Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Copilot - File Uploads Disabled

Copilot - File Uploads Disabled

Back
Idc3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
RulenameCopilot - File Uploads Disabled
DescriptionDetects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.

This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsMicrosoftCopilot
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
Version1.0.0
Arm templatec3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8.json
Deploy To Azure
CopilotActivity
| where RecordType == "DisableCopilotPlugin"
| extend Resource = parse_json(LLMEventData).Resource[0]
| extend Property = tostring(Resource.Property)
| extend Old = tostring(Resource.OriginalValue)
| extend New = tostring(Resource.NewValue)
| where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
| project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New

name: Copilot - File Uploads Disabled
query: |
  CopilotActivity
  | where RecordType == "DisableCopilotPlugin"
  | extend Resource = parse_json(LLMEventData).Resource[0]
  | extend Property = tostring(Resource.Property)
  | extend Old = tostring(Resource.OriginalValue)
  | extend New = tostring(Resource.NewValue)
  | where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
  | project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorName
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
queryPeriod: 1h
version: 1.0.0
tactics:
- DefenseEvasion
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
relevantTechniques:
- T1562.001
id: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
severity: High
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
status: Available
description: |
  'Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.
  This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.'  
queryFrequency: 1h