Copilot Studio - Untrusted connector target (allowlist join)
Agent Untrusted Connector Target
Query
let lookback = 1d;
let trusted =
_GetWatchlist('CopilotStudioTrustedConnectors')
| project ConnectorTarget = tolower(tostring(column_ifexists('ConnectorTarget', '')))
| where isnotempty(ConnectorTarget);
AppDependencies
| where TimeGenerated > ago(lookback)
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend
ConvId = tostring(Properties["conversationId"]),
ChannelId = tostring(Properties["channelId"]),
TargetLower = tolower(Target),
TargetPrefix = tolower(tostring(split(Target, "/")[0]))
| extend Trusted = TargetPrefix in (trusted) or TargetLower in (trusted)
| where not(Trusted)
| summarize Calls = count(), Convs = make_set(ConvId, 25), Channels = make_set(ChannelId, 10),
FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Name, Target, TargetPrefix
| order by Calls descExplanation
This query is designed to identify potentially suspicious activity involving the Copilot Studio application by checking if any connector or action calls are made to unapproved target hosts. Here's a simplified breakdown:
-
Purpose: The query flags any calls made by the Copilot Studio to hosts that are not on a predefined list of trusted connectors. This is important because interactions with untrusted hosts could indicate malicious activities, such as data being sent to an attacker-controlled endpoint or unauthorized configuration changes.
-
Trusted List: It uses a watchlist named
CopilotStudioTrustedConnectorsto determine which hosts are approved. The list must be populated with trusted host prefixes to function correctly. If the list is empty or only contains initial entries, the query will flag many hosts as untrusted, leading to potentially excessive alerts. -
Data Source: The query examines the
AppDependenciestable for entries generated in the last day (lookback = 1d) related to the "Microsoft Copilot Studio" application or any "Connector" type dependencies. -
Processing:
- It extracts and processes relevant properties like conversation ID, channel ID, and target host information.
- It checks if the target host or its prefix is in the trusted list.
- If the target is not trusted, it records the call.
-
Output: The query summarizes the untrusted calls by counting them, listing unique conversation and channel IDs, and noting the first and last time each untrusted target was seen. The results are ordered by the number of calls to highlight the most frequent untrusted interactions.
-
Security Context: This query is associated with tactics like Exfiltration and Command and Control, and techniques such as T1567 (Exfiltration Over Web Service) and T1071 (Application Layer Protocol). It is tagged for use in Sentinel-As-Code, custom monitoring, and AI-related activities.
In essence, this query helps monitor and secure the Copilot Studio environment by ensuring that all connector interactions are with approved, trusted hosts.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Tactics