KQL Search

Query Details

Copilot Studio Privilege Escalation Claim

Query

id: a1b2c3d4-1011-4a11-9c01-0123456789b1
name: Copilot Studio - Authority / role-impersonation claim in user message
description: |
  Raises an incident when an inbound Copilot Studio user message asserts
  an authority or role the channel cannot verify ("I am the CFO", "as an
  administrator", "I'm authorised to", "on behalf of the board") in order
  to coax the agent into releasing restricted data or running privileged
  actions. Because the agent has no way to validate the claim, this social
  -engineering pattern is a common privilege-escalation lever against
  Copilot Studio agents.

  Reads inbound turns from AppEvents (Name == "BotMessageReceived") with
  the prompt text in Properties.text (requires "Log sensitive properties"
  on the agent's Application Insights settings).
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppEvents
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- PrivilegeEscalation
- InitialAccess
relevantTechniques:
- T1548
- T1078
query: |
  let escalationMarkers = dynamic([
      "i am the ceo", "i'm the ceo", "i am the cfo", "i'm the cfo",
      "i am the cto", "i am your administrator", "as an administrator",
      "as the administrator", "as an admin", "i am an admin", "i'm an admin",
      "i have admin", "i am authorised", "i am authorized", "i'm authorised",
      "i'm authorized", "i am allowed to", "i have permission to",
      "on behalf of the", "i am from it", "i'm from security",
      "by order of", "override the policy", "i outrank", "elevate my access",
      "give me access to", "grant me access", "i should have access"
  ]);
  AppEvents
  | where Name == "BotMessageReceived"
  | extend
      ConvId    = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      Locale    = tostring(Properties["locale"]),
      DesignMode = tostring(Properties["DesignMode"]),
      Text      = tolower(tostring(Properties["text"]))
  | where isnotempty(Text)
  | mv-apply Marker = escalationMarkers to typeof(string) on (
        where Text contains Marker
        | summarize Markers = make_set(Marker)
    )
  | extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
  | project
      TimeGenerated, AccountName, ConvId, ChannelId, Locale, DesignMode,
      Markers, Text = substring(tostring(Properties["text"]), 0, 1024),
      SessionId, ClientIP, AppVersion
  | order by TimeGenerated desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
- PrivilegeEscalation
- SocialEngineering

Explanation

This query is designed to detect potential social engineering attempts in messages received by a system called Copilot Studio. It specifically looks for messages where a user claims to have authority or a specific role, such as "I am the CFO" or "as an administrator," which the system cannot verify. These claims are often used to trick the system into releasing sensitive information or performing actions that require higher privileges.

Here's a simplified breakdown of the query:

  1. Purpose: The query raises an alert when a message contains phrases that suggest the sender is trying to impersonate someone with authority to gain access or privileges they shouldn't have.

  2. Data Source: It analyzes inbound messages received by the system, specifically looking at the "BotMessageReceived" events from Application Insights.

  3. Detection Logic: The query checks if the message text contains any phrases from a predefined list of authority or role-impersonation markers (e.g., "I am the CEO," "as an admin").

  4. Alert Details: If such phrases are detected, the query logs details like the time the message was received, the account name, conversation ID, channel ID, and a snippet of the message text.

  5. Severity and Tactics: The alert is classified with medium severity and is associated with tactics like Privilege Escalation and Initial Access, indicating the potential risk of unauthorized access.

  6. Incident Management: The query is set to create an incident for each alert, grouping similar alerts together based on the account involved, to help manage and investigate these incidents efficiently.

  7. Frequency: The query runs every hour, checking messages from the past hour to ensure timely detection of potential threats.

Overall, this query helps in identifying and responding to social engineering attempts that could lead to unauthorized access or data breaches in the Copilot Studio environment.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

CopilotStudioUserMessageAppEventsBotMessageReceivedPropertiesTextAccountNameConvIdChannelIdLocaleDesignModeSessionIdClientIPAppVersionAccountIP

Operators

letdynamictostringtolowerisnotemptymv-applycontainssummarizemake_setiffisemptyprojectsubstringorder by

Actions