Query Details

Copilot Studio New Connector First Seen

Query

id: a1b2c3d4-1006-4a11-9c01-0123456789a6
name: Copilot Studio - New connector first seen (14-day baseline)
description: |
  Raises an incident when a Copilot Studio agent invokes a connector /
  action operation (Target) that has never appeared in the preceding
  14-day baseline. A brand-new connector target can indicate a newly
  published (and possibly malicious) action, configuration drift, or an
  attacker who has added a tool to the agent to reach a new backend.

  Reads connector invocations from AppDependencies (DependencyType ==
  "Connector"). The baseline is the part of the 14-day lookback (queryPeriod)
  that precedes the 1-hour detection window; only Targets seen exclusively in
  the recent window fire.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: P14D
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Execution
- Persistence
relevantTechniques:
- T1059
- T1554
query: |
  let detectionWindow = 1h;
  // Connector/action invocations made by the Copilot Studio agent only:
  // both conditions must hold, otherwise non-connector Copilot Studio calls
  // and connector calls from every other app role would enter the baseline
  // and the detection window.
  let conn =
      AppDependencies
      | where AppRoleName == "Microsoft Copilot Studio" and DependencyType == "Connector"
      | extend ConvId = tostring(Properties["conversationId"]),
               ChannelId = tostring(Properties["channelId"]);
  // Baseline: every Target seen earlier in the lookback than the detection window.
  let baseline =
      conn
      | where TimeGenerated < ago(detectionWindow)
      | distinct Target;
  // Recent rows whose Target has no match in the baseline (leftanti keeps only those).
  conn
  | where TimeGenerated >= ago(detectionWindow)
  | join kind=leftanti baseline on Target
  | summarize
        Calls      = count(),
        FirstSeen  = min(TimeGenerated),
        LastSeen   = max(TimeGenerated),
        Convs      = make_set(ConvId, 25),
        Channels   = make_set(ChannelId, 10)
      by Target, Name
  | extend AccountName = strcat("connector:", Name)
  | project LastSeen, FirstSeen, AccountName, Name, Target, Calls, Convs, Channels
  | order by LastSeen desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
- Connectors
- Baseline

Explanation

This query is designed to monitor and raise an alert when a new connector or action operation is detected in the Copilot Studio environment that hasn't been seen in the past 14 days. Here's a simplified breakdown:

  • Purpose: To detect and alert on new connectors or actions that could indicate a newly published feature, configuration change, or potential security threat.

  • Data Source: It analyzes connector invocations from the AppDependencies data, specifically where the DependencyType is "Connector".

  • Baseline: It establishes a baseline from the 14-day lookback. Any connector target that appears in the current detection window (the last hour) but not in the baseline triggers an alert.

  • Detection Window: The query runs every hour to check for new connector targets.

  • Alert Details: When a new target is detected, it summarizes the number of calls, the first and last time the target was seen, and associated conversation and channel IDs.

  • Severity and Tactics: The alert is marked with medium severity and is mapped to the Execution and Persistence tactics, with techniques T1059 and T1554 listed as relevant.

  • Incident Management: If a new connector is detected, an incident is created. Incidents are grouped by account and won't reopen if previously closed.

  • Configuration: The query is scheduled to run automatically and is tagged for easy identification and management.

This setup helps in identifying potentially unauthorized or unexpected changes in the system, allowing for timely investigation and response.
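To make the baseline logic concrete, here is an added Python model of the rule (not code from the page or from Microsoft Sentinel) run over constructed AppDependencies-style records. It applies the same AppRoleName/DependencyType filter, the 14-day queryPeriod and 1-hour detection window, and the leftanti join on Target, and it also shows the edge case the query inherits from its lookback: a connector last used more than 14 days ago looks "new" again. Field names follow the query; the sample values are invented.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)


def row(minutes_ago, name, target, conv, channel,
        role="Microsoft Copilot Studio", dtype="Connector"):
    """Build one constructed AppDependencies-style record (not real telemetry)."""
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "AppRoleName": role,
            "DependencyType": dtype, "Name": name, "Target": target,
            "Properties": {"conversationId": conv, "channelId": channel}}


SAMPLE_ROWS = [
    row(3 * 24 * 60, "shared_office365", "office365.api", "c1", "msteams"),     # in baseline
    row(20, "shared_office365", "office365.api", "c7", "msteams"),             # seen again: no alert
    row(30, "shared_http", "webhook.invalid", "c8", "webchat"),                # first seen: alert
    row(5, "shared_http", "webhook.invalid", "c9", "msteams"),
    row(20 * 24 * 60, "shared_sharepoint", "sharepoint.api", "c2", "msteams"),  # older than queryPeriod
    row(40, "shared_sharepoint", "sharepoint.api", "c6", "msteams"),           # looks new again: alert
    row(10, "shared_sql", "sql.invalid", "c3", "msteams", role="OtherApp"),    # wrong app role: filtered
    row(15, "GET /x", "api.invalid", "c4", "msteams", dtype="HTTP"),           # not a connector: filtered
]


def new_connector_targets(rows, now, detection_window=timedelta(hours=1),
                          query_period=timedelta(days=14)):
    """Mirror the rule: keep Copilot Studio connector rows inside queryPeriod, split them
    into baseline (older than detectionWindow) and recent, then drop every recent row
    whose Target exists in the baseline (the leftanti join) and summarize the rest."""
    conn = [r for r in rows
            if r["AppRoleName"] == "Microsoft Copilot Studio"
            and r["DependencyType"] == "Connector"
            and r["TimeGenerated"] >= now - query_period]
    cutoff = now - detection_window
    baseline = {r["Target"] for r in conn if r["TimeGenerated"] < cutoff}
    agg = {}
    for r in conn:
        if r["TimeGenerated"] < cutoff or r["Target"] in baseline:
            continue
        a = agg.setdefault((r["Target"], r["Name"]), {
            "Calls": 0, "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"],
            "Convs": set(), "Channels": set()})
        a["Calls"] += 1
        a["FirstSeen"] = min(a["FirstSeen"], r["TimeGenerated"])
        a["LastSeen"] = max(a["LastSeen"], r["TimeGenerated"])
        a["Convs"].add(r["Properties"]["conversationId"])
        a["Channels"].add(r["Properties"]["channelId"])
    results = [{"AccountName": f"connector:{name}", "Name": name, "Target": target, **a}
               for (target, name), a in agg.items()]
    return sorted(results, key=lambda x: x["LastSeen"], reverse=True)   # order by LastSeen desc
```

Running `new_connector_targets(SAMPLE_ROWS, NOW)` yields two hits, webhook.invalid and sharepoint.api; the second one is the re-activated connector that the 14-day lookback cannot distinguish from a brand-new one, which is worth remembering when triaging.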

Details


David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

Copilot Studio, Connectors, Application Insights, AppDependencies, Execution, Persistence, Account, Alert, Incident

Operators

let, where, extend, tostring, ago, distinct, join, kind=leftanti, summarize, count, min, max, make_set, by, strcat, project, order by, desc