Query Details

Agent Conversation Volume By User

Query

id: b2c3d4e5-2001-4b22-9d01-0123456789c1
name: Copilot Studio - Conversation volume by user / session
description: |
  Surfaces the busiest Copilot Studio users, sessions and channels over
  the lookback window so an analyst can spot scripted abuse, denial-of-
  wallet pacing, or a single identity dominating an agent. Lower-volume
  context than the flooding analytic rule, for proactive review.
query: |
  let lookback = 1d;
  AppEvents
  | where TimeGenerated > ago(lookback)
  | where Name in ("BotMessageReceived", "BotMessageSend")
  | extend
      ConvId    = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      DesignMode = tostring(Properties["DesignMode"])
  | summarize
        InboundTurns  = countif(Name == "BotMessageReceived"),
        OutboundTurns = countif(Name == "BotMessageSend"),
        Conversations = dcount(ConvId),
        Channels      = make_set(ChannelId, 10),
        ClientIPs     = make_set(ClientIP, 25),
        FirstSeen     = min(TimeGenerated),
        LastSeen      = max(TimeGenerated)
      by UserId, SessionId
  | extend TurnsPerConversation = round(toreal(InboundTurns) / iff(Conversations == 0, 1, Conversations), 1)
  | order by InboundTurns desc
tactics:
  - Impact
techniques:
  - T1499
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query is designed to analyze user activity in Copilot Studio over the past day. It focuses on identifying the most active users, sessions, and channels to help analysts detect potential issues such as scripted abuse or a single user dominating interactions. Here's a breakdown of what the query does:

  1. Time Frame: It looks at events from the past day (lookback = 1d).

  2. Event Filtering: It filters for events where a bot message was either received or sent ("BotMessageReceived", "BotMessageSend").

  3. Data Extraction: It extracts the conversation ID, channel ID, and design mode from the event properties. DesignMode is extracted but is not used in the aggregation or the output.

  4. Data Aggregation: For each UserId and SessionId pair, it:

    • Counts the number of inbound and outbound messages.
    • Counts distinct conversations.
    • Collects up to 10 unique channel IDs and 25 unique client IPs.
    • Records the first and last time the pair was seen.

  5. Calculations: It calculates the average number of inbound turns (messages) per conversation, rounded to one decimal place, dividing by 1 when the conversation count is 0.

  6. Sorting: The results are sorted by the number of inbound messages in descending order, highlighting the busiest users or sessions.

The query is tagged with the Impact tactic and technique T1499. As its description states, it is meant for proactive review and gives lower-volume context than the flooding analytic rule.
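The description mentions denial-of-wallet pacing, but the query returns only counts and first/last timestamps. The following added example (not part of the original query or the author's rule set) derives an inbound rate per minute from those same columns and runs on constructed sample events. `SampleEvents`, `ActiveMinutes` and `InboundPerMinute` are names assumed here, as are the user, session and IP values.

```kusto
// Constructed sample events (not real telemetry): one scripted session sending
// 120 inbound messages 5 seconds apart, and one ordinary user with 6 messages.
let lookback = 1d;
let Scripted = range i from 0 to 119 step 1
    | project TimeGenerated = ago(1h) + i * 5s,
              Name = "BotMessageReceived",
              UserId = "user-scripted", SessionId = "sess-A", ClientIP = "203.0.113.10",
              Properties = bag_pack("conversationId", "conv-1", "channelId", "directline");
let Ordinary = range i from 0 to 5 step 1
    | project TimeGenerated = ago(2h) + i * 2m,
              Name = "BotMessageReceived",
              UserId = "user-ordinary", SessionId = "sess-B", ClientIP = "198.51.100.20",
              Properties = bag_pack("conversationId", strcat("conv-", i % 2), "channelId", "msteams");
// Replace SampleEvents with AppEvents to run against the workspace table.
let SampleEvents = union Scripted, Ordinary;
SampleEvents
| where TimeGenerated > ago(lookback)
| where Name in ("BotMessageReceived", "BotMessageSend")
| extend ConvId = tostring(Properties["conversationId"])
| summarize
    InboundTurns  = countif(Name == "BotMessageReceived"),
    Conversations = dcount(ConvId),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by UserId, SessionId
// Pacing: inbound messages per minute of observed activity. Spans shorter than
// one minute are treated as one minute so a brief burst is not divided by ~0.
| extend ActiveMinutes = (LastSeen - FirstSeen) / 1m
| extend InboundPerMinute = round(InboundTurns / iff(ActiveMinutes < 1.0, 1.0, ActiveMinutes), 1)
| order by InboundPerMinute desc
```

Sorting by rate rather than raw count puts a short, steady machine-paced session above a user who sent a similar number of messages spread across the day.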

Details


David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

AppEvents, Properties, ConversationId, ChannelId, DesignMode, ClientIP, UserId, SessionId, TimeGenerated, InboundTurns, OutboundTurns, Conversations, Channels, ClientIPs, FirstSeen, LastSeen, TurnsPerConversation

Operators

let, where, in, extend, tostring, summarize, countif, dcount, make_set, min, max, by, round, toreal, iff, order by
