Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Copilot - File Uploads Disabled

Copilot - File Uploads Disabled

Back
Idc3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
RulenameCopilot - File Uploads Disabled
DescriptionDetects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.

This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.
SeverityHigh
TacticsDefenseEvasion
TechniquesT1562.001
Required data connectorsMicrosoftCopilot
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
Version1.0.0
Arm templatec3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8.json
Deploy To Azure
CopilotActivity
| where RecordType == "DisableCopilotPlugin"
| extend Resource = parse_json(LLMEventData).Resource[0]
| extend Property = tostring(Resource.Property)
| extend Old = tostring(Resource.OriginalValue)
| extend New = tostring(Resource.NewValue)
| where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
| project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New

entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
tactics:
- DefenseEvasion
requiredDataConnectors:
- dataTypes:
  - CopilotActivity
  connectorId: MicrosoftCopilot
id: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
severity: High
status: Available
query: |
  CopilotActivity
  | where RecordType == "DisableCopilotPlugin"
  | extend Resource = parse_json(LLMEventData).Resource[0]
  | extend Property = tostring(Resource.Property)
  | extend Old = tostring(Resource.OriginalValue)
  | extend New = tostring(Resource.NewValue)
  | where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
  | project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Copilot - File Uploads Disabled
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1562.001
description: |
  'Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.
  This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.'  
triggerOperator: gt