Microsoft 365 Copilot - AI agent access drift outside baseline
Copilot Access Drift Detection
Query
// Confirmed schema: LLMEventData.AccessedResources[].Type / .SiteUrl
// Drift is computed on the resource-type set per user across a 14d window.
let lookback = 14d;
let recentWindow = 1h;
let events =
CopilotActivity
| where TimeGenerated > ago(lookback)
| where RecordType == "CopilotInteraction"
| mv-expand r = LLMEventData.AccessedResources
| extend
ResourceType = tostring(r.Type),
SiteUrl = tolower(tostring(r.SiteUrl)),
ResourceAction = tostring(r.Action)
| where isnotempty(ResourceType);
let baseline =
events
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| summarize BaselineTypes = make_set(ResourceType, 64) by ActorUserId;
let recent =
events
| where TimeGenerated > ago(recentWindow);
recent
| join kind=leftouter baseline on ActorUserId
| extend BaselineTypes = coalesce(BaselineTypes, dynamic([]))
| where array_index_of(BaselineTypes, ResourceType) < 0
| summarize
DriftCount = count(),
NewResourceTypes = make_set(ResourceType, 16),
SampleSites = make_set(SiteUrl, 16),
SampleActions = make_set(ResourceAction, 8),
AgentNames = make_set(AgentName, 8),
AgentIds = make_set(AgentId, 8),
AnyActor = take_any(ActorName),
ClientIPs = make_set(SrcIpAddr, 16),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ActorUserId, TenantId
| extend
AgentName = tostring(AgentNames[0]),
AgentId = tostring(AgentIds[0]),
ActorName = AnyActor,
SrcIpAddr = tostring(ClientIPs[0])Explanation
This query is designed to monitor and detect unusual behavior by Microsoft 365 Copilot agents, specifically when they access tools or data sources that are not part of their usual activity over the past 14 days. Here's a simple breakdown:
-
Purpose: The query identifies when a Microsoft 365 Copilot agent accesses resources outside its established 14-day baseline. This could indicate unauthorized access or misuse of permissions.
-
Severity: The alert is marked as "Medium" severity, suggesting that while it's not critical, it still requires attention.
-
Data Source: It uses data from the "MicrosoftCopilot" connector, specifically looking at "CopilotActivity" data.
-
Frequency and Period: The query runs every hour and examines data from the past 14 days.
-
Detection Logic:
- It first collects all resource access events by Copilot agents over the last 14 days.
- It establishes a baseline of resource types accessed by each agent during this period.
- It then checks for any recent access (within the last hour) to resource types not in the baseline.
- If such access is detected, it counts these occurrences and gathers additional details like the types of new resources accessed, sample sites, actions, agent names, and IP addresses.
-
Alerting: If any access drift is detected, an alert is triggered. The alert includes details about the agent, the user involved, and the IP address from which the access occurred.
-
Entity Mapping: The query maps detected entities to cloud applications, user accounts, and IP addresses for better context in alerts.
-
Incident Management: When an alert is generated, it can create an incident in the system. Incidents are grouped by the cloud application to manage related alerts efficiently.
-
Version and Tags: The query is versioned as 1.0.0 and tagged for easy identification and categorization within the system.
Overall, this query helps security analysts monitor for potential privilege escalation or unauthorized access by AI agents, ensuring that any deviation from normal behavior is promptly investigated.
Details

David Alonso
Released: May 20, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P14D