Query Details

Copilot Studio - Connector usage baseline deviation

Agent Connector Baseline Deviation

Query

let detectionWindow = 1d;
let conn =
    AppDependencies
    | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector";
let baseline =
    conn
    | where TimeGenerated between (ago(14d) .. ago(detectionWindow))
    | summarize BaselineCalls = count(), BaselineDays = dcount(bin(TimeGenerated, 1d)) by Target
    | extend BaselineDailyAvg = toreal(BaselineCalls) / iff(BaselineDays == 0, 1, BaselineDays);
conn
| where TimeGenerated > ago(detectionWindow)
| summarize RecentCalls = count(), Connectors = make_set(Name, 10), LastSeen = max(TimeGenerated) by Target
| join kind=leftouter baseline on Target
| extend BaselineDailyAvg = coalesce(BaselineDailyAvg, 0.0)
| extend Status = case(
      isnull(BaselineCalls),                       "NewConnector",
      RecentCalls >= 3 * BaselineDailyAvg and RecentCalls >= 10, "SpikingConnector",
      "Normal")
| where Status != "Normal"
| project LastSeen, Target, Connectors, RecentCalls, BaselineDailyAvg = round(BaselineDailyAvg, 1), Status
| order by Status asc, RecentCalls desc

Explanation

This query is designed to monitor and identify unusual activity in the usage of connectors or action targets within the "Microsoft Copilot Studio" application. Here's a simplified breakdown of what the query does:

  1. Time Frame Definition: It sets a detection window of 1 day to analyze recent activity.

  2. Data Collection: It gathers data from the AppDependencies table, focusing on entries related to "Microsoft Copilot Studio" or those marked as "Connector".

  3. Baseline Calculation: It calculates a 14-day baseline for each connector or action target by counting the number of calls and determining the average daily call volume during this period.

  4. Recent Activity Analysis: It examines the call volume for the past day and summarizes the number of calls, the connectors involved, and the last time each target was seen.

  5. Comparison and Status Assignment:

    • It compares recent activity against the baseline.
    • If a connector is new (not seen in the baseline), it is labeled as "NewConnector".
    • If a connector's recent call volume is at least three times the baseline average and has at least 10 calls, it is labeled as "SpikingConnector".
    • Otherwise, it is considered "Normal".
  6. Filtering and Output: It filters out "Normal" connectors and presents the results, showing details like the last seen time, target, connectors involved, recent call volume, baseline average, and status.

  7. Purpose: The query helps identify new or sharply increasing connector usage, which could indicate configuration changes, new actions (potentially malicious), or unauthorized access attempts.

  8. Security Context: It aligns with security tactics and techniques related to execution and persistence, specifically referencing techniques T1059 (Command and Scripting Interpreter) and T1554 (Compromise Client Software Binary).

  9. Tags: It is tagged for use with Sentinel-As-Code, custom monitoring, and AI-related activities within Copilot Studio.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesMicrosoftCopilotStudioConnectorActionTargetConfigurationAgent

Operators

letwhereorbetweensummarizebyextendtorealiffbincountdcountagomake_setmaxjoinkindoncoalescecaseisnullandprojectroundorder byascdesc

Tactics

ExecutionPersistence

MITRE Techniques

Actions

GitHub