Query Details

Microsoft 365 Copilot - Abnormal AI agent tool usage mix

Copilot Abnormal Tool Usage

Query

// Confirmed schema: LLMEventData.AISystemPlugin[].{Id, Name}
// Joins against the CopilotApprovedPlugins watchlist (any plugin NOT in
// the approved list AND newly seen / spiking is surfaced).
let baselineWindow = 14d;
let recentWindow = 1d;
let toolEvents =
    CopilotActivity
    | where TimeGenerated > ago(baselineWindow)
    | where RecordType == "CopilotInteraction"
    | mv-expand p = LLMEventData.AISystemPlugin
    | extend
        PluginId = tostring(p.Id),
        PluginName = tostring(p.Name),
        LowerPluginName = tolower(tostring(p.Name))
    | where isnotempty(PluginName);
let approved =
    _GetWatchlist('CopilotApprovedPlugins')
    | project ApprovedPlugin = tolower(tostring(column_ifexists('PluginName', '')))
    | where isnotempty(ApprovedPlugin);
let baseline =
    toolEvents
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | summarize BaselineCalls = count() by AgentId, AgentName, PluginName, LowerPluginName;
let recent =
    toolEvents
    | where TimeGenerated > ago(recentWindow)
    | summarize RecentCalls = count() by AgentId, AgentName, PluginName, LowerPluginName;
recent
| join kind=leftouter baseline on AgentId, PluginName
| extend BaselineCalls = coalesce(BaselineCalls, 0)
| extend
    IsNewPlugin = BaselineCalls == 0,
    SpikeRatio = iff(BaselineCalls > 0, todouble(RecentCalls) / todouble(BaselineCalls), todouble(RecentCalls))
| join kind=leftanti approved on $left.LowerPluginName == $right.ApprovedPlugin
| where IsNewPlugin or SpikeRatio >= 5.0
| order by IsNewPlugin desc, SpikeRatio desc, RecentCalls desc

Explanation

This query is designed to identify unusual usage patterns of Microsoft 365 Copilot tools by analyzing the behavior of AI agents over a 24-hour period compared to their typical activity over the past 14 days. It specifically looks for:

  1. New Tool Usage: Identifies if an agent is using new, potentially sensitive tools that it hasn't used before.
  2. Unusual Activity: Detects if an agent that typically only reads data is suddenly using tools for writing or administrative tasks.
  3. Spike in Activity: Flags any significant increase in the frequency of tool usage by an agent, especially if the usage rate is five times higher than the baseline.

The query works by:

  • Collecting tool usage data from the past 14 days and the most recent 24 hours.
  • Comparing the recent activity against the 14-day baseline to identify new or spiking tool usage.
  • Filtering out tools that are not on an approved list, focusing on those that are newly seen or have a significant increase in usage.
  • Sorting the results to prioritize new tool usage and the highest spikes in activity.

This helps in detecting potential misuse or exploitation of high-impact tools by AI agents, which could indicate security threats like unauthorized access or privilege escalation.

Details

David Alonso profile picture

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

MicrosoftCopilotAgentPluginWatchlistAgentIdAgentNamePluginNameTimeGeneratedRecordTypeRecentCallsBaselineCallsSpikeRatio

Operators

let|wheremv-expandextendtostringtolowerisnotempty_GetWatchlistprojectcolumn_ifexistssummarizecountbetweenagojoinkind=leftoutercoalesceifftodoublekind=leftantion==or>=order bydesc

Tactics

ExecutionPrivilegeEscalation

MITRE Techniques

Actions

GitHub