KQL Search

Query Details

Copilot Studio Prompt Injection Patterns

Query

id: a1b2c3d4-1001-4a11-9c01-0123456789a1
name: Copilot Studio - Prompt-injection / instruction-override patterns in user message
description: |
  Raises an incident when an inbound Copilot Studio user message carries
  classic prompt-injection / instruction-override markers ("ignore
  previous instructions", "you are now", "developer mode", "reveal your
  system prompt", tool-coercion phrasing). These are the cheapest and
  most common attempts to subvert an agent's guardrails or exfiltrate its
  configuration.

  Reads the real Copilot Studio telemetry shape: bot turns land in the
  AppEvents table (Name == "BotMessageReceived") with the property bag in
  the dynamic Properties column (conversationId, channelId, text). The
  text key is only populated when "Log sensitive properties" is enabled
  on the agent's Application Insights settings.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppEvents
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- InitialAccess
- DefenseEvasion
relevantTechniques:
- T1566
- T1562
query: |
  let injectionMarkers = dynamic([
      "ignore previous instructions", "ignore all previous", "ignore your instructions",
      "disregard the above", "disregard previous", "you are now", "act as",
      "developer mode", "do anything now", "dan mode", "jailbreak",
      "reveal your system prompt", "show your system prompt", "print your instructions",
      "repeat the words above", "what are your instructions", "bypass your rules",
      "without any restrictions", "pretend you are", "from now on you"
  ]);
  AppEvents
  | where Name == "BotMessageReceived"
  | extend
      ConvId    = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      Locale    = tostring(Properties["locale"]),
      DesignMode = tostring(Properties["DesignMode"]),
      Text      = tolower(tostring(Properties["text"]))
  | where isnotempty(Text)
  | mv-apply Marker = injectionMarkers to typeof(string) on (
        where Text contains Marker
        | summarize Markers = make_set(Marker)
    )
  | extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
  | project
      TimeGenerated, AccountName, ConvId, ChannelId, Locale, DesignMode,
      Markers, Text = substring(tostring(Properties["text"]), 0, 1024),
      SessionId, ClientIP, AppVersion
  | order by TimeGenerated desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: ClientIP
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- CopilotStudio
- AI
- PromptInjection
- Guardrails

Explanation

This query is designed to monitor and detect potential prompt-injection or instruction-override attempts in user messages sent to a Copilot Studio bot. Here's a simplified breakdown of what it does:

  1. Purpose: The query identifies messages that contain specific phrases commonly used to bypass or manipulate the bot's intended behavior. These phrases include things like "ignore previous instructions" or "developer mode."

  2. Data Source: It analyzes data from the AppEvents table, specifically looking at events where the bot received a message (Name == "BotMessageReceived"). The message content is stored in the Properties column.

  3. Detection Logic: The query checks if the message text contains any of the predefined suspicious phrases (injection markers). If a match is found, it logs the incident.

  4. Incident Creation: When such a message is detected, an incident is raised with a medium severity level. This helps in identifying and responding to potential security threats.

  5. Frequency and Scope: The query runs every hour and looks back over the past hour to catch any new incidents.

  6. Additional Details: It captures various details like conversation ID, channel ID, locale, and the message text (up to 1024 characters) for further analysis.

  7. Entity Mapping: It maps the detected incidents to user accounts and IP addresses for better tracking and response.

  8. Incident Grouping: Incidents are grouped by account to avoid duplicate alerts and to manage them more efficiently.

Overall, this query helps in maintaining the security and integrity of the Copilot Studio bot by detecting and alerting on attempts to manipulate its behavior through prompt-injection techniques.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

CopilotStudioAppEventsPropertiesAccountIPClientApplicationInsights

Operators

letdynamictostringtolowerisnotemptymv-applycontainssummarizemake_setiffisemptyprojectsubstringorder bydesc

Actions