
Summary
The rule detects access to Microsoft 365 (M365) Copilot from non-compliant or unmanaged devices, which poses a risk of unauthorized usage that may violate corporate security policies. Its main objective is to identify instances of shadow IT, BYOD violations, or compromised device usage. The rule processes events from the M365 Copilot Graph API and selects access attempts where the device is reported as non-compliant (deviceDetail.isCompliant=false) or unmanaged (deviceDetail.isManaged=false). Matching events are aggregated by user, operating system, and browser, producing metrics such as event counts, unique IP addresses, and geolocation data. This information lets security teams pinpoint unauthorized endpoints that lack sufficient security controls and could otherwise expose significant amounts of data.
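The detection logic described above, as an added illustration that is not the rule's own query or code: it applies the deviceDetail.isCompliant / deviceDetail.isManaged filter to a set of constructed sample events and aggregates the matches by user, operating system and browser with event counts, unique IP addresses and locations. The two deviceDetail flag names are the ones named in the summary; the other field names (userPrincipalName, ipAddress, location, operatingSystem, browser) are assumptions about the event schema, and the events are constructed, not real telemetry. It also handles one edge case the rule text does not spell out: an event with no device detail at all, which is usually an unregistered device and is treated as unmanaged by default.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). deviceDetail.isCompliant and
# deviceDetail.isManaged are the fields named by the rule; the remaining field
# names are assumed for illustration.
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "10.0.0.5",
     "location": {"city": "Seattle", "countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 11", "browser": "Edge",
                      "isCompliant": True, "isManaged": True}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.10",
     "location": {"city": "Lisbon", "countryOrRegion": "PT"},
     "deviceDetail": {"operatingSystem": "macOS", "browser": "Chrome",
                      "isCompliant": False, "isManaged": False}},
    {"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.11",
     "location": {"city": "Lisbon", "countryOrRegion": "PT"},
     "deviceDetail": {"operatingSystem": "macOS", "browser": "Chrome",
                      "isCompliant": False, "isManaged": True}},
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "location": {"city": "Dublin", "countryOrRegion": "IE"},
     "deviceDetail": {"operatingSystem": "iOS", "browser": "Safari",
                      "isCompliant": True, "isManaged": False}},
    # No deviceDetail at all: typically an unregistered device.
    {"userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.9"},
]


def device_is_unmanaged(event, missing_counts=True):
    """Return True when the event's device is non-compliant or unmanaged.

    With missing_counts=True (the default) an absent deviceDetail block or an
    absent flag is treated as unmanaged; with False only an explicit false
    value matches, which mirrors the rule text literally.
    """
    detail = event.get("deviceDetail")
    if not detail:
        return missing_counts
    flags = [detail.get("isCompliant"), detail.get("isManaged")]
    if None in flags and missing_counts:
        return True
    return False in flags


def aggregate_unmanaged_access(events, missing_counts=True):
    """Group matching events by (user, OS, browser) and summarise them."""
    groups = defaultdict(lambda: {"event_count": 0, "ips": set(), "locations": set()})
    for event in events:
        if not device_is_unmanaged(event, missing_counts):
            continue
        detail = event.get("deviceDetail") or {}
        key = (event.get("userPrincipalName", "unknown"),
               detail.get("operatingSystem") or "unknown",
               detail.get("browser") or "unknown")
        group = groups[key]
        group["event_count"] += 1
        if event.get("ipAddress"):
            group["ips"].add(event["ipAddress"])
        loc = event.get("location") or {}
        if loc.get("countryOrRegion"):
            group["locations"].add(f"{loc.get('city', '?')}, {loc['countryOrRegion']}")
    # Sorted lists keep the output deterministic for alerting and for tests.
    return {
        key: {"event_count": g["event_count"],
              "unique_ip_count": len(g["ips"]),
              "ips": sorted(g["ips"]),
              "locations": sorted(g["locations"])}
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for (user, os_name, browser), summary in aggregate_unmanaged_access(SAMPLE_EVENTS).items():
        print(f"{user} | {os_name} | {browser}: {summary['event_count']} event(s), "
              f"{summary['unique_ip_count']} IP(s) {summary['ips']}, {summary['locations']}")
```

Running the block as a script lists one line per user/OS/browser combination that used an unmanaged or non-compliant device; alice's fully compliant, managed session is dropped, bob's two sessions from different IPs collapse into one group with an IP count of 2, and dave's event with no device detail surfaces as an unknown device. Passing missing_counts=False to aggregate_unmanaged_access drops dave's event, which is the trade-off to make consciously when tuning this rule.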
Categories
- Cloud
- Identity Management
- Web
Data Sources
- Malware Repository
ATT&CK Techniques
- T1562
Created: 2025-09-24