Query Details

Microsoft 365 Copilot - Resource diversity burst per user

Copilot Resource Diversity Burst

Query

let lookback = 14d;
let recentWindow = 1h;
let floorSites = 10;          // minimum sites/hour to even consider
let spikeMultiplier = 3.0;     // hour must exceed P95 by this factor
let perUserHour =
    CopilotActivity
    | where TimeGenerated > ago(lookback)
    | where RecordType == "CopilotInteraction"
    | mv-expand r = LLMEventData.AccessedResources
    | extend SiteUrl = tostring(r.SiteUrl)
    | where isnotempty(SiteUrl)
    | summarize
        DistinctSites = dcount(SiteUrl),
        AnyAgentName = take_any(AgentName),
        AnyAgentId = take_any(AgentId),
        AnyActor = take_any(ActorName)
        by ActorUserId, TenantId, Hour = bin(TimeGenerated, 1h);
let baseline =
    perUserHour
    | where Hour < bin(now(), 1h) - recentWindow
    | summarize
        P95Sites = todouble(percentile(DistinctSites, 95)),
        MedianSites = todouble(percentile(DistinctSites, 50))
        by ActorUserId;
let recent =
    perUserHour
    | where Hour >= bin(now(), 1h) - recentWindow;
recent
| join kind=leftouter baseline on ActorUserId
| extend
    P95Sites = coalesce(P95Sites, 0.0),
    MedianSites = coalesce(MedianSites, 0.0)
| extend SpikeRatio = iff(P95Sites > 0, todouble(DistinctSites) / P95Sites, todouble(DistinctSites))
| where DistinctSites >= floorSites and DistinctSites > P95Sites * spikeMultiplier
| project
    Hour, ActorUserId, ActorName = AnyActor, AgentId = AnyAgentId,
    AgentName = AnyAgentName, DistinctSites, P95Sites, MedianSites,
    SpikeRatio, TenantId

Explanation

This query is designed to detect unusual activity by users of Microsoft 365 Copilot. Specifically, it looks for sudden increases in the number of different resources (like SharePoint sites or OneDrive locations) that a user accesses within a one-hour period. This can indicate potential reconnaissance or exploration across different departments, possibly by an unauthorized user or a compromised account.

Here's a simplified breakdown of how it works:

  1. Data Collection: It gathers data on user interactions with resources over the past 14 days.

  2. Baseline Calculation: It calculates a baseline for each user, determining the 95th percentile (P95) of distinct sites accessed per hour over the past 14 days.

  3. Recent Activity Check: It examines the most recent hour of activity to see if the number of distinct sites accessed is significantly higher than the user's baseline (specifically, more than three times the P95 value).

  4. Alert Trigger: If a user's activity exceeds this threshold and involves accessing at least 10 different sites in an hour, an alert is triggered.

  5. Incident Management: The query is set to create an incident if such an alert is triggered, grouping related alerts by user account.

This helps identify potential security threats by flagging users who suddenly access a wide range of resources, which they don't typically do, indicating possible unauthorized exploration or data collection.

Details

David Alonso profile picture

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

MicrosoftCopilotActivityResourcesSharePointOneDriveUserTenantAccountCloudApplicationAlertIncident

Operators

letmv-expandextendtostringwhereisnotemptysummarizedcounttake_anybyagobinnowjoinkind=leftoutercoalesceifftodoublepercentileproject

Severity

Medium

Tactics

DiscoveryCollection

MITRE Techniques

Frequency: PT1H

Period: P14D

Actions

GitHub