Query Details

Agent Connector Baseline Deviation

Query

id: b2c3d4e5-2002-4b22-9d01-0123456789c2
name: Copilot Studio - Connector usage baseline deviation
description: |
  Compares each connector / action target's call volume in the recent
  window against its own 14-day baseline and flags new or sharply spiking
  connectors. New tool targets and sudden spikes are early indicators of
  configuration drift, a newly added (possibly malicious) action, or an
  attacker driving a backend through the agent.
query: |
  let detectionWindow = 1d;
  let conn =
      AppDependencies
      | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector";
  let baseline =
      conn
      | where TimeGenerated between (ago(14d) .. ago(detectionWindow))
      | summarize BaselineCalls = count(), BaselineDays = dcount(bin(TimeGenerated, 1d)) by Target
      | extend BaselineDailyAvg = toreal(BaselineCalls) / iff(BaselineDays == 0, 1, BaselineDays);
  conn
  | where TimeGenerated > ago(detectionWindow)
  | summarize RecentCalls = count(), Connectors = make_set(Name, 10), LastSeen = max(TimeGenerated) by Target
  | join kind=leftouter baseline on Target
  | extend BaselineDailyAvg = coalesce(BaselineDailyAvg, 0.0)
  | extend Status = case(
        isnull(BaselineCalls),                       "NewConnector",
        RecentCalls >= 3 * BaselineDailyAvg and RecentCalls >= 10, "SpikingConnector",
        "Normal")
  | where Status != "Normal"
  | project LastSeen, Target, Connectors, RecentCalls, BaselineDailyAvg = round(BaselineDailyAvg, 1), Status
  | order by Status asc, RecentCalls desc
tactics:
  - Execution
  - Persistence
techniques:
  - T1059
  - T1554
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query is designed to monitor and identify unusual activity in the usage of connectors or action targets within the "Microsoft Copilot Studio" application. Here's a simplified breakdown of what the query does:

  1. Time Frame Definition: It sets a detection window of 1 day to analyze recent activity.

  2. Data Collection: It gathers data from the AppDependencies table, focusing on entries related to "Microsoft Copilot Studio" or those marked as "Connector".

  3. Baseline Calculation: It calculates a 14-day baseline for each connector or action target by counting the number of calls and determining the average daily call volume during this period.

  4. Recent Activity Analysis: It examines the call volume for the past day and summarizes the number of calls, the connectors involved, and the last time each target was seen.

  5. Comparison and Status Assignment:

    • It compares recent activity against the baseline.
    • If a connector is new (not seen in the baseline), it is labeled as "NewConnector".
    • If a connector's recent call volume is at least three times the baseline average and has at least 10 calls, it is labeled as "SpikingConnector".
    • Otherwise, it is considered "Normal".

  6. Filtering and Output: It filters out "Normal" connectors and presents the results, showing details like the last seen time, target, connectors involved, recent call volume, baseline average, and status.

  7. Purpose: The query helps identify new or sharply increasing connector usage, which could indicate configuration changes, new actions (potentially malicious), or unauthorized access attempts.

  8. Security Context: It aligns with security tactics and techniques related to execution and persistence, specifically referencing techniques T1059 (Command and Scripting Interpreter) and T1554 (Compromise Client Software Binary).

  9. Tags: It is tagged for use with Sentinel-As-Code, custom monitoring, and AI-related activities within Copilot Studio.
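To make the threshold logic of the query concrete, the following Python mirrors its baseline-versus-recent comparison over a constructed set of AppDependencies-like records; this is an added illustration, not part of the original query or of the Sentinel-As-Code project, and the record set, targets, names and the reference time are all invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time (stands in for now() in the KQL).
NOW = datetime(2026, 6, 8, 12, tzinfo=timezone.utc)

def make_records():
    """Constructed (TimeGenerated, Target, Name) rows; four targets, four outcomes."""
    recs = []
    # crm-api: 4 calls/day in the baseline, 5 calls today -> Normal.
    for d in range(1, 14):
        recs += [(NOW - timedelta(days=d, hours=h), "crm-api", "CRM.GetAccount") for h in range(4)]
    recs += [(NOW - timedelta(hours=h), "crm-api", "CRM.GetAccount") for h in range(5)]
    # mail-api: 2 calls/day in the baseline, 12 today -> >= 3x avg and >= 10 -> SpikingConnector.
    for d in range(1, 14):
        recs += [(NOW - timedelta(days=d, hours=h), "mail-api", "Mail.Send") for h in range(2)]
    recs += [(NOW - timedelta(minutes=m), "mail-api", "Mail.Send") for m in range(12)]
    # ext-webhook: never seen in the baseline, a single call today -> NewConnector (no volume floor).
    recs.append((NOW - timedelta(minutes=3), "ext-webhook", "HTTP.Post"))
    # sql-api: 1 call/day in the baseline, 6 today -> 6x avg but below the 10-call floor -> Normal.
    for d in range(1, 14):
        recs.append((NOW - timedelta(days=d), "sql-api", "SQL.Query"))
    recs += [(NOW - timedelta(minutes=m), "sql-api", "SQL.Query") for m in range(6)]
    return recs

def baseline_deviation(records, now=NOW, detection_window=timedelta(days=1), baseline_span=timedelta(days=14)):
    """Per-Target baseline (ago(14d)..ago(1d), inclusive) vs. recent window (> ago(1d)), as in the KQL."""
    base_calls = defaultdict(int)
    base_days = defaultdict(set)
    recent_calls = defaultdict(int)
    names = defaultdict(set)
    for ts, target, name in records:
        if now - baseline_span <= ts <= now - detection_window:
            base_calls[target] += 1
            base_days[target].add(ts.date())     # dcount(bin(TimeGenerated, 1d))
        elif ts > now - detection_window:
            recent_calls[target] += 1
            names[target].add(name)              # make_set(Name)
    findings = {}
    for target, recent in recent_calls.items():  # leftouter join: recent side drives the output
        if target not in base_calls:
            status, avg = "NewConnector", 0.0    # isnull(BaselineCalls)
        else:
            avg = base_calls[target] / max(len(base_days[target]), 1)
            status = "SpikingConnector" if recent >= 3 * avg and recent >= 10 else "Normal"
        if status != "Normal":
            findings[target] = (status, recent, round(avg, 1), sorted(names[target]))
    return findings
```

The sql-api case shows why the 10-call floor matters: a sixfold rise on a one-call-per-day baseline would otherwise fire on noise.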

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies, Microsoft Copilot Studio, Connector, Action Target, Configuration, Agent

Operators

let, where, or, between, summarize, by, extend, toreal, iff, bin, count, dcount, ago, make_set, max, join, kind, on, coalesce, case, isnull, and, project, round, order by, asc, desc