text code block:`m365_copilot_graph_api` (appDisplayName="*Copilot*" OR appDisplayName="M365ChatClient") deviceDetail.isCompliant=false OR deviceDetail.isManaged=false | eval user = userPrincipalName | stats count as events, dc(ipAddress) as unique_ips, values(ipAddress) as ip_addresses, dc(location.city) as unique_cities, values(location.city) as cities, dc(location.countryOrRegion) as unique_countries, values(location.countryOrRegion) as countries, values(deviceDetail.isCompliant) as compliance_status, values(deviceDetail.isManaged) as management_status, min(_time) as first_seen, max(_time) as last_seen BY user, deviceDetail.operatingSystem, deviceDetail.browser | eval days_active = round((last_seen - first_seen)/86400, 1) | eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S") | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S") | sort -events, -unique_countries | `m365_copilot_non_compliant_devices_accessing_m365_copilot_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).