Skip to main content
  • EN
Question

Detection of DLP post in Windows 11 / Copilot

  • 20 June 2024
  • 6 replies
  • 137 views

Has anyone been successful in making the DLP work while using preview Copilot in the Windows 11? I don’t see the traffic alerts/page events in the SkopeIT. My assumption is it is using msedgewebview2.exe websocket which means Netskope is not capable of doing MiM inspection?

 

Thanks.

6 replies

K
Badge

This is also something I’ve been looking to understand as well. @11qwerty22, are you getting any DLP detects when using Copilot? I have not had any luck, and recently stumbled on the fact that WSS might be the reason.

I’ve opened a support case in hopes they can clarify, but curious on others experiences.

1

I opened a tech support case, my deployment engineer got back to me to confirm that MS Copilot uses Websocket as I suspected. No DLP alerts are working for me at the moment.

 

In order to detect activities, a feature flag for Websocket will need to be enabled on my tenant (global setting). I haven’t had a chance to play around with it, but I assume it will work the same way as MS Teams.

Besides MS Copilot, the feature flag will enable Slack, MS Onedrive and Bing activities.

K
Badge

@11qwerty22 hey thanks for the follow up and good to know there is a likely positive direction for this. Why this isn’t turned on by default is beyond me. We recently discovered that HTTP2 is a flag that is not enabled by default either. Quite annoying.

1

Update: Copilot (preview) for Enterprise comes with 2 versions: ‘web’ and ‘work’. The web DLP works since it uses Bing. The work one is a different story. No DLP detections work for this one. I have a pending case reviewing the issue.

Rohit_Bhaskar
Rank
Userlevel 4
Badge +17

Hi @k4zi & @11qwerty22 ,

 

Our team has published and article on Microsoft Copilot

I hope this helps

Thank you

Best Wishes, Rohit Bhaskar
1

Rohit, thanks for the link.

If Copilot uses Websockets and I have a global Websockets drop policy per your company’s best practices guide, which domain(s) I need to add to the exception list for Enterprise Copilot (preview) to work with DLP in Win11? 

For ex., I have the following:

for teams, *.teams.microsoft.com

for Bing/Copilot, substrate.office.com and sydney.bing.com

I added copilot.microsoft.com to the exception list, now the SkopeIT Page events show that I browsed to the application ‘MS Copilot’. I have a coaching message about Generative AI for Browse/Login, which works. However, none of the DLP rules work for enterprise/Work version of the Copilot. The activity as ‘Post’ doesn’t get detected.

Checking the session in Developer Tools, I noticed augloop.svc.cloud.microsoft also uses WSS. I added it as well. Same result. 

 

Appreciate any advice!

Reply


Terms & ConditionsCookie settings