Microsoft Sentinel Analytic Rules

Copilot - Plugin Tampering Enable and Disable Within 5 Minutes

Id: d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9
Rulename: Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes)
Description: Detects when a user enables and disables Copilot plugins within a 5-minute window. This behavior often indicates probing for security controls or living-off-Copilot techniques.

This rule identifies discovery and defense evasion activities where users rapidly toggle plugin states, potentially testing security boundaries.
Severity: Medium
Tactics: Discovery, DefenseEvasion
Techniques: T1087, T1562
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginTampering.yaml
Version: 1.0.0
Arm template: d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9.json
CopilotActivity
| where RecordType in ("EnableCopilotPlugin","DisableCopilotPlugin")
| summarize
    Actions = make_set(RecordType),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by ActorName, SrcIpAddr
| where Actions has "EnableCopilotPlugin" and Actions has "DisableCopilotPlugin"
| where LastSeen - FirstSeen < 5m
| extend AccountCustomEntity = ActorName, IPCustomEntity = SrcIpAddr
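To check what the query above actually fires on, here is an added Python re-implementation of its summarize-and-filter logic run over constructed CopilotActivity records (example code, not part of the rule or the Azure-Sentinel repository). It assumes ISO-8601 strings in TimeGenerated and the column names used by the query; the three actors, IPs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PLUGIN_TOGGLES = {"EnableCopilotPlugin", "DisableCopilotPlugin"}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # alice: enable then disable 3m30s apart from the same IP -> should alert
    {"TimeGenerated": "2024-05-01T10:00:00", "RecordType": "EnableCopilotPlugin",
     "ActorName": "alice@contoso.example", "SrcIpAddr": "203.0.113.10"},
    {"TimeGenerated": "2024-05-01T10:03:30", "RecordType": "DisableCopilotPlugin",
     "ActorName": "alice@contoso.example", "SrcIpAddr": "203.0.113.10"},
    # bob: toggles 6m apart -> outside the 5m window, no alert
    {"TimeGenerated": "2024-05-01T10:00:00", "RecordType": "EnableCopilotPlugin",
     "ActorName": "bob@contoso.example", "SrcIpAddr": "198.51.100.5"},
    {"TimeGenerated": "2024-05-01T10:06:00", "RecordType": "DisableCopilotPlugin",
     "ActorName": "bob@contoso.example", "SrcIpAddr": "198.51.100.5"},
    # carol: enable and disable from different IPs -> split into two groups, no alert
    {"TimeGenerated": "2024-05-01T10:01:00", "RecordType": "EnableCopilotPlugin",
     "ActorName": "carol@contoso.example", "SrcIpAddr": "203.0.113.20"},
    {"TimeGenerated": "2024-05-01T10:02:00", "RecordType": "DisableCopilotPlugin",
     "ActorName": "carol@contoso.example", "SrcIpAddr": "203.0.113.21"},
    # unrelated record type, dropped by the first where clause
    {"TimeGenerated": "2024-05-01T10:01:00", "RecordType": "CopilotInteraction",
     "ActorName": "alice@contoso.example", "SrcIpAddr": "203.0.113.10"},
]


def plugin_tampering(events, window=timedelta(minutes=5)):
    """Mirror the KQL: filter to plugin toggles, summarize by actor and source IP,
    keep groups that contain both toggle types within `window`."""
    groups = defaultdict(list)
    for e in events:
        if e["RecordType"] in PLUGIN_TOGGLES:           # | where RecordType in (...)
            groups[(e["ActorName"], e["SrcIpAddr"])].append(e)  # by ActorName, SrcIpAddr
    alerts = []
    for (actor, ip), evs in groups.items():
        actions = {e["RecordType"] for e in evs}        # make_set(RecordType)
        times = [datetime.fromisoformat(e["TimeGenerated"]) for e in evs]
        first_seen, last_seen = min(times), max(times)  # min/max(TimeGenerated)
        if PLUGIN_TOGGLES <= actions and last_seen - first_seen < window:
            alerts.append({"AccountCustomEntity": actor, "IPCustomEntity": ip,
                           "Actions": sorted(actions),
                           "FirstSeen": first_seen, "LastSeen": last_seen})
    return alerts


if __name__ == "__main__":
    for a in plugin_tampering(SAMPLE_EVENTS):
        print(a)
```

Note that the grouping key includes SrcIpAddr, so the same user toggling from two addresses never lands in one group, and that with a 5m query period both events must also fall inside a single scheduled run for the in-query window check to see them.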
relevantTechniques:
- T1087
- T1562
name: Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes)
queryFrequency: 5m
version: 1.0.0
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
tactics:
- Discovery
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginTampering.yaml
query: |
  CopilotActivity
  | where RecordType in ("EnableCopilotPlugin","DisableCopilotPlugin")
  | summarize
      Actions = make_set(RecordType),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by ActorName, SrcIpAddr
  | where Actions has "EnableCopilotPlugin" and Actions has "DisableCopilotPlugin"
  | where LastSeen - FirstSeen < 5m
  | extend AccountCustomEntity = ActorName, IPCustomEntity = SrcIpAddr
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryPeriod: 5m
triggerOperator: gt
id: d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9
status: Available
description: |
  'Detects when a user enables and disables Copilot plugins within a 5-minute window. This behavior often indicates probing for security controls or living-off-Copilot techniques.
  This rule identifies discovery and defense evasion activities where users rapidly toggle plugin states, potentially testing security boundaries.'