Query Details

Agent Response Latency Anomaly

Query

id: b2c3d4e5-2008-4b22-9d01-0123456789c8
name: Copilot Studio - Connector latency / response-time anomaly
description: |
  Uses series_decompose_anomalies over hourly connector latency
  (DurationMs) to surface targets whose response time deviates sharply
  from their own trend. Latency anomalies can indicate a degraded backend,
  throttling under abuse, or a connector being driven with unusually large
  / malformed payloads.
query: |
  let lookback = 7d;
  AppDependencies
  | where TimeGenerated > ago(lookback)
  | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
  | make-series AvgDuration = avg(DurationMs) default = 0.0 on TimeGenerated step 1h by Target
  | extend (Anomalies, Score, Baseline) = series_decompose_anomalies(AvgDuration, 2.5, -1, 'linefit')
  | mv-expand TimeGenerated to typeof(datetime), AvgDuration to typeof(real),
              Anomalies to typeof(long), Score to typeof(real), Baseline to typeof(real)
  | where Anomalies != 0
  | project TimeGenerated, Target, AvgDuration = round(AvgDuration, 0),
            Baseline = round(Baseline, 0), Score = round(Score, 2), Anomalies
  | order by abs(Score) desc
tactics:
  - Impact
techniques:
  - T1499
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query is designed to identify unusual patterns in the response times of connectors used by Microsoft Copilot Studio. Here's a simple breakdown of what it does:

  1. Time Frame: It looks at data from the past 7 days.
  2. Data Source: It examines the AppDependencies table.
  3. Filtering: It focuses on entries where the application role is "Microsoft Copilot Studio" or the dependency type is "Connector".
  4. Data Aggregation: It calculates the average response time (DurationMs) for each target, broken down into hourly intervals.
  5. Anomaly Detection: It uses a function called series_decompose_anomalies, with a threshold of 2.5, automatic seasonality detection (-1) and a linear-fit trend, to detect anomalies in these average response times. Anomalies are significant deviations from the expected trend.
  6. Data Expansion: It expands each target's hourly series into one row per hour, carrying the time it occurred, the target affected, the average duration, the baseline, and the anomaly score.
  7. Filtering Anomalies: It filters out any data points that are not anomalies.
  8. Presentation: It presents the results, showing the time, target, average duration, baseline, anomaly score, and anomaly status, sorted by the severity of the anomaly score.

The query helps identify potential issues like degraded backend performance, abuse-related throttling, or problems caused by unusually large or malformed payloads.
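To make the scoring concrete, the following is an added Python approximation (not the page's or Microsoft's code) of what the query's series_decompose_anomalies(AvgDuration, 2.5, -1, 'linefit') call computes per target: a least-squares 'linefit' baseline, residuals scored in IQR units (Tukey's fence, as KQL's series_outliers does), and a flag of +1 or -1 where the score passes the 2.5 threshold. The 24-hour sample is constructed, and seasonality detection is omitted.

```python
from statistics import quantiles

# Constructed 24-hour series of avg DurationMs for one Target: a steady ~300 ms
# baseline, one spike (hour 8) and one hour with no calls, zero-filled by make-series.
HOURLY_MS = [300, 310, 295, 305, 320, 315, 300, 310, 2400, 305, 315, 300,
             0, 310, 305, 320, 310, 300, 315, 305, 310, 320, 300, 310]


def linefit_baseline(series):
    """Least-squares line through the series: the 'linefit' trend component."""
    n = len(series)
    mean_x = (n - 1) / 2
    mean_y = sum(series) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(series))
    slope = sxy / sxx if sxx else 0.0
    return [mean_y + slope * (x - mean_x) for x in range(n)]


def tukey_scores(residuals):
    """Distance of each residual outside the interquartile range, in IQR units."""
    q1, _, q3 = quantiles(residuals, n=4)
    iqr = q3 - q1
    if iqr == 0:
        return [0.0] * len(residuals)
    return [(r - q3) / iqr if r > q3 else (r - q1) / iqr if r < q1 else 0.0
            for r in residuals]


def decompose_anomalies(series, threshold=2.5):
    """Return (flags, scores, baseline) like the KQL function: a flag is +1 when
    the score exceeds threshold, -1 when it is below -threshold, else 0."""
    baseline = linefit_baseline(series)
    residuals = [y - b for y, b in zip(series, baseline)]
    scores = tukey_scores(residuals)
    flags = [1 if s > threshold else -1 if s < -threshold else 0 for s in scores]
    return flags, scores, baseline


def anomalous_hours(series, threshold=2.5):
    """(hour index, flag, value, baseline, score) for flagged hours only, mirroring
    the query's `where Anomalies != 0` projection ordered by abs(Score) desc."""
    flags, scores, baseline = decompose_anomalies(series, threshold)
    rows = [(i, f, series[i], round(baseline[i]), round(scores[i], 2))
            for i, f in enumerate(flags) if f != 0]
    return sorted(rows, key=lambda r: abs(r[4]), reverse=True)


if __name__ == "__main__":
    for hour, flag, value, base, score in anomalous_hours(HOURLY_MS):
        print(f"hour={hour:2d} flag={flag:+d} avg={value} baseline={base} score={score}")
```

The spike is reported with a large positive score, while the zero-filled hour (a side effect of `default = 0.0` in make-series) is reported as a negative anomaly; when triaging, a -1 row with AvgDuration of 0 usually means the connector was idle that hour, not that it got faster.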

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies

Operators

let, where, or, make-series, avg, default, on, step, by, extend, series_decompose_anomalies, mv-expand, to, typeof, project, round, order by, abs, desc