Query Details

Copilot Sensitive Data Exposure

Query

id: 2b4e9d31-7a8c-4d2f-8c7e-6e1b9a3f4d12
name: Microsoft 365 Copilot - Sensitive data exposure via AI agent
description: |
  Detects a Microsoft 365 Copilot agent reading or returning content tagged
  with a sensitivity label of Confidential or higher, or content
  carrying DLP-style classifiers (PII, PCI, secrets).

  A misconfigured or prompt-injected agent can serve as an
  exfiltration path: a single crafted prompt can pull regulated
  data through an over-permissioned agent. This rule alerts on
  the data-access leg of that path so SOC can trace prompt -> tool
  -> data and contain the agent identity quickly.
severity: High
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
queryFrequency: PT15M
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1530
- T1213
- T1567
query: |
  // Confirmed schema: AccessedResources[].PolicyDetails (DLP policy hits)
  // and the top-level LLMEventData.DLPEvaluationDeferred boolean.
  CopilotActivity
  | where TimeGenerated > ago(1h)
  | where RecordType == "CopilotInteraction"
  | extend
      ThreadId = tostring(LLMEventData.ThreadId),
      DlpDeferred = tobool(LLMEventData.DLPEvaluationDeferred)
  | mv-expand r = LLMEventData.AccessedResources
  | extend
      SiteUrl = tostring(r.SiteUrl),
      ResourceType = tostring(r.Type),
      ResourceAction = tostring(r.Action),
      PolicyDetails = r.PolicyDetails,
      PolicyDetailsStr = tostring(r.PolicyDetails)
  | where DlpDeferred
      or (isnotempty(PolicyDetailsStr) and PolicyDetailsStr !in ("[]", "{}", "null"))
  | summarize
      SensitiveHits = count(),
      SiteHits = make_set(SiteUrl, 32),
      ResourceTypes = make_set(ResourceType, 16),
      Actions = make_set(ResourceAction, 8),
      Policies = make_set(PolicyDetails, 16),
      DlpDeferredCount = countif(DlpDeferred),
      Threads = make_set(ThreadId, 16),
      ClientIPs = make_set(SrcIpAddr, 16),
      FirstSeen = min(TimeGenerated),
      LastSeen = max(TimeGenerated)
      by AgentId, AgentName, ActorName, ActorUserId, TenantId
  | extend SrcIpAddr = tostring(ClientIPs[0])
entityMappings:
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: AgentName
  - identifier: AppId
    columnName: AgentId
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: ActorName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: Selected
    groupByEntities:
    - Account
    - CloudApplication
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Copilot
- AI

Explanation

This query is designed to monitor and detect potential sensitive data exposure incidents involving Microsoft 365 Copilot, an AI agent. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify instances where a Microsoft 365 Copilot agent accesses or returns content labeled as "Confidential" or higher, or content that carries DLP-style classifiers such as Personally Identifiable Information (PII), payment card data (PCI), or secrets.

  2. Risk: If the Copilot agent is misconfigured or manipulated (e.g., through prompt injection), it can become an exfiltration path: a single crafted prompt can pull regulated data through an over-permissioned agent. The query alerts on the data-access leg of that path, so security teams can trace the chain from prompt to tool to data and quickly contain the agent identity.

  3. Severity: The alert generated by this query is considered high severity due to the potential risk of data exfiltration.

  4. Data Source: The query uses data from the "CopilotActivity" log, which records interactions with the Copilot agent.

  5. Frequency and Period: It runs every 15 minutes and looks back over the past hour to identify any suspicious activities.

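  6. Detection Logic:

    • It expands each interaction's AccessedResources and keeps the resources where DLP evaluation was deferred (LLMEventData.DLPEvaluationDeferred is true) or where PolicyDetails is non-empty, meaning a DLP policy hit was recorded.
    • It summarizes the findings per agent, actor and tenant: the number of sensitive data hits, the sites accessed, resource types, actions taken, policies hit, the count of deferred evaluations, thread IDs, client IPs, and the first and last time seen.

  7. Alerting and Incident Management:

    • Any result triggers the rule (the threshold is greater than 0), and the results of a run are grouped into a single alert.
    • An incident is created, and alerts that share the same Account and CloudApplication entities within the 5-hour lookback are grouped into it rather than opening a new incident; closed incidents are not reopened.

  8. Entities and Mapping: The query maps various fields to entities like CloudApplication, Account, and IP to provide context for the alerts.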

  9. Version and Tags: The query is versioned at 1.0.0 and tagged for easy identification and categorization within the security monitoring system.

Overall, this query is a proactive measure to ensure that sensitive data is not exposed through the use of AI agents like Microsoft 365 Copilot, helping organizations maintain data security and compliance.
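
To check the rule's filter before deploying it, the same predicate can be run over a datatable of constructed rows and each expanded resource labelled with the branch that matched. This is an added example, not part of the published rule; the sample agents, users and URLs are constructed, and the PolicyName key inside PolicyDetails is an assumption about the inner shape of that field.

```kql
// Constructed rows, not real telemetry. Only the fields the rule reads are present.
// The inner shape of PolicyDetails ("PolicyName") is assumed for illustration.
let SampleCopilotActivity = datatable(RecordType: string, AgentName: string,
                                      ActorName: string, LLMEventData: dynamic)
[
    // t-1: resource with a non-empty PolicyDetails array
    "CopilotInteraction", "HR Helper (constructed)", "alice@example.com",
    dynamic({"ThreadId": "t-1", "DLPEvaluationDeferred": false, "AccessedResources": [
        {"SiteUrl": "https://contoso.example/sites/hr",
         "PolicyDetails": [{"PolicyName": "constructed-pci-policy"}]}]}),
    // t-2: PolicyDetails present but an empty array
    "CopilotInteraction", "HR Helper (constructed)", "bob@example.com",
    dynamic({"ThreadId": "t-2", "DLPEvaluationDeferred": false, "AccessedResources": [
        {"SiteUrl": "https://contoso.example/sites/wiki", "PolicyDetails": []}]}),
    // t-3: PolicyDetails key absent from the resource
    "CopilotInteraction", "Sales Bot (constructed)", "carol@example.com",
    dynamic({"ThreadId": "t-3", "DLPEvaluationDeferred": false, "AccessedResources": [
        {"SiteUrl": "https://contoso.example/sites/sales"}]}),
    // t-4: no policy details, but DLP evaluation was deferred for the interaction
    "CopilotInteraction", "Sales Bot (constructed)", "dave@example.com",
    dynamic({"ThreadId": "t-4", "DLPEvaluationDeferred": true, "AccessedResources": [
        {"SiteUrl": "https://contoso.example/sites/finance", "PolicyDetails": []}]}),
    // t-5: policy hit on a record type the rule does not inspect
    "OtherRecordType", "HR Helper (constructed)", "erin@example.com",
    dynamic({"ThreadId": "t-5", "DLPEvaluationDeferred": false, "AccessedResources": [
        {"SiteUrl": "https://contoso.example/sites/hr",
         "PolicyDetails": [{"PolicyName": "constructed-pii-policy"}]}]})
]
| extend TimeGenerated = ago(5m);   // place every row inside the rule's 1h window
SampleCopilotActivity
| where TimeGenerated > ago(1h)
| where RecordType == "CopilotInteraction"
| extend
    ThreadId = tostring(LLMEventData.ThreadId),
    DlpDeferred = tobool(LLMEventData.DLPEvaluationDeferred)
| mv-expand r = LLMEventData.AccessedResources
| extend
    SiteUrl = tostring(r.SiteUrl),
    PolicyDetailsStr = tostring(r.PolicyDetails)
// Same predicate as the rule, split so each branch is visible per resource
| extend HasPolicyHit = isnotempty(PolicyDetailsStr)
    and PolicyDetailsStr !in ("[]", "{}", "null")
| extend MatchReason = case(
    DlpDeferred and HasPolicyHit, "policy-hit+dlp-deferred",
    HasPolicyHit, "policy-hit",
    DlpDeferred, "dlp-deferred",
    "no-match")
| project ThreadId, AgentName, ActorName, SiteUrl, PolicyDetailsStr, MatchReason
```

Rows labelled no-match are the ones the rule's where clause drops; replacing the final project with `| where MatchReason != "no-match"` followed by the rule's summarize reproduces the alert rows for the sample.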

Details

David Alonso

Released: May 20, 2026

Tables

CopilotActivity

Keywords

CopilotActivity, Resources, PolicyDetails, ThreadId, SiteUrl, ResourceType, ResourceAction, SensitiveHits, SiteHits, ResourceTypes, Actions, Policies, DlpDeferredCount, Threads, ClientIPs, FirstSeen, LastSeen, AgentId, AgentName, ActorName, ActorUserId, TenantId, SrcIpAddr, CloudApplication, Account, IP, Address, Name, AppId

Operators

ago, where, extend, tostring, tobool, mv-expand, isnotempty, summarize, count, make_set, countif, min, max
