Copilot - Plugin Created by Non-Admin User



Detects when a non-administrative user creates a Copilot plugin. Such a plugin can be used to inject malicious prompts, tools, or data exfiltration paths. This rule identifies potential persistence or privilege misuse scenarios in which non-administrative users create plugins that could be leveraged for malicious purposes.

| Attribute | Value |
| --- | --- |
| Type | Analytic Rule |
| Solution | Microsoft Copilot |
| ID | a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6 |
| Severity | High |
| Status | Available |
| Kind | Scheduled |
| Tactics | Persistence, PrivilegeEscalation |
| Techniques | T1546, T1098 |
| Required Connectors | MicrosoftCopilot |
| Source | View on GitHub |

Tables Used

This content item queries data from the following tables:

Table Transformations Ingestion API Lake-Only
CopilotActivity ?
