splunk · rosplk · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025
@@ -0,0 +1,67 @@
+name: M365 Copilot Graph API
+id: 30dd2202-869c-47fb-ad37-4f4d4c93c6b7
+version: 1
+date: '2025-09-30'
+author: Rod Soto, Splunk
+description: Access Logs from M365 Copilot access via Graph API
+source: AuditLogs.SignIns
+sourcetype: o365:graph:api
+supported_TA:
+- name:  Splunk Add-on for Microsoft Office 365 
+  url: https://splunkbase.splunk.com/app/4055
+  version: 4.9.0
+fields:
+- appDisplayName
+- appId
+- clientAppUsed
+- conditionalAccessStatus
+- correlationId
+- createdDateTime
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- deviceDetail.browser
+- deviceDetail.deviceId
+- deviceDetail.displayName
+- deviceDetail.isCompliant
+- deviceDetail.isManaged
+- deviceDetail.operatingSystem
+- deviceDetail.trustType
+- eventtype
+- host
+- id
+- index
+- ipAddress
+- isInteractive
+- linecount	
+- location.city	
+- location.countryOrRegion
+- location.geoCoordinates.altitude
+- location.geoCoordinates.latitude
+- location.geoCoordinates.longitude	
+- location.state
+- punct
+- resourceDisplayName
+- resourceId
+- riskDetail
+- riskLevelAggregated
+- riskLevelDuringSignIn
+- riskState
+- source
+- sourcetype
+- splunk_server
+- status.additionalDetails
+- status.errorCode
+- status.failureReason
+- timeendpos
+- timestartpos
+- userDisplayName
+- userId
+- userPrincipalName
+output_fields: []
+example_log: '{"id": "7fbc0a97-7f78-4cc8-9377-dc94d2ad1e00", "createdDateTime": "2025-09-30T12:34:20Z", "userDisplayName": "Rod  Soto", "userPrincipalName": "[email protected]", "userId": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "appId": "9199bf20-a13f-4107-85dc-02114787ef48", "appDisplayName": "One Outlook Web", "ipAddress": "127.0.0.1", "clientAppUsed": "Browser", "correlationId": "8fe7aa9b-42c8-b52e-c6f2-8e4dfc07996b", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "00000002-0000-0ff1-ce00-000000000000", "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": "MFA requirement satisfied by claim in the token"}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "MacOs", "browser": "Chrome 140.0.0", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "Miami", "state": "Florida", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": 25.76286, "longitude": -80.31196}}, "appliedConditionalAccessPolicies": []}'
@@ -0,0 +1,88 @@
+name: M365 Exported eDiscovery Prompts
+id: 4fc2d127-ba47-45df-b56c-4ec626ee735b
+version: 1
+date: '2025-10-07'
+author: Rod Soto, Splunk
+description: M365 exported eDiscovery prompt logs from Microsoft Purview contain user interactions with M365 Copilot, including the actual prompt text (Subject_Title), sender information, timestamps, and metadata about the AI conversations. These logs are exported through Purview's eDiscovery functionality and provide visibility into how users are querying and attempting to interact with Copilot, making them valuable for detecting jailbreak attempts, data exfiltration requests, policy violations, and other security-relevant AI usage patterns. The logs capture the full conversational context necessary for identifying malicious prompt injection, social engineering attempts against the AI, and unauthorized information disclosure requests.
+source: csv
+sourcetype: csv
+fields:
+- Added by
+- Author
+- Compound path	
+- Contains deleted message
+- Contains edited message
+- Conversation name
+- Conversation type
+- Created	
+- Created by
+- Data source
+- Date
+- Doc authors
+- Doc date modified
+- Doc modified by
+- Document ID index
+- Email date sent
+- Email importance
+- Email participant domains
+- Email recipient domains
+- Email recipients
+- Email sender domain
+- Error warning
+- File extension
+- File name
+- Has attachment
+- Has text
+- Immutable ID
+- Internet message ID	
+- Is attachment from transcript
+- Is doc from conversation
+- Is modern attachment
+- Is read
+- Item class
+- Item source	
+- Last modified by
+- Last modified time
+- Location ID
+- Location sub type
+- Message kind
+- Modern attachment parent ID
+- Original path
+- Participants
+- Received
+- Recipient count
+- Retention label
+- SPO unique ID	
+- Sender
+- Sensitive type
+- Size
+- Source ID	
+- Status
+- Subject_Title
+- Target path
+- Title
+- To
+- Type
+- Workload
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year	
+- date_zone	
+- eventtype	
+- host
+- index	
+- linecount
+- punct
+- source
+- sourcetype
+- splunk_server
+- tag
+- timeendpos
+- timestamp
+- timestartpos
+output_fields: []
+example_log: 'Succeeded,,IndexQuery,,,,,,,,,,[email protected]/TeamsMessagesData/Card.html,False,False,,,,,,,,,All people and groups,2025-08-25 20:58:43Z,,,,,,,,,,,,,,,,1591522,,,,2025-08-25T20:58:43Z,,Normal,,,rodsoto.onmicrosoft.com,,,Copilot in Word,,rodsoto.onmicrosoft.com,,,,,,,,,,,,,html,Card.html,,,,True,False,,,Exchange/sourceE83F8E164F7280A5033281941716356F/TEAMS/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2/2025082512/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2-2025082512.html-mimeatt64601eefbf644a2a940f679f8ae1d4be-1,,,,1756155523926,False,,False,,,,,,True,,True,,,,IPM.SkypeTeams.Message.Copilot.Word,[email protected],,2025-08-25T20:58:45Z,,,d03dab29-e210-4507-8932-ce3c7e74e5ae,PrimaryMailBox,,,,,,,Exchange/sourceE83F8E164F7280A5033281941716356F/TEAMS/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2/2025082512/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2-2025082512.html,,,,,,,,,/TeamsMessagesData,,,Rod  Soto <[email protected]>;Copilot in Word,,,,,,2025-08-25T20:58:43Z,1,,,,,,[email protected],,,,,,,49292,[email protected],,,00000000-0000-0000-0000-000000000000,,,Items.1.001.zip\Exchange\[email protected]\TeamsMessagesData\Card_46.html,,,,,,,,,Copilot in Word,,Message,,,,,Exchange'
@@ -0,0 +1,59 @@
+name: M365 Copilot Agentic Jailbreak Attack
+id: e5c7b380-19da-42e9-9e53-0af4cd27aee3
+version: 1
+date: '2025-09-25'
+author: Rod Soto
+status: experimental
+type: TTP
+data_source:
+- M365 Exported eDiscovery Prompts
+description: Detects agentic AI jailbreak attempts that try to establish persistent control over M365 Copilot through rule injection, universal triggers, response automation, system overrides, and persona establishment techniques. The detection analyzes the PromptText field for keywords like "from now on," "always respond," "ignore previous," "new rule," "override," and role-playing commands (e.g., "act as," "you are now") that attempt to inject persistent instructions. The search computes risk by counting distinct jailbreak indicators per user session, flagging coordinated manipulation attempts.
+search: >
+  `m365_exported_ediscovery_prompt_logs`
+  | eval user = Sender
+  | eval rule_injection=if(match(Subject_Title, "(?i)(rules|instructions)\s*="), "YES", "NO")
+  | eval universal_trigger=if(match(Subject_Title, "(?i)(every|all).*prompt"), "YES", "NO")
+  | eval response_automation=if(match(Subject_Title, "(?i)(always|automatic).*respond"), "YES", "NO")
+  | eval system_override=if(match(Subject_Title, "(?i)(override|bypass|ignore).*(system|default)"), "YES", "NO")
+  | eval persona_establishment=if(match(Subject_Title, "(?i)(with.*\[.*\]|persona)"), "YES", "NO")
+  | where rule_injection="YES" OR universal_trigger="YES" OR response_automation="YES" OR system_override="YES" OR persona_establishment="YES"
+  | table _time, "Source ID", user, Subject_Title, rule_injection, universal_trigger, response_automation, system_override, persona_establishment, Workload
+  | sort -_time
+  | `m365_copilot_agentic_jailbreak_attack_filter`
+how_to_implement: To export M365 Copilot prompt logs, navigate to the Microsoft Purview compliance portal (compliance.microsoft.com) and access eDiscovery. Create a new eDiscovery case, add target user accounts or date ranges as data sources, then create a search query targeting M365 Copilot interactions across relevant workloads. Once the search completes, export the results to generate a package containing prompt logs with fields like Subject_Title (prompt text), Sender, timestamps, and workload metadata. Download the exported files using the eDiscovery Export Tool and ingest them into Splunk for security analysis and detection of jailbreak attempts, data exfiltration requests, and policy violations.
+known_false_positives: Legitimate users discussing AI ethics research, security professionals testing system robustness, developers creating training materials for AI safety, or academic discussions about AI limitations and behavioral constraints may trigger false positives.
+references:
+  - https://www.splunk.com/en_us/blog/artificial-intelligence/m365-copilot-log-analysis-splunk.html
+drilldown_searches:
+  - name: View the detection results for - "$user$"
+    search: '%original_detection_search% | search user="$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object="$user$" starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: User $user$ attempted to establish persistent agentic control over M365 Copilot through advanced jailbreak techniques including rule injection, universal triggers, and system overrides, potentially compromising AI security across multiple sessions.
+  risk_objects:
+    - field: user
+      type: user
+      score: 10
+  threat_objects: []
+tags:
+  analytic_story:
+    - Suspicious Microsoft 365 Copilot Activities
+  asset_type: Web Application
+  mitre_attack_id:
+    - T1562
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/m365_copilot/copilot_prompt_logs.csv
+        sourcetype: csv
+        source: csv
@@ -0,0 +1,71 @@
+name: M365 Copilot Application Usage Pattern Anomalies
+id: e3308b0c-d1a1-40d5-9486-4500f0d34731
+version: 1
+date: '2025-09-24'
+author: Rod Soto
+status: production
+type: Anomaly
+description: Detects M365 Copilot users exhibiting suspicious application usage patterns including multi-location access, abnormally high activity volumes, or access to multiple Copilot applications that may indicate account compromise or automated abuse. The detection aggregates M365 Copilot Graph API events per user, calculating metrics like distinct cities/countries accessed, unique IP addresses, number of different Copilot apps used, and average events per day over the observation period. Users are flagged when they access Copilot from multiple cities (cities_count > 1), generate excessive daily activity (events_per_day > 100), or use more than two different Copilot applications (app_count > 2), which are anomalous patterns suggesting credential compromise or bot-driven abuse.
+search: >
+  `m365_copilot_graph_api` (appDisplayName="*Copilot*" OR appDisplayName="M365ChatClient" OR appDisplayName="OfficeAIAppChatCopilot")
+  | eval user = userPrincipalName
+  | stats count as events,
+      dc(location.city) as cities_count,
+      values(location.city) as city_list,
+      dc(location.countryOrRegion) as countries_count,
+      values(location.countryOrRegion) as country_list,
+      dc(ipAddress) as ip_count,
+      values(ipAddress) as ip_addresses,
+      dc(appDisplayName) as app_count,
+      values(appDisplayName) as apps_used,
+      dc(resourceDisplayName) as resource_count,
+      values(resourceDisplayName) as resources_accessed,
+      min(_time) as first_seen,
+      max(_time) as last_seen
+      by user
+  | eval days_active = round((last_seen - first_seen)/86400, 1)
+  | eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
+  | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
+  | eval events_per_day = if(days_active > 0, round(events/days_active, 2), events)
+  | where cities_count > 1 OR events_per_day > 100 OR app_count > 2
+  | sort -events_per_day, -countries_count
+  | `m365_copilot_application_usage_pattern_anomalies_filter`
+data_source: 
+- M365 Copilot Graph API
+how_to_implement: This detection requires ingesting M365 Copilot access logs via the Splunk Add-on for Microsoft Office 365. Configure the add-on to collect Azure AD Sign-in logs (AuditLogs.SignIns) through the Graph API data input. Ensure proper authentication and permissions are configured to access sign-in audit logs. The `m365_copilot_graph_api` macro should be defined to filter for sourcetype o365:graph:api data containing Copilot application activity.
+known_false_positives: Power users, executives with heavy AI workloads, employees traveling for business, users accessing multiple Copilot applications legitimately, or teams using shared corporate accounts across different office locations may trigger false positives.
+references:
+  - https://www.splunk.com/en_us/blog/artificial-intelligence/m365-copilot-log-analysis-splunk.html
+drilldown_searches:
+  - name: View the detection results for "$user$"
+    search: '%original_detection_search% | search  user="$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for "$user$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: User $user$ exhibited anomalous M365 Copilot usage patterns including multi-location access, excessive activity levels, or multiple application usage indicating potential account compromise or automated abuse.
+  risk_objects:
+    - field: user
+      type: user
+      score: 10
+  threat_objects: []
+tags:
+  analytic_story:
+    - Suspicious Microsoft 365 Copilot Activities
+  asset_type: Web Application
+  mitre_attack_id:
+    - T1078
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/m365_copilot/m365_copilot_access.log
+        sourcetype: o365:graph:api
+        source: AuditLogs.SignIns
@@ -0,0 +1,72 @@
+name: M365 Copilot Failed Authentication Patterns
+id: 0ae94cdd-021a-4a62-a96d-9cec90b61530
+version: 1
+date: '2025-09-24'
+author: Rod Soto
+status: production
+type: Anomaly
+description: Detects M365 Copilot users with failed authentication attempts, MFA failures, or multi-location access patterns indicating potential credential attacks or account compromise. The detection aggregates M365 Copilot Graph API authentication events per user, calculating metrics like distinct cities/countries accessed, unique IP addresses and browsers, failed login attempts (status containing "fail" or "error"), and MFA failures (error code 50074). Users are flagged when they access Copilot from multiple cities (cities_count > 1), experience any authentication failures (failed_attempts > 0), or encounter MFA errors (mfa_failures > 0), which are indicators of credential stuffing, brute force attacks, or compromised accounts attempting to bypass multi-factor authentication.
+search: '`m365_copilot_graph_api` (appDisplayName="*Copilot*" OR appDisplayName="M365ChatClient" OR appDisplayName="OfficeAIAppChatCopilot")
+| eval user = userPrincipalName
+| stats count as events,
+    dc(location.city) as cities_count,
+    values(location.city) as city_list,
+    dc(location.countryOrRegion) as countries_count,
+    values(location.countryOrRegion) as country_list,
+    dc(ipAddress) as ip_count,
+    values(ipAddress) as ip_addresses,
+    sum(eval(if(match(status, "(?i)fail|error"), 1, 0))) as failed_attempts,
+    sum(eval(if(match(_raw, "50074"), 1, 0))) as mfa_failures,
+    dc(deviceDetail.browser) as browser_count,
+    values(deviceDetail.browser) as browsers_used,
+    min(_time) as first_seen,
+    max(_time) as last_seen
+    by user
+| eval first_seen = strftime(first_seen, "%Y-%m-%d %H:%M:%S")
+| eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S")
+| where cities_count > 1 OR failed_attempts > 0 OR mfa_failures > 0
+| sort -mfa_failures, -failed_attempts, -countries_count | `m365_copilot_failed_authentication_patterns_filter`'
+data_source: 
+- M365 Copilot Graph API
+how_to_implement:  This detection requires ingesting M365 Copilot access logs via the Splunk Add-on for Microsoft Office 365. Configure the add-on to collect Azure AD Sign-in logs (AuditLogs.SignIns) through the Graph API data input. Ensure proper authentication and permissions are configured to access sign-in audit logs. The `m365_copilot_graph_api` macro should be defined to filter for sourcetype o365:graph:api data containing Copilot application activity.
+known_false_positives: Legitimate users experiencing network connectivity issues, traveling employees with intermittent VPN connections, users in regions with unstable internet infrastructure, or password reset activities during business travel may trigger false positives.
+references:
+- https://www.splunk.com/en_us/blog/artificial-intelligence/m365-copilot-log-analysis-splunk.html
+drilldown_searches:
+- name: View the detection results for "$user$"
+  search: '%original_detection_search% | search  "$user = $user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for "$user$"
+  search: '| from datamodel Risk.All_Risk 
+  | search normalized_risk_object="$user$" 
+  | where _time >= relative_time(now(), "-168h@h") 
+  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: User $user$ exhibited suspicious M365 Copilot authentication patterns with $failed_attempts$ failed login attempts, $mfa_failures$ MFA failures, and access from $cities_count$ different locations, indicating potential credential compromise or brute force attack. 
+  risk_objects:
+  - field: user
+    type: user
+    score: 10
+  threat_objects: []
+tags:
+  analytic_story:
+  - Suspicious Microsoft 365 Copilot Activities
+  asset_type: Web Application
+  mitre_attack_id:
+  - T1110
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/m365_copilot/m365_copilot_access.log
+    sourcetype: "o365:graph:api"
+    source: "AuditLogs.SignIns"