Microsoft 365 Copilot - Off-hours or anomalous-geo agent usage
Copilot Off Hours Or Geo Anomaly
Query
let lookback = 30d;
let recentWindow = 1d;
let usual =
SigninLogs
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| where ResultType == 0
| extend Hour = hourofday(TimeGenerated), Country = tostring(LocationDetails.countryOrRegion)
| summarize UsualHours = make_set(Hour, 24), UsualCountries = make_set(Country, 50)
by UserPrincipalName = tolower(UserPrincipalName);
CopilotActivity
| where TimeGenerated > ago(recentWindow)
| where RecordType == "CopilotInteraction"
| extend ActorUpn = tolower(tostring(coalesce(column_ifexists('ActorUPN', ''), ActorName)))
| extend Hour = hourofday(TimeGenerated)
| join kind=leftouter usual on $left.ActorUpn == $right.UserPrincipalName
| extend ActorCountry = tostring(coalesce(column_ifexists('Location', ''),
column_ifexists('Country', '')))
| extend
OffHours = isnotnull(UsualHours) and not(set_has_element(UsualHours, Hour)),
AnomalousGeo = isnotempty(ActorCountry) and isnotnull(UsualCountries)
and not(set_has_element(UsualCountries, ActorCountry))
| where OffHours or AnomalousGeo
| project TimeGenerated, AgentId, AgentName, ActorUpn, Hour, ActorCountry,
OffHours, AnomalousGeo, UsualHours, UsualCountries, TenantId
| order by TimeGenerated descExplanation
This query is designed to detect potentially suspicious activity involving Microsoft 365 Copilot. It looks for Copilot sessions that occur either outside of a user's normal working hours or from a location that the user hasn't accessed from in the past 30 days. This could indicate unauthorized access, such as session theft or misuse of OAuth tokens.
Here's a simplified breakdown of what the query does:
-
Define Timeframes: It sets a 30-day period to establish a baseline of usual activity and a 1-day period to check for recent activity.
-
Establish Usual Patterns: It analyzes sign-in logs from the past 30 days to determine each user's typical working hours and the countries they usually log in from.
-
Identify Anomalies: It examines recent Copilot interactions (within the last day) to see if they occur outside of these usual hours or from unusual locations.
-
Flag Suspicious Activity: If a Copilot session is detected outside of normal hours or from an unusual location, it is flagged as potentially suspicious.
-
Output: The query outputs details of these flagged sessions, including the time, user, location, and whether the activity was outside usual hours or from an anomalous location.
The query is associated with tactics like Initial Access and Defense Evasion, and techniques related to unauthorized account use. It is tagged for use in Sentinel and related to AI and Copilot activities.
Details

David Alonso
Released: May 20, 2026
Tables
Keywords
Operators
Tactics