Query Details

Copilot Studio - New connector first seen (14-day baseline)

Copilot Studio New Connector First Seen

Query

let detectionWindow = 1h;
let conn =
    AppDependencies
    | where AppRoleName == "Microsoft Copilot Studio" or DependencyType == "Connector"
    | extend ConvId = tostring(Properties["conversationId"]),
             ChannelId = tostring(Properties["channelId"]);
let baseline =
    conn
    | where TimeGenerated < ago(detectionWindow)
    | distinct Target;
conn
| where TimeGenerated >= ago(detectionWindow)
| join kind=leftanti baseline on Target
| summarize
      Calls      = count(),
      FirstSeen  = min(TimeGenerated),
      LastSeen   = max(TimeGenerated),
      Convs      = make_set(ConvId, 25),
      Channels   = make_set(ChannelId, 10)
    by Target, Name
| extend AccountName = strcat("connector:", Name)
| project LastSeen, FirstSeen, AccountName, Name, Target, Calls, Convs, Channels
| order by LastSeen desc

Explanation

This query is designed to monitor and raise an alert when a new connector or action operation is detected in the Copilot Studio environment that hasn't been seen in the past 14 days. Here's a simplified breakdown:

  • Purpose: To detect and alert on new connectors or actions that could indicate a newly published feature, configuration change, or potential security threat.

  • Data Source: It analyzes connector invocations from the AppDependencies data, specifically where the DependencyType is "Connector".

  • Baseline: It establishes a baseline using data from the past 14 days. Any connector targets that appear exclusively in the current detection window (the last hour) and not in the baseline will trigger an alert.

  • Detection Window: The query runs every hour to check for new connector targets.

  • Alert Details: When a new target is detected, it summarizes the number of calls, the first and last time the target was seen, and associated conversation and channel IDs.

  • Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Execution and Persistence, relevant to techniques T1059 and T1554.

  • Incident Management: If a new connector is detected, an incident is created. Incidents are grouped by account and won't reopen if previously closed.

  • Configuration: The query is scheduled to run automatically and is tagged for easy identification and management.

This setup helps in identifying potentially unauthorized or unexpected changes in the system, allowing for timely investigation and response.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

CopilotStudioConnectorsApplicationInsightsAppDependenciesExecutionPersistenceAccountAlertIncident

Operators

letwhereextendtostringagodistinctjoinkind=leftantisummarizecountminmaxmake_setbystrcatprojectorder bydesc

Severity

Medium

Tactics

ExecutionPersistence

MITRE Techniques

Frequency: PT1H

Period: P14D

Actions

GitHub