Query Details

Agent Dormancy Break

Query

id: b2c3d4e5-2007-4b22-9d01-0123456789c7
name: Copilot Studio - Dormant agent / connector reactivation
description: |
  Finds connector targets (and agent app versions) that were silent for
  >=7 days and then became active again in the recent window. A dormant-
  then-active pattern can indicate a re-enabled stale action, a forgotten
  integration being abused, or staged tooling that only lights up during
  an operation.
query: |
  let reactivationWindow = 1d;
  let silenceDays = 7d;
  let conn = AppDependencies
             | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector";
  let recent = conn | where TimeGenerated > ago(reactivationWindow)
               | summarize RecentCalls = count(), LastSeen = max(TimeGenerated) by Target;
  let priorActivity = conn
               | where TimeGenerated between (ago(60d) .. ago(reactivationWindow + silenceDays))
               | summarize PriorLastSeen = max(TimeGenerated) by Target;
  let recentlySilent = conn
               | where TimeGenerated between (ago(reactivationWindow + silenceDays) .. ago(reactivationWindow))
               | distinct Target;
  recent
  | join kind=inner priorActivity on Target
  | join kind=leftanti recentlySilent on Target
  | extend DaysDormant = round(toreal(datetime_diff('day', LastSeen, PriorLastSeen)), 0)
  | project LastSeen, Target, RecentCalls, PriorLastSeen, DaysDormant
  | order by DaysDormant desc
tactics:
  - Persistence
techniques:
  - T1554
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query is designed to identify and analyze connector targets and agent app versions that were inactive for at least 7 days and then became active again recently. This pattern might suggest a reactivated stale action, a forgotten integration being misused, or tools that are only activated during specific operations. Here's a simple breakdown of what the query does:

  1. Define Time Windows:

    • reactivationWindow: The recent period to check for activity (1 day).
    • silenceDays: The period of inactivity to look for (7 days).
  2. Filter Relevant Data:

    • It focuses on dependencies related to "Microsoft Copilot Studio" or those classified as "Connector".
  3. Identify Recent Activity:

    • Finds targets that have been active in the last day and counts their recent activity.
  4. Identify Prior Activity:

    • Looks for the last time these targets were active in the past, excluding the recent window and the silence period.
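  5. Identify Recently Silent Targets:

    • Collects the targets that had activity during the silence period, the 7 days immediately before the recent window. Despite its name, recentlySilent therefore holds the targets that were not silent.
  6. Combine Results:

    • Joins the recent activity with prior activity (inner join), then uses a leftanti join to drop every target that had activity during the silence period, so only targets that were silent throughout it remain.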
    • Calculates how many days the target was dormant before becoming active again.
  7. Output:

    • Displays the last seen time, target, number of recent calls, last seen time before the recent activity, and the number of dormant days, sorted by the number of dormant days in descending order.

This query helps in detecting potentially suspicious reactivations of previously dormant connectors or agents, which could indicate security concerns or operational anomalies.
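
The windowing logic described above, re-implemented in Python over constructed events so it can be checked offline. This is an added example, not part of the original query or its author's code; the function name `dormancy_breaks`, the constants, the clock and the target names are assumptions made for the illustration. It also exercises two cases the query does not report: a target never seen before, and one whose last prior activity is older than the 60-day lookback.

```python
from datetime import datetime, timedelta, timezone

REACTIVATION_WINDOW = timedelta(days=1)  # reactivationWindow in the query
SILENCE = timedelta(days=7)              # silenceDays in the query
LOOKBACK = timedelta(days=60)            # ago(60d) bound on priorActivity

def dormancy_breaks(events, now):
    """Hypothetical helper: events are (TimeGenerated, Target) pairs, already
    filtered to connector rows. Returns {Target: (calls, last, prior, days)}."""
    recent_start = now - REACTIVATION_WINDOW
    silence_start = recent_start - SILENCE
    recent, prior, active_in_silence = {}, {}, set()
    for ts, target in events:
        # Independent checks: KQL `between` is inclusive at both ends.
        if ts > recent_start:
            calls, last = recent.get(target, (0, ts))
            recent[target] = (calls + 1, max(last, ts))
        if silence_start <= ts <= recent_start:
            active_in_silence.add(target)
        if now - LOOKBACK <= ts <= silence_start:
            prior[target] = max(prior.get(target, ts), ts)
    hits = {}
    for target, (calls, last) in recent.items():
        # inner join on priorActivity, then leftanti on the silence-window set
        if target in prior and target not in active_in_silence:
            # Calendar-day difference, as datetime_diff('day', ...) counts it
            days = (last.date() - prior[target].date()).days
            hits[target] = (calls, last, prior[target], days)
    return hits

# Constructed sample events; the clock and target names are made up.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)
def ago(**kw):
    return NOW - timedelta(**kw)
SAMPLE = [
    (ago(days=20), "crm-export.example"), (ago(hours=2), "crm-export.example"),
    (ago(hours=1), "crm-export.example"),   # dormant, then active: reported
    (ago(days=20), "mail-send.example"), (ago(days=3), "mail-send.example"),
    (ago(hours=1), "mail-send.example"),    # active in silence window: dropped
    (ago(hours=1), "new-tool.example"),     # never seen before: dropped
    (ago(days=90), "old-webhook.example"),
    (ago(hours=1), "old-webhook.example"),  # prior use older than 60d: dropped
]

if __name__ == "__main__":
    print(dormancy_breaks(SAMPLE, NOW))
```

Targets that are new, or dormant for longer than the 60-day lookback, fall outside this query's result set and need a separate first-seen check.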

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies, Microsoft Copilot Studio, Connector, Target, TimeGenerated

Operators

let, where, or, summarize, count, max, by, between, ago, distinct, join, kind, on, extend, round, toreal, datetime_diff, project, order by, desc