Microsoft 365 Copilot - Resource diversity burst per user
Copilot Resource Diversity Burst
Query
let lookback = 14d;
let recentWindow = 1h;
let floorSites = 10; // minimum sites/hour to even consider
let spikeMultiplier = 3.0; // hour must exceed P95 by this factor
let perUserHour =
CopilotActivity
| where TimeGenerated > ago(lookback)
| where RecordType == "CopilotInteraction"
| mv-expand r = LLMEventData.AccessedResources
| extend SiteUrl = tostring(r.SiteUrl)
| where isnotempty(SiteUrl)
| summarize
DistinctSites = dcount(SiteUrl),
AnyAgentName = take_any(AgentName),
AnyAgentId = take_any(AgentId),
AnyActor = take_any(ActorName)
by ActorUserId, TenantId, Hour = bin(TimeGenerated, 1h);
let baseline =
perUserHour
| where Hour < bin(now(), 1h) - recentWindow
| summarize
P95Sites = todouble(percentile(DistinctSites, 95)),
MedianSites = todouble(percentile(DistinctSites, 50))
by ActorUserId;
let recent =
perUserHour
| where Hour >= bin(now(), 1h) - recentWindow;
recent
| join kind=leftouter baseline on ActorUserId
| extend
P95Sites = coalesce(P95Sites, 0.0),
MedianSites = coalesce(MedianSites, 0.0)
| extend SpikeRatio = iff(P95Sites > 0, todouble(DistinctSites) / P95Sites, todouble(DistinctSites))
| where DistinctSites >= floorSites and DistinctSites > P95Sites * spikeMultiplier
| project
Hour, ActorUserId, ActorName = AnyActor, AgentId = AnyAgentId,
AgentName = AnyAgentName, DistinctSites, P95Sites, MedianSites,
SpikeRatio, TenantIdExplanation
This query is designed to detect unusual activity by users of Microsoft 365 Copilot. Specifically, it looks for sudden increases in the number of different resources (like SharePoint sites or OneDrive locations) that a user accesses within a one-hour period. This can indicate potential reconnaissance or exploration across different departments, possibly by an unauthorized user or a compromised account.
Here's a simplified breakdown of how it works:
-
Data Collection: It gathers data on user interactions with resources over the past 14 days.
-
Baseline Calculation: It calculates a baseline for each user, determining the 95th percentile (P95) of distinct sites accessed per hour over the past 14 days.
-
Recent Activity Check: It examines the most recent hour of activity to see if the number of distinct sites accessed is significantly higher than the user's baseline (specifically, more than three times the P95 value).
-
Alert Trigger: If a user's activity exceeds this threshold and involves accessing at least 10 different sites in an hour, an alert is triggered.
-
Incident Management: The query is set to create an incident if such an alert is triggered, grouping related alerts by user account.
This helps identify potential security threats by flagging users who suddenly access a wide range of resources, which they don't typically do, indicating possible unauthorized exploration or data collection.
Details

David Alonso
Released: May 20, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P14D