Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Copilot - Jailbreak Attempt Detected

Copilot - Jailbreak Attempt Detected

Back
Ide5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
RulenameCopilot - Jailbreak Attempt Detected
DescriptionDetects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.

This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.
SeverityHigh
TacticsInitialAccess
CredentialAccess
Impact
TechniquesT1078
T1110
T1565
Required data connectorsMicrosoftCopilot
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
Version1.0.0
Arm templatee5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0.json
Deploy To Azure
CopilotActivity
| where RecordType == "CopilotInteraction"
| where LLMEventData has "JailbreakDetected"
| extend Data = parse_json(LLMEventData)
| extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
| where Jailbreak == "true"
| project TimeGenerated, ActorName, AIModelName, Jailbreak

relevantTechniques:
- T1078
- T1110
- T1565
name: Copilot - Jailbreak Attempt Detected
queryFrequency: 5m
version: 1.0.0
triggerThreshold: 0
severity: High
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
tactics:
- InitialAccess
- CredentialAccess
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
query: |
  CopilotActivity
  | where RecordType == "CopilotInteraction"
  | where LLMEventData has "JailbreakDetected"
  | extend Data = parse_json(LLMEventData)
  | extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
  | where Jailbreak == "true"
  | project TimeGenerated, ActorName, AIModelName, Jailbreak  
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: ActorName
    identifier: FullName
  entityType: Account
queryPeriod: 5m
triggerOperator: gt
id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
status: Available
description: |
  'Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.
  This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.'