Query Details

Copilot Studio - Dormant agent / connector reactivation

Agent Dormancy Break

Query

let reactivationWindow = 1d;
let silenceDays = 7d;
let conn = AppDependencies
           | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector";
let recent = conn | where TimeGenerated > ago(reactivationWindow)
             | summarize RecentCalls = count(), LastSeen = max(TimeGenerated) by Target;
let priorActivity = conn
             | where TimeGenerated between (ago(60d) .. ago(reactivationWindow + silenceDays))
             | summarize PriorLastSeen = max(TimeGenerated) by Target;
let recentlySilent = conn
             | where TimeGenerated between (ago(reactivationWindow + silenceDays) .. ago(reactivationWindow))
             | distinct Target;
recent
| join kind=inner priorActivity on Target
| join kind=leftanti recentlySilent on Target
| extend DaysDormant = round(toreal(datetime_diff('day', LastSeen, PriorLastSeen)), 0)
| project LastSeen, Target, RecentCalls, PriorLastSeen, DaysDormant
| order by DaysDormant desc

Explanation

This query is designed to identify and analyze connector targets and agent app versions that were inactive for at least 7 days and then became active again recently. This pattern might suggest a reactivated stale action, a forgotten integration being misused, or tools that are only activated during specific operations. Here's a simple breakdown of what the query does:

  1. Define Time Windows:

    • reactivationWindow: The recent period to check for activity (1 day).
    • silenceDays: The period of inactivity to look for (7 days).
  2. Filter Relevant Data:

    • It focuses on dependencies related to "Microsoft Copilot Studio" or those classified as "Connector".
  3. Identify Recent Activity:

    • Finds targets that have been active in the last day and counts their recent activity.
  4. Identify Prior Activity:

    • Looks for the last time these targets were active in the past, excluding the recent window and the silence period.
  5. Identify Recently Silent Targets:

    • Finds targets that were inactive during the silence period.
  6. Combine Results:

    • Joins the recent activity with prior activity, excluding those that were silent recently.
    • Calculates how many days the target was dormant before becoming active again.
  7. Output:

    • Displays the last seen time, target, number of recent calls, last seen time before the recent activity, and the number of dormant days, sorted by the number of dormant days in descending order.

This query helps in detecting potentially suspicious reactivations of previously dormant connectors or agents, which could indicate security concerns or operational anomalies.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesMicrosoftCopilotStudioConnectorTargetTimeGenerated

Operators

letwhereorsummarizecountmaxbybetweenagodistinctjoinkindonextendroundtorealdatetime_diffprojectorder bydesc

Tactics

Persistence

MITRE Techniques

Actions

GitHub