Query Details
id: 0fd18219-8fc2-90d3-e2c4-516f8291a1b6
name: Microsoft 365 Copilot - API misuse / automation abuse from AI agent
description: |
  Detects a Microsoft 365 Copilot agent that, within a 1-hour window, drives
  an unusually high volume of downstream API or tool calls with a
  high client-error (4xx) or server-error (5xx) rate. This is the
  signature of a runaway agent loop, automation abuse, or
  brute-force-style API misuse driven by a compromised agent.
  Threshold defaults: at least 200 calls in the window AND error
  rate at or above 30 percent. Tune via the "MinCalls" and
  "ErrorRateThreshold" let statements at the top of the query.
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftCopilot
    dataTypes:
      - CopilotActivity
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
  - Impact
relevantTechniques:
  - T1499
query: |
  // Tunable thresholds: minimum call volume and minimum (4xx + 5xx) share per agent
  let MinCalls = 200;
  let ErrorRateThreshold = 0.30;
  CopilotActivity
  | where TimeGenerated > ago(1h)
  | extend
      ToolName = tostring(LLMEventData.ToolName),
      HttpStatus = toint(LLMEventData.HttpStatus),
      ApiTarget = tostring(LLMEventData.ApiTarget)
  // Keep only rows that represent a downstream tool or API call
  | where isnotempty(ToolName) or isnotempty(ApiTarget)
  | summarize
      TotalCalls = count(),
      ClientErrors = countif(HttpStatus between (400 .. 499)),
      ServerErrors = countif(HttpStatus between (500 .. 599)),
      Tools = make_set(ToolName, 32),
      ApiTargets = make_set(ApiTarget, 32),
      ClientIPs = make_set(SrcIpAddr, 16),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
    by AgentId, AgentName, ActorName, TenantId
  | extend ErrorRate = todouble(ClientErrors + ServerErrors) / todouble(TotalCalls)
  | where TotalCalls >= MinCalls and ErrorRate >= ErrorRateThreshold
  // Surface the first observed client IP for the IP entity mapping
  | extend SrcIpAddr = tostring(ClientIPs[0])
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: AgentName
      - identifier: AppId
        columnName: AgentId
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: ActorName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
  - Sentinel-As-Code
  - Custom
  - Copilot
  - AI
This query is designed to detect unusual behavior from a Microsoft 365 Copilot agent that might indicate misuse or abuse of APIs. Here's a simple breakdown:

Purpose: The query identifies whether a Microsoft 365 Copilot agent is making an unusually high number of API or tool calls within a one-hour period, with a significant portion of those calls resulting in errors. This could suggest a problem such as a runaway loop, automation abuse, or misuse by a compromised agent.

Criteria:
  Data Source: It uses data from the CopilotActivity data type, provided by the MicrosoftCopilot connector.
  Process: Within the last hour, rows that carry a ToolName or ApiTarget are grouped by AgentId, AgentName, ActorName and TenantId. For each group the query counts total calls and 4xx and 5xx responses, computes the error rate as (4xx + 5xx) / total, and keeps only groups with at least 200 calls (MinCalls) and an error rate of at least 30 percent (ErrorRateThreshold).

Output: If an agent meets these conditions, it triggers an alert with a medium severity level. The alert maps the agent to a CloudApplication entity, the actor to an Account entity and the first observed client IP to an IP entity; resulting incidents are grouped by CloudApplication over a 6-hour lookback.

Additional Details: This setup helps in monitoring and managing potential issues with AI-driven automation in Microsoft 365 environments.
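To tune MinCalls and ErrorRateThreshold before deploying the rule, it helps to replay its summarize and threshold logic over known inputs. The following Python re-implementation is an added example, not part of the rule above or of any Microsoft tooling; it assumes rows shaped like the CopilotActivity columns the query reads (TimeGenerated, AgentId, AgentName, ActorName, TenantId, SrcIpAddr, LLMEventData.ToolName/ApiTarget/HttpStatus) and uses constructed sample rows, including an agent whose calls fall outside the 1-hour window and one whose error rate is high but whose volume is below MinCalls.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the CopilotActivity columns the rule reads; not real telemetry.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)

def make_rows(agent, actor, n, errors, err_status=429, minutes_ago=0):
    """Build n tool-call rows for one agent; the first `errors` rows fail with err_status."""
    return [{
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago + i % 60),
        "AgentId": agent, "AgentName": agent, "ActorName": actor, "TenantId": "tenant-1",
        "SrcIpAddr": "203.0.113.10",
        "LLMEventData": {"ToolName": "GraphMail", "ApiTarget": "graph.microsoft.com",
                         "HttpStatus": err_status if i < errors else 200},
    } for i in range(n)]

ROWS = (make_rows("agent-runaway", "alice", 250, 100)           # 40% 4xx -> should alert
        + make_rows("agent-healthy", "bob", 250, 50)            # 20% -> below ErrorRateThreshold
        + make_rows("agent-small", "carol", 50, 50, 503)        # 100% 5xx but below MinCalls
        + make_rows("agent-stale", "dan", 300, 300, 500, 120))  # all outside the 1h window

def evaluate(rows, min_calls=200, error_rate_threshold=0.30, now=NOW):
    """Mirror the rule: window filter, tool/API filter, per-agent summarize, thresholds."""
    groups = defaultdict(lambda: {"TotalCalls": 0, "ClientErrors": 0, "ServerErrors": 0, "ClientIPs": []})
    for row in rows:
        if not row["TimeGenerated"] > now - timedelta(hours=1):  # where TimeGenerated > ago(1h)
            continue
        data = row["LLMEventData"]
        if not data.get("ToolName") and not data.get("ApiTarget"):  # isnotempty(ToolName) or isnotempty(ApiTarget)
            continue
        g = groups[(row["AgentId"], row["AgentName"], row["ActorName"], row["TenantId"])]
        g["TotalCalls"] += 1
        status = data.get("HttpStatus")  # a missing status counts as a call but not as an error
        if status is not None and 400 <= status <= 499:
            g["ClientErrors"] += 1
        elif status is not None and 500 <= status <= 599:
            g["ServerErrors"] += 1
        if row["SrcIpAddr"] not in g["ClientIPs"]:
            g["ClientIPs"].append(row["SrcIpAddr"])
    alerts = []
    for (agent_id, agent_name, actor, tenant), g in groups.items():
        rate = (g["ClientErrors"] + g["ServerErrors"]) / g["TotalCalls"]
        if g["TotalCalls"] >= min_calls and rate >= error_rate_threshold:
            alerts.append({"AgentId": agent_id, "AgentName": agent_name, "ActorName": actor,
                           "TenantId": tenant, "TotalCalls": g["TotalCalls"],
                           "ErrorRate": round(rate, 3), "SrcIpAddr": g["ClientIPs"][0]})
    return alerts
```

Lowering min_calls to 50 in this sample also surfaces agent-small, which shows why the volume floor matters: a short burst of failures from a low-traffic agent would otherwise page on every hour.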

David Alonso
Released: May 20, 2026