Microsoft 365 Copilot Studio Application Insights logging modified
Goal
Detect when an M365 Copilot Studio agent’s Application Insights settings are modified. This may indicate an attacker with control over this Copilot Studio agent is attempting to disable Copilot Studio conversation logging, or exfiltrate conversation logs to an Application Insights resource under their control.
Strategy
Monitor Microsoft 365 audit logs for when the @Operation field includes a BotAppInsightsUpdate event within the PowerPlatform service.
Triage and response
- Identify what settings were modified for the corresponding bot application.
- Determine if the user {{@usr.id}} is the bot owner or is expected to modify the bot application.
- If {{@usr.id}} is not responsible for or expected to be modifying the bot application, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
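
The strategy and the first two triage steps above, sketched as an added example (not the rule's own definition or code from this page) for exported audit records in JSON Lines form. It assumes the PowerPlatform service corresponds to the audit record's `Workload` field; `BotId`, the `EXPECTED_MODIFIERS` allowlist and all sample values are constructed for illustration.

```python
import json

# Constructed sample export, one JSON record per line. "Operation", "Workload"
# and "UserId" are Microsoft 365 audit common-schema fields; "BotId" is a
# hypothetical field name standing in for the agent identifier.
SAMPLE_EVENTS = """\
{"CreationTime":"2025-01-10T09:12:03","Operation":"BotAppInsightsUpdate","Workload":"PowerPlatform","UserId":"Owner@Example.com","BotId":"bot-001"}
{"CreationTime":"2025-01-10T09:13:10","Operation":"FileAccessed","Workload":"SharePoint","UserId":"owner@example.com"}
not json
{"CreationTime":"2025-01-10T23:47:55","Operation":"BotAppInsightsUpdate","Workload":"PowerPlatform","UserId":"other@example.com","BotId":"bot-001"}
"""

# Hypothetical allowlist: who is expected to modify each agent (lowercase).
EXPECTED_MODIFIERS = {"bot-001": {"owner@example.com"}}


def triage(jsonl, expected_modifiers):
    """Return one finding per Application Insights settings change."""
    findings = []
    for raw in jsonl.splitlines():
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it, keep processing
        if not isinstance(event, dict):
            continue
        if event.get("Workload") != "PowerPlatform":
            continue
        if "BotAppInsightsUpdate" not in str(event.get("Operation", "")):
            continue
        user = str(event.get("UserId", "")).lower()  # compare case-insensitively
        bot = event.get("BotId", "unknown")
        findings.append({
            "time": event.get("CreationTime"),
            "bot": bot,
            "user": user,
            # False means: investigate surrounding events for this user.
            "expected": user in expected_modifiers.get(bot, set()),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, EXPECTED_MODIFIERS):
        print(finding)
```
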