Copilot Studio - New connector first seen (14-day baseline)
Copilot Studio New Connector First Seen
Query
let detectionWindow = 1h;
let conn =
AppDependencies
| where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
| extend ConvId = tostring(Properties["conversationId"]),
ChannelId = tostring(Properties["channelId"]);
let baseline =
conn
| where TimeGenerated < ago(detectionWindow)
| distinct Target;
conn
| where TimeGenerated >= ago(detectionWindow)
| join kind=leftanti baseline on Target
| summarize
Calls = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
Convs = make_set(ConvId, 25),
Channels = make_set(ChannelId, 10)
by Target, Name
| extend AccountName = strcat("connector:", Name)
| project LastSeen, FirstSeen, AccountName, Name, Target, Calls, Convs, Channels
| order by LastSeen descExplanation
This query is designed to monitor and raise an alert when a new connector or action operation is detected in the Copilot Studio environment that hasn't been seen in the past 14 days. Here's a simplified breakdown:
-
Purpose: To detect and alert on new connectors or actions that could indicate a newly published feature, configuration change, or potential security threat.
-
Data Source: It analyzes connector invocations from the
AppDependenciesdata, specifically where theDependencyTypeis "Connector". -
Baseline: It establishes a baseline using data from the past 14 days. Any connector targets that appear exclusively in the current detection window (the last hour) and not in the baseline will trigger an alert.
-
Detection Window: The query runs every hour to check for new connector targets.
-
Alert Details: When a new target is detected, it summarizes the number of calls, the first and last time the target was seen, and associated conversation and channel IDs.
-
Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Execution and Persistence, relevant to techniques T1059 and T1554.
-
Incident Management: If a new connector is detected, an incident is created. Incidents are grouped by account and won't reopen if previously closed.
-
Configuration: The query is scheduled to run automatically and is tagged for easy identification and management.
This setup helps in identifying potentially unauthorized or unexpected changes in the system, allowing for timely investigation and response.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P14D