Microsoft Sentinel Analytic Rules
cloudbrothers.info Azure Sentinel Repo

Copilot - Plugin Tampering Enable and Disable Within 5 Minutes

Id: d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9
Rulename: Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes)
Description: Detects when a user enables and disables Copilot plugins within a 5-minute window. This behavior often indicates probing for security controls or living-off-Copilot techniques.

This rule identifies discovery and defense evasion activities where users rapidly toggle plugin states, potentially testing security boundaries.
Severity: Medium
Tactics: Discovery, DefenseEvasion
Techniques: T1087, T1562
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginTampering.yaml
Version: 1.0.0
Arm template: d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9.json
CopilotActivity
| where RecordType in ("EnableCopilotPlugin","DisableCopilotPlugin")
| summarize
    Actions = make_set(RecordType),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by ActorName, SrcIpAddr
| where Actions has "EnableCopilotPlugin" and Actions has "DisableCopilotPlugin"
| where LastSeen - FirstSeen < 5m
| extend AccountCustomEntity = ActorName, IPCustomEntity = SrcIpAddr
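To exercise the rule logic without a connected workspace, the following KQL replays it over a datatable that stands in for CopilotActivity. This is an added example, not part of the rule or the Azure-Sentinel repository: the sample rows, the actor names, the IP addresses (RFC 5737 documentation ranges) and the unrelated record type CopilotInteraction are constructed for illustration. It adds a ToggleCount column to the summarize and uses set_has_element, the array-aware equivalent of the has check in the rule, so the detection can be pasted into any Log Analytics query window and run as-is.

```kql
// Constructed stand-in for the CopilotActivity table (not real telemetry).
// Only the four columns the rule touches are modelled; the record type
// CopilotInteraction is a made-up value used to show the RecordType filter.
let CopilotActivitySample = datatable(TimeGenerated: datetime, RecordType: string, ActorName: string, SrcIpAddr: string)
[
    // alice: enable then disable 2.5 minutes apart from the same IP -> expected to alert
    datetime(2024-05-01T10:00:00Z), "EnableCopilotPlugin",  "alice@contoso.com", "203.0.113.10",
    datetime(2024-05-01T10:02:30Z), "DisableCopilotPlugin", "alice@contoso.com", "203.0.113.10",
    // alice: unrelated record type in the same window -> filtered out before summarize
    datetime(2024-05-01T10:01:00Z), "CopilotInteraction",   "alice@contoso.com", "203.0.113.10",
    // bob: enable only -> no alert (both actions required)
    datetime(2024-05-01T10:00:00Z), "EnableCopilotPlugin",  "bob@contoso.com",   "198.51.100.7",
    // carol: enable and disable 14 minutes apart -> no alert (outside 5m delta)
    datetime(2024-05-01T09:50:00Z), "EnableCopilotPlugin",  "carol@contoso.com", "192.0.2.44",
    datetime(2024-05-01T10:04:00Z), "DisableCopilotPlugin", "carol@contoso.com", "192.0.2.44",
    // dave: enable from one IP, disable from another -> no alert (grouping key includes SrcIpAddr)
    datetime(2024-05-01T10:00:00Z), "EnableCopilotPlugin",  "dave@contoso.com",  "203.0.113.50",
    datetime(2024-05-01T10:01:00Z), "DisableCopilotPlugin", "dave@contoso.com",  "203.0.113.51",
];
CopilotActivitySample
// Keep only the two plugin-state events the rule cares about.
| where RecordType in ("EnableCopilotPlugin", "DisableCopilotPlugin")
// Collapse each actor/IP pair into the set of actions seen plus the time span they cover.
| summarize
    Actions     = make_set(RecordType),
    ToggleCount = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by ActorName, SrcIpAddr
// Both an enable and a disable must be present; set_has_element works on the dynamic array directly.
| where set_has_element(Actions, "EnableCopilotPlugin") and set_has_element(Actions, "DisableCopilotPlugin")
// Enable and disable must fall within five minutes of each other.
| where LastSeen - FirstSeen < 5m
| extend AccountCustomEntity = ActorName, IPCustomEntity = SrcIpAddr
| project-reorder ActorName, SrcIpAddr, ToggleCount, FirstSeen, LastSeen, Actions
```

Run against the sample, only the alice@contoso.com / 203.0.113.10 row comes back (ToggleCount 2, span 00:02:30); bob lacks a disable, carol's toggle is 14 minutes wide, and dave's two events carry different source addresses. Two points worth checking before deploying: the rule groups by ActorName and SrcIpAddr with no time binning, so the 5m delta is effectively enforced by the 5m queryPeriod, and an enable/disable pair that straddles two consecutive runs (say 10:04 and 10:06) is never seen together and never alerts. Widening queryPeriod (for example to 10m) while keeping the 5m delta closes that gap, at the cost of the same pair being returned by two overlapping runs unless alert grouping or event deduplication is configured on the rule.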
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotPluginTampering.yaml
queryPeriod: 5m
description: |
  'Detects when a user enables and disables Copilot plugins within a 5-minute window. This behavior often indicates probing for security controls or living-off-Copilot techniques.
  This rule identifies discovery and defense evasion activities where users rapidly toggle plugin states, potentially testing security boundaries.'  
triggerThreshold: 0
name: Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes)
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
kind: Scheduled
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
queryFrequency: 5m
tactics:
- Discovery
- DefenseEvasion
id: d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9
status: Available
version: 1.0.0
query: |
  CopilotActivity
  | where RecordType in ("EnableCopilotPlugin","DisableCopilotPlugin")
  | summarize
      Actions = make_set(RecordType),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by ActorName, SrcIpAddr
  | where Actions has "EnableCopilotPlugin" and Actions has "DisableCopilotPlugin"
  | where LastSeen - FirstSeen < 5m
  | extend AccountCustomEntity = ActorName, IPCustomEntity = SrcIpAddr  
severity: Medium
relevantTechniques:
- T1087
- T1562