Splunk

M365 Copilot Non Compliant Devices Accessing M365 Copilot

Last updated 2 days ago on 2026-07-17

About

Detects M365 Copilot access from non-compliant or unmanaged devices that violate corporate security policies, indicating potential shadow IT usage, BYOD policy violations, or compromised endpoint access. The detection filters M365 Copilot Graph API events where deviceDetail.isCompliant=false or deviceDetail.isManaged=false, then aggregates by user, operating system, and browser to calculate metrics including event counts, unique IPs and locations, and compliance/management status over time. Users accessing Copilot from non-compliant or unmanaged devices are flagged and sorted by activity volume and geographic spread, enabling security teams to identify unauthorized endpoints that may lack proper security controls, encryption, or MDM enrollment.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.splunk.com/en_us/blog/artificial-intelligence/m365-copilot-log-analysis-splunk.html(external, opens in a new tab or window)
False Positives
Legitimate employees using personal devices during emergencies, new hires awaiting device provisioning, temporary workers with unmanaged equipment, or users accessing Copilot from approved but temporarily non-compliant devices may trigger false positives.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`m365_copilot_graph_api` (appDisplayName="*Copilot*" OR appDisplayName="M365ChatClient") deviceDetail.isCompliant=false OR deviceDetail.isManaged=false | eval user = userPrincipalName | stats count as events, dc(ipAddress) as unique_ips, values(ipAddress) as ip_addresses, dc(location.city) as unique_cities, values(location.city) as cities, dc(location.countryOrRegion) as unique_countries, values(location.countryOrRegion) as countries, values(deviceDetail.isCompliant) as compliance_status, values(deviceDetail.isManaged) as management_status, min(_time) as first_seen, max(_time) as last_seen BY user, deviceDetail.operatingSystem, deviceDetail.browser | eval days_active = round((last_seen - first_seen)/86400, 1) | eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S") | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S") | sort -events, -unique_countries | `m365_copilot_non_compliant_devices_accessing_m365_copilot_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).