Microsoft 365 Copilot Studio Application Insights logging modified

Goal

Detect when an M365 Copilot Studio agent’s Application Insights settings are modified. This may indicate that an attacker with control over the Copilot Studio agent is attempting to disable Copilot Studio conversation logging, or to exfiltrate conversation logs to an Application Insights resource under their control.

Strategy

Monitor Microsoft 365 audit logs for events where the @Operation field is BotAppInsightsUpdate within the PowerPlatform service.

Triage and response

  1. Identify what settings were modified for the corresponding bot application.
  2. Determine if the user {{@usr.id}} is the bot owner or is expected to modify the bot application.
  3. If {{@usr.id}} is not responsible for or expected to be modifying the bot application, investigate surrounding events for anomalous activity. If necessary, initiate your company’s incident response (IR) process.
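
The filter from the Strategy section and the ownership check from triage step 2, run over newline-delimited audit records; this is an added example, not the rule's own implementation. The field names `Workload`, `UserId`, `CreationTime` and `BotId`, the sample records, and the `EXPECTED_MODIFIERS` inventory are assumptions constructed for illustration.

```python
import json

SERVICE = "PowerPlatform"            # service named in the rule
OPERATION = "BotAppInsightsUpdate"   # operation named in the rule

# Constructed audit records. Workload, UserId, CreationTime and BotId are
# assumed field names; only the Operation field is named on this page.
SAMPLE_LOG = """\
{"CreationTime":"2025-01-10T09:14:02","Workload":"PowerPlatform","Operation":"BotAppInsightsUpdate","UserId":"owner@example.com","BotId":"bot-001"}
{"CreationTime":"2025-01-10T09:20:41","Workload":"PowerPlatform","Operation":"ExampleOtherOperation","UserId":"owner@example.com","BotId":"bot-001"}
{"CreationTime":"2025-01-10T10:02:17","Workload":"PowerPlatform","Operation":"BotAppInsightsUpdate","UserId":"Mallory@example.com","BotId":"bot-001"}
{"CreationTime":"2025-01-10T11:
{"CreationTime":"2025-01-10T11:30:00","Workload":"ExampleOtherWorkload","Operation":"BotAppInsightsUpdate","UserId":"owner@example.com","BotId":"bot-002"}
"""

# Hypothetical inventory: who is expected to modify each agent (triage step 2).
EXPECTED_MODIFIERS = {"bot-001": {"owner@example.com"}}


def find_app_insights_changes(lines, expected_modifiers):
    """Return (alerts, unparsed_count) for Application Insights setting changes."""
    alerts, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            unparsed += 1  # count it: dropped records are a detection blind spot
            continue
        if rec.get("Workload") != SERVICE or rec.get("Operation") != OPERATION:
            continue
        bot = rec.get("BotId") or "<unknown>"
        user = str(rec.get("UserId") or "").lower()  # compare case-insensitively
        alerts.append({
            "time": rec.get("CreationTime"),
            "bot": bot,
            "user": user,
            "expected": user in expected_modifiers.get(bot, set()),
        })
    return alerts, unparsed


if __name__ == "__main__":
    found, bad = find_app_insights_changes(SAMPLE_LOG.splitlines(), EXPECTED_MODIFIERS)
    for a in found:
        print("OK    " if a["expected"] else "REVIEW", a["time"], a["bot"], a["user"])
    print("unparsed records:", bad)
```

Events marked `REVIEW` are the ones that move on to triage step 3; a non-zero unparsed count means some audit records were not evaluated at all.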