Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Copilot - File Uploads Disabled

Copilot - File Uploads Disabled

Back
Idc3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
RulenameCopilot - File Uploads Disabled
DescriptionDetects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.

This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsMicrosoftCopilot
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
Version1.0.0
Arm templatec3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8.json
Deploy To Azure
CopilotActivity
| where RecordType == "DisableCopilotPlugin"
| extend Resource = parse_json(LLMEventData).Resource[0]
| extend Property = tostring(Resource.Property)
| extend Old = tostring(Resource.OriginalValue)
| extend New = tostring(Resource.NewValue)
| where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
| project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New

relevantTechniques:
- T1562.001
name: Copilot - File Uploads Disabled
queryFrequency: 1h
version: 1.0.0
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
query: |
  CopilotActivity
  | where RecordType == "DisableCopilotPlugin"
  | extend Resource = parse_json(LLMEventData).Resource[0]
  | extend Property = tostring(Resource.Property)
  | extend Old = tostring(Resource.OriginalValue)
  | extend New = tostring(Resource.NewValue)
  | where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
  | project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: ActorName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
queryPeriod: 1h
triggerOperator: gt
id: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
status: Available
description: |
  'Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.
  This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.'