Microsoft Sentinel Analytic Rules

Copilot - Jailbreak Attempt Detected

Id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
Rulename: Copilot - Jailbreak Attempt Detected
Description: Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.

This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.
Severity: High
Tactics: InitialAccess, CredentialAccess, Impact
Techniques: T1078, T1110, T1565
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
Version: 1.0.0
Arm template: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0.json
CopilotActivity
| where RecordType == "CopilotInteraction"
| where LLMEventData has "JailbreakDetected"
| extend Data = parse_json(LLMEventData)
| extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
| where Jailbreak == "true"
| project TimeGenerated, ActorName, AIModelName, Jailbreak
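To see what the query above does and does not alert on, here is an added Python model of its filters (not part of the Sentinel rule or this site) run over constructed CopilotActivity-style records; column names come from the query, the record contents are made up, and Python's substring check stands in for KQL `has`.

```python
import json

# Constructed CopilotActivity-style records (assumed shape, not real telemetry);
# only the columns the rule touches are present.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2024-01-01T10:00:00Z", "RecordType": "CopilotInteraction",
     "ActorName": "alice@example.com", "AIModelName": "model-a",
     "LLMEventData": json.dumps({"Messages": [{"JailbreakDetected": True}]})},
    # Flag present but false: must not fire.
    {"TimeGenerated": "2024-01-01T10:01:00Z", "RecordType": "CopilotInteraction",
     "ActorName": "bob@example.com", "AIModelName": "model-a",
     "LLMEventData": json.dumps({"Messages": [{"JailbreakDetected": False}]})},
    # Flag only on the second message: the rule reads Messages[0], so it does not fire.
    {"TimeGenerated": "2024-01-01T10:02:00Z", "RecordType": "CopilotInteraction",
     "ActorName": "carol@example.com", "AIModelName": "model-a",
     "LLMEventData": json.dumps({"Messages": [{}, {"JailbreakDetected": True}]})},
    # Flag serialised as the string "true": tostring() still yields "true", so it fires.
    {"TimeGenerated": "2024-01-01T10:04:00Z", "RecordType": "CopilotInteraction",
     "ActorName": "eve@example.com", "AIModelName": "model-a",
     "LLMEventData": json.dumps({"Messages": [{"JailbreakDetected": "true"}]})},
]

def kql_tostring(value):
    # Mimic KQL tostring(): bool -> 'true'/'false', null -> ''.
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def jailbreak_alerts(records):
    """Apply the rule's filters and return the projected rows it would alert on."""
    alerts = []
    for rec in records:
        if rec.get("RecordType") != "CopilotInteraction":
            continue
        raw = rec.get("LLMEventData", "")
        if "JailbreakDetected" not in raw:  # approximates KQL `has` (term match)
            continue
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            continue  # parse_json() gives no usable object; tostring() would be ""
        messages = data.get("Messages") or [{}]
        first = messages[0] if isinstance(messages[0], dict) else {}
        jailbreak = kql_tostring(first.get("JailbreakDetected"))
        if jailbreak == "true":
            alerts.append({"TimeGenerated": rec["TimeGenerated"], "ActorName": rec["ActorName"],
                           "AIModelName": rec["AIModelName"], "Jailbreak": jailbreak})
    return alerts
```

The carol record shows the rule's scope: a jailbreak flag on any message other than the first in LLMEventData is not seen by `Data.Messages[0]`.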
name: Copilot - Jailbreak Attempt Detected
query: |
  CopilotActivity
  | where RecordType == "CopilotInteraction"
  | where LLMEventData has "JailbreakDetected"
  | extend Data = parse_json(LLMEventData)
  | extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
  | where Jailbreak == "true"
  | project TimeGenerated, ActorName, AIModelName, Jailbreak  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorName
    identifier: FullName
queryPeriod: 5m
version: 1.0.0
tactics:
- InitialAccess
- CredentialAccess
- Impact
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
relevantTechniques:
- T1078
- T1110
- T1565
id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
severity: High
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
status: Available
description: |
  'Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.
  This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.'  
queryFrequency: 5m