Query Details

Copilot Studio - Tool abuse via connector breadth and destructive operations

Agent Tool Abuse Breadth

Query

let lookback = 1d;
let connectorBreadthThreshold = 4;
let destructiveVerbs = dynamic([
    "delete", "remove", "drop", "update", "patch", "put", "send", "post",
    "create", "disable", "reset", "grant", "revoke", "purge", "wipe"
]);
AppDependencies
| where TimeGenerated > ago(lookback)
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend
    ConvId       = tostring(Properties["conversationId"]),
    ChannelId    = tostring(Properties["channelId"]),
    TargetPrefix = tolower(tostring(split(Target, "/")[0])),
    Operation    = tolower(tostring(split(Target, "/")[1]))
| summarize
    Calls = count(),
    DistinctConnectors = dcount(TargetPrefix),
    DistinctOperations = dcount(Operation),
    Connectors = make_set(TargetPrefix, 25),
    DestructiveOps = make_set_if(Operation, Operation has_any (destructiveVerbs), 25),
    Failures = countif(Success == false),
    FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    UserId = take_any(UserId), ClientIP = take_any(ClientIP)
    by ConvId, ChannelId
| extend DestructiveCount = array_length(DestructiveOps)
| where DistinctConnectors >= connectorBreadthThreshold or DestructiveCount > 0
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project FirstSeen, LastSeen, AccountName, ConvId, ChannelId, ClientIP,
          Calls, DistinctConnectors, DistinctOperations, DestructiveCount,
          DestructiveOps, Failures, Connectors
| order by DistinctConnectors desc, DestructiveCount desc

Explanation

This query is designed to identify potential misuse of tools within the Copilot Studio environment by analyzing the use of connectors. It looks for conversations where there is either an unusually wide range of different connectors being used or where destructive operations are being performed. Destructive operations include actions like delete, remove, update, and others that can change or remove data.

Here's a simplified breakdown of what the query does:

  1. Time Frame: It examines data from the last day (lookback = 1d).

  2. Thresholds: It sets a threshold for the number of distinct connectors used in a conversation (connectorBreadthThreshold = 4) and identifies a list of verbs considered destructive (like "delete", "update", etc.).

  3. Data Source: It reads from AppDependencies where the role is "Microsoft Copilot Studio" or the dependency type is "Connector".

  4. Data Processing:

    • Extracts conversation and channel IDs, as well as the target and operation details.
    • Summarizes data by counting calls, distinct connectors, and operations.
    • Identifies any operations that match the destructive verbs.
    • Counts the number of failed operations.
  5. Filtering: It flags conversations that either use a wide range of connectors (more than the threshold) or perform destructive operations.

  6. Output: The results include details like the first and last time the conversation was seen, user ID, client IP, and counts of calls and operations. The results are sorted by the number of distinct connectors and destructive operations.

  7. Purpose: The query aims to detect potential abuse or unintended use of the Copilot Studio tools, which could indicate malicious activity or misuse.

  8. Tags and Techniques: It is associated with execution and impact tactics, and techniques like command and scripting interpreter (T1059) and data manipulation (T1565). It is tagged for use with Sentinel-As-Code, AI, and tool abuse detection.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesPropertiesTimeGeneratedAppRoleNameDependencyTypeConvIdChannelIdTargetPrefixOperationSuccessUserIdClientIPAccountNameConnectorsDestructiveOpsDestructiveVerbs

Operators

letdynamicagotostringtolowersplitsummarizecountdcountmake_setmake_set_ifcountifminmaxtake_anyarray_lengthiffisemptyprojectorder by

Tactics

ExecutionImpact

MITRE Techniques

Actions

GitHub