Microsoft Sentinel Analytic Rules

Copilot - Jailbreak Attempt Detected

Id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
Rulename: Copilot - Jailbreak Attempt Detected
Description: Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.

This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.
Severity: High
Tactics: InitialAccess, CredentialAccess, Impact
Techniques: T1078, T1110, T1565
Required data connectors: MicrosoftCopilot
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
Version: 1.0.0
Arm template: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0.json
Query:
CopilotActivity
| where RecordType == "CopilotInteraction"
| where LLMEventData has "JailbreakDetected"
| extend Data = parse_json(LLMEventData)
| extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
| where Jailbreak == "true"
| project TimeGenerated, ActorName, AIModelName, Jailbreak
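Added example, not part of the rule or the Azure-Sentinel repository: a Python re-implementation of the query's filter steps run over constructed sample CopilotActivity rows. It shows the practical consequence of reading only Data.Messages[0]: a JailbreakDetected flag set on a later message in the same interaction is not matched, while a variant that inspects every message catches it. The row contents, actor names, model name and the alternative RecordType value are all constructed.

```python
import json

# Constructed sample CopilotActivity rows (not real telemetry); only the columns the
# rule reads are present, laid out as Data.Messages[n].JailbreakDetected.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "RecordType": "CopilotInteraction",
     "ActorName": "alice@example.com", "AIModelName": "gpt-4",
     "LLMEventData": json.dumps({"Messages": [{"JailbreakDetected": True}]})},
    # Flag only on the second message: the query as written does not see it.
    {"TimeGenerated": "2024-05-01T10:01:00Z", "RecordType": "CopilotInteraction",
     "ActorName": "bob@example.com", "AIModelName": "gpt-4",
     "LLMEventData": json.dumps({"Messages": [{"JailbreakDetected": False},
                                              {"JailbreakDetected": True}]})},
    # Different RecordType (constructed name): dropped by the first where clause.
    {"TimeGenerated": "2024-05-01T10:02:00Z", "RecordType": "SomeOtherRecordType",
     "ActorName": "carol@example.com", "AIModelName": "gpt-4",
     "LLMEventData": json.dumps({"Messages": [{"JailbreakDetected": True}]})},
]

def kql_tostring(value):
    """Approximate KQL tostring(): bools become 'true'/'false', null becomes ''."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def _candidates(rows):
    """The two string-level where clauses; KQL 'has' is approximated by substring."""
    for r in rows:
        if r.get("RecordType") == "CopilotInteraction" and "JailbreakDetected" in r.get("LLMEventData", ""):
            yield r, json.loads(r["LLMEventData"]).get("Messages") or []

def rule_as_written(rows):
    """Python equivalent of the page's query: only Messages[0] is inspected."""
    hits = []
    for r, msgs in _candidates(rows):
        first = msgs[0].get("JailbreakDetected") if msgs else None
        if kql_tostring(first) == "true":
            hits.append((r["TimeGenerated"], r["ActorName"], r["AIModelName"], "true"))
    return hits

def rule_any_message(rows):
    """Variant that fires when any message in the interaction carries the flag."""
    hits = []
    for r, msgs in _candidates(rows):
        if any(kql_tostring(m.get("JailbreakDetected")) == "true" for m in msgs):
            hits.append((r["TimeGenerated"], r["ActorName"], r["AIModelName"], "true"))
    return hits
```

rule_as_written(SAMPLE_ROWS) returns only alice's row, while rule_any_message(SAMPLE_ROWS) also returns bob's; the KQL equivalent of the second function would use mv-expand on Data.Messages before the where clause.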
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Copilot/Analytic Rules/CopilotJailbreakAttempt.yaml
queryPeriod: 5m
description: |
  'Detects jailbreak attempts in Copilot interactions where users are trying to bypass Copilot guardrails and security controls.
  This rule identifies prompt injection and LLM abuse scenarios that could lead to initial access, credential access, or system impact.'  
triggerThreshold: 0
name: Copilot - Jailbreak Attempt Detected
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorName
kind: Scheduled
requiredDataConnectors:
- connectorId: MicrosoftCopilot
  dataTypes:
  - CopilotActivity
queryFrequency: 5m
tactics:
- InitialAccess
- CredentialAccess
- Impact
id: e5f6a7b8-c9d0-41e2-f3a4-b5c6d7e8f9a0
status: Available
version: 1.0.0
query: |
  CopilotActivity
  | where RecordType == "CopilotInteraction"
  | where LLMEventData has "JailbreakDetected"
  | extend Data = parse_json(LLMEventData)
  | extend Jailbreak = tostring(Data.Messages[0].JailbreakDetected)
  | where Jailbreak == "true"
  | project TimeGenerated, ActorName, AIModelName, Jailbreak  
severity: High
relevantTechniques:
- T1078
- T1110
- T1565