Query Details

Copilot Studio - Extended capability / architecture disclosure

Copilot Studio Capability Disclosure Extended

Query

let probes = dynamic([
    "what connectors","list your connectors","what actions","what can you do",
    "what topics","list your topics","what skills","what plugins",
    "what flows","list your flows","what tools","describe your actions",
    "what apis","what systems can you access","what can you connect to",
    "what data sources","reveal your connectors","what is your configuration",
    "what are your capabilities","what triggers do you have"
]);
let leakMarkers = dynamic([
    "connector","action","topic","flow","i have access to","i can use",
    "i can connect to","available actions","my connectors","my topics",
    "the following connectors","i can access","data source","i am able to call"
]);
let known =
    toscalar(
        AppDependencies
        | where TimeGenerated between (ago(7d) .. ago(1h))
        | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
        | extend TargetPrefix = tolower(tostring(split(Target, "/")[0]))
        | where isnotempty(TargetPrefix) and strlen(TargetPrefix) >= 4
        | summarize Calls = count() by TargetPrefix
        | where Calls >= 5
        | summarize KnownConnectors = make_set(TargetPrefix, 200)
    );
let asks =
    AppEvents
    | where TimeGenerated > ago(1h)
    | where Name == "BotMessageReceived"
    | extend ConvId = tostring(Properties["conversationId"]),
             Prompt = tolower(tostring(Properties["text"]))
    | where isnotempty(Prompt) and Prompt has_any (probes)
    | project AskTime = TimeGenerated, ConvId, Prompt = substring(tostring(Properties["text"]), 0, 512),
              UserId, ClientIP, ChannelId = tostring(Properties["channelId"]);
let leaks =
    AppEvents
    | where TimeGenerated > ago(1h)
    | where Name == "BotMessageSend"
    | extend ConvId = tostring(Properties["conversationId"]),
             Output = tolower(tostring(Properties["text"]))
    | where isnotempty(Output) and Output has_any (leakMarkers)
    | extend OutputTokens = extract_all(@"([a-z][a-z0-9_\-]{3,})", Output)
    | extend LeakedConnectors = set_intersect(OutputTokens, known)
    | extend LeakedCount = array_length(LeakedConnectors)
    | where LeakedCount >= 2
    | project LeakTime = TimeGenerated, ConvId, LeakedCount, LeakedConnectors,
              OutputSample = substring(tostring(Properties["text"]), 0, 1024);
asks
| join kind=inner leaks on ConvId
| where LeakTime between (AskTime .. (AskTime + 10m))
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project AskTime, LeakTime, AccountName, UserId, ConvId, ChannelId, ClientIP,
          LeakedCount, LeakedConnectors, Prompt, OutputSample,
          LagSeconds = datetime_diff('second', LeakTime, AskTime)
| order by LeakedCount desc, AskTime desc

Explanation

This query is designed to monitor and detect potential information leaks in a system called "Copilot Studio." It specifically looks for instances where the system might inadvertently disclose its capabilities or architecture details in response to user queries. Here's a simplified breakdown:

  1. Purpose: The query aims to identify when the Copilot Studio system reveals more information than intended about its connectors, actions, topics, or skills in response to user prompts.

  2. How it Works:

    • Probes: It checks for specific user queries (probes) that ask about the system's capabilities, such as "what connectors" or "what actions."
    • Leak Markers: It looks for responses from the system that contain certain keywords (leak markers) indicating a potential disclosure, like "connector" or "action."
    • Known Connectors: It maintains a list of connectors that the system has genuinely used in the past week, ensuring that only relevant disclosures are flagged.
    • Detection: The rule triggers if the system's response includes at least two known connectors that have been actively used recently.
  3. Data Sources: It uses data from Application Insights, specifically application events and dependencies, to track user queries and system responses.

  4. Frequency and Scope: The query runs every hour and looks back over the past seven days to identify any incidents.

  5. Severity and Actions: The severity of such incidents is marked as medium, and if detected, an alert is generated, potentially creating an incident for further investigation.

  6. Additional Settings:

    • Entity Mappings: It maps detected incidents to user accounts and IP addresses for better tracking.
    • Incident Configuration: It groups related alerts into a single incident to avoid duplication and streamline response efforts.

Overall, this query helps ensure that the Copilot Studio system does not unintentionally disclose sensitive information about its internal workings in response to user interactions.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependenciesAppEvents

Keywords

CopilotStudioApplicationInsightsAppEventsDependenciesMicrosoftBotMessageReceivedSendAccountIP

Operators

letdynamictoscalarwherebetweenagoorextendtolowertostringsplitisnotemptystrlensummarizecountmake_setprojectsubstringhas_anyjoinkindoniffisemptydatetime_difforder bydescextract_allset_intersectarray_length

Severity

Medium

Tactics

DiscoveryCollection

MITRE Techniques

Frequency: PT1H

Period: P7D

Actions

GitHub