Microsoft 365 Copilot Studio Application Insights logging modified
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when an M365 Copilot Studio agent’s Application Insights settings are modified. This may indicate an attacker with control over this Copilot Studio agent is attempting to disable Copilot Studio conversation logging, or exfiltrate conversation logs to an Application Insights resource under their control.
Strategy
Monitor Microsoft 365 audit logs for when the @Operation field includes an BotAppInsightsUpdate event within the PowerPlatform service.
Triage and response
- Identify what settings were modified for the corresponding bot application.
- Determine if the user
{{@usr.id}} is the bot owner or is expected to modify the bot application. - If
{{@usr.id}} is not responsible for or expected to be modifying the bot application, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
