Query Details

Agent Connector Error Storm

Query

id: b2c3d4e5-2003-4b22-9d01-0123456789c3
name: Copilot Studio - Connector error storm by conversation
description: |
  Surfaces conversations and connector targets with a high rate of failed
  calls (Success == false), broken down by result code. Useful to triage
  backend enumeration, permission probing, throttling, or an action stuck
  in a retry loop. Lower threshold than the analytic rule for proactive
  review.
query: |
  let lookback = 1d;
  AppDependencies
  | where TimeGenerated > ago(lookback)
  | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
  | extend ConvId = tostring(Properties["conversationId"]),
           ChannelId = tostring(Properties["channelId"])
  | summarize
        Total     = count(),
        Failures  = countif(Success == false),
        ResultCodes = make_set(ResultCode, 25),
        Targets   = make_set(Target, 25),
        FirstSeen = min(TimeGenerated),
        LastSeen  = max(TimeGenerated)
      by ConvId, ChannelId, Name
  | extend FailureRate = round(100.0 * Failures / iff(Total == 0, 1, Total), 1)
  | where Failures >= 5
  | order by Failures desc
tactics:
  - Discovery
  - Impact
techniques:
  - T1190
  - T1499
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query identifies conversations and connector targets in Microsoft Copilot Studio that have a high rate of failed calls. It looks at data from the past day, counts the calls where Success is false, and breaks the failures down by result code. It is useful for triaging backend enumeration, permission probing, throttling, or an action stuck in a retry loop. Its threshold is lower than the analytic rule's, so it is intended for proactive review.

Here's a simplified breakdown of what the query does:

  1. Time Frame: It examines data from the last day (lookback = 1d).
  2. Data Source: It filters data from AppDependencies where the application role is "Microsoft Copilot Studio" or the dependency type is "Connector".
  3. Data Extraction: It extracts conversation and channel IDs from the properties.
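  4. Data Aggregation: It groups the data by conversation ID, channel ID, and dependency name (ConvId, ChannelId, Name). For each group it counts total calls and failed calls, collects up to 25 unique result codes and up to 25 unique targets, and records the first and last time the group was seen.
  5. Failure Rate Calculation: It calculates the failure rate as a percentage of total calls, rounded to one decimal place. The rate is reported for context only; it is not used in the filter.
  6. Filtering: It only includes groups with at least 5 failures.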
  7. Sorting: It orders the results by the number of failures in descending order.

The query is tagged with the Discovery and Impact tactics and the techniques T1190 and T1499, and it carries the tags Sentinel-As-Code, Custom, CopilotStudio, and AI.
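A follow-up triage step for the groups this query surfaces, added here as an example and not part of the original query or its author's content: it labels each failing group with the most likely of the four causes named in the description. It assumes ResultCode carries HTTP-style status strings; the `SampleDeps` rows, the `api.example` targets, the `Hypothesis` labels and the 50% cut-offs are all constructed for illustration.

```kql
// Added example. Constructed rows, not real telemetry.
// Assumption: ResultCode holds HTTP-style status strings ("401", "429", ...).
let t0 = datetime(2026-06-08 10:00:00);
let SampleDeps = union
    // conv-A: many different targets, all not found
    (range i from 1 to 6 step 1 | project TimeGenerated = t0 + i * 1m, ConvId = "conv-A", Name = "GetItem",
        Target = strcat("api.example/items/", tostring(i)), ResultCode = "404", Success = false),
    // conv-B: one target answering "too many requests"
    (range i from 1 to 8 step 1 | project TimeGenerated = t0 + i * 1m, ConvId = "conv-B", Name = "PostOrder",
        Target = "api.example/orders", ResultCode = "429", Success = false),
    // conv-C: one target alternating 401 / 403
    (range i from 1 to 6 step 1 | project TimeGenerated = t0 + i * 1m, ConvId = "conv-C", Name = "GetReport",
        Target = "api.example/reports", ResultCode = iff(i % 2 == 0, "401", "403"), Success = false),
    // conv-D: same target, same code, tight cadence
    (range i from 1 to 7 step 1 | project TimeGenerated = t0 + i * 10s, ConvId = "conv-D", Name = "SyncTicket",
        Target = "api.example/tickets", ResultCode = "500", Success = false),
    // conv-E: healthy traffic, must not appear in the output
    (range i from 1 to 9 step 1 | project TimeGenerated = t0 + i * 1m, ConvId = "conv-E", Name = "GetItem",
        Target = "api.example/items/1", ResultCode = "200", Success = true);
SampleDeps
| where Success == false
| summarize
        Failures        = count(),
        DistinctTargets = dcount(Target),
        Codes           = make_set(ResultCode, 25),
        AuthDenied      = countif(ResultCode in ("401", "403")),
        Throttled       = countif(ResultCode == "429"),
        FirstSeen       = min(TimeGenerated),
        LastSeen        = max(TimeGenerated)
      by ConvId, Name
| where Failures >= 5                       // same floor as the hunting query
| extend Hypothesis = case(
        AuthDenied * 2 >= Failures,      "permission probing",
        Throttled * 2 >= Failures,       "throttling",
        DistinctTargets * 2 >= Failures, "backend enumeration",
        DistinctTargets == 1 and array_length(Codes) == 1, "retry loop",
        "mixed - review manually")          // illustrative cut-offs, tune per environment
| project ConvId, Name, Failures, DistinctTargets, Codes, FirstSeen, LastSeen, Hypothesis
| order by Failures desc
```

To run it against a workspace, replace `SampleDeps` with the filtered `AppDependencies` rows from the query above, keeping the `ConvId` extraction.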

Details


David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies

Operators

let, |, where, or, extend, tostring, summarize, count, countif, make_set, min, max, by, round, iff, order by, desc
