Copilot

Copilot - AI-powered coding assistant that helps developers write code more efficiently.

Detection Rules for Copilot

Provider: Zoom

Each rule is listed with its MITRE ATT&CK tactic and technique, a criticality, the investigation actions (API queries) an analyst would run, and the condition that opens an incident. Technique IDs and names have been aligned with ATT&CK (User Execution is T1204; T1203 is Exploitation for Client Execution; T1003 is OS Credential Dumping under Credential Access; T1071 Application Layer Protocol belongs to the Command and Control tactic).

Detection Rule: Suspicious Code Completion Suggestions
MITRE Tactic: Execution
MITRE Technique: User Execution (T1204)
Criticality: High
Investigation Actions (APIs): Analyze patterns of code suggestions returned by Copilot for sensitive or risky functions.
Incident Creation Criteria: Detection of a code completion that calls functions accessing sensitive data (e.g., API keys).

Detection Rule: Unusual Repository Activity
MITRE Tactic: Collection
MITRE Technique: Data from Information Repositories (T1213)
Criticality: Medium
Investigation Actions (APIs): Monitor commits to repositories integrated with Copilot.
Incident Creation Criteria: More than 5 commits within 10 minutes from a single user on critical repositories.

Detection Rule: Excessive Use of Sensitive Libraries
MITRE Tactic: Execution
MITRE Technique: Exploitation for Client Execution (T1203)
Criticality: High
Investigation Actions (APIs): Track how often libraries or functions flagged as vulnerable or sensitive appear in Copilot suggestions.
Incident Creation Criteria: Use of sensitive functions or libraries (e.g., eval, exec) in more than 3 code completions within a single session.

Detection Rule: Anomalous API Key Generation
MITRE Tactic: Credential Access
MITRE Technique: Credentials from Password Stores (T1555)
Criticality: Critical
Investigation Actions (APIs): Monitor for sudden spikes in API key generation requests made via Copilot.
Incident Creation Criteria: More than 5 API keys generated within a short timeframe by a single user (the page does not specify the window; set it to match your key-issuance baseline).

Detection Rule: Unauthorized Use of Development Tools
MITRE Tactic: Credential Access
MITRE Technique: OS Credential Dumping (T1003)
Criticality: Medium
Investigation Actions (APIs): Audit changes to tools integrated with Copilot (e.g., IDE plugins).
Incident Creation Criteria: Detection of an installation or configuration that is not on the approved tools list.

Detection Rule: Code Submissions with Hardcoded Secrets
MITRE Tactic: Exfiltration
MITRE Technique: Exfiltration Over C2 Channel (T1041)
Criticality: High
Investigation Actions (APIs): Scan submitted code for hardcoded credentials, tokens, or other sensitive information.
Incident Creation Criteria: Detection of a code submission containing hardcoded secrets or credentials.

Detection Rule: High Frequency of API Interactions
MITRE Tactic: Command and Control
MITRE Technique: Application Layer Protocol (T1071)
Criticality: Medium
Investigation Actions (APIs): Review API usage metrics for abnormal spikes in interaction with Copilot APIs.
Incident Creation Criteria: More than 50 API calls in a 5-minute window by a single user.

Detection Rule: Integration with Untrusted Third-Party Apps
MITRE Tactic: Command and Control
MITRE Technique: Application Layer Protocol (T1071)
Criticality: High
Investigation Actions (APIs): Monitor for integration attempts with untrusted or external applications.
Incident Creation Criteria: Detection of a Copilot integration with any external application not approved by IT security.
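The rules above are threshold and content checks that can be run directly over an event stream. The following Python is an added illustration, not code from the page or from any Copilot or Zoom product: it implements the sliding-window counting behind "Unusual Repository Activity" (more than 5 commits in 10 minutes on a critical repository) and "High Frequency of API Interactions" (more than 50 API calls in 5 minutes), the per-session eval/exec count behind "Excessive Use of Sensitive Libraries", and the regex scan behind "Code Submissions with Hardcoded Secrets". The event schema (ts, user, type, repo, session, code), the critical-repository list and the secret patterns are assumptions, and the event stream is constructed inline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed set of repositories the rules treat as critical.
CRITICAL_REPOS = {"payments-core"}


def make_events():
    """Constructed sample telemetry (not real data). Fields are assumptions."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    # alice: 6 commits to a critical repo within 6 minutes -> should fire
    for i in range(6):
        events.append({"ts": base + timedelta(minutes=i), "user": "alice",
                       "type": "commit", "repo": "payments-core"})
    # bob: 4 commits spread over 45 minutes -> never more than 5 in 10 minutes
    for i in range(4):
        events.append({"ts": base + timedelta(minutes=15 * i), "user": "bob",
                       "type": "commit", "repo": "payments-core"})
    # carol: 51 API calls in 200 seconds -> exceeds 50 in 5 minutes
    for i in range(51):
        events.append({"ts": base + timedelta(seconds=4 * i), "user": "carol",
                       "type": "api_call"})
    return sorted(events, key=lambda e: e["ts"])


def sliding_window_hits(events, event_type, threshold, window, pred=lambda e: True):
    """Alert once per user when more than `threshold` matching events fall
    inside any `window`-long interval. Events must be in chronological order."""
    recent = defaultdict(deque)   # user -> timestamps inside the current window
    fired, alerts = set(), []
    for e in events:
        if e["type"] != event_type or not pred(e):
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > threshold and e["user"] not in fired:
            fired.add(e["user"])
            alerts.append((e["user"], len(q), e["ts"]))
    return alerts


def detect_unusual_repo_activity(events):
    """Rule: more than 5 commits in 10 minutes by one user on a critical repo."""
    return sliding_window_hits(events, "commit", 5, timedelta(minutes=10),
                               pred=lambda e: e.get("repo") in CRITICAL_REPOS)


def detect_high_frequency_api(events):
    """Rule: more than 50 API calls in a 5-minute window by one user."""
    return sliding_window_hits(events, "api_call", 50, timedelta(minutes=5))


# Assumed secret patterns; the AWS example key is Amazon's documented placeholder.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}


def find_hardcoded_secrets(code):
    """Rule: Code Submissions with Hardcoded Secrets. Returns matching pattern names."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(code))


SENSITIVE_CALLS = re.compile(r"\b(eval|exec)\s*\(")


def sensitive_completion_hits(completions, threshold=3):
    """Rule: Excessive Use of Sensitive Libraries. Count completions per session
    that call eval()/exec(); report sessions with more than `threshold`."""
    per_session = defaultdict(int)
    for c in completions:
        if SENSITIVE_CALLS.search(c["code"]):
            per_session[c["session"]] += 1
    return {s: n for s, n in per_session.items() if n > threshold}


# Constructed sample submission and completions (not real code from any user).
SAMPLE_SUBMISSION = '''
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "sk-live-0123456789abcdef"
client = boto3.client("s3")
'''
SAMPLE_COMPLETIONS = [
    {"session": "s1", "code": "result = eval(user_input)"},
    {"session": "s1", "code": "exec(open(path).read())"},
    {"session": "s1", "code": "value = eval(expr, {}, {})"},
    {"session": "s1", "code": "exec(compile(src, '<s>', 'exec'))"},
    {"session": "s1", "code": "print('hello')"},
    {"session": "s2", "code": "eval('1+1')"},
]

if __name__ == "__main__":
    ev = make_events()
    print("repo activity:", detect_unusual_repo_activity(ev))
    print("api frequency:", detect_high_frequency_api(ev))
    print("secrets:", find_hardcoded_secrets(SAMPLE_SUBMISSION))
    print("sensitive sessions:", sensitive_completion_hits(SAMPLE_COMPLETIONS))
```

The same `sliding_window_hits` helper serves "Anomalous API Key Generation" once a window is chosen (threshold 5, event type `api_key_create`); the regex list is deliberately small and should be replaced by an organisation's own secret-scanning rules, which will also catch the false negatives this sample misses.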

APIs and Their Scopes

Each rule is listed with the API it queries and the scopes that API requires.

Suspicious Code Completion Suggestions: Copilot Code Suggestion API (read:code, read:suggestions)
Unusual Repository Activity: Repository Activity API (read:repo, read:commits)
Excessive Use of Sensitive Libraries: Code Analysis API (read:code, read:analysis)
Anomalous API Key Generation: API Key Management API (manage:apikeys)
Unauthorized Use of Development Tools: Tool Integration API (read:integrations, manage:tools)
Code Submissions with Hardcoded Secrets: Secret Scanning API (read:code, read:scanning)
High Frequency of API Interactions: API Usage Metrics API (read:usage, read:metrics)
Integration with Untrusted Third-Party Apps: Third-Party Integration API (read:integrations, manage:thirdparty)

Reports and Widgets for CISO

Each report is listed with its widgets and a description.

Security Incident Report
Widgets: Total Incidents; Incident Severity Breakdown; Incident Timeline
Description: Summary of security incidents detected related to Copilot.

Code Quality and Vulnerability Report
Widgets: Vulnerability Count; Top Vulnerable Libraries; Submission Quality Score
Description: Assessment of code submissions for vulnerabilities and risks.

User Access and Activity Report
Widgets: Active Users; Login Trends; Unauthorized Access Attempts
Description: Overview of user access patterns and activity within Copilot.

API Usage and Performance Report
Widgets: API Call Volume; Top API Users; Response Time Analysis
Description: Metrics on API interactions and performance.

Integration Audit Report
Widgets: Total Integrations; Trusted vs. Untrusted Integrations; Integration Activity Log
Description: Review of integrations with third-party tools and their security posture.

Compliance and Policy Adherence Report
Widgets: Policy Violations; Non-Compliant Submissions; Compliance Trends
Description: Assessment of adherence to coding and security policies.

API Key Usage Report
Widgets: API Key Count; Key Usage Trends; Anomalous Key Activities
Description: Summary of API key generation and usage patterns.

Secret Management Report
Widgets: Total Secrets Found; Top Offending Submissions; Secret Exposure Trends
Description: Overview of hardcoded secrets detected in code submissions.