Query Details

Copilot Abnormal Tool Usage

Query

id: 2b13a43b-a1e4-b2f5-04e6-7393a4b3c3d8
name: Microsoft 365 Copilot - Abnormal AI agent tool usage mix
description: |
  Hunts for Microsoft 365 Copilot agents whose 24-hour tool-invocation profile
  differs sharply from their 14-day baseline: new sensitive tools
  appearing, write / admin tools invoked by an agent that has only
  ever read, or call rate spiking far above the per-tool baseline.

  Useful for finding agent-exploitation, chaining anomalies, and
  abuse of high-impact tools (send-email, delete-file, write-graph,
  password-reset) by an agent that previously did not touch them.
query: |
  // Confirmed schema: LLMEventData.AISystemPlugin[].{Id, Name}
  // Joins against the CopilotApprovedPlugins watchlist (any plugin NOT in
  // the approved list AND newly seen / spiking is surfaced).
  let baselineWindow = 14d;
  let recentWindow = 1d;
  let toolEvents =
      CopilotActivity
      | where TimeGenerated > ago(baselineWindow)
      | where RecordType == "CopilotInteraction"
      | mv-expand p = LLMEventData.AISystemPlugin
      | extend
          PluginId = tostring(p.Id),
          PluginName = tostring(p.Name),
          LowerPluginName = tolower(tostring(p.Name))
      | where isnotempty(PluginName);
  let approved =
      _GetWatchlist('CopilotApprovedPlugins')
      | project ApprovedPlugin = tolower(tostring(column_ifexists('PluginName', '')))
      | where isnotempty(ApprovedPlugin);
  let baseline =
      toolEvents
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | summarize BaselineCalls = count() by AgentId, AgentName, PluginName, LowerPluginName;
  let recent =
      toolEvents
      | where TimeGenerated > ago(recentWindow)
      | summarize RecentCalls = count() by AgentId, AgentName, PluginName, LowerPluginName;
  recent
  | join kind=leftouter baseline on AgentId, PluginName
  | extend BaselineCalls = coalesce(BaselineCalls, 0)
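  // SpikeRatio divides the 1-day call count by the total call count for the
  // whole baseline window (14d ago to 1d ago), not by a per-day average.
  | extend
      IsNewPlugin = BaselineCalls == 0,
      SpikeRatio = iff(BaselineCalls > 0, todouble(RecentCalls) / todouble(BaselineCalls), todouble(RecentCalls))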
  | join kind=leftanti approved on $left.LowerPluginName == $right.ApprovedPlugin
  | where IsNewPlugin or SpikeRatio >= 5.0
  | order by IsNewPlugin desc, SpikeRatio desc, RecentCalls desc
tactics:
  - Execution
  - PrivilegeEscalation
techniques:
  - T1059
  - T1098
tags:
  - Sentinel-As-Code
  - Custom
  - Copilot
  - AI

Explanation

This query is designed to identify unusual usage patterns of Microsoft 365 Copilot tools by analyzing the behavior of AI agents over a 24-hour period compared to their typical activity over the past 14 days. It specifically looks for:

  1. New Tool Usage: Identifies if an agent is using new, potentially sensitive tools that it hasn't used before.
  2. Unusual Activity: Detects if an agent that typically only reads data is suddenly using tools for writing or administrative tasks. The query does not classify tools as read or write; such a change shows up as a plugin with no baseline calls for that agent.
  3. Spike in Activity: Flags a tool whose call count in the last 24 hours is at least five times that agent's baseline call count for the same tool (SpikeRatio >= 5.0).

The query works by:

  • Collecting tool usage data from the past 14 days, treating the most recent 24 hours as the recent window and the period before it as the baseline.
  • Comparing the recent activity against the 14-day baseline to identify new or spiking tool usage.
  • Excluding tools that are on the approved list (the CopilotApprovedPlugins watchlist), so that only unapproved tools that are newly seen or have a significant increase in usage remain.
  • Sorting the results to prioritize new tool usage and the highest spikes in activity.

This helps in detecting potential misuse or exploitation of high-impact tools by AI agents, which could indicate security threats like unauthorized access or privilege escalation.
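
The comparison logic above, run over constructed rows so it can be checked in a workspace without CopilotActivity data (an added example, not the author's query). Agent and plugin names, call counts, the HoursAgo and Calls helper columns, and the DailyRatio and MatchesPageFilter columns are assumptions added here; DailyRatio scales SpikeRatio by the 13-day baseline length, because SpikeRatio divides a one-day count by the total for the whole baseline window.

```kusto
// Added example: constructed rows, not real CopilotActivity data.
let baselineWindow = 14d;
let recentWindow = 1d;
// Scenarios (Calls = invocations logged at that point, summed in place of count()):
//   agent-1 SearchFiles    busy in the baseline, busier in the last day
//   agent-1 SendEmail      never seen in the baseline
//   agent-2 ResetPassword  rare in the baseline, frequent in the last day
//   agent-3 Summarize      never seen in the baseline, but approved
let toolEvents = datatable(HoursAgo: long, AgentId: string, AgentName: string, PluginName: string, Calls: long) [
    200, "agent-1", "HR Helper", "SearchFiles",   130,
    5,   "agent-1", "HR Helper", "SearchFiles",   100,
    3,   "agent-1", "HR Helper", "SendEmail",     2,
    100, "agent-2", "Ops Bot",   "ResetPassword", 2,
    2,   "agent-2", "Ops Bot",   "ResetPassword", 40,
    1,   "agent-3", "Docs Bot",  "Summarize",     9
]
| extend TimeGenerated = now() - HoursAgo * 1h, LowerPluginName = tolower(PluginName);
// Stand-in for _GetWatchlist('CopilotApprovedPlugins'), already lower-cased.
let approved = datatable(ApprovedPlugin: string) ["summarize"];
// Length of the baseline window in days (14d - 1d).
let baselineDays = (baselineWindow - recentWindow) / 1d;
let baseline =
    toolEvents
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | summarize BaselineCalls = sum(Calls) by AgentId, PluginName;
toolEvents
| where TimeGenerated > ago(recentWindow)
| summarize RecentCalls = sum(Calls) by AgentId, AgentName, PluginName, LowerPluginName
| join kind=leftouter baseline on AgentId, PluginName
| extend BaselineCalls = coalesce(BaselineCalls, 0)
| extend
    IsNewPlugin = BaselineCalls == 0,
    // Same expression as the page's query: one-day count over baseline total.
    SpikeRatio = iff(BaselineCalls > 0, todouble(RecentCalls) / todouble(BaselineCalls), todouble(RecentCalls))
| extend
    // Added columns: last day versus the average baseline day, and the page's filter as a flag.
    DailyRatio = iff(BaselineCalls > 0, SpikeRatio * baselineDays, todouble(RecentCalls)),
    MatchesPageFilter = IsNewPlugin or SpikeRatio >= 5.0
| join kind=leftanti approved on $left.LowerPluginName == $right.ApprovedPlugin
| project AgentName, PluginName, RecentCalls, BaselineCalls, IsNewPlugin, SpikeRatio, DailyRatio, MatchesPageFilter
| order by IsNewPlugin desc, SpikeRatio desc
```

Rows where MatchesPageFilter is false but DailyRatio is high are the ones a per-day threshold would surface and the raw-count threshold does not.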

Details

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

Microsoft, Copilot, Agent, Plugin, Watchlist, AgentId, AgentName, PluginName, TimeGenerated, RecordType, RecentCalls, BaselineCalls, SpikeRatio

Operators

let, |, where, mv-expand, extend, tostring, tolower, isnotempty, _GetWatchlist, project, column_ifexists, summarize, count, between, ago, join, kind=leftouter, coalesce, iff, todouble, kind=leftanti, on, ==, or, >=, order by, desc
