diff --git a/Sentinel/Hunting Malicious Copilot Agent.kql b/Sentinel/Hunting Malicious Copilot Agent.kql
index de1dd5d..70e7ea3 100644
--- a/Sentinel/Hunting Malicious Copilot Agent.kql
+++ b/Sentinel/Hunting Malicious Copilot Agent.kql
@@ -18,3 +18,7 @@ PowerPlatformAdminActivity
 | where EventOriginalType in ("BotCreate", "BotComponentCreate", "BotUpdateOperation-BotPublish")
 | where ActorName has_any(HighRiskUsers)
+
+
+
+// MITRE ATT&CK
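Review bot: The added `// MITRE ATT&CK` heading on the last line of the hunk is an empty stub, with no tactic or technique under it, so the hunting query still gives an analyst no mapping to triage or filter on. Either complete it in this commit, in a form such as `// MITRE ATT&CK: <tactic> - <technique ID and name>` with the values the author intends, or leave the heading out until the mapping is decided. The three blank lines added before it could be one. The hunk has no trailing context, so the heading appears to be the final line of the file, and the query itself starts above the hunk.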