Query Details

Copilot Studio Connector Error Storm

Query

id: a1b2c3d4-1005-4a11-9c01-0123456789a5
name: Copilot Studio - Connector failure storm
description: |
  Raises an incident when a single Copilot Studio conversation drives an
  abnormal burst of failed connector / action calls (>=10 failures in the
  hour). A storm of connector failures can indicate enumeration of a
  backend, credential / permission probing, an action stuck in a loop, or
  an attacker fuzzing a tool the agent exposes.

  Reads connector invocations from the AppDependencies table
  (DependencyType == "Connector", AppRoleName == "Microsoft Copilot
  Studio"), where Success == false marks a failed call and Target is the
  connector operation (e.g. shared_msnweather/TomorrowsForecast).
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Discovery
- Impact
relevantTechniques:
- T1046
- T1499
query: |
  AppDependencies
  | where AppRoleName == "Microsoft Copilot Studio" and DependencyType == "Connector"
  | extend ConvId = tostring(Properties["conversationId"]),
           ChannelId = tostring(Properties["channelId"])
  | where Success == false
  | summarize
        Failures      = count(),
        Connectors    = make_set(Name, 25),
        Targets       = make_set(Target, 25),
        ResultCodes   = make_set(ResultCode, 25),
        FirstFailure  = min(TimeGenerated),
        LastFailure   = max(TimeGenerated)
      by ConvId, ChannelId
  | where Failures >= 10
  | extend AccountName = iff(isempty(ConvId), "unknown-conversation", ConvId)
  | project
      LastFailure, FirstFailure, AccountName, ConvId, ChannelId,
      Failures, Connectors, Targets, ResultCodes
  | order by Failures desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
- Connectors
- Reliability

Explanation

This query is designed to monitor and raise an alert when there is an unusual surge in failed connector or action calls within Microsoft Copilot Studio conversations. Specifically, it triggers an incident if there are 10 or more failures within an hour. This could indicate potential issues such as backend enumeration, credential probing, looping actions, or malicious activity.

Here's a simplified breakdown of the query:

  1. Data Source: It reads from the AppDependencies table, focusing on entries where the DependencyType is "Connector" and the AppRoleName is "Microsoft Copilot Studio". Only failed calls (Success == false) are considered.

  2. Data Processing:
    • Extracts conversation and channel IDs from the properties.
    • Counts the number of failures for each conversation and channel.
    • Collects details about the connectors, targets, and result codes involved in the failures.
    • Determines the time of the first and last failure.

  3. Alert Condition: If a conversation has 10 or more failures, it is flagged.

  4. Output: The results are sorted by the number of failures, and key details are projected for further analysis.

  5. Incident Creation: If the alert condition is met, an incident is created, grouping alerts by account (conversation ID).

  6. Configuration: The alert is set to run every hour and is enabled by default. It is tagged for easy identification and categorized under tactics like Discovery and Impact, with relevant techniques noted.

Overall, this query helps in identifying and responding to potential reliability issues or security threats related to connector failures in Copilot Studio.
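The breakdown above can be checked offline by replaying the rule's logic over a handful of rows. The following is an added example, not part of the original rule or its author's material: a Python rendering of the KQL pipeline (filter, extend, summarize, threshold, project, order by) run over a constructed set of AppDependencies rows. The rows, conversation IDs, connector names and result codes are all invented sample data; the filter keeps only rows where both AppRoleName and DependencyType match, as the rule description states, and rows with an empty conversationId land in the "unknown-conversation" account, as the iff() in the query does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of AppDependencies rows (not real telemetry). Field names
# follow the columns the rule uses; Properties carries conversationId/channelId.
BASE = datetime(2026, 6, 8, 10, 0, 0)


def _row(minute, conv, channel, success, name, target, code,
         role="Microsoft Copilot Studio", dtype="Connector"):
    return {
        "TimeGenerated": BASE + timedelta(minutes=minute),
        "AppRoleName": role,
        "DependencyType": dtype,
        "Success": success,
        "Name": name,
        "Target": target,
        "ResultCode": code,
        "Properties": {"conversationId": conv, "channelId": channel},
    }


SAMPLE_ROWS = (
    # conversation A: 12 failed weather calls within the hour -> should fire
    [_row(i * 4, "conv-A", "msteams", False, "shared_msnweather",
          "shared_msnweather/TomorrowsForecast", "403") for i in range(12)]
    # conversation B: 3 failures -> below the threshold of 10
    + [_row(i * 10, "conv-B", "directline", False, "shared_sharepointonline",
            "shared_sharepointonline/GetItems", "500") for i in range(3)]
    # conversation B: a successful call, which the Success == false filter drops
    + [_row(5, "conv-B", "directline", True, "shared_sharepointonline",
            "shared_sharepointonline/GetItems", "200")]
    # rows with no conversationId -> grouped under "unknown-conversation"
    + [_row(i * 3, "", "", False, "shared_office365",
            "shared_office365/SendEmail", "401") for i in range(10)]
    # connector failures from another app role -> excluded by the AppRoleName filter
    + [_row(i, "conv-C", "web", False, "shared_sql",
            "shared_sql/ExecuteQuery", "500", role="Other Web App") for i in range(15)]
)


def connector_failure_storm(rows, threshold=10, set_limit=25):
    """Python rendering of the rule's KQL over in-memory rows.

    Returns the projected result rows, ordered by Failures descending.
    """
    groups = defaultdict(list)
    for r in rows:
        # where AppRoleName == "Microsoft Copilot Studio" and DependencyType == "Connector"
        if r["AppRoleName"] != "Microsoft Copilot Studio" or r["DependencyType"] != "Connector":
            continue
        # where Success == false
        if r["Success"]:
            continue
        # extend ConvId = tostring(Properties["conversationId"]), ChannelId = ...
        conv = str(r["Properties"].get("conversationId") or "")
        chan = str(r["Properties"].get("channelId") or "")
        groups[(conv, chan)].append(r)

    def make_set(rs, field):
        # make_set(col, 25): distinct values in first-seen order, capped at set_limit
        seen = []
        for r in rs:
            if r[field] not in seen:
                seen.append(r[field])
            if len(seen) >= set_limit:
                break
        return seen

    results = []
    for (conv, chan), rs in groups.items():
        failures = len(rs)           # summarize Failures = count() by ConvId, ChannelId
        if failures < threshold:     # where Failures >= 10
            continue
        results.append({             # project ...
            "LastFailure": max(r["TimeGenerated"] for r in rs),
            "FirstFailure": min(r["TimeGenerated"] for r in rs),
            # iff(isempty(ConvId), "unknown-conversation", ConvId)
            "AccountName": conv if conv else "unknown-conversation",
            "ConvId": conv,
            "ChannelId": chan,
            "Failures": failures,
            "Connectors": make_set(rs, "Name"),
            "Targets": make_set(rs, "Target"),
            "ResultCodes": make_set(rs, "ResultCode"),
        })
    results.sort(key=lambda x: x["Failures"], reverse=True)   # order by Failures desc
    return results


if __name__ == "__main__":
    for hit in connector_failure_storm(SAMPLE_ROWS):
        print(hit["AccountName"], hit["Failures"], hit["Targets"], hit["ResultCodes"])
```

Running it on the sample yields two hits, conv-A (12 failures) and unknown-conversation (10 failures); conv-B stays under the threshold and conv-C is dropped by the AppRoleName filter. Lowering `threshold` is the quick way to see how much noise the rule would surface in a tenant before tuning the real query.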

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies, Microsoft Copilot Studio, Connector, Properties, ConversationId, ChannelId, Success, Failures, Connectors, Targets, ResultCodes, TimeGenerated, AccountName, ConvId

Operators

where, extend, summarize, make_set, min, max, by, iff, isempty, project, order by