Query Details

Microsoft 365 Copilot - Anomalous AI agent delegation chains

Copilot Delegation Chain Anomaly

Query

let window = 7d;
let agentEvents =
    CopilotActivity
    | where TimeGenerated > ago(window)
    | extend
        ConversationId = tostring(LLMEventData.ConversationId),
        ParentAgentId = tostring(LLMEventData.ParentAgentId),
        ParentAgentName = tostring(LLMEventData.ParentAgentName),
        DelegationType = tostring(LLMEventData.DelegationType),
        TouchedResource = tostring(LLMEventData.ResourceUri)
    | where isnotempty(ConversationId);
let chains =
    agentEvents
    | summarize
        AgentChain = make_set(AgentName, 16),
        AgentIds = make_set(AgentId, 16),
        ParentAgents = make_set(ParentAgentName, 16),
        Delegations = make_set(DelegationType, 16),
        Resources = make_set(TouchedResource, 32),
        Actors = make_set(ActorName, 16),
        Tenants = make_set(TenantId, 8),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated),
        EventCount = count()
        by ConversationId
    | extend
        ChainLength = array_length(AgentChain),
        CrossTenant = array_length(Tenants) > 1,
        CrossUser = array_length(Actors) > 1;
chains
| where ChainLength >= 3 or CrossTenant or CrossUser
| order by ChainLength desc, LastSeen desc

Explanation

This query is designed to identify unusual delegation patterns in Microsoft 365 Copilot conversations. It focuses on detecting situations where one AI agent delegates tasks to another, potentially forming a chain of three or more agents within a short time frame. Such chains can increase security risks by expanding the scope of access and obscuring the original request.

Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at events from the past 7 days.
  2. Data Collection: It gathers data on conversations involving AI agents, including details like conversation ID, parent agent ID, delegation type, and any resources accessed.
  3. Chain Analysis: It summarizes this data to identify chains of agents, noting the length of the chain, whether the delegation crosses different tenants or user contexts, and the resources involved.
  4. Filtering: It filters the results to highlight chains that are three or more agents long, involve multiple tenants, or involve multiple users.
  5. Sorting: The results are sorted by the length of the chain and the most recent activity.

The query is associated with tactics like lateral movement and discovery, and it uses techniques related to valid accounts and account discovery. It is tagged for use with Sentinel-As-Code, custom implementations, and AI-related activities.

Details

David Alonso profile picture

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

MicrosoftCopilotConversationsAgentsDelegationChainsResourcesTenantsUsers

Operators

let|where>agoextendtostringisnotemptysummarizemake_setminmaxcountbyarray_lengthororder bydesc

Tactics

LateralMovementDiscovery

MITRE Techniques

Actions

GitHub