Query Details
id: 4a9c8d5e-7b2f-4e1a-9c3d-1f6a8b9c2d3e
name: Microsoft 365 Copilot - Grounding source enumeration (RAG recon)
description: |
  Hunts for Microsoft 365 Copilot agents or users that touch an unusually
  diverse set of grounding sources (sites, document libraries, mailboxes)
  in a short window — the RAG-equivalent of network port-scanning.
  Common precursor to data discovery, sensitive-file harvesting, and
  staged exfiltration. Pairs well with CopilotExfiltrationPattern.
query: |
  let recentWindow = 1h;
  let baselineWindow = 14d;
  let recent =
      CopilotActivity
      | where TimeGenerated > ago(recentWindow)
      | where RecordType == "CopilotInteraction"
      | mv-expand src = LLMEventData.RagSources
      | extend SourceUri = tolower(tostring(src))
      | where isnotempty(SourceUri)
      | summarize
          RecentDistinctSources = dcount(SourceUri),
          RecentSampleSources = make_set(SourceUri, 25),
          RecentCalls = count()
        by AgentId, AgentName, ActorName = tostring(coalesce(ActorName, column_ifexists('ActorUPN', '')));
  let baseline =
      CopilotActivity
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | where RecordType == "CopilotInteraction"
      | mv-expand src = LLMEventData.RagSources
      | extend SourceUri = tolower(tostring(src))
      | where isnotempty(SourceUri)
      | summarize BaselineDistinctSources = dcount(SourceUri)
        by AgentId, ActorName = tostring(coalesce(ActorName, column_ifexists('ActorUPN', '')));
  recent
  | join kind=leftouter baseline on AgentId, ActorName
  | extend BaselineDistinctSources = coalesce(BaselineDistinctSources, 0)
  | extend SpikeRatio = iff(BaselineDistinctSources > 0,
                            todouble(RecentDistinctSources) / todouble(BaselineDistinctSources),
                            todouble(RecentDistinctSources))
  | where RecentDistinctSources >= 25 and (BaselineDistinctSources == 0 or SpikeRatio >= 5.0)
  | project TimeGenerated = now(), AgentId, AgentName, ActorName,
            RecentDistinctSources, BaselineDistinctSources, SpikeRatio,
            RecentCalls, RecentSampleSources
  | order by SpikeRatio desc, RecentDistinctSources desc
tactics:
- Discovery
- Collection
techniques:
- T1083
- T1213
tags:
- Sentinel-As-Code
- Custom
- Copilot
- AI
This query is designed to detect unusual activity by Microsoft 365 Copilot agents or users who are accessing a wide variety of sources (like sites, document libraries, or mailboxes) in a short period of time. This behavior is similar to network port-scanning and can be an early indicator of data discovery, sensitive file harvesting, or data exfiltration attempts.
Here's a simplified breakdown of what the query does:
Define Time Windows: It sets a "recent" time window of 1 hour and a "baseline" time window of 14 days.
Recent Activity: It looks at Copilot interactions in the last hour, counting how many distinct sources each agent or user has accessed and listing up to 25 of these sources.
Baseline Activity: It examines Copilot interactions over the previous 14 days (excluding the last hour) to count how many distinct sources each agent or user typically accesses.
Comparison: It compares the recent activity to the baseline. The two result sets are joined on agent and actor (an agent or user with no baseline activity is treated as a baseline of 0), and a spike ratio is computed as the recent distinct-source count divided by the baseline distinct-source count (or simply the recent count when the baseline is 0). Only agent/actor pairs with at least 25 distinct recent sources and either no baseline or a spike ratio of at least 5 are kept.
Output: The results include details like the agent or user ID, names, the number of distinct sources accessed recently and in the baseline, the spike ratio, and a sample of recent sources accessed. The results are sorted by the spike ratio and the number of recent distinct sources.
The query is associated with tactics like Discovery and Collection and techniques such as T1083 (File and Directory Discovery) and T1213 (Data from Information Repositories). It is tagged for use with Microsoft Sentinel, custom detection, and AI-related activities.
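To make the detection logic testable offline, the following is an added example (not part of the original query page or the Sentinel-As-Code project) that re-implements the same windowing, source normalisation, join and threshold steps in Python over constructed CopilotActivity-shaped records. The record layout, the `contoso.sharepoint.com` URIs, the actor names and the frozen clock are all assumptions made for the illustration; the 1h/14d windows, the 25-source floor and the 5x ratio come from the query above.

```python
"""Offline model of the 'Grounding source enumeration' detection logic."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical, not real telemetry). The clock is frozen
# so that the 1h recent window and 14d baseline window are deterministic.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)


def _row(minutes_ago, agent, actor, sources, record_type="CopilotInteraction", actor_upn=None):
    """Build one hypothetical CopilotActivity-shaped record."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "RecordType": record_type,
        "AgentId": agent,
        "AgentName": f"{agent}-agent",
        "ActorName": actor,
        "ActorUPN": actor_upn,
        "LLMEventData": {"RagSources": list(sources)},
    }


def _sites(prefix, n):
    """n distinct constructed SharePoint site URIs."""
    return [f"https://contoso.sharepoint.com/sites/{prefix}{i}" for i in range(n)]


SAMPLE_ROWS = (
    # alice: quiet baseline (3 sources over two weeks), then 30 distinct sites in the last hour.
    [_row(3 * 24 * 60, "agent-1", "alice", _sites("hr", 3)),
     _row(9 * 24 * 60, "agent-1", "alice", _sites("hr", 2))]
    + [_row(5 + i, "agent-1", "alice", _sites("fin", 30)[i:i + 2]) for i in range(0, 30, 2)]
    # bob: routinely broad (40 baseline sources), 30 recent -> ratio 0.75, not a spike.
    + [_row(2 * 24 * 60, "agent-2", "bob", _sites("eng", 40)),
       _row(10, "agent-2", "bob", _sites("eng", 30))]
    # carol: no ActorName (falls back to ActorUPN), no baseline, 26 distinct sources;
    # upper-case duplicates must collapse after tolower().
    + [_row(20, "agent-3", None, _sites("legal", 26), actor_upn="carol@contoso.com"),
       _row(15, "agent-3", None, [s.upper() for s in _sites("legal", 5)], actor_upn="carol@contoso.com")]
    # dave: only 10 sources (below the floor), plus noise rows the filters must drop.
    + [_row(30, "agent-4", "dave", _sites("mkt", 10)),
       _row(25, "agent-4", "dave", ["", None]),
       _row(25, "agent-4", "dave", _sites("mkt", 50), record_type="CopilotPluginCall")]
)


def _actor(row):
    """Mirror coalesce(ActorName, column_ifexists('ActorUPN', '')); KQL coalesce skips empty strings."""
    return row.get("ActorName") or row.get("ActorUPN") or ""


def _source_refs(rows, lo, hi, lo_inclusive):
    """Shared filters plus the mv-expand step: yield (AgentId, AgentName, actor, SourceUri)."""
    for row in rows:
        t = row["TimeGenerated"]
        in_window = (lo <= t if lo_inclusive else lo < t) and t <= hi
        if not in_window or row.get("RecordType") != "CopilotInteraction":
            continue
        for src in (row.get("LLMEventData") or {}).get("RagSources") or []:
            uri = str(src).lower() if src is not None else ""   # tolower(tostring(src))
            if uri:                                              # isnotempty(SourceUri)
                yield row["AgentId"], row["AgentName"], _actor(row), uri


def _summarize(refs):
    """dcount(SourceUri) / make_set / count() grouped by (AgentId, ActorName)."""
    stats = {}
    for agent_id, agent_name, actor, uri in refs:
        s = stats.setdefault((agent_id, actor), {"AgentName": agent_name, "sources": set(), "calls": 0})
        s["sources"].add(uri)
        s["calls"] += 1          # counts expanded source rows, exactly as count() after mv-expand does
    return stats


def find_source_spikes(rows, now=NOW, recent_window=timedelta(hours=1),
                       baseline_window=timedelta(days=14),
                       min_recent_sources=25, min_spike_ratio=5.0, sample_size=25):
    """Return flagged (agent, actor) pairs ordered by SpikeRatio desc, RecentDistinctSources desc."""
    recent = _summarize(_source_refs(rows, now - recent_window, now, lo_inclusive=False))
    baseline = _summarize(_source_refs(rows, now - baseline_window, now - recent_window, lo_inclusive=True))
    hits = []
    for key, r in recent.items():
        recent_n = len(r["sources"])
        base_n = len(baseline[key]["sources"]) if key in baseline else 0   # leftouter join + coalesce(.., 0)
        ratio = recent_n / base_n if base_n > 0 else float(recent_n)
        if recent_n >= min_recent_sources and (base_n == 0 or ratio >= min_spike_ratio):
            hits.append({
                "AgentId": key[0], "AgentName": r["AgentName"], "ActorName": key[1],
                "RecentDistinctSources": recent_n, "BaselineDistinctSources": base_n,
                "SpikeRatio": ratio, "RecentCalls": r["calls"],
                # make_set order is not guaranteed in KQL; sorted here for reproducibility
                "RecentSampleSources": sorted(r["sources"])[:sample_size],
            })
    hits.sort(key=lambda h: (h["SpikeRatio"], h["RecentDistinctSources"]), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_source_spikes(SAMPLE_ROWS):
        print(f"{hit['ActorName']:20} {hit['AgentId']:8} recent={hit['RecentDistinctSources']:3} "
              f"baseline={hit['BaselineDistinctSources']:3} ratio={hit['SpikeRatio']:.1f}")
```

Run as-is, the script flags carol (no baseline, 26 sources, SpikeRatio 26.0) and alice (30 recent vs 3 baseline, SpikeRatio 10.0) while bob and dave stay below threshold. Two details worth knowing when tuning the real rule: `RecentCalls` is taken after `mv-expand`, so it counts grounding-source references rather than Copilot interactions, and an actor with no baseline rows is always reported once they cross the 25-source floor, which is the intended "never seen before" behaviour but can be noisy for newly onboarded users or agents.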

David Alonso
Released: May 20, 2026