Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Copilot - File Uploads Disabled

Copilot - File Uploads Disabled

Back
Idc3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
RulenameCopilot - File Uploads Disabled
DescriptionDetects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.

This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsMicrosoftCopilot
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
Version1.0.0
Arm templatec3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8.json
Deploy To Azure
CopilotActivity
| where RecordType == "DisableCopilotPlugin"
| extend Resource = parse_json(LLMEventData).Resource[0]
| extend Property = tostring(Resource.Property)
| extend Old = tostring(Resource.OriginalValue)
| extend New = tostring(Resource.NewValue)
| where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
| project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New

entityMappings:
- fieldMappings:
  - columnName: ActorName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
version: 1.0.0
query: |
  CopilotActivity
  | where RecordType == "DisableCopilotPlugin"
  | extend Resource = parse_json(LLMEventData).Resource[0]
  | extend Property = tostring(Resource.Property)
  | extend Old = tostring(Resource.OriginalValue)
  | extend New = tostring(Resource.NewValue)
  | where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
  | project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New  
triggerThreshold: 0
relevantTechniques:
- T1562.001
queryPeriod: 1h
status: Available
severity: High
kind: Scheduled
name: Copilot - File Uploads Disabled
queryFrequency: 1h
id: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
description: |
  'Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.
  This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.'  
requiredDataConnectors:
- dataTypes:
  - CopilotActivity
  connectorId: MicrosoftCopilot