Microsoft Sentinel Analytic Rules

Copilot - File Uploads Disabled

Id: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
Rule name: Copilot - File Uploads Disabled
Description: Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.

This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.
Severity: High
Tactics: DefenseEvasion
Techniques: T1562.001
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
Version: 1.0.0
Arm template: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8.json
Query:
CopilotActivity
| where RecordType == "DisableCopilotPlugin"
| extend Resource = parse_json(LLMEventData).Resource[0]
| extend Property = tostring(Resource.Property)
| extend Old = tostring(Resource.OriginalValue)
| extend New = tostring(Resource.NewValue)
| where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
| project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotFileUploadsDisabled.yaml
queryPeriod: 1h
description: |
  'Detects when file uploads are disabled in Copilot. Attackers often disable logging or file upload capabilities to avoid evidence collection and cover their tracks.
  This rule identifies potential data exfiltration cover-up scenarios where security controls are being disabled.'
triggerThreshold: 0
name: Copilot - File Uploads Disabled
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
kind: Scheduled
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
queryFrequency: 1h
tactics:
- DefenseEvasion
id: c3d4e5f6-a7b8-49c0-d1e2-f3a4b5c6d7e8
status: Available
version: 1.0.0
query: |
  CopilotActivity
  | where RecordType == "DisableCopilotPlugin"
  | extend Resource = parse_json(LLMEventData).Resource[0]
  | extend Property = tostring(Resource.Property)
  | extend Old = tostring(Resource.OriginalValue)
  | extend New = tostring(Resource.NewValue)
  | where Property == "FileUploads" and Old == "Enabled" and New == "Disabled"
  | project TimeGenerated, ActorName, SrcIpAddr, Property, Old, New
severity: High
relevantTechniques:
- T1562.001