Query Details

Copilot Studio - Untrusted connector target (allowlist join)

Agent Untrusted Connector Target

Query

let lookback = 1d;
let trusted =
    _GetWatchlist('CopilotStudioTrustedConnectors')
    | project ConnectorTarget = tolower(tostring(column_ifexists('ConnectorTarget', '')))
    | where isnotempty(ConnectorTarget);
AppDependencies
| where TimeGenerated > ago(lookback)
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend
    ConvId       = tostring(Properties["conversationId"]),
    ChannelId    = tostring(Properties["channelId"]),
    TargetLower  = tolower(Target),
    TargetPrefix = tolower(tostring(split(Target, "/")[0]))
| extend Trusted = TargetPrefix in (trusted) or TargetLower in (trusted)
| where not(Trusted)
| summarize Calls = count(), Convs = make_set(ConvId, 25), Channels = make_set(ChannelId, 10),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Name, Target, TargetPrefix
| order by Calls desc

Explanation

This query is designed to identify potentially suspicious activity involving the Copilot Studio application by checking if any connector or action calls are made to unapproved target hosts. Here's a simplified breakdown:

  1. Purpose: The query flags any calls made by the Copilot Studio to hosts that are not on a predefined list of trusted connectors. This is important because interactions with untrusted hosts could indicate malicious activities, such as data being sent to an attacker-controlled endpoint or unauthorized configuration changes.

  2. Trusted List: It uses a watchlist named CopilotStudioTrustedConnectors to determine which hosts are approved. The list must be populated with trusted host prefixes to function correctly. If the list is empty or only contains initial entries, the query will flag many hosts as untrusted, leading to potentially excessive alerts.

  3. Data Source: The query examines the AppDependencies table for entries generated in the last day (lookback = 1d) related to the "Microsoft Copilot Studio" application or any "Connector" type dependencies.

  4. Processing:

    • It extracts and processes relevant properties like conversation ID, channel ID, and target host information.
    • It checks if the target host or its prefix is in the trusted list.
    • If the target is not trusted, it records the call.
  5. Output: The query summarizes the untrusted calls by counting them, listing unique conversation and channel IDs, and noting the first and last time each untrusted target was seen. The results are ordered by the number of calls to highlight the most frequent untrusted interactions.

  6. Security Context: This query is associated with tactics like Exfiltration and Command and Control, and techniques such as T1567 (Exfiltration Over Web Service) and T1071 (Application Layer Protocol). It is tagged for use in Sentinel-As-Code, custom monitoring, and AI-related activities.

In essence, this query helps monitor and secure the Copilot Studio environment by ensuring that all connector interactions are with approved, trusted hosts.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

CopilotStudioAppDependenciesPropertiesConversationIdChannelTargetNameTimeGenerated

Operators

let_GetWatchlistprojecttolowertostringcolumn_ifexistswhereisnotemptyagoorextendsplitinnotsummarizecountmake_setminmaxbyorder

Tactics

ExfiltrationCommandAndControl

MITRE Techniques

Actions

GitHub