Query Details

Agent Topic Trigger Enumeration

Query

id: b2c3d4e5-2010-4b22-9d01-0123456789ca
name: Copilot Studio - Topic / generative-answer trigger enumeration
description: |
  Profiles which named events a Copilot Studio agent emits beyond the
  basic message turns - topic triggers, generative-answer events, QnA and
  intent events - and highlights conversations that touch an unusually
  high number of distinct event types. Rapid enumeration of many topics in
  one conversation can indicate reconnaissance of the agent's capabilities.
query: |
  let lookback = 1d;
  AppEvents
  | where TimeGenerated > ago(lookback)
  | where Name !in ("BotMessageReceived", "BotMessageSend")
  | extend
      ConvId    = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"])
  | summarize
        Events        = count(),
        DistinctEvents = dcount(Name),
        EventTypes    = make_set(Name, 50),
        FirstSeen     = min(TimeGenerated),
        LastSeen      = max(TimeGenerated)
      by ConvId, ChannelId, UserId
  | where DistinctEvents >= 1
  | order by DistinctEvents desc, Events desc
tactics:
  - Discovery
techniques:
  - T1592
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI

Explanation

This query is designed to analyze events generated by a Copilot Studio agent over the past day. It focuses on identifying conversations that involve a wide variety of event types beyond basic message exchanges. Here's a simplified breakdown:

  1. Time Frame: The query looks at events from the past day (lookback = 1d).

  2. Data Source: It reads from the AppEvents table.

  3. Filtering: It drops the basic message-turn events, "BotMessageReceived" and "BotMessageSend", so that only the richer interaction events remain.

  4. Data Extraction: For each event, it pulls the conversation ID (ConvId) and channel ID (ChannelId) out of the Properties bag; the user ID comes from the table's own UserId column.

  5. Aggregation: It groups the events by ConvId, ChannelId and UserId and, for each group, computes:

    • the total number of events (Events);
    • the number of distinct event types (DistinctEvents);
    • a set of up to 50 distinct event types encountered (EventTypes);
    • the timestamps of the first and last event in the conversation (FirstSeen, LastSeen).

  6. Filtering for Unusual Activity: It keeps only conversations with at least one distinct event type. Every group that survives step 3 already meets this, so this threshold is the value to raise when tuning the query to surface only unusually broad conversations.

  7. Ordering: The results are sorted by the number of distinct event types in descending order, and then by the total number of events.

The purpose of this query is to identify conversations where many different types of events occur, which might suggest an exploration of the agent's capabilities. This can be useful for detecting reconnaissance activities. The query is associated with the "Discovery" tactic and the "T1592" technique, indicating its relevance to identifying information gathering activities.
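To see what the pipeline surfaces before deploying it, here is an added Python re-implementation of the query's aggregation over constructed AppEvents-shaped rows (example code, not part of the original query or catalog page; the event names other than the two message-turn events are hypothetical placeholders). It also shows why a DistinctEvents threshold of 1 admits every conversation that has any non-message event.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like AppEvents; event names apart from the two
# message-turn events are hypothetical placeholders, not real Copilot Studio names.
T0 = datetime(2026, 6, 8, 9, 0, 0)
NOW = T0 + timedelta(hours=1)

def ev(name, minutes, conv, user, channel="msteams"):
    return {"Name": name, "TimeGenerated": T0 + timedelta(minutes=minutes),
            "Properties": {"conversationId": conv, "channelId": channel}, "UserId": user}

SAMPLE_EVENTS = [
    # c-1: an ordinary turn in which a single topic fires
    ev("BotMessageReceived", 0, "c-1", "u1"), ev("TopicTriggered", 0, "c-1", "u1"),
    ev("BotMessageSend", 1, "c-1", "u1"),
    # c-2: five distinct non-message event types inside three minutes
    ev("TopicTriggered", 10, "c-2", "u2"), ev("GenerativeAnswer", 11, "c-2", "u2"),
    ev("QnAAnswer", 11, "c-2", "u2"), ev("IntentRecognized", 12, "c-2", "u2"),
    ev("TopicTriggered", 12, "c-2", "u2"), ev("FallbackTriggered", 13, "c-2", "u2"),
    # c-3: two days old, must be dropped by the lookback filter
    ev("TopicTriggered", -2 * 24 * 60, "c-3", "u3"),
]
MESSAGE_TURN_EVENTS = {"BotMessageReceived", "BotMessageSend"}

def enumerate_triggers(events, now=NOW, lookback=timedelta(days=1), min_distinct=1, set_cap=50):
    """Mirror of the query's pipeline: time filter, drop message turns, group by
    (ConvId, ChannelId, UserId), aggregate, apply the DistinctEvents threshold, sort."""
    groups = defaultdict(list)
    for e in events:
        if e["TimeGenerated"] <= now - lookback or e["Name"] in MESSAGE_TURN_EVENTS:
            continue
        # tostring() on a missing dynamic key yields "" in KQL; .get(..., "") mirrors that
        props = e["Properties"]
        key = (str(props.get("conversationId", "")), str(props.get("channelId", "")), e["UserId"])
        groups[key].append(e)
    rows = []
    for (conv, chan, user), evs in groups.items():
        names = [x["Name"] for x in evs]
        distinct = sorted(set(names))  # make_set gives no ordering guarantee; sorted for determinism
        rows.append({"ConvId": conv, "ChannelId": chan, "UserId": user,
                     "Events": len(names), "DistinctEvents": len(distinct),
                     "EventTypes": distinct[:set_cap],
                     # min/max span the whole conversation, not each event type
                     "FirstSeen": min(x["TimeGenerated"] for x in evs),
                     "LastSeen": max(x["TimeGenerated"] for x in evs)})
    rows = [r for r in rows if r["DistinctEvents"] >= min_distinct]
    rows.sort(key=lambda r: (-r["DistinctEvents"], -r["Events"]))
    return rows
```

With the query's own threshold of 1, both in-window conversations are returned; raising min_distinct to 3 leaves only the conversation that touched many event types.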

Details

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

AppEvents

Operators

let | where | !in | extend | tostring | summarize | count | dcount | make_set | min | max | by | order by | desc