Query Details

Copilot Delegation Chain Anomaly

Query

id: 4d6a1e53-2e5c-4f7b-8a9d-8b3e7c5f6a34
name: Microsoft 365 Copilot - Anomalous AI agent delegation chains
description: |
  Hunts for Microsoft 365 Copilot conversations in which one agent delegates to
  another agent (and possibly a third). Long delegation chains expand the blast
  radius of a single prompt: each hop runs under the next agent's identity and
  toolset and obscures the original request.

  Surfaces:
    - Conversations involving three or more distinct agents.
    - Conversations whose agents span more than one tenant or user context.
    - The resources touched along the chain, so the leaf agent's access can be reviewed.
query: |
  // Lookback window; chains are grouped by conversation, not by this window
  let window = 7d;
  let agentEvents =
      CopilotActivity
      | where TimeGenerated > ago(window)
      // Delegation details are carried in the LLMEventData dynamic column
      | extend
          ConversationId = tostring(LLMEventData.ConversationId),
          ParentAgentId = tostring(LLMEventData.ParentAgentId),
          ParentAgentName = tostring(LLMEventData.ParentAgentName),
          DelegationType = tostring(LLMEventData.DelegationType),
          TouchedResource = tostring(LLMEventData.ResourceUri)
      // Events without a conversation id cannot be chained
      | where isnotempty(ConversationId);
  let chains =
      agentEvents
      | summarize
          AgentChain = make_set(AgentName, 16),
          AgentIds = make_set(AgentId, 16),
          ParentAgents = make_set(ParentAgentName, 16),
          Delegations = make_set(DelegationType, 16),
          Resources = make_set(TouchedResource, 32),
          Actors = make_set(ActorName, 16),
          Tenants = make_set(TenantId, 8),
          FirstSeen = min(TimeGenerated),
          LastSeen = max(TimeGenerated),
          EventCount = count()
          by ConversationId
      | extend
          // Number of distinct agents seen in the conversation (not hop depth)
          ChainLength = array_length(AgentChain),
          CrossTenant = array_length(Tenants) > 1,
          CrossUser = array_length(Actors) > 1,
          // Elapsed time of the whole chain, to judge how tightly the hops cluster
          DurationSeconds = datetime_diff('second', LastSeen, FirstSeen);
  chains
  | where ChainLength >= 3 or CrossTenant or CrossUser
  | order by ChainLength desc, LastSeen desc
tactics:
  - LateralMovement
  - Discovery
techniques:
  - T1078
  - T1087
tags:
  - Sentinel-As-Code
  - Custom
  - Copilot
  - AI

Explanation

This query hunts for unusual delegation patterns in Microsoft 365 Copilot conversations: cases where one AI agent hands a task to another, so that a single conversation involves three or more distinct agents, or where the agents in a conversation run under more than one tenant or user context. Each hop runs with the identity and tools of the next agent, so long chains widen the set of resources a single prompt can reach and make it harder to trace an action back to the original request.

Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at CopilotActivity events from the past 7 days (the `window` variable).
  2. Data Collection: It extracts the conversation ID, parent agent ID and name, delegation type and accessed resource URI from the LLMEventData field of each event, and drops events that carry no conversation ID.
  3. Chain Analysis: It summarizes the remaining events per ConversationId, collecting the sets of agent names and IDs, parent agents, delegation types, resources, actors and tenants, plus the first and last timestamp and the event count. ChainLength is the number of distinct agents in the conversation; CrossTenant and CrossUser are set when more than one tenant or actor appears.
  4. Filtering: It keeps conversations whose ChainLength is three or more, or that involve multiple tenants, or that involve multiple users.
  5. Sorting: The results are sorted by ChainLength, then by the most recent activity.

The query is associated with the Lateral Movement and Discovery tactics and with the Valid Accounts (T1078) and Account Discovery (T1087) techniques. It is tagged for use with Sentinel-As-Code, custom implementations, and AI-related activities. Note that ChainLength counts distinct agents in a conversation, not delegation hops: an orchestrator that fans out to two sub-agents in parallel also yields a ChainLength of 3, so review the ParentAgents, Delegations and Resources columns before treating a hit as a genuine chain.
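The steps above, run over constructed sample events in Python rather than KQL, as an added example that is not part of the original query or page. The field names mirror what the query reads from CopilotActivity (AgentId, AgentName, ActorName, TenantId, TimeGenerated and the LLMEventData members); the events are invented, and the exact CopilotActivity schema is assumed rather than verified here. The example goes one step beyond the query: it follows ParentAgentId to measure real delegation depth, which separates a three-hop chain from an orchestrator that fans out to two sub-agents in parallel (both give make_set(AgentName) a length of 3).

```python
from collections import defaultdict
from datetime import datetime


def ev(ts, conv, agent_id, name, parent, actor, tenant, resource=""):
    """Build one flattened Copilot event (constructed sample data, assumed schema)."""
    return {"TimeGenerated": ts, "ConversationId": conv, "AgentId": agent_id,
            "AgentName": name, "ParentAgentId": parent, "ActorName": actor,
            "TenantId": tenant, "DelegationType": "Handoff" if parent else "",
            "ResourceUri": resource}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # conv-1: Planner -> Researcher -> Mailer in nine seconds: a true 3-hop chain
    ev("2026-05-20T10:00:00Z", "conv-1", "A", "Planner", "", "alice@contoso.com", "t1"),
    ev("2026-05-20T10:00:05Z", "conv-1", "B", "Researcher", "A", "alice@contoso.com", "t1",
       "https://contoso.sharepoint.com/sites/HR/Payroll.xlsx"),
    ev("2026-05-20T10:00:09Z", "conv-1", "C", "Mailer", "B", "alice@contoso.com", "t1",
       "https://graph.microsoft.com/v1.0/me/sendMail"),
    # conv-2: only two agents, but the hop lands in another tenant
    ev("2026-05-20T11:00:00Z", "conv-2", "A", "Planner", "", "bob@contoso.com", "t1"),
    ev("2026-05-20T11:00:03Z", "conv-2", "X", "Summarizer", "A", "bob@contoso.com", "t2"),
    # conv-3: one agent answering directly; benign
    ev("2026-05-20T12:00:00Z", "conv-3", "A", "Planner", "", "carol@contoso.com", "t1"),
    # conv-4: Planner fans out to two sub-agents in parallel: three distinct
    # agents (make_set length 3) but only two hops deep
    ev("2026-05-20T13:00:00Z", "conv-4", "A", "Planner", "", "dave@contoso.com", "t1"),
    ev("2026-05-20T13:00:02Z", "conv-4", "B", "Researcher", "A", "dave@contoso.com", "t1"),
    ev("2026-05-20T13:00:04Z", "conv-4", "C", "Mailer", "A", "dave@contoso.com", "t1"),
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def chain_depth(events):
    """Longest ParentAgentId -> AgentId path in one conversation (real hop count)."""
    ids = {e["AgentId"] for e in events}
    children = defaultdict(set)
    roots = set()
    for e in events:
        parent = e["ParentAgentId"]
        if parent and parent in ids:
            children[parent].add(e["AgentId"])
        else:
            roots.add(e["AgentId"])
    if events and not roots:  # every agent claims a parent: malformed or cyclic data
        roots = ids

    def depth(node, seen):
        if node in seen:  # cycle guard for inconsistent parent pointers
            return 0
        seen = seen | {node}
        return 1 + max((depth(c, seen) for c in children[node]), default=0)

    return max((depth(r, frozenset()) for r in roots), default=0)


def summarize_conversations(rows):
    """Per-conversation summary equivalent to the query's `chains` table."""
    by_conv = defaultdict(list)
    for r in rows:
        if r.get("ConversationId"):  # mirrors `where isnotempty(ConversationId)`
            by_conv[r["ConversationId"]].append(r)
    summaries = []
    for conv_id, events in by_conv.items():
        events.sort(key=lambda e: _ts(e["TimeGenerated"]))
        chain = list(dict.fromkeys(e["AgentName"] for e in events))  # ordered, distinct
        first, last = _ts(events[0]["TimeGenerated"]), _ts(events[-1]["TimeGenerated"])
        summaries.append({
            "ConversationId": conv_id,
            "AgentChain": chain,
            "ChainLength": len(chain),           # what make_set(AgentName) yields
            "ChainDepth": chain_depth(events),   # real delegation depth
            "CrossTenant": len({e["TenantId"] for e in events}) > 1,
            "CrossUser": len({e["ActorName"] for e in events}) > 1,
            "Resources": sorted({e["ResourceUri"] for e in events if e["ResourceUri"]}),
            "FirstSeen": first,
            "LastSeen": last,
            "DurationSeconds": (last - first).total_seconds(),
        })
    return summaries


def hunt(rows, min_depth=3):
    """The query's filter, applied to delegation depth instead of distinct-agent count."""
    hits = [s for s in summarize_conversations(rows)
            if s["ChainDepth"] >= min_depth or s["CrossTenant"] or s["CrossUser"]]
    # order by depth desc, LastSeen desc, as the KQL orders by ChainLength
    hits.sort(key=lambda s: (-s["ChainDepth"], -s["LastSeen"].timestamp()))
    return hits
```

Run against the sample data, `hunt` returns conv-1 (depth 3, with the payroll file and the sendMail endpoint in its resource list) and conv-2 (cross-tenant), while conv-4 is reported with ChainLength 3 but ChainDepth 2 and is not flagged; the KQL as written would flag conv-4 too, which is the case the caveat above refers to. DurationSeconds is reported rather than thresholded so an analyst can decide what "short window" means for their tenant.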

Details


David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

Microsoft, Copilot, Conversations, Agents, Delegation, Chains, Resources, Tenants, Users

Operators

let, |, where, >, ago, extend, tostring, isnotempty, summarize, make_set, min, max, count, by, array_length, or, order by, desc
