Query Details

Copilot Rag Untrusted Source

Query

id: 9ec07108-7eb1-8fc2-d1b3-405e6f8190a5
name: Microsoft 365 Copilot - Untrusted RAG source used to ground agent response
description: |
  Detects a Microsoft 365 Copilot agent grounding its response on a retrieval
  source that is not on the approved corpus list. Used to surface
  RAG poisoning and "context smuggling" attacks where an attacker
  plants content in a shared store the agent indexes.

  The trusted corpus is sourced from the "CopilotTrustedRagSources"
  watchlist (alias: CopilotTrustedRagSources, column: SourceUri).
  Populate that watchlist with the URIs / hostnames of approved
  document repositories before enabling the rule.
severity: Medium
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- InitialAccess
- DefenseEvasion
relevantTechniques:
- T1195
- T1199
query: |
  let trusted =
      _GetWatchlist('CopilotTrustedRagSources')
      | project SourceUri = tolower(tostring(column_ifexists('SourceUri', '')))
      | where isnotempty(SourceUri);
  CopilotActivity
  | where TimeGenerated > ago(1h)
  | where RecordType == "CopilotInteraction"
  | extend AccessedResources = LLMEventData.AccessedResources
  | mv-expand AccessedResources
  | extend
      SourceUri = tolower(tostring(AccessedResources.SiteUrl)),
      Action    = tostring(AccessedResources.Action),
      ResourceType = tostring(AccessedResources.Type)
  | where isnotempty(SourceUri)
  | join kind=leftanti trusted on SourceUri
  | summarize
      UntrustedHits = count(),
      UntrustedSources = make_set(SourceUri, 64),
      Actions = make_set(Action, 16),
      ClientIPs = make_set(SrcIpAddr, 16),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by AgentId, AgentName, ActorName, TenantId
  | extend SrcIpAddr = tostring(ClientIPs[0])
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: AgentName
  - identifier: AppId
    columnName: AgentId
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: ActorName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByEntities:
    - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Copilot
- AI

Explanation

This query is designed to detect when a Microsoft 365 Copilot agent uses an unapproved source to generate its responses. It aims to identify potential security threats like "RAG poisoning" or "context smuggling," where malicious content is inserted into shared resources that the agent accesses.

Here's a simple breakdown of the query:

  1. Purpose: The query checks if the Microsoft 365 Copilot agent is using any retrieval source that is not on a predefined list of trusted sources. This helps in identifying unauthorized or potentially harmful sources being used.

  2. Trusted Sources: The list of approved sources is maintained in a watchlist called "CopilotTrustedRagSources." This list should be populated with the URIs or hostnames of trusted document repositories.

  3. Data Source: The query uses data from the "CopilotActivity" data type, which is part of the MicrosoftCopilot data connector.

  4. Time Frame: It looks at activities that occurred in the last hour.

  5. Detection Logic:

     • It extracts the accessed resources from Copilot interactions.
     • It checks whether each accessed resource is absent from the trusted sources list.
     • If untrusted sources are found, it counts them and collects details such as the actions taken, client IPs, and the time range of these activities.

  6. Alert Generation: If any untrusted sources are detected, an alert is generated. The alert includes details about the agent, the actor, and the tenant involved.

  7. Severity and Tactics: The severity of the alert is set to "Medium," and it is associated with tactics like "Initial Access" and "Defense Evasion," which are part of the MITRE ATT&CK framework.

  8. Incident Management: The query is set to create incidents for detected events, with specific configurations for grouping and managing these incidents.

Overall, this query helps in monitoring and securing the use of Microsoft 365 Copilot by ensuring it only uses trusted sources for its operations.
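To exercise the detection logic offline before enabling the rule, the following Python re-implements the query's steps (the 1h window, the RecordType filter, mv-expand of AccessedResources, tolower() normalisation, the leftanti join against the watchlist, and the summarize with make_set caps) over constructed CopilotActivity-like rows. This is an added example, not code from the rule's author or from Microsoft Sentinel; the watchlist entries, event rows, agent names and IP addresses are all constructed. It also illustrates one property of the visible query that matters when populating the watchlist: `join kind=leftanti trusted on SourceUri` is an exact equality on the lowercased SiteUrl, so a hostname-only watchlist entry (which the description allows) never matches a full site URL and that site is reported as untrusted.

```python
# Added example (not the rule's own code): offline model of the KQL detection
# logic, run against constructed CopilotActivity-like rows.
from datetime import datetime, timedelta

# Constructed stand-in for the CopilotTrustedRagSources watchlist (SourceUri column).
TRUSTED_WATCHLIST = [
    {"SourceUri": "https://contoso.sharepoint.com/sites/Finance"},
    {"SourceUri": "https://contoso.sharepoint.com/sites/HR"},
    {"SourceUri": "contoso.sharepoint.com"},  # hostname-only: never equals a full SiteUrl
    {"SourceUri": ""},                         # dropped by isnotempty()
]

NOW = datetime(2026, 5, 20, 10, 0, 0)  # constructed query time


def _event(minutes_ago, record_type, agent_id, agent_name, actor, ip, resources):
    """Build one constructed CopilotActivity-like row with the fields the query reads."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "RecordType": record_type,
        "AgentId": agent_id, "AgentName": agent_name,
        "ActorName": actor, "TenantId": "tenant-A", "SrcIpAddr": ip,
        "LLMEventData": {"AccessedResources": [
            {"SiteUrl": u, "Action": "Read", "Type": "Site"} for u in resources]},
    }


SAMPLE_EVENTS = [
    # trusted site differing only in case: tolower() makes it match
    _event(50, "CopilotInteraction", "agent-001", "Finance Assistant", "alice@contoso.com",
           "203.0.113.10", ["https://Contoso.SharePoint.com/sites/FINANCE"]),
    # one trusted site plus a personal site that is not on the list
    _event(40, "CopilotInteraction", "agent-001", "Finance Assistant", "alice@contoso.com",
           "203.0.113.11", ["https://contoso.sharepoint.com/sites/Finance",
                            "https://contoso-my.sharepoint.com/personal/bob_contoso_com"]),
    # Legal site: its hostname is listed, but the join compares the full URI, so it is a hit
    _event(30, "CopilotInteraction", "agent-002", "HR Helper", "bob@contoso.com",
           "203.0.113.12", ["https://contoso.sharepoint.com/sites/HR",
                            "https://contoso.sharepoint.com/sites/Legal", ""]),
    # wrong RecordType: filtered out before expansion
    _event(20, "CopilotPrompt", "agent-003", "Other", "carol@contoso.com",
           "203.0.113.13", ["https://partner.example/shared-docs"]),
    # outside the 1h window: filtered out by TimeGenerated > ago(1h)
    _event(90, "CopilotInteraction", "agent-003", "Other", "carol@contoso.com",
           "203.0.113.14", ["https://partner.example/shared-docs"]),
]


def load_trusted(watchlist):
    """The `trusted` let-binding: lowercase SourceUri and drop empty rows."""
    return {str(r.get("SourceUri", "")).lower() for r in watchlist} - {""}


def _add_to_set(values, value, limit):
    """make_set() semantics: distinct values, insertion-ordered, capped at `limit`."""
    if value not in values and len(values) < limit:
        values.append(value)


def detect_untrusted(events, watchlist, now=NOW, window=timedelta(hours=1)):
    """Return the summarize rows keyed by (AgentId, AgentName, ActorName, TenantId)."""
    trusted = load_trusted(watchlist)
    groups = {}
    for ev in events:
        if ev["TimeGenerated"] <= now - window:           # TimeGenerated > ago(1h)
            continue
        if ev.get("RecordType") != "CopilotInteraction":  # RecordType filter
            continue
        for res in ev.get("LLMEventData", {}).get("AccessedResources") or []:  # mv-expand
            uri = str(res.get("SiteUrl", "")).lower()
            if not uri or uri in trusted:                 # isnotempty() + leftanti join
                continue
            key = (ev["AgentId"], ev["AgentName"], ev["ActorName"], ev["TenantId"])
            g = groups.setdefault(key, {
                "UntrustedHits": 0, "UntrustedSources": [], "Actions": [], "ClientIPs": [],
                "FirstSeen": ev["TimeGenerated"], "LastSeen": ev["TimeGenerated"]})
            g["UntrustedHits"] += 1
            _add_to_set(g["UntrustedSources"], uri, 64)
            _add_to_set(g["Actions"], str(res.get("Action", "")), 16)
            _add_to_set(g["ClientIPs"], ev["SrcIpAddr"], 16)
            g["FirstSeen"] = min(g["FirstSeen"], ev["TimeGenerated"])
            g["LastSeen"] = max(g["LastSeen"], ev["TimeGenerated"])
    for g in groups.values():
        g["SrcIpAddr"] = g["ClientIPs"][0]  # extend SrcIpAddr = tostring(ClientIPs[0])
    return groups


if __name__ == "__main__":
    for key, row in detect_untrusted(SAMPLE_EVENTS, TRUSTED_WATCHLIST).items():
        print(key, row["UntrustedHits"], row["UntrustedSources"], row["SrcIpAddr"])
```

Running it yields two rows: the Finance Assistant row for the personal site, and the HR Helper row for the Legal site even though `contoso.sharepoint.com` is on the watchlist. Watchlist entries therefore need to be the full site URLs exactly as they appear in `AccessedResources.SiteUrl` (case does not matter), or the join condition has to be changed to match on hostname.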

Details

David Alonso

Released: May 20, 2026

Tables

CopilotActivity
