Query Details

Copilot Trace Level Anomalies

Query

id: 4d35c65d-c306-d417-2608-95b5c6d5e5fa
name: Microsoft 365 Copilot - Trace-level interaction-path anomalies
description: |
  Hunts for Microsoft 365 Copilot conversations whose execution trace is
  abnormal: excessive trace length, tight tool-call loops (the
  same tool fired more than ten times in five minutes), or
  retry storms on a single tool. These are the trace-level
  signatures of runaway agents, prompt-injected loops, and
  agent-exploitation campaigns that try to wedge the model into
  a stuck state.

  Pair this query with the token-spike analytical rule to
  separate legitimate heavy workloads from genuine misbehaviour.
query: |
  // Confirmed schema has no TraceStepId; we use ThreadId + per-interaction
  // cardinality (Messages, AISystemPlugin, AccessedResources) as proxies
  // for trace shape. Long threads, rapid-fire bursts, and sustained high
  // message rates are surfaced.
  let window = 1d;
  CopilotActivity
  | where TimeGenerated > ago(window)
  | where RecordType == "CopilotInteraction"
  | extend ThreadId = tostring(LLMEventData.ThreadId)
  | where isnotempty(ThreadId)
  | extend
      InteractionMessages = array_length(LLMEventData.Messages),
      InteractionPlugins = array_length(LLMEventData.AISystemPlugin),
      InteractionResources = array_length(LLMEventData.AccessedResources)
  | summarize
      Interactions = count(),
      TotalMessages = sum(InteractionMessages),
      TotalPlugins = sum(InteractionPlugins),
      TotalResources = sum(InteractionResources),
      Plugins = make_set(tostring(LLMEventData.AISystemPlugin), 16),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by ThreadId, AgentId, AgentName, ActorUserId
  | extend DurationMin = datetime_diff('minute', LastSeen, FirstSeen)
  | extend MsgPerMin = iff(DurationMin > 0, todouble(TotalMessages) / DurationMin, todouble(TotalMessages))
  | where (TotalMessages > 100)
      or (Interactions > 50 and DurationMin < 60)
      or (MsgPerMin > 5 and DurationMin >= 5)
  | order by TotalMessages desc, MsgPerMin desc
tactics:
  - Impact
  - Execution
techniques:
  - T1499
  - T1059
tags:
  - Sentinel-As-Code
  - Custom
  - Copilot
  - AI

Explanation

This query is designed to identify unusual patterns in Microsoft 365 Copilot conversations that might indicate potential issues or misuse. Here's a simplified breakdown:

  1. Purpose: The query looks for abnormal execution traces in Microsoft 365 Copilot interactions. These anomalies could include:
    • Excessively long traces.
    • Repeated use of the same tool within a short period.
    • Multiple retries on a single tool.
  2. Indicators of Concern: These patterns might suggest problems like runaway agents, loops caused by prompt injections, or attempts to exploit the system.
  3. Data Analysis:
    • The query examines Copilot activity over the past day.
    • Because the CopilotActivity schema has no per-step trace identifier, it groups interactions by conversation (ThreadId), agent and user, and uses per-interaction counts of messages, plugins and accessed resources as proxies for trace shape.
    • It summarizes this data by counting interactions per thread and totalling messages, plugins and resources.
    • It also records the first and last interaction in each thread to derive its duration and a messages-per-minute rate; a thread whose interactions all fall within a single minute uses its raw message count in place of the rate.
  4. Anomaly Detection:
    • The query flags threads with more than 100 messages, more than 50 interactions in less than an hour, or a message rate exceeding 5 messages per minute sustained over at least 5 minutes.
  5. Output: The results are sorted by the total number of messages and then by message rate, so the most significant anomalies appear first.
  6. Contextual Use: This query is meant to be used alongside another rule that analyzes token spikes to differentiate between legitimate heavy usage and actual misbehavior.
  7. Security Context: The query is associated with the tactics Impact and Execution and the techniques T1499 (Resource Consumption) and T1059 (Command and Scripting Interpreter), indicating its relevance to security monitoring and threat detection.

Overall, this query helps in identifying and investigating potential security threats or performance issues within Microsoft 365 Copilot by analyzing interaction patterns.
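The following is an added example, not part of the original query page: a Python model of the aggregation and threshold logic in the KQL hunt above, run over constructed CopilotActivity-style records. It reproduces the per-thread summarize step (Interactions, TotalMessages, TotalPlugins, TotalResources, DurationMin, MsgPerMin), the KQL minute-boundary semantics of datetime_diff, the iff() guard for zero-duration threads, and the three alert conditions, so the thresholds can be exercised offline before the rule is tuned. The record shape, thread names, agent and user ids, and the "now" timestamp are all constructed for the example.

```python
"""Offline model of the Copilot trace-anomaly hunt (added example).

The KQL on the page groups CopilotInteraction records by ThreadId, AgentId,
AgentName and ActorUserId and flags threads by message count, interaction
burst, or sustained message rate. This script mirrors that logic in Python
over constructed sample records so the thresholds can be tested locally.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "now" for the example; the real query uses ago(window).
NOW = datetime(2026, 5, 20, 12, 0, 0)


def minutes_crossed(later, earlier):
    """Mirror KQL datetime_diff('minute', later, earlier): count minute
    boundaries crossed, not elapsed seconds truncated to minutes."""
    floor = lambda t: t.replace(second=0, microsecond=0)
    return (floor(later) - floor(earlier)) // timedelta(minutes=1)


def summarize_threads(records, now=NOW, window=timedelta(days=1)):
    """Equivalent of the query's where/extend/summarize pipeline."""
    groups = defaultdict(list)
    for r in records:
        if r["TimeGenerated"] <= now - window:          # TimeGenerated > ago(window)
            continue
        if r["RecordType"] != "CopilotInteraction":
            continue
        thread = str(r["LLMEventData"].get("ThreadId") or "")
        if not thread:                                  # isnotempty(ThreadId)
            continue
        groups[(thread, r["AgentId"], r["AgentName"], r["ActorUserId"])].append(r)

    summaries = []
    for (thread, agent_id, agent_name, user), rows in groups.items():
        ev = [r["LLMEventData"] for r in rows]
        first = min(r["TimeGenerated"] for r in rows)
        last = max(r["TimeGenerated"] for r in rows)
        total_messages = sum(len(e.get("Messages", [])) for e in ev)
        duration_min = minutes_crossed(last, first)
        # iff(DurationMin > 0, TotalMessages / DurationMin, TotalMessages)
        msg_per_min = total_messages / duration_min if duration_min > 0 else float(total_messages)
        # make_set(tostring(AISystemPlugin), 16): one string per distinct array value
        plugins = sorted({json.dumps(e.get("AISystemPlugin", []), sort_keys=True) for e in ev})[:16]
        summaries.append({
            "ThreadId": thread, "AgentId": agent_id, "AgentName": agent_name, "ActorUserId": user,
            "Interactions": len(rows),
            "TotalMessages": total_messages,
            "TotalPlugins": sum(len(e.get("AISystemPlugin", [])) for e in ev),
            "TotalResources": sum(len(e.get("AccessedResources", [])) for e in ev),
            "Plugins": plugins, "FirstSeen": first, "LastSeen": last,
            "DurationMin": duration_min, "MsgPerMin": msg_per_min,
        })
    return summaries


def flag_anomalies(summaries):
    """Apply the three alert conditions and the query's ordering."""
    flagged = []
    for s in summaries:
        reasons = []
        if s["TotalMessages"] > 100:
            reasons.append("TotalMessages>100")
        if s["Interactions"] > 50 and s["DurationMin"] < 60:
            reasons.append("Interactions>50 within 60 min")
        if s["MsgPerMin"] > 5 and s["DurationMin"] >= 5:
            reasons.append("MsgPerMin>5 sustained >=5 min")
        if reasons:
            flagged.append({**s, "Reasons": reasons})
    # order by TotalMessages desc, MsgPerMin desc
    flagged.sort(key=lambda s: (-s["TotalMessages"], -s["MsgPerMin"]))
    return flagged


def interaction(thread, minute, messages, plugins=("WebSearch",), resources=()):
    """Build one constructed CopilotInteraction record `minute` minutes after 09:00."""
    return {
        "TimeGenerated": NOW - timedelta(hours=3) + timedelta(minutes=minute),
        "RecordType": "CopilotInteraction",
        "AgentId": "agent-1", "AgentName": "Copilot", "ActorUserId": "user-a",
        "LLMEventData": {
            "ThreadId": thread,
            "Messages": [{"Id": f"m{i}"} for i in range(messages)],
            "AISystemPlugin": list(plugins),
            "AccessedResources": list(resources),
        },
    }


# Constructed sample data covering each branch of the rule.
SAMPLE_RECORDS = (
    [interaction("thread-normal", m, 2, resources=("doc-1",)) for m in (0, 5, 12)]  # benign
    + [interaction("thread-burst", m, 2) for m in range(55)]    # 55 calls / 110 msgs in 54 min
    + [interaction("thread-rate", m, 6) for m in range(12)]     # 72 msgs in 11 min (>5/min)
    + [interaction("thread-single", 0, 40)]                     # one big call: DurationMin == 0
    + [interaction("", 0, 3)]                                   # empty ThreadId: dropped
    + [dict(interaction("thread-old", 0, 500), TimeGenerated=NOW - timedelta(days=2))]  # outside 1d
)


def run_example():
    return flag_anomalies(summarize_threads(SAMPLE_RECORDS, NOW))


if __name__ == "__main__":
    for hit in run_example():
        print(hit["ThreadId"], hit["Interactions"], hit["TotalMessages"],
              round(hit["MsgPerMin"], 2), hit["Reasons"])
```

Two behaviours worth checking when tuning: thread-single (one interaction with 40 messages) is not flagged, because the iff() fallback gives it MsgPerMin = 40 but the rate condition also requires DurationMin >= 5; and thread-burst trips both the message-count and burst conditions, so a single thread can surface for more than one reason, which is useful context when triaging against the token-spike rule.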

Details


David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

CopilotActivity, Thread, Messages, Plugins, Resources, Agent, ActorUser, Time, Duration, Minute, Messages, Interactions

Operators

let, |, where, extend, isnotempty, array_length, summarize, count, sum, make_set, tostring, min, max, by, datetime_diff, iff, todouble, or, order by, desc
