Query Details
Detecting M365 Copilot Shared Agent
Query
// Detecting M365 Copilot Shared Agent
CloudAppEvents
| where Timestamp > ago(1h)
| where Application == @"Microsoft 365"
| where ActionType in ("BotCreate", "BotUpdateOperation-BotPublish")
Explanation
This query is designed to identify specific activities related to Microsoft 365 Copilot within the past hour. It looks at events from cloud applications and filters them to find instances where the application is "Microsoft 365" and the action types are either "BotCreate" or "BotUpdateOperation-BotPublish." Essentially, it's checking for the creation or publishing updates of bots associated with Microsoft 365 Copilot in the last hour.
Details
Steven Lim
Released: May 12, 2025
Tables
CloudAppEvents
Keywords
CloudAppEventsTimestampApplicationActionTypeMicrosoft365BotCreateBotUpdateOperationBotPublish
Operators
agoinwhere