Detects when Copilot is accessed from an external IP address outside the corporate network. Such access is very dangerous if an attacker is using Copilot to enumerate data. This rule identifies potential account compromise scenarios in which valid accounts are used from unauthorized locations.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Microsoft Copilot |
| ID | f6a7b8c9-d0e1-42f3-a4b5-c6d7e8f9a0b1 |
| Severity | High |
| Tactics | InitialAccess |
| Techniques | T1078 |
| Required Connectors | MicrosoftCopilot |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| CopilotActivity | ✓ | ✗ | ? |