Detects when Copilot is accessed from an external IP address outside the corporate network. This is very dangerous if an attacker is using Copilot to enumerate data. This rule identifies potential account compromise scenarios where valid accounts are being used from unauthorized locations.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Microsoft Copilot |
| ID | f6a7b8c9-d0e1-42f3-a4b5-c6d7e8f9a0b1 |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1078 |
| Required Connectors | MicrosoftCopilot |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| CopilotActivity | SrcIpAddr !startswith "10."<br>SrcIpAddr !startswith "172."<br>SrcIpAddr !startswith "192.168" | ✓ | ✗ | ✓ |