Query Details
id: b2c3d4e5-2012-4b22-9d01-0123456789d2
name: Copilot Studio - Tool abuse via connector breadth and destructive operations
description: |
Surfaces possible tool / action manipulation (over-permissive connector
execution). Aggregates Copilot Studio connector calls per conversation
and flags conversations that either fan out across an unusually wide set
of distinct connectors / operations, or invoke destructive / state-changing
operation verbs (delete, remove, drop, update, send, grant, revoke, reset
and similar). A single benign turn usually touches one or two read
operations; broad or state-changing fan-out in one conversation can
indicate an attacker driving the agent's actions beyond its intended scope.
Reads AppDependencies rows where AppRoleName == "Microsoft Copilot Studio"
or DependencyType == "Connector" and works from metadata alone - no
sensitive-property logging required. Note the "or": connector dependencies
reported by any other application in the workspace are included as well;
change it to "and" if that adds noise. Tune connectorBreadthThreshold to
your agents' normal action breadth before relying on it, and trim the verb
list if common benign operations (update / send / post) trip it.
query: |
let lookback = 1d;
let connectorBreadthThreshold = 4;
// Connector operation names are normally a single CamelCase token (DeleteItem,
// SendEmailV2, ...). `has_any` is term-based and would not match a verb that is
// only part of such a token, so the verbs are matched as a substring of the
// lower-cased operation name instead.
let destructiveVerbPattern = @"(delete|remove|drop|update|patch|put|send|post|create|disable|reset|grant|revoke|purge|wipe)";
AppDependencies
| where TimeGenerated > ago(lookback)
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend
ConvId = tostring(Properties["conversationId"]),
ChannelId = tostring(Properties["channelId"]),
TargetPrefix = tolower(tostring(split(Target, "/")[0])),
Operation = tolower(tostring(split(Target, "/")[1]))
| summarize
Calls = count(),
DistinctConnectors = dcount(TargetPrefix),
DistinctOperations = dcount(Operation),
Connectors = make_set(TargetPrefix, 25),
DestructiveOps = make_set_if(Operation, Operation matches regex destructiveVerbPattern, 25),
Failures = countif(Success == false),
FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
UserId = take_any(UserId), ClientIP = take_any(ClientIP)
by ConvId, ChannelId
| extend DestructiveCount = array_length(DestructiveOps)
| where DistinctConnectors >= connectorBreadthThreshold or DestructiveCount > 0
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project FirstSeen, LastSeen, AccountName, ConvId, ChannelId, ClientIP,
Calls, DistinctConnectors, DistinctOperations, DestructiveCount,
DestructiveOps, Failures, Connectors
| order by DistinctConnectors desc, DestructiveCount desc
tactics:
- Execution
- Impact
techniques:
- T1059
- T1565
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
- ToolAbuse
This query is designed to identify potential misuse of tools within the Copilot Studio environment by analyzing connector usage. It looks for conversations that either use an unusually wide range of distinct connectors or perform destructive operations. Destructive operations include verbs like delete, remove, update and others that change or remove data.
Here's a simplified breakdown of what the query does:
Time Frame: It examines data from the last day (lookback = 1d).
Thresholds: It sets a threshold for the number of distinct connectors used in a conversation (connectorBreadthThreshold = 4) and defines the verbs considered destructive (delete, update, send, grant and so on), which are matched against the lower-cased operation name.
Data Source: It reads from AppDependencies where the role is "Microsoft Copilot Studio" or the dependency type is "Connector", derives the connector and operation from the Target value (the text before and after the first "/"), and takes the conversation and channel identifiers from the Properties bag.
Data Processing:
Aggregation: It groups calls by conversation and channel and computes the call count, the number of distinct connectors and operations, the set of destructive operations seen, the number of failed calls, the first and last timestamps, and a representative user ID and client IP.
Filtering: It keeps conversations that either use at least the threshold number of distinct connectors (4 or more by default) or perform one or more destructive operations; an empty user ID is reported as "unknown-agent".
Output: The results include the first and last time the conversation was seen, account name, conversation and channel identifiers, client IP, and counts of calls, connectors, operations, destructive operations and failures, together with the connector and destructive-operation sets. The results are sorted by the number of distinct connectors, then by the number of destructive operations, descending.
Purpose: The query aims to detect potential abuse or unintended use of Copilot Studio tools, which could indicate malicious activity or misuse. Because the threshold and verb list are static, expect to tune them per environment: agents that legitimately orchestrate many connectors will trip the breadth rule, and verbs such as update, send and post are common in benign flows.
Tags and Techniques: It is associated with the Execution and Impact tactics and the techniques Command and Scripting Interpreter (T1059) and Data Manipulation (T1565). It is tagged for use with Sentinel-As-Code, AI, and tool abuse detection.
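The query above and the breakdown that follows it describe one aggregation and one filter; the block below is an added example, not part of the original rule and not Microsoft's code, that re-implements that summarize / filter logic in Python over constructed AppDependencies-style rows so the threshold and the verb matching can be exercised without a Sentinel workspace. It also shows why term-based matching (the semantics of KQL `has_any`) misses CamelCase operation names such as DeleteItem while substring matching catches them. The column names mirror the ones the query reads; every row, user, IP, connector and operation name is made up.

```python
"""Offline model of the Copilot Studio connector-breadth / destructive-verb detection.

Added example: mirrors the KQL summarize step over constructed rows. Rows,
users, IPs and connector names are invented; the column names follow the
AppDependencies columns the query uses.
"""
import re

CONNECTOR_BREADTH_THRESHOLD = 4
DESTRUCTIVE_VERBS = [
    "delete", "remove", "drop", "update", "patch", "put", "send", "post",
    "create", "disable", "reset", "grant", "revoke", "purge", "wipe",
]
DESTRUCTIVE_RE = re.compile("|".join(DESTRUCTIVE_VERBS))
TERM_SPLIT_RE = re.compile(r"[^a-z0-9]+")


def row(conv, target, ts, success=True, user="alice@contoso.example", ip="10.0.0.5"):
    """Build one constructed AppDependencies-like row (Target = '<connector>/<operation>')."""
    return {"TimeGenerated": ts, "conversationId": conv, "channelId": "msteams",
            "Target": target, "Success": success, "UserId": user, "ClientIP": ip}


SAMPLE_ROWS = [
    # Benign: a single read on one connector.
    row("conv-benign", "sharepointonline/GetItems", "2026-06-08T09:00:00Z"),
    # Fan-out: five distinct connectors in one conversation, all reads.
    row("conv-fanout", "office365/GetEmails", "2026-06-08T09:10:00Z"),
    row("conv-fanout", "sharepointonline/GetItems", "2026-06-08T09:10:05Z"),
    row("conv-fanout", "teams/GetMessages", "2026-06-08T09:10:09Z"),
    row("conv-fanout", "sql/GetRows", "2026-06-08T09:10:14Z"),
    row("conv-fanout", "keyvault/GetSecret", "2026-06-08T09:10:20Z"),
    # Destructive: two connectors, CamelCase operation ids carrying a verb as a substring.
    row("conv-destructive", "sharepointonline/DeleteItem", "2026-06-08T09:20:00Z",
        user="bob@contoso.example", ip="203.0.113.7"),
    row("conv-destructive", "office365/SendEmailV2", "2026-06-08T09:20:04Z",
        success=False, user="bob@contoso.example", ip="203.0.113.7"),
]


def parse_target(target):
    """Mirror tolower(split(Target, "/")[0]) and [1]; a missing operation becomes ''."""
    parts = target.lower().split("/")
    operation = parts[1] if len(parts) > 1 else ""
    return parts[0], operation


def is_destructive_term(op):
    """What KQL `has_any` does: whole-term match, so 'deleteitem' never matches 'delete'."""
    terms = set(TERM_SPLIT_RE.split(op))
    return any(verb in terms for verb in DESTRUCTIVE_VERBS)


def is_destructive_substring(op):
    """Substring (regex alternation) match: catches CamelCase ids such as DeleteItem."""
    return DESTRUCTIVE_RE.search(op) is not None


def summarize(rows):
    """Reproduce `summarize ... by ConvId, ChannelId` from the query."""
    groups = {}
    for r in rows:
        key = (r["conversationId"], r["channelId"])
        g = groups.setdefault(key, {
            "Calls": 0, "Connectors": set(), "Operations": set(), "DestructiveOps": set(),
            "Failures": 0, "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"],
            "UserId": r["UserId"], "ClientIP": r["ClientIP"],   # take_any(): first seen
        })
        prefix, op = parse_target(r["Target"])
        g["Calls"] += 1
        g["Connectors"].add(prefix)
        g["Operations"].add(op)
        if is_destructive_substring(op):
            g["DestructiveOps"].add(op)
        if r["Success"] is False:
            g["Failures"] += 1
        g["FirstSeen"] = min(g["FirstSeen"], r["TimeGenerated"])
        g["LastSeen"] = max(g["LastSeen"], r["TimeGenerated"])
    return groups


def flag_conversations(rows, threshold=CONNECTOR_BREADTH_THRESHOLD):
    """Apply the breadth / destructive filter, the AccountName fallback and the ordering."""
    out = []
    for (conv, chan), g in summarize(rows).items():
        distinct_connectors = len(g["Connectors"])
        destructive_count = len(g["DestructiveOps"])
        if distinct_connectors >= threshold or destructive_count > 0:
            out.append({
                "FirstSeen": g["FirstSeen"], "LastSeen": g["LastSeen"],
                "AccountName": g["UserId"] or "unknown-agent",
                "ConvId": conv, "ChannelId": chan, "ClientIP": g["ClientIP"],
                "Calls": g["Calls"], "DistinctConnectors": distinct_connectors,
                "DistinctOperations": len(g["Operations"]),
                "DestructiveCount": destructive_count,
                "DestructiveOps": sorted(g["DestructiveOps"]),
                "Failures": g["Failures"], "Connectors": sorted(g["Connectors"]),
            })
    out.sort(key=lambda x: (-x["DistinctConnectors"], -x["DestructiveCount"]))
    return out


if __name__ == "__main__":
    for hit in flag_conversations(SAMPLE_ROWS):
        print(hit["ConvId"], hit["DistinctConnectors"], hit["DestructiveOps"], hit["Failures"])
```

Running it flags conv-fanout (five connectors, no destructive verbs) ahead of conv-destructive (two connectors, DeleteItem and SendEmailV2, one failed call) and leaves the single-read conversation alone; raising the threshold to 6 drops the fan-out case, which is the tuning knob the description asks you to set per environment.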

David Alonso
Released: June 8, 2026