Query Details

Agent Channel Distribution

Query

id: b2c3d4e5-2006-4b22-9d01-0123456789c6
name: Copilot Studio - Channel distribution and new-channel first seen
description: |
  Profiles which channels (Teams, Direct Line, web chat, custom, design)
  a Copilot Studio agent is reached on, and flags channels that appear in
  the recent window but not in the 14-day baseline. A new publishing
  channel can be an intended rollout - or an unauthorised embedding of the
  agent in a new surface.
query: |
  // Channels seen in the last day are compared against the prior 14 days
  let detectionWindow = 1d;
  let evt = AppEvents
      | where Name in ("BotMessageReceived", "BotMessageSend")
      | extend ChannelId = tostring(Properties["channelId"]);
  // Baseline: every channel seen from 14d ago up to the start of the detection window
  let baseline = evt
      | where TimeGenerated between (ago(14d) .. ago(detectionWindow))
      | distinct ChannelId;
  evt
  | where TimeGenerated > ago(detectionWindow)
  | summarize Turns = count(), Users = dcount(UserId), ClientIPs = make_set(ClientIP, 25),
              FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ChannelId
  // leftouter keeps recent channels with no baseline match; InBaseline is null for those
  | join kind=leftouter (baseline | extend InBaseline = true) on ChannelId
  | extend Status = iff(isnull(InBaseline), "NewChannel", "Known")
  | project LastSeen, FirstSeen, ChannelId, Status, Turns, Users, ClientIPs
  // "NewChannel" sorts after "Known" alphabetically, so descending order lists new channels first
  | order by Status desc, Turns desc
tactics:
  - InitialAccess
techniques:
  - T1078
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query is designed to monitor and analyze the communication channels used by a Copilot Studio agent, such as Teams, Direct Line, web chat, custom, and design channels. It identifies any new channels that have appeared recently but were not present in the previous 14-day period. This can help determine if a new channel is part of an intended rollout or if the agent has been embedded in an unauthorized platform.

Here's a breakdown of the query:

  1. Detection Window: The query focuses on events from the last day (detectionWindow = 1d).

  2. Event Filtering: It filters events related to messages received or sent by the bot (BotMessageReceived, BotMessageSend) and extracts the channel ID.

  3. Baseline Creation: It establishes a baseline by identifying distinct channels used in the 14 days prior to the detection window.

  4. Recent Activity Analysis: It analyzes events from the last day and, per channel, summarizes the number of messages (Turns), the number of distinct users (Users), and up to 25 distinct client IPs (ClientIPs). It also records the first and last time each channel was seen in the window.

  5. Channel Status: It compares recent channels with the baseline to determine if they are "NewChannel" (not in the baseline) or "Known" (in the baseline).

  6. Output: The results are ordered by channel status (new channels first) and then by number of interactions, giving a clear view of channel activity and highlighting new channels that may be unauthorized.

The query is tagged with the InitialAccess tactic and technique T1078, and it is part of a custom Sentinel-as-Code solution for monitoring AI-driven interactions in Copilot Studio.
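To validate the baseline-versus-detection-window logic before deploying the rule, the following Python mirrors the query's classification over a constructed set of AppEvents-like rows. This is an added example, not code from the page or the rule's author; the event tuples, the reference time and the function name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows (TimeGenerated, Name, channelId, UserId, ClientIP); not real telemetry.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(days=10), "BotMessageReceived", "msteams", "u1", "10.0.0.1"),
    (NOW - timedelta(days=3), "BotMessageSend", "msteams", "u2", "10.0.0.2"),
    (NOW - timedelta(hours=5), "BotMessageReceived", "msteams", "u3", "10.0.0.3"),
    (NOW - timedelta(hours=2), "BotMessageReceived", "directline", "u4", "203.0.113.7"),
    (NOW - timedelta(hours=1), "BotMessageSend", "directline", "u4", "203.0.113.7"),
    (NOW - timedelta(days=20), "BotMessageReceived", "webchat", "u5", "198.51.100.9"),  # older than baseline
    (NOW - timedelta(hours=3), "CustomEvent", "emulator", "u6", "127.0.0.1"),  # not a bot message, ignored
]


def channel_distribution(events, now, detection_window=timedelta(days=1), baseline_days=14):
    """Return one row per channel active in the detection window, new channels first.

    baseline = channels seen in [now-14d, now-1d] (KQL 'between' is inclusive);
    recent   = events with TimeGenerated > now-1d.
    """
    msgs = [e for e in events if e[1] in ("BotMessageReceived", "BotMessageSend")]
    base_start, base_end = now - timedelta(days=baseline_days), now - detection_window
    baseline = {e[2] for e in msgs if base_start <= e[0] <= base_end}
    recent = defaultdict(list)
    for e in msgs:
        if e[0] > base_end:
            recent[e[2]].append(e)
    rows = []
    for channel, evs in recent.items():
        rows.append({
            "ChannelId": channel,
            "Status": "Known" if channel in baseline else "NewChannel",
            "Turns": len(evs),
            "Users": len({e[3] for e in evs}),
            "ClientIPs": sorted({e[4] for e in evs})[:25],  # make_set(ClientIP, 25)
            "FirstSeen": min(e[0] for e in evs),
            "LastSeen": max(e[0] for e in evs),
        })
    # Sort key: NewChannel before Known, then most active first (matches the rule's intent)
    rows.sort(key=lambda r: (r["Status"] != "NewChannel", -r["Turns"]))
    return rows


if __name__ == "__main__":
    for row in channel_distribution(SAMPLE_EVENTS, NOW):
        print(row["Status"], row["ChannelId"], row["Turns"], row["Users"], row["ClientIPs"])
```

A channel seen only in the baseline (webchat above) produces no row, because the rule reports channels active in the detection window, not channels that went quiet.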

Details

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

AppEvents, ChannelId, UserId, ClientIP, TimeGenerated

Operators

let, where, in, extend, tostring, between, ago, distinct, summarize, count, dcount, make_set, min, max, by, join, kind, leftouter, iff, isnull, project, order by, asc, desc