Unused actions in Copilot Studio agents are usually leftovers of an earlier configuration: a tool (a connector, flow or other action bound through a connection reference) that no topic ever calls. They add attack surface without adding function, they keep a live connection bound to an agent that nobody exercises, and a tampered or quietly added action among them is easy to miss because no topic traffic ever reaches it. SOC teams should hunt for them in Microsoft Sentinel with the query below. The query takes the latest record for every non-deleted agent, collects the connectionReference values found in the beginDialog actions of every topic, and reports tools on classic-orchestration agents whose connectionReference is not in that set. Note that the set is built across all agents, so a connection reference that a topic in any agent calls counts as used even when the agent that owns the tool never calls it; scope the comparison per agent if that precision matters to you.
KQL Query
let TopicsConnectionReference =
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mv-expand topic = AgentTopicsDetails
| mv-expand actionTopic = topic.beginDialog.actions
| where isnotempty(actionTopic.connectionReference)
| extend TopicConnectionReference = tostring(actionTopic.connectionReference)
| distinct TopicConnectionReference;
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where not(IsGenerativeOrchestrationEnabled)
| where isnotempty(AgentToolsDetails)
| mv-expand tool = AgentToolsDetails
| extend ToolConnectionReference = tostring(tool.action.connectionReference)
| where isnotempty(ToolConnectionReference)
| where ToolConnectionReference !in (TopicsConnectionReference)
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, tool, ToolConnectionReference
id: 3b6c9d0e-1f2a-3b4c-5d6e-7f8a9b0c1d2e
name: Copilot Studio AI Agents - Unused Actions
description: |
  This query identifies Copilot Studio AI agents with classic orchestration that include Actions not referenced in any Topic.
  While unused Actions may not pose an immediate security risk, they add unnecessary exposure and maintenance burden.
  Orphaned Actions remain bound to live connections, and therefore to the credentials behind them, creating an indirect exposure risk if overlooked.
  Recommended Action: Review and remove unused Actions to reduce attack surface, simplify agent logic, and prevent accidental execution of outdated or unnecessary operations.
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  let TopicsConnectionReference =
      AIAgentsInfo
      | where RegistrySource != "A365"
      | summarize arg_max(Timestamp, *) by AIAgentId
      | where AgentStatus != "Deleted"
      | mv-expand topic = AgentTopicsDetails
      | mv-expand actionTopic = topic.beginDialog.actions
      | where isnotempty(actionTopic.connectionReference)
      | extend TopicConnectionReference = tostring(actionTopic.connectionReference)
      | distinct TopicConnectionReference;
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | where not(IsGenerativeOrchestrationEnabled)
  | where isnotempty(AgentToolsDetails)
  | mv-expand tool = AgentToolsDetails
  | extend ToolConnectionReference = tostring(tool.action.connectionReference)
  | where isnotempty(ToolConnectionReference)
  | where ToolConnectionReference !in (TopicsConnectionReference)
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, tool, ToolConnectionReference
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
Scenario: An agent is still being built. An action was added before the topic that will call it, so it shows as unreferenced until development finishes.
Filter/Exclusion: Exclude agents that follow the team's development naming convention (for example an AIAgentName suffix such as -dev or -test, an assumed convention to replace with your own) or whose AgentCreationTime falls within the agreed development window.
Scenario: A developer creates a test action in Copilot Studio to simulate API calls for debugging purposes, but the action is never used in a published topic.
Filter/Exclusion: Exclude actions labeled as "test" or "debug" in the action name or description.
Scenario: An action is kept deliberately for a topic planned in a later release (for example an email-notification or maintenance flow), and the agent owner has reviewed and accepted it.
Filter/Exclusion: Maintain an allow-list of reviewed ToolConnectionReference values and exclude them from the results; re-validate the list whenever the agent changes owner or the accepted action is modified.
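The hunting query with the three exclusions above applied, as an added example rather than the page's own query. It goes one step beyond the original by keying the topic connection references on AIAgentId, so a tool counts as used only if a topic in the same agent calls it. The -dev/-test name suffixes, the 7-day development window and the allow-list value are placeholders to replace with your team's own; the test/debug match runs over the serialized tool JSON so that no tool field name has to be assumed.

```kql
// Added example, not the original hunting query: the same hunt with the
// exclusions from the scenarios above, plus per-agent scoping of "used".
// Assumptions: the "-dev"/"-test" name suffixes, the 7-day development
// window and the allow-list value are placeholders for a team's own values.
let DevelopmentWindow = 7d;
let AllowedConnectionReferences = dynamic(["shared_office365_notify"]);   // assumed, owner-reviewed
let Agents =
    AIAgentsInfo
    | where RegistrySource != "A365"
    | summarize arg_max(Timestamp, *) by AIAgentId
    | where AgentStatus != "Deleted";
// Connection references that a topic actually calls, keyed by the agent that owns the topic
let TopicsConnectionReference =
    Agents
    | mv-expand topic = AgentTopicsDetails
    | mv-expand actionTopic = topic.beginDialog.actions
    | where isnotempty(actionTopic.connectionReference)
    | extend TopicConnectionReference = tostring(actionTopic.connectionReference)
    | distinct AIAgentId, TopicConnectionReference;
Agents
| where not(IsGenerativeOrchestrationEnabled)
| where isnotempty(AgentToolsDetails)
| mv-expand tool = AgentToolsDetails
| extend ToolConnectionReference = tostring(tool.action.connectionReference)
| where isnotempty(ToolConnectionReference)
// Scenario 1: agents still under development, by naming convention or age
| where not(AIAgentName endswith "-dev" or AIAgentName endswith "-test")
| where AgentCreationTime < ago(DevelopmentWindow)
// Scenario 2: tools marked as test/debug anywhere in their definition
// (matched on the serialized tool JSON, so no field name is assumed)
| where not(tostring(tool) has_any ("test", "debug"))
// Scenario 3: connection references reviewed and accepted by the agent owner
| where ToolConnectionReference !in (AllowedConnectionReferences)
// A tool counts as used only if a topic in the same agent references it;
// the original query treats a reference from any agent's topic as "used"
| join kind=leftanti (TopicsConnectionReference)
    on AIAgentId, $left.ToolConnectionReference == $right.TopicConnectionReference
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, tool, ToolConnectionReference
```

Run it side by side with the original query: rows that appear only here are tools whose connection reference is referenced by a topic in some other agent, which the global comparison hides; rows that appear only in the original are the ones the three exclusions removed, and each of those should be traceable to a named scenario before you trust the filter.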