KQL Search

Query Details

HomeAI ToolsDevice Query

Excessive Copilot Prompt Activity

Query

# *Excessive Copilot Prompt Activity*

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |

#### Description

Detects when a user generates an unusually high number of prompts to Copilot within a short period (e.g., 50 prompts in an hour). This could indicate automated activity, data exfiltration attempts, or misuse of the Copilot service.

#### Author <Optional>
- **Name: Benjamin Zulliger**
- **Github: https://github.com/benscha/KQLAdvancedHunting**
- **LinkedIn: https://www.linkedin.com/in/benjamin-zulliger/**


## Defender XDR
```KQL
CopilotActivity
| where RecordType == "CopilotInteraction"
| extend LLM = parse_json(LLMEventData)
| extend Messages = LLM.Messages
| mv-expand Messages
| where tostring(Messages.isPrompt) == "true"
| summarize PromptCount = count() by ActorName, bin(TimeGenerated, 1h)
| where PromptCount > 50        // adjust threshold
```

Explanation

This query is designed to detect unusual activity related to the use of Copilot, a tool that assists users by generating code or text based on prompts. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at records from a data source called CopilotActivity, specifically those that are categorized as "CopilotInteraction".

  2. Extracting Information: It extracts detailed information from a field called LLMEventData and focuses on the messages within this data.

  3. Filtering Prompts: The query then filters these messages to identify only those that are prompts (i.e., requests made to Copilot to generate a response).

  4. Counting Prompts: It counts the number of prompts made by each user (referred to as ActorName) within each hour.

  5. Detecting Excessive Activity: Finally, it flags any user who has made more than 50 prompts in an hour, which could suggest automated activity, potential misuse, or attempts to extract data.

In summary, this query helps identify users who might be overusing or misusing the Copilot service by generating a large number of prompts in a short time frame.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: February 26, 2026

Tables

CopilotActivity

Keywords

CopilotActivityMessagesActorNameTimeGenerated

Operators

whereextendparse_jsonmv-expandtostringsummarizecountbin

Actions