Query Details

Microsoft 365 Copilot - Trace-level interaction-path anomalies

Copilot Trace Level Anomalies

Query

// Confirmed schema has no TraceStepId; we use ThreadId + per-interaction
// cardinality (Messages, AISystemPlugin, AccessedResources) as proxies
// for trace shape. Long threads, rapid-fire bursts, and sustained high
// message rates are surfaced.
let window = 1d;
CopilotActivity
| where TimeGenerated > ago(window)
| where RecordType == "CopilotInteraction"
| extend ThreadId = tostring(LLMEventData.ThreadId)
| where isnotempty(ThreadId)
| extend
    InteractionMessages = array_length(LLMEventData.Messages),
    InteractionPlugins = array_length(LLMEventData.AISystemPlugin),
    InteractionResources = array_length(LLMEventData.AccessedResources)
| summarize
    Interactions = count(),
    TotalMessages = sum(InteractionMessages),
    TotalPlugins = sum(InteractionPlugins),
    TotalResources = sum(InteractionResources),
    Plugins = make_set(tostring(LLMEventData.AISystemPlugin), 16),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by ThreadId, AgentId, AgentName, ActorUserId
| extend DurationMin = datetime_diff('minute', LastSeen, FirstSeen)
| extend MsgPerMin = iff(DurationMin > 0, todouble(TotalMessages) / DurationMin, todouble(TotalMessages))
| where (TotalMessages > 100)
    or (Interactions > 50 and DurationMin < 60)
    or (MsgPerMin > 5 and DurationMin >= 5)
| order by TotalMessages desc, MsgPerMin desc

Explanation

This query is designed to identify unusual patterns in Microsoft 365 Copilot conversations that might indicate potential issues or misuse. Here's a simplified breakdown:

  1. Purpose: The query looks for abnormal execution traces in Microsoft 365 Copilot interactions. These anomalies could include:

    • Excessively long traces.
    • Repeated use of the same tool within a short period.
    • Multiple retries on a single tool.
  2. Indicators of Concern: These patterns might suggest problems like runaway agents, loops caused by prompt injections, or attempts to exploit the system.

  3. Data Analysis:

    • The query examines Copilot activity over the past day.
    • It focuses on interactions with a unique identifier (ThreadId) and calculates various metrics such as the number of messages, plugins, and resources accessed.
    • It summarizes this data by counting interactions and calculating totals for messages, plugins, and resources.
    • It also identifies the first and last occurrence of each interaction to determine its duration.
  4. Anomaly Detection:

    • The query flags interactions with more than 100 messages, more than 50 interactions in less than an hour, or a message rate exceeding 5 messages per minute over a duration of at least 5 minutes.
  5. Output: The results are sorted by the total number of messages and message rate, highlighting the most significant anomalies.

  6. Contextual Use: This query is meant to be used alongside another rule that analyzes token spikes to differentiate between legitimate heavy usage and actual misbehavior.

  7. Security Context: The query is associated with tactics like Impact and Execution and techniques such as T1499 (Resource Consumption) and T1059 (Command and Scripting Interpreter), indicating its relevance to security monitoring and threat detection.

Overall, this query helps in identifying and investigating potential security threats or performance issues within Microsoft 365 Copilot by analyzing interaction patterns.

Details

David Alonso profile picture

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

CopilotActivityThreadMessagesPluginsResourcesAgentActorUserTimeDurationMinuteInteractions

Operators

let|whereextendisnotemptyarray_lengthsummarizecountsummake_settostringminmaxbydatetime_diffifftodoubleororder bydesc

Tactics

ImpactExecution

MITRE Techniques

Actions

GitHub