Query Details

Copilot Studio Bulk Data Exfiltration Intent

Query

id: a1b2c3d4-1012-4a11-9c01-0123456789b2
name: Copilot Studio - Bulk data-exfiltration intent in user message
description: |
  Raises an incident when an inbound Copilot Studio user message asks the
  agent to return data in bulk ("show all records", "export all bookings",
  "list every customer", "dump the table", "give me the full list")
  instead of the single, scoped record the agent is meant to serve. This
  is the classic prompt-driven exfiltration pattern where an
  over-permissive agent or connector returns far more than the user is
  entitled to.

  Reads inbound turns from AppEvents (Name == "BotMessageReceived") with
  the prompt text in Properties.text (requires "Log sensitive properties"
  on the agent's Application Insights settings). Pair with
  CopilotStudioSensitiveDataInResponse to confirm whether bulk content was
  actually returned.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppEvents
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Collection
- Exfiltration
relevantTechniques:
- T1213
- T1530
query: |
  let exfilMarkers = dynamic([
      "show all", "list all", "list every", "export all", "export the entire",
      "give me all", "give me every", "give me the full list", "full list of",
      "all records", "all customers", "all users", "all bookings", "all orders",
      "all employees", "every record", "every customer", "every user",
      "dump the", "dump all", "entire database", "entire table",
      "complete list of", "everything you have on", "all the data",
      "without any filter", "no limit", "select *"
  ]);
  AppEvents
  | where Name == "BotMessageReceived"
  | extend
      ConvId    = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      Locale    = tostring(Properties["locale"]),
      DesignMode = tostring(Properties["DesignMode"]),
      Text      = tolower(tostring(Properties["text"]))
  | where isnotempty(Text)
  | mv-apply Marker = exfilMarkers to typeof(string) on (
        where Text contains Marker
        | summarize Markers = make_set(Marker)
    )
  // keep only messages that matched at least one marker
  | where array_length(Markers) > 0
  | extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
  | project
      TimeGenerated, AccountName, ConvId, ChannelId, Locale, DesignMode,
      Markers, Text = substring(tostring(Properties["text"]), 0, 1024),
      SessionId, ClientIP, AppVersion
  | order by TimeGenerated desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
- DataExfiltration
- Collection

Explanation

This query is designed to detect potential data exfiltration attempts through a chatbot or virtual assistant, specifically in the context of Copilot Studio. Here's a simplified breakdown of what it does:

  1. Purpose: The query identifies situations where a user message to a chatbot requests large amounts of data, such as "show all records" or "export all bookings." This could indicate an attempt to extract more data than the user is authorized to access.

  2. Data Source: It analyzes inbound messages received by the bot, which are logged as "BotMessageReceived" events in Application Insights.

  3. Detection Method: The query looks for specific phrases (e.g., "show all," "dump the table") in the message text that suggest a request for bulk data. These phrases are stored in a list called exfilMarkers.

  4. Alert Generation: If any of these phrases are found in a message, an alert is generated. The alert includes details like the time the message was received, the account name, conversation ID, channel ID, and the text of the message.

  5. Severity and Tactics: The severity of the alert is set to "Medium," and it is associated with tactics like "Collection" and "Exfiltration," which are common in data theft scenarios.

  6. Incident Management: If such an event is detected, an incident is created. The system can group similar incidents together based on the account involved, but it won't reopen closed incidents.

  7. Frequency: The query runs every hour and looks back over the past hour to identify any suspicious messages.

  8. Tags and Versioning: The query is tagged with relevant keywords for easy identification and is versioned for tracking changes.

Overall, this query helps monitor for unauthorized data access through chatbot interactions by flagging messages that could indicate an attempt to extract large datasets.
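
To check the marker matching before enabling the rule, the same pipeline can be run against an inline table. This is an added example, not part of the published rule: the sample rows, user names, conversation IDs and the "SomeOtherEvent" name are constructed, the marker list is shortened, and the `array_length` filter is an explicit guard against rows with no match.

```kql
// Shortened marker list taken from the rule's exfilMarkers.
let exfilMarkers = dynamic(["show all", "export all", "all bookings", "dump the", "select *"]);
// Constructed sample events (not real telemetry), one per case to exercise.
let SampleEvents = datatable(TimeGenerated: datetime, Name: string, UserId: string, Properties: dynamic)
[
    // scoped, single-record request
    datetime(2026-06-08 10:00:00), "BotMessageReceived", "user-a",
        dynamic({"conversationId": "conv-1", "text": "What time is my booking on Friday?"}),
    // mixed-case bulk request that hits two markers
    datetime(2026-06-08 10:01:00), "BotMessageReceived", "user-b",
        dynamic({"conversationId": "conv-2", "text": "Please EXPORT ALL bookings as a CSV"}),
    // bulk request with an empty UserId
    datetime(2026-06-08 10:02:00), "BotMessageReceived", "",
        dynamic({"conversationId": "conv-3", "text": "dump the table: select * from customers"}),
    // marker text in an event that is not an inbound user message
    datetime(2026-06-08 10:03:00), "SomeOtherEvent", "user-b",
        dynamic({"conversationId": "conv-2", "text": "Here are all bookings"}),
    // inbound message logged without Properties.text
    datetime(2026-06-08 10:04:00), "BotMessageReceived", "user-c",
        dynamic({"conversationId": "conv-4"})
];
SampleEvents
| where Name == "BotMessageReceived"
| extend
    ConvId = tostring(Properties["conversationId"]),
    Text   = tolower(tostring(Properties["text"]))
| where isnotempty(Text)
| mv-apply Marker = exfilMarkers to typeof(string) on (
      where Text contains Marker
      | summarize Markers = make_set(Marker)
  )
// guard: drop rows whose marker set is empty
| where array_length(Markers) > 0
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project TimeGenerated, AccountName, ConvId, Markers
| order by TimeGenerated asc
```

The last sample row mirrors an agent where "Log sensitive properties" is off: with no Properties.text, the message is filtered out before any matching happens.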

Details

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

CopilotStudio, AppEvents, BotMessageReceived, AccountName, UserId, SessionId, ClientIP, AppVersion

Operators

let, dynamic, tostring, tolower, isnotempty, mv-apply, to, typeof, contains, summarize, make_set, iff, isempty, project, substring, order by, desc