Query Details

Copilot Studio - Secrets or bulk PII in agent response

Copilot Studio Sensitive Data In Response

Query

AppEvents
| where Name == "BotMessageSend"
| extend
    ConvId    = tostring(Properties["conversationId"]),
    ChannelId = tostring(Properties["channelId"]),
    Output    = tostring(Properties["text"])
| where isnotempty(Output)
| extend
    AwsKey     = Output matches regex @"AKIA[0-9A-Z]{16}",
    PrivateKey = Output contains "-----BEGIN" and Output contains "PRIVATE KEY-----",
    Jwt        = Output matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}",
    EmailCount = array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Output))
| where AwsKey or PrivateKey or Jwt or EmailCount >= 10
| extend Signal = case(
    AwsKey,            "AwsAccessKey",
    PrivateKey,        "PrivateKey",
    Jwt,               "JwtToken",
    EmailCount >= 10,  "BulkEmailPII",
    "Unknown")
| extend AccountName = iff(isempty(UserId), "unknown-agent", UserId)
| project
    TimeGenerated, Signal, AccountName, ConvId, ChannelId, EmailCount,
    Output = substring(Output, 0, 1024), SessionId, ClientIP, AppVersion
| order by TimeGenerated desc

Explanation

This query is designed to monitor and detect potential data leaks from a Copilot Studio agent. It raises an alert if the agent's outbound messages contain sensitive information such as AWS access keys, private keys, JWT tokens, or a large number of email addresses (10 or more). Here's a simple breakdown of what the query does:

  1. Data Source: It analyzes outbound messages from the "BotMessageSend" events in Application Insights.

  2. Detection Criteria:

    • Checks if the message contains an AWS access key pattern.
    • Looks for private key indicators within the message.
    • Searches for JWT token patterns.
    • Counts email addresses in the message and flags if there are 10 or more.
  3. Alert Generation: If any of the above criteria are met, an alert is triggered, indicating a potential data leak.

  4. Severity and Tactics: The alert is marked as high severity and is associated with tactics like Exfiltration and Collection, which are techniques used to extract data.

  5. Incident Management: When an alert is triggered, it creates an incident, grouping alerts by account to manage them effectively.

  6. Additional Details: The query captures and projects relevant information such as the time of the event, type of signal detected, account name, conversation ID, channel ID, and a snippet of the message content.

Overall, this query helps in identifying and responding to incidents where sensitive information might be inadvertently or maliciously exposed by a Copilot Studio agent.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppEvents

Keywords

AppEventsPropertiesApplicationInsightsAccountIPClientIPSessionIdAppVersionUserIdEmailPIIAwsAccessKeyPrivateKeyJwtToken

Operators

whereextendtostringisnotemptymatches regexcontainsarray_lengthextract_allorcaseiffisemptyprojectsubstringorder bydesc

Severity

High

Tactics

ExfiltrationCollection

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub