilege misuse scenarios where non-administrative users create plugins that could be leveraged for malicious purposes.
Severity: High
Tactics: Persistence, PrivilegeEscalation
Techniques: T1546, T1098
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginCreatedByNonAdmin.yaml
Version: 1.0.0
Arm template: a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6.json
Query:
CopilotActivity
| where RecordType == "CreateCopilotPlugin"
| where ActorUserType != "Admin"
| extend Data = parse_json(LLMEventData)
| extend Plugin = tostring(Data.Resource[0].Property)
| project TimeGenerated, ActorName, ActorUserId, SrcIpAddr, Plugin
Rule YAML:
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginCreatedByNonAdmin.yaml
queryPeriod: 1h
description: |
  'Detects when a normal user creates a Copilot plugin. This can be used to inject malicious prompts, tools, or data exfiltration paths.
  This rule identifies potential persistence or privilege misuse scenarios where non-administrative users create plugins that could be leveraged for malicious purposes.'
triggerThreshold: 0
name: Copilot - Plugin Created by Non-Admin User
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
kind: Scheduled
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
queryFrequency: 1h
tactics:
- Persistence
- PrivilegeEscalation
id: a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6
status: Available
version: 1.0.0
query: |
  CopilotActivity
  | where RecordType == "CreateCopilotPlugin"
  | where ActorUserType != "Admin"
  | extend Data = parse_json(LLMEventData)
  | extend Plugin = tostring(Data.Resource[0].Property)
  | project TimeGenerated, ActorName, ActorUserId, SrcIpAddr, Plugin
severity: High
relevantTechniques:
- T1546
- T1098