Query Details
id: a1b2c3d4-1002-4a11-9c01-0123456789a2
name: Copilot Studio - Secrets or bulk PII in agent response
description: |
  Raises an incident when a Copilot Studio agent's outbound response
  contains secret-like material (AWS access key, PEM private key, JWT) or
  bulk PII (>=10 email addresses) - a strong indicator the agent has been
  coerced into leaking credentials, knowledge-base content, or a customer
  list.
  Reads outbound turns from AppEvents (Name == "BotMessageSend") with the
  response text in Properties.text. The text key requires "Log sensitive
  properties" to be enabled on the agent's Application Insights settings.
severity: High
requiredDataConnectors:
  - connectorId: ApplicationInsights
    dataTypes:
      - AppEvents
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
  - Exfiltration
  - Collection
relevantTechniques:
  - T1567
  - T1213
query: |
  AppEvents
  | where Name == "BotMessageSend"
  | extend
      ConvId = tostring(Properties["conversationId"]),
      ChannelId = tostring(Properties["channelId"]),
      Output = tostring(Properties["text"])
  | where isnotempty(Output)
  | extend
      AwsKey = Output matches regex @"AKIA[0-9A-Z]{16}",
      PrivateKey = Output contains "-----BEGIN" and Output contains "PRIVATE KEY-----",
      Jwt = Output matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}",
      EmailCount = array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Output))
  | where AwsKey or PrivateKey or Jwt or EmailCount >= 10
  | extend Signal = case(
      AwsKey, "AwsAccessKey",
      PrivateKey, "PrivateKey",
      Jwt, "JwtToken",
      EmailCount >= 10, "BulkEmailPII",
      "Unknown")
  | extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
  | project
      TimeGenerated, Signal, AccountName, ConvId, ChannelId, EmailCount,
      Output = substring(Output, 0, 1024), SessionId, ClientIP, AppVersion
  | order by TimeGenerated desc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ClientIP
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
      - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
  - Sentinel-As-Code
  - Custom
  - CopilotStudio
  - AI
  - DataLeak
  - Secrets
This query is designed to monitor and detect potential data leaks from a Copilot Studio agent. It raises an alert if the agent's outbound messages contain sensitive information such as AWS access keys, private keys, JWT tokens, or a large number of email addresses (10 or more). Here's a simple breakdown of what the query does:
Data Source: It analyzes outbound messages from the "BotMessageSend" events in Application Insights.
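Detection Criteria: The response text contains an AWS access key (AKIA followed by 16 uppercase letters or digits), a PEM private key header, a JWT, or 10 or more email addresses.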
Alert Generation: If any of the above criteria are met, an alert is triggered, indicating a potential data leak.
Severity and Tactics: The alert is marked as high severity and is mapped to the Exfiltration and Collection tactics (techniques T1567 and T1213).
Incident Management: When an alert is triggered, it creates an incident, grouping alerts by account to manage them effectively.
Additional Details: The query captures and projects relevant information such as the time of the event, type of signal detected, account name, conversation ID, channel ID, and the first 1,024 characters of the message content, so the alert record itself can contain the leaked value.
Overall, this query helps in identifying and responding to incidents where sensitive information might be inadvertently or maliciously exposed by a Copilot Studio agent.
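To validate the detection expressions without live telemetry, the following added example (not part of the original rule) runs them over constructed rows, including the 10-address boundary and a response that matches two signals at once. The Case, Expected and Pass columns and the OtherEvent name are assumptions made for this harness; the AWS key is the placeholder value from AWS documentation.

```kql
// Constructed test rows (no real secrets). Case and Expected are helper
// columns for this harness; Name and Text stand in for AppEvents.Name and
// Properties.text.
let TestEvents = datatable(Case:string, Expected:string, Name:string, Text:string) [
    "aws key",             "AwsAccessKey", "BotMessageSend", "key: AKIAIOSFODNN7EXAMPLE",
    "rsa pem header",      "PrivateKey",   "BotMessageSend", "-----BEGIN RSA PRIVATE KEY-----",
    "jwt",                 "JwtToken",     "BotMessageSend", "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjb25zdHJ1Y3RlZCJ9.c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
    "10 emails",           "BulkEmailPII", "BotMessageSend", "u1@example.com u2@example.com u3@example.com u4@example.com u5@example.com u6@example.com u7@example.com u8@example.com u9@example.com u10@example.com",
    "9 emails",            "",             "BotMessageSend", "u1@example.com u2@example.com u3@example.com u4@example.com u5@example.com u6@example.com u7@example.com u8@example.com u9@example.com",
    "aws key + 10 emails", "AwsAccessKey", "BotMessageSend", "AKIAIOSFODNN7EXAMPLE u1@example.com u2@example.com u3@example.com u4@example.com u5@example.com u6@example.com u7@example.com u8@example.com u9@example.com u10@example.com",
    "other event name",    "",             "OtherEvent",     "key: AKIAIOSFODNN7EXAMPLE",
    "empty text",          "",             "BotMessageSend", ""
];
TestEvents
| extend Properties = bag_pack("text", Text)
| extend Output = tostring(Properties["text"])
| extend
    AwsKey = Output matches regex @"AKIA[0-9A-Z]{16}",
    PrivateKey = Output contains "-----BEGIN" and Output contains "PRIVATE KEY-----",
    Jwt = Output matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}",
    EmailCount = array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Output))
// The rule's two `where` filters are folded into case() so that rows the rule
// would drop stay visible with an empty Signal.
| extend Signal = case(
    Name != "BotMessageSend" or isempty(Output), "",
    AwsKey, "AwsAccessKey",
    PrivateKey, "PrivateKey",
    Jwt, "JwtToken",
    EmailCount >= 10, "BulkEmailPII",
    "")
| extend Pass = Signal == Expected
| project Case, Expected, Signal, EmailCount, Pass
```

A row with Pass == false means the expressions no longer classify that case as intended. The two-signal row also shows that case() reports only the first matching signal, so EmailCount is the column to check for bulk PII riding along with a secret.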

David Alonso
Released: June 8, 2026