Query Details

Copilot Studio - Connector failure storm

Copilot Studio Connector Error Storm

Query

AppDependencies
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend ConvId = tostring(Properties["conversationId"]),
         ChannelId = tostring(Properties["channelId"])
| where Success == false
| summarize
      Failures      = count(),
      Connectors    = make_set(Name, 25),
      Targets       = make_set(Target, 25),
      ResultCodes   = make_set(ResultCode, 25),
      FirstFailure  = min(TimeGenerated),
      LastFailure   = max(TimeGenerated)
    by ConvId, ChannelId
| where Failures >= 10
| extend AccountName = iff(isempty(ConvId), "unknown-conversation", ConvId)
| project
    LastFailure, FirstFailure, AccountName, ConvId, ChannelId,
    Failures, Connectors, Targets, ResultCodes
| order by Failures desc

Explanation

This query is designed to monitor and raise an alert when there is an unusual surge in failed connector or action calls within Microsoft Copilot Studio conversations. Specifically, it triggers an incident if there are 10 or more failures within an hour. This could indicate potential issues such as backend enumeration, credential probing, looping actions, or malicious activity.

Here's a simplified breakdown of the query:

  1. Data Source: It reads from the AppDependencies table, focusing on entries where the DependencyType is "Connector" and the AppRoleName is "Microsoft Copilot Studio". Only failed calls (Success == false) are considered.

  2. Data Processing:

    • Extracts conversation and channel IDs from the properties.
    • Counts the number of failures for each conversation and channel.
    • Collects details about the connectors, targets, and result codes involved in the failures.
    • Determines the time of the first and last failure.
  3. Alert Condition: If a conversation has 10 or more failures, it is flagged.

  4. Output: The results are sorted by the number of failures, and key details are projected for further analysis.

  5. Incident Creation: If the alert condition is met, an incident is created, grouping alerts by account (conversation ID).

  6. Configuration: The alert is set to run every hour and is enabled by default. It is tagged for easy identification and categorized under tactics like Discovery and Impact, with relevant techniques noted.

Overall, this query helps in identifying and responding to potential reliability issues or security threats related to connector failures in Copilot Studio.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesMicrosoftCopilotStudioConnectorPropertiesConversationIdChannelIdSuccessFailuresConnectorsTargetsResultCodesTimeGeneratedAccountNameConvId

Operators

whereextendsummarizemake_setminmaxbyiffisemptyprojectorder by

Severity

Medium

Tactics

DiscoveryImpact

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub