Copilot - Plugin Tampering (Enable and Disable Within 5 Minutes)


Detects when a user enables and disables Copilot plugins within a 5-minute window. This behavior often indicates probing for security controls or living-off-Copilot techniques. This rule identifies discovery and defense evasion activities where users rapidly toggle plugin states, potentially testing security boundaries.

| Attribute | Value |
| --- | --- |
| Type | Analytic Rule |
| Solution | Microsoft Copilot |
| ID | d4e5f6a7-b8c9-40d1-e2f3-a4b5c6d7e8f9 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Discovery, DefenseEvasion |
| Techniques | T1087, T1562 |
| Required Connectors | MicrosoftCopilot |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
CopilotActivity ?
