Adversaries may leverage Copilot Studio AI agents to make HTTP requests to connector endpoints as part of command and control or data exfiltration activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential misuse of AI agents by threat actors exploiting Power Platform connectors.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Topic = AgentTopicsDetails
| where Topic has "HttpRequestAction"
| extend TopicActions = Topic.beginDialog.actions
| mvexpand action = TopicActions
| where action['$kind'] == "HttpRequestAction"
| extend Url = tostring(action.url.literalValue)
| extend ParsedUrl = parse_url(Url)
| extend Host = tostring(ParsedUrl["Host"])
| where Host has_any("graph.microsoft.com", "management.azure.com")
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, ParsedUrl, Url, Host, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Topic
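As an added offline re-implementation of the query's filtering logic (not the page's own query or any Microsoft code), the Python below applies the same steps to constructed AIAgentsInfo-style records: the nesting AgentTopicsDetails -> beginDialog.actions -> $kind / url.literalValue is taken from the query above, while the row values are invented sample data. Substring matching on the parsed host approximates KQL has_any.

```python
from urllib.parse import urlparse

# Hosts where a governed Power Platform connector exists (the page's has_any list).
CONNECTOR_HOSTS = ("graph.microsoft.com", "management.azure.com")

def latest_per_agent(rows):
    """Mimic `summarize arg_max(Timestamp, *) by AIAgentId`: keep each agent's newest snapshot."""
    latest = {}
    for r in rows:
        cur = latest.get(r["AIAgentId"])
        if cur is None or r["Timestamp"] > cur["Timestamp"]:  # ISO-8601 strings sort lexically
            latest[r["AIAgentId"]] = r
    return list(latest.values())

def http_actions(topic):
    """Yield every HttpRequestAction under a topic's beginDialog.actions."""
    for action in topic.get("beginDialog", {}).get("actions", []):
        if action.get("$kind") == "HttpRequestAction":
            yield action

def find_direct_connector_calls(rows, hosts=CONNECTOR_HOSTS):
    """Apply the hunting query's filters to AIAgentsInfo-like dicts.
    Returns (AIAgentId, AIAgentName, Host, Url) per matching action."""
    hits = []
    for r in latest_per_agent(rows):
        if r.get("RegistrySource") == "A365" or r.get("AgentStatus") == "Deleted":
            continue
        for topic in r.get("AgentTopicsDetails", []):
            for action in http_actions(topic):
                url = action.get("url", {}).get("literalValue")
                if not url:  # a URL built from an expression has no literalValue; nothing to match
                    continue
                host = urlparse(url).hostname or ""
                if any(h in host for h in hosts):  # substring match approximates KQL has_any
                    hits.append((r["AIAgentId"], r["AIAgentName"], host, url))
    return hits

def row(agent_id, name, ts, status, *urls, source="CopilotStudio"):
    """Build a constructed AIAgentsInfo-like snapshot with one HttpRequestAction per URL."""
    actions = [{"$kind": "HttpRequestAction", "url": {"literalValue": u}} for u in urls]
    return {"Timestamp": ts, "AIAgentId": agent_id, "AIAgentName": name, "RegistrySource": source,
            "AgentStatus": status, "AgentTopicsDetails": [{"beginDialog": {"actions": actions}}]}

SAMPLE_ROWS = [  # constructed sample snapshots, not real telemetry
    row("agent-1", "HR Helper", "2024-05-01T10:00Z", "Published", "https://graph.microsoft.com/v1.0/users"),
    row("agent-1", "HR Helper", "2024-04-01T10:00Z", "Published", "https://management.azure.com/subscriptions"),  # stale, dropped by arg_max
    row("agent-2", "Old Bot", "2024-05-01T10:00Z", "Deleted", "https://management.azure.com/subscriptions"),
    row("agent-3", "Weather", "2024-05-01T10:00Z", "Published", "https://api.example.com/forecast"),
    row("agent-4", "M365 Bot", "2024-05-01T10:00Z", "Published", "https://graph.microsoft.com/beta/me", source="A365"),
]
```

Running `find_direct_connector_calls(SAMPLE_ROWS)` yields only the current snapshot of agent-1, which is the one row the hunting query would surface from this sample.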
id: 8b3c7d9e-0f1a-2b3c-4d5e-6f7a8b9c0d1e
name: Copilot Studio AI Agents - HTTP Requests to Connector Endpoints
description: |
  This query identifies Copilot Studio AI agents that use HTTP actions to endpoints where Power Platform connectors are available (e.g., graph.microsoft.com, management.azure.com).
  Using direct HTTP calls instead of built-in connectors can indicate inefficient implementation and may introduce security risks, such as bypassing connector-level authentication and governance controls.
  Recommended Action: Verify with the agent owner whether direct HTTP calls are necessary.
  If not, replace them with the appropriate Power Platform connector to ensure secure, managed integration and reduce complexity.
requiredDataConnectors: []
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1562
query: |
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mvexpand Topic = AgentTopicsDetails
  | where Topic has "HttpRequestAction"
  | extend TopicActions = Topic.beginDialog.actions
  | mvexpand action = TopicActions
  | where action['$kind'] == "HttpRequestAction"
  | extend Url = tostring(action.url.literalValue)
  | extend ParsedUrl = parse_url(Url)
  | extend Host = tostring(ParsedUrl["Host"])
  | where Host has_any("graph.microsoft.com", "management.azure.com")
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, ParsedUrl, Url, Host, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, Topic
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
version: 1.0.0
Scenario: Scheduled Data Sync Job Using Power BI Connector
Description: A scheduled job runs to sync data from Power BI to a local database using the Power BI connector, which makes HTTP requests to graph.microsoft.com.
Filter/Exclusion: destination_host != "graph.microsoft.com" or request_url NOT LIKE '%/v1.0/%'

Scenario: Admin Task to Update Power Automate Flows via API
Description: An administrator updates Power Automate flows using the Microsoft Graph API, which involves HTTP requests to graph.microsoft.com.
Filter/Exclusion: user_principal_name LIKE '%[email protected]%' or request_url NOT LIKE '%/beta/%'

Scenario: Power Apps Canvas App with Embedded HTTP Action
Description: A Power Apps canvas app includes an HTTP action that calls a Power Platform connector endpoint, such as management.azure.com, as part of a data integration flow.
Filter/Exclusion: app_type = "PowerApps" AND request_url NOT LIKE '%/api/%'

Scenario: Azure DevOps Pipeline Deploying Power Automate Flows
Description: An Azure DevOps pipeline deploys Power Automate flows, which may trigger HTTP requests to Power Platform connectors during deployment.
Filter/Exclusion: user_agent LIKE '%Azure DevOps%' or request_url NOT LIKE '%/deployments/%'

Scenario: Power BI Report Refresh Using Azure AD Authentication
Description: A Power BI report refresh process authenticates via Azure AD and makes HTTP requests to management.azure.com as part of the refresh workflow.
Filter/Exclusion: request_url NOT LIKE '%/subscriptions/%' or user_principal_name LIKE '%[email protected]%'