Microsoft Sentinel Analytic Rules

Copilot - Jailbreak Attempt Detected

Id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
Rulename: Copilot - Jailbreak Attempt Detected
Description: Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.

This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.
Severity: High
Tactics: InitialAccess, CredentialAccess, Impact
Techniques: T1078, T1110, T1565
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
Version: 1.0.0
Arm template: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0.json
CopilotActivity
| where RecordType == "CopilotInteraction"
| where LLMEventData has "JailbreakDetected"
| extend Data = parse_json(LLMEventData)
| extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
| where Jailbreak == "true"
| project TimeGenerated, ActorName, AIModelName, Jailbreak
entityMappings:
- fieldMappings:
  - columnName: ActorName
    identifier: FullName
  entityType: Account
triggerOperator: gt
tactics:
- InitialAccess
- CredentialAccess
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
version: 1.0.0
query: |
  CopilotActivity
  | where RecordType == "CopilotInteraction"
  | where LLMEventData has "JailbreakDetected"
  | extend Data = parse_json(LLMEventData)
  | extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
  | where Jailbreak == "true"
  | project TimeGenerated, ActorName, AIModelName, Jailbreak  
triggerThreshold: 0
relevantTechniques:
- T1078
- T1110
- T1565
queryPeriod: 5m
status: Available
severity: High
kind: Scheduled
name: Copilot - Jailbreak Attempt Detected
queryFrequency: 5m
id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
description: |
  'Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.
  This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.'  
requiredDataConnectors:
- dataTypes:
  - CopilotActivity
  connectorId: MicrosoftCopilot
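To see what the query above actually does against a handful of rows, here is an added Python example, written for this page and not code from the Azure-Sentinel solution, that replays the KQL pipeline operator by operator over constructed CopilotActivity records. The rows, actor names, timestamps and model name are invented; the column names and the JSON shape the rule expects (Messages[0].JailbreakDetected inside LLMEventData) are taken from the query itself. It also includes a variant I added that checks every message in the interaction, because the rule as written only reads the first element of Messages.

```python
import json

# Constructed sample CopilotActivity rows (illustrative, not real telemetry).
# Only the columns the rule reads are included. LLMEventData is held as a JSON
# string, which is why the rule calls parse_json() on it.
SAMPLE_ROWS = [
    {   # first message flagged: the rule should fire
        "TimeGenerated": "2024-05-01T10:00:00Z",
        "RecordType": "CopilotInteraction",
        "ActorName": "alice@contoso.example",
        "AIModelName": "gpt-4o",
        "LLMEventData": json.dumps({"Messages": [{"Role": "user", "JailbreakDetected": True}]}),
    },
    {   # flag present but false: no alert
        "TimeGenerated": "2024-05-01T10:01:00Z",
        "RecordType": "CopilotInteraction",
        "ActorName": "bob@contoso.example",
        "AIModelName": "gpt-4o",
        "LLMEventData": json.dumps({"Messages": [{"Role": "user", "JailbreakDetected": False}]}),
    },
    {   # flag set only on the second message: the Messages[0] lookup misses it
        "TimeGenerated": "2024-05-01T10:02:00Z",
        "RecordType": "CopilotInteraction",
        "ActorName": "carol@contoso.example",
        "AIModelName": "gpt-4o",
        "LLMEventData": json.dumps({"Messages": [{"Role": "system"},
                                                 {"Role": "user", "JailbreakDetected": True}]}),
    },
    {   # wrong RecordType: dropped by the first where clause
        "TimeGenerated": "2024-05-01T10:03:00Z",
        "RecordType": "CopilotAdmin",
        "ActorName": "dave@contoso.example",
        "AIModelName": "",
        "LLMEventData": json.dumps({"Messages": [{"Role": "user", "JailbreakDetected": True}]}),
    },
    {   # token only inside message text, no such field: passes `has`, fails after parse
        "TimeGenerated": "2024-05-01T10:04:00Z",
        "RecordType": "CopilotInteraction",
        "ActorName": "eve@contoso.example",
        "AIModelName": "gpt-4o",
        "LLMEventData": json.dumps({"Messages": [{"Role": "user",
                                                 "Content": "what does JailbreakDetected mean?"}]}),
    },
]


def kql_tostring(value):
    """Approximate KQL tostring(): bool -> 'true'/'false', null/missing -> ''."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def _project(row, jailbreak):
    # | project TimeGenerated, ActorName, AIModelName, Jailbreak
    return {"TimeGenerated": row["TimeGenerated"], "ActorName": row["ActorName"],
            "AIModelName": row["AIModelName"], "Jailbreak": jailbreak}


def rule_as_written(rows):
    """Emulate the page's KQL pipeline, one operator per step."""
    hits = []
    for row in rows:
        if row["RecordType"] != "CopilotInteraction":        # | where RecordType == "CopilotInteraction"
            continue
        # KQL `has` is a whole-term, case-insensitive match; a substring test is
        # close enough for these samples and shows why it is only a cheap pre-filter.
        if "JailbreakDetected" not in row["LLMEventData"]:    # | where LLMEventData has "JailbreakDetected"
            continue
        data = json.loads(row["LLMEventData"])                # | extend Data = parse_json(LLMEventData)
        messages = data.get("Messages") or []
        first = messages[0] if messages else {}                # Data.Messages[0]
        jailbreak = kql_tostring(first.get("JailbreakDetected"))
        if jailbreak != "true":                                # | where Jailbreak == "true"
            continue
        hits.append(_project(row, jailbreak))
    return hits


def rule_any_message(rows):
    """Variant added here (not the rule's own logic): alert if any message in the
    interaction carries JailbreakDetected == true. The KQL equivalent would
    mv-expand Data.Messages instead of indexing Messages[0]."""
    hits = []
    for row in rows:
        if row["RecordType"] != "CopilotInteraction" or "JailbreakDetected" not in row["LLMEventData"]:
            continue
        data = json.loads(row["LLMEventData"])
        for msg in data.get("Messages") or []:
            if kql_tostring(msg.get("JailbreakDetected")) == "true":
                hits.append(_project(row, "true"))
                break
    return hits


if __name__ == "__main__":
    for name, fn in (("as written", rule_as_written), ("any message", rule_any_message)):
        print(name, [h["ActorName"] for h in fn(SAMPLE_ROWS)])
```

Against these rows the rule as written fires only for alice: bob's flag is false, dave is the wrong RecordType, eve's text merely mentions the token, and carol's flag sits on the second message, which Messages[0] never sees. Whether that last case matters in production depends on where the real LLMEventData places JailbreakDetected, which the rule assumes is always on the first message; if it is not, the mv-expand form of the query is the safer choice.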