Rscplt #3693
Rscplt #3693
Conversation
|
DO NOT MERGE YET |
detections/application/m365_copilot_application_usage_pattern_anomalies.yml
Outdated
Show resolved
Hide resolved
detections/application/m365_copilot_application_usage_pattern_anomalies.yml
Outdated
Show resolved
Hide resolved
detections/application/m365_copilot_information_extraction_jailbreak_attack.yml
Outdated
Show resolved
Hide resolved
| type: TTP | ||
| description: Detects agentic AI jailbreak attempts that try to establish persistent control over M365 Copilot through rule injection, universal triggers, response automation, system overrides, and persona establishment techniques. | ||
| search: > | ||
| `m365_exported_ediscovery_prompt_logs` |
There was a problem hiding this comment.
Can you perhaps create a data source file for this as well and instructions on how to export and ingest this csv based logs?
Also, improve the same on how to implement for all m365_exported_ediscovery_prompt_logs
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/m365_copilot/m365_copilot_access.log |
There was a problem hiding this comment.
remove refs/heads/ from the link : this gives you the build error as you see in CI , the correct link would be
| search: > | ||
| `m365_exported_ediscovery_prompt_logs` | ||
| | search Subject_Title="*transcendent*" OR Subject_Title="*incorporeal*" OR Subject_Title="*being who*" OR Subject_Title="*tell me everything*" OR Subject_Title="*give me all*" OR Subject_Title="*comprehensive*" OR Subject_Title="*step by step*" OR Subject_Title="*hidden*" OR Subject_Title="*secret*" OR Subject_Title="*confidential*" OR Subject_Title="*classified*" OR Subject_Title="*internal*" OR Subject_Title="*sensitive*" OR Subject_Title="*proprietary*" OR Subject_Title="*dump*" OR Subject_Title="*extract*" OR Subject_Title="*reveal*" OR Subject_Title="*disclose*" OR Subject_Title="*leak*" | ||
| | eval user = Sender |
There was a problem hiding this comment.
Use this | eval user = Sender for all the searches using this data source
| match(Subject_Title, "(?i)rules\s*="), 4, | ||
| 1=1, 1) | ||
| | where jailbreak_score >= 2 | ||
| | table _time, Sender, Subject_Title, jailbreak_score, Workload, Size |
There was a problem hiding this comment.
Use this | eval user = Sender and output user everywhere in the yaml
| author: Rod Soto | ||
| status: experimental | ||
| type: TTP | ||
| description: Detects agentic AI jailbreak attempts that try to establish persistent control over M365 Copilot through rule injection, universal triggers, response automation, system overrides, and persona establishment techniques. |
There was a problem hiding this comment.
please elaborate the description of the search to briefly explain the logic of the detection, what it is computing in the eval.
You can use the description of this detection as a template. This comment applies to all the yamls in the PR
https://research.splunk.com/cloud/d0895c20-de71-4fd2-b56c-3fcdb888eba1/
https://research.splunk.com/cloud/a9126f73-9a9b-493d-96ec-0dd06695490d/
Details
What does this PR have in it? Screenshots are worth 1000 words 😄
Checklist
<platform>_<mitre att&ck technique>_<short description>nomenclatureNotes For Submitters and Reviewers
buildCI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.