Microsoft 365 Copilot - Sensitive data exposure via AI agent
Copilot Sensitive Data Exposure
Query
// Confirmed schema: AccessedResources[].PolicyDetails (DLP policy hits)
// and the top-level LLMEventData.DLPEvaluationDeferred boolean.
CopilotActivity
| where TimeGenerated > ago(1h)
| where RecordType == "CopilotInteraction"
| extend
ThreadId = tostring(LLMEventData.ThreadId),
DlpDeferred = tobool(LLMEventData.DLPEvaluationDeferred)
| mv-expand r = LLMEventData.AccessedResources
| extend
SiteUrl = tostring(r.SiteUrl),
ResourceType = tostring(r.Type),
ResourceAction = tostring(r.Action),
PolicyDetails = r.PolicyDetails,
PolicyDetailsStr = tostring(r.PolicyDetails)
| where DlpDeferred
or (isnotempty(PolicyDetailsStr) and PolicyDetailsStr !in ("[]", "{}", "null"))
| summarize
SensitiveHits = count(),
SiteHits = make_set(SiteUrl, 32),
ResourceTypes = make_set(ResourceType, 16),
Actions = make_set(ResourceAction, 8),
Policies = make_set(PolicyDetails, 16),
DlpDeferredCount = countif(DlpDeferred),
Threads = make_set(ThreadId, 16),
ClientIPs = make_set(SrcIpAddr, 16),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AgentId, AgentName, ActorName, ActorUserId, TenantId
| extend SrcIpAddr = tostring(ClientIPs[0])Explanation
This query is designed to monitor and detect potential sensitive data exposure incidents involving Microsoft 365 Copilot, an AI agent. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify instances where the Microsoft 365 Copilot agent accesses or returns content labeled as "Confidential" or higher, or content that includes sensitive information like Personally Identifiable Information (PII), Payment Card Information (PCI), or secrets.
-
Risk: If the Copilot agent is misconfigured or manipulated (e.g., through prompt injection), it could inadvertently expose sensitive data. This query helps detect such scenarios by focusing on the data access aspect, allowing security teams to trace the path from the prompt to the tool and the data, and quickly address any issues with the agent's identity.
-
Severity: The alert generated by this query is considered high severity due to the potential risk of data exfiltration.
-
Data Source: The query uses data from the "CopilotActivity" log, which records interactions with the Copilot agent.
-
Frequency and Period: It runs every 15 minutes and looks back over the past hour to identify any suspicious activities.
-
Detection Logic:
- It checks for interactions where the data's sensitivity evaluation was deferred or where sensitive data policies were triggered.
- It summarizes the findings, including the number of sensitive data hits, the sites accessed, resource types, actions taken, and any deferred evaluations.
-
Alerting and Incident Management:
- If any suspicious activity is detected, an alert is generated.
- The alert groups related incidents by account and cloud application to streamline incident management.
-
Entities and Mapping: The query maps various fields to entities like CloudApplication, Account, and IP to provide context for the alerts.
-
Version and Tags: The query is versioned at 1.0.0 and tagged for easy identification and categorization within the security monitoring system.
Overall, this query is a proactive measure to ensure that sensitive data is not exposed through the use of AI agents like Microsoft 365 Copilot, helping organizations maintain data security and compliance.
Details

David Alonso
Released: May 20, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT15M
Period: PT1H