Query Details
id: b2c3d4e5-2009-4b22-9d01-0123456789c9
name: Copilot Studio - Untrusted connector target (allowlist join)
description: |
  Flags Copilot Studio connector / action calls whose Target host is not
  on the approved CopilotStudioTrustedConnectors watchlist (column
  ConnectorTarget). A fetch or action against a host outside the approved
  set can indicate a poisoned / rogue action, data egress to an
  attacker-controlled endpoint, or configuration drift.
  Returns useful rows only once the CopilotStudioTrustedConnectors
  watchlist is populated with your approved connector target prefixes
  (host names, compared case-insensitively). While it holds only the seed
  rows, the allowlist membership check (TargetPrefix in (trusted) or
  TargetLower in (trusted)) treats every other target as untrusted and the
  hunt will be noisy - seed it before relying on it.
query: |
  let lookback = 1d;
  // Approved connector targets, lower-cased so the membership test below is case-insensitive.
  let trusted =
      _GetWatchlist('CopilotStudioTrustedConnectors')
      | project ConnectorTarget = tolower(tostring(column_ifexists('ConnectorTarget', '')))
      | where isnotempty(ConnectorTarget);
  AppDependencies
  | where TimeGenerated > ago(lookback)
  | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
  | extend
      ConvId = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      TargetLower = tolower(Target),
      // Host portion of Target: everything before the first "/".
      TargetPrefix = tolower(tostring(split(Target, "/")[0]))
  // Trusted if either the host prefix or the full lower-cased Target is on the watchlist.
  | extend Trusted = TargetPrefix in (trusted) or TargetLower in (trusted)
  | where not(Trusted)
  | summarize Calls = count(), Convs = make_set(ConvId, 25), Channels = make_set(ChannelId, 10),
      FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Name, Target, TargetPrefix
  | order by Calls desc
tactics:
- Exfiltration
- CommandAndControl
techniques:
- T1567
- T1071
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
This query is designed to identify potentially suspicious activity involving the Copilot Studio application by checking if any connector or action calls are made to unapproved target hosts. Here's a simplified breakdown:
Purpose: The query flags calls made by Copilot Studio to hosts that are not on a predefined list of trusted connectors. This matters because interactions with untrusted hosts could indicate malicious activity, such as data being sent to an attacker-controlled endpoint, a rogue or poisoned action, or a connector configuration that has drifted from the approved set.
Trusted List: It uses a watchlist named CopilotStudioTrustedConnectors to determine which hosts are approved. The list must be populated with trusted host prefixes to function correctly. If the list is empty or only contains the seed rows, the query will flag nearly every host as untrusted, leading to excessive results.
Data Source: The query examines the AppDependencies table for entries generated in the last day (lookback = 1d) related to the "Microsoft Copilot Studio" application or any "Connector" type dependencies.
Processing: For each dependency row it extracts the conversation and channel IDs from Properties, lower-cases the Target, and derives a host prefix by taking everything before the first "/" in Target. A row counts as trusted if either that host prefix or the full lower-cased Target appears in the watchlist (the watchlist values are lower-cased too, so the comparison is case-insensitive); all other rows are kept as untrusted.
Output: The query summarizes the untrusted calls by counting them, listing unique conversation and channel IDs, and noting the first and last time each untrusted target was seen. The results are ordered by the number of calls to highlight the most frequent untrusted interactions.
Security Context: This query is associated with tactics like Exfiltration and Command and Control, and techniques such as T1567 (Exfiltration Over Web Service) and T1071 (Application Layer Protocol). It is tagged for use in Sentinel-As-Code, custom monitoring, and AI-related activities.
In essence, this query helps monitor and secure the Copilot Studio environment by ensuring that all connector interactions are with approved, trusted hosts.
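To check the matching rules without a Sentinel workspace, here is an added Python model of the hunt's pipeline. It is an illustration written for this page, not the page's KQL and not Microsoft code. It assumes the KQL `in (trusted)` test is plain equality against the lower-cased watchlist values and approximates `make_set(x, n)` as "stop adding once n distinct values are held". Every watchlist entry, host name and AppDependencies row below is constructed.

```python
"""Offline model of the allowlist check in the Copilot Studio hunt.

Added illustration, not the page's KQL: each pipeline step is mirrored in
Python so the matching rules (case folding, host-prefix vs full-target
match, the 1d lookback, the AppRoleName/DependencyType filter and the
per-target summarize) can be exercised on constructed rows.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)


def at_hours_ago(hours):
    """Constructed TimeGenerated relative to NOW."""
    return NOW - timedelta(hours=hours)


def make_dep(hours_ago, name, target, conv, channel,
             app="Microsoft Copilot Studio", dep_type="Connector"):
    """Build one constructed AppDependencies-shaped row (made-up values)."""
    return {"TimeGenerated": at_hours_ago(hours_ago), "AppRoleName": app,
            "DependencyType": dep_type, "Name": name, "Target": target,
            "Properties": {"conversationId": conv, "channelId": channel}}


# Constructed stand-in for the CopilotStudioTrustedConnectors watchlist.
SEEDED_WATCHLIST = [
    {"ConnectorTarget": "graph.microsoft.com"},
    {"ConnectorTarget": "API.Contoso.com"},   # mixed case: lowered on load
    {"ConnectorTarget": ""},                  # dropped by isnotempty()
]

# Constructed stand-in for AppDependencies (not real telemetry).
SAMPLE_DEPENDENCIES = [
    make_dep(1, "GET /users", "graph.microsoft.com/v1.0/users", "conv-a", "msteams"),
    make_dep(2, "POST /tickets", "api.contoso.com/tickets", "conv-b", "webchat", dep_type="Http"),
    make_dep(3, "POST /upload", "files.attacker.example/drop", "conv-a", "msteams"),
    make_dep(5, "POST /upload", "files.attacker.example/drop", "conv-c", "directline"),
    # Target carrying a scheme: split on "/" gives "https:" as the prefix, so
    # only an exact full-target watchlist entry could clear this row.
    make_dep(6, "GET /me", "https://graph.microsoft.com/v1.0/me", "conv-d", "msteams"),
    # Older than the 1d lookback: never considered.
    make_dep(30, "POST /upload", "files.attacker.example/drop", "conv-e", "msteams"),
    # Neither Copilot Studio nor a Connector dependency: filtered out.
    make_dep(1, "GET /", "files.attacker.example/drop", "conv-f", "web",
             app="OtherApp", dep_type="Http"),
]


def load_trusted(watchlist_rows):
    """_GetWatchlist | project tolower(ConnectorTarget) | where isnotempty()."""
    return {str(r.get("ConnectorTarget", "")).lower() for r in watchlist_rows} - {""}


def hunt(rows, trusted, now=NOW, lookback=timedelta(days=1)):
    """Return the hunt's summarize output as a list ordered by Calls desc."""
    groups = {}
    for r in rows:
        if r["TimeGenerated"] <= now - lookback:          # TimeGenerated > ago(lookback)
            continue
        if not (r["AppRoleName"] == "Microsoft Copilot Studio"
                or r["DependencyType"] == "Connector"):
            continue
        target_lower = r["Target"].lower()
        target_prefix = target_lower.split("/")[0]       # tolower(split(Target, "/")[0])
        if target_prefix in trusted or target_lower in trusted:   # Trusted == true
            continue
        key = (r["Name"], r["Target"], target_prefix)    # summarize ... by Name, Target, TargetPrefix
        g = groups.setdefault(key, {
            "Name": r["Name"], "Target": r["Target"], "TargetPrefix": target_prefix,
            "Calls": 0, "Convs": set(), "Channels": set(),
            "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"]})
        g["Calls"] += 1
        conv = str(r["Properties"].get("conversationId", ""))
        chan = str(r["Properties"].get("channelId", ""))
        if len(g["Convs"]) < 25:                         # make_set(ConvId, 25)
            g["Convs"].add(conv)
        if len(g["Channels"]) < 10:                      # make_set(ChannelId, 10)
            g["Channels"].add(chan)
        g["FirstSeen"] = min(g["FirstSeen"], r["TimeGenerated"])
        g["LastSeen"] = max(g["LastSeen"], r["TimeGenerated"])
    return sorted(groups.values(), key=lambda g: g["Calls"], reverse=True)


if __name__ == "__main__":
    for label, trusted in (("unseeded", set()),
                           ("seeded", load_trusted(SEEDED_WATCHLIST))):
        print(label, [(g["Target"], g["Calls"]) for g in hunt(SAMPLE_DEPENDENCIES, trusted)])
```

Run it twice: with an empty allowlist every in-window Copilot Studio row is flagged, which is the noise the description warns about; with the seeded list only the unapproved host and the scheme-prefixed row survive. That last row is the check worth keeping in mind: if your Target values carry a scheme, the host prefix becomes "https:" and the row is only cleared by a full-target entry on the watchlist, so verify what shape Target takes in your workspace before seeding.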

David Alonso
Released: June 8, 2026