Microsoft has published a practitioner playbook for investigating Microsoft 365 Copilot and Azure AI activity, giving security teams a workflow for reconstructing incidents involving prompt injection, jailbreak attempts, credential exposure or suspected data access.

The June 2026 playbook, See What Happened: A Practitioner’s Playbook for Microsoft 365 Copilot and Azure AI Services, was produced by Microsoft’s AeGIS organization and introduced in a June 9 Microsoft Security Blog post.

“AI systems are now part of everyday work. Investigators need a consistent way to reconstruct what happened within them,” the blog states. The post says security teams are already investigating Microsoft 365 Copilot and Azure AI activity, including prompt-injection attempts and unexpected data access.

Microsoft wrote that organizations are integrating AI services into workflows faster than most security teams can update threat models and response capabilities. Employees are using Copilot across Microsoft 365 workloads, while development teams are deploying custom agents through Azure AI Foundry, expanding the attack surface with each new capability.

Mapping the investigation workflow and telemetry requirements

The guidance organizes AI investigations around a familiar sequence: who used the system, when the activity occurred, which service was involved, what resources were touched and whether alerts such as prompt injection, anomalous usage or credential exposure fit the wider activity chain.

The workflow depends on telemetry already available across Microsoft security products. The playbook lists Microsoft Purview with Unified Audit Log capabilities, Defender for Cloud Apps, Defender XDR and Microsoft Sentinel as licensing dependencies.

It also requires Global Administrator or Security Administrator permissions and a Sentinel-enabled Log Analytics workspace for configuration.

Microsoft’s reference architecture sends Microsoft 365 Copilot activity into the Purview Unified Audit Log, routes security signals through Defender for Cloud Apps and Defender XDR, then moves correlation and analytics into Sentinel.

Separating metadata from full prompt content

The telemetry gives investigators identity, time, workload, accessed-resource, correlation and AI safety metadata. Microsoft draws a hard line around content evidence: ‘Audit logs do not store full prompt and response text.’ For prompt, response or memory content, the playbook directs investigators to Microsoft Purview eDiscovery or DSPM for AI.

For Microsoft 365 Copilot, the playbook uses CopilotActivity to build a timeline of user activity and identify the files, emails, calendar items or other resources referenced during an interaction.

Microsoft tells investigators to use those referenced resources to determine the ‘blast radius’ of Copilot activity and cross-check unusual access patterns against DLP or data-classification systems.

The playbook also specifies that a JailbreakDetected value of true is a potential jailbreak signal, not a confirmed attack. The same caution applies to usage volume: more than 50 Copilot events per user-hour is an outlier worth checking, but power users, automated workflows or testing activity can produce similar patterns.

Tracking credential theft and agent trails in Azure AI

Azure AI and Foundry investigations use a different surface. The playbook directs teams to Defender for Cloud alerts in Sentinel’s SecurityAlert table and Azure operations in AzureActivity. Credential-theft alerts cover cases where credentials appeared in a model response. Jailbreak alerts cover attempts blocked or detected by content filtering.

Microsoft also gives investigators a one-hour correlation pattern that connects Azure AI credential-theft alerts with deployment writes and key-listing actions. A credential-theft alert followed by key listing can suggest follow-on access, while exposed credentials still require remediation even without matching activity.
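The one-hour correlation described above can be sketched offline. This is an added example, not a query from Microsoft's playbook: the records are constructed, the field names are hypothetical rather than a Sentinel schema, and the two Azure operation names, the join on resource and the "after the alert" direction of the window are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # one-hour correlation window described in the article
ts = datetime.fromisoformat
# Assumption: Azure operation names standing in for "key listing" and "deployment writes".
LISTKEYS = "MICROSOFT.COGNITIVESERVICES/ACCOUNTS/LISTKEYS/ACTION"
DEPLOY = "MICROSOFT.COGNITIVESERVICES/ACCOUNTS/DEPLOYMENTS/WRITE"
FOLLOW_ON_OPS = {LISTKEYS: "key_listing", DEPLOY: "deployment_write"}

# Constructed sample records; field names are hypothetical, not a Sentinel schema.
ALERTS = [
    {"time": ts("2026-06-01T10:05:00"), "kind": "credential_theft", "resource": "aoai-prod"},
    {"time": ts("2026-06-01T10:10:00"), "kind": "jailbreak", "resource": "aoai-prod"},
    {"time": ts("2026-06-01T14:00:00"), "kind": "credential_theft", "resource": "aoai-dev"},
]
ACTIVITY = [
    {"time": ts("2026-06-01T09:50:00"), "op": LISTKEYS, "resource": "aoai-prod", "caller": "admin@example.com"},
    {"time": ts("2026-06-01T10:50:00"), "op": DEPLOY, "resource": "aoai-prod", "caller": "svc-build@example.com"},
    {"time": ts("2026-06-01T10:20:00"), "op": LISTKEYS, "resource": "aoai-prod", "caller": "svc-build@example.com"},
    {"time": ts("2026-06-01T11:30:00"), "op": LISTKEYS, "resource": "aoai-prod", "caller": "svc-build@example.com"},
    {"time": ts("2026-06-01T14:10:00"), "op": LISTKEYS, "resource": "aoai-prod", "caller": "admin@example.com"},
]

def correlate(alerts, activity, window=WINDOW):
    """Pair each credential-theft alert with follow-on operations on the same resource."""
    findings = []
    for alert in alerts:
        if alert["kind"] != "credential_theft":
            continue  # jailbreak alerts are triaged separately
        hits = sorted(
            (e for e in activity
             if e["resource"] == alert["resource"]
             and e["op"].upper() in FOLLOW_ON_OPS
             and alert["time"] <= e["time"] <= alert["time"] + window),
            key=lambda e: e["time"],
        )
        labels = [(FOLLOW_ON_OPS[e["op"].upper()], e["caller"]) for e in hits]
        findings.append({
            "resource": alert["resource"],
            "follow_on": labels,
            # Key listing after the alert suggests follow-on access.
            "follow_on_suspected": any(name == "key_listing" for name, _ in labels),
            # Exposed credentials need remediation even with no matching activity.
            "remediate": True,
        })
    return findings
```

Calling `correlate(ALERTS, ACTIVITY)` yields one finding per credential-theft alert; activity before the alert, outside the hour or on another resource is excluded.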

The agent section widens the investigation beyond prompts. Defender XDR Advanced Hunting queries list active Agent 365 agents, identify agents configured with Model Context Protocol tools and find agents with no user authentication configured.

Microsoft says MCP tool configurations allow agents to invoke external tools, widening the investigation beyond prompts and responses. The playbook also flags agents that can be used without authenticating the person interacting with them. In those cases, activity may be harder to attribute to a named user, weakening one of the basic requirements of incident response: knowing who did what.

Microsoft includes Sentinel analytic rule templates for credential theft, jailbreak attempts, suspicious access patterns and several preview agent-related detections.

Aligning response strategies with industry frameworks

The Microsoft guidance aligns with NIST’s Generative AI Profile, which recommends incident monitoring, after-action reviews, AI system inventory and documentation practices for generative AI systems. The same profile says logging, recording and analyzing generative AI incidents can help organizations share information with relevant AI actors.

OWASP’s 2025 Top 10 for LLMs and GenAI Apps identifies prompt injection, sensitive information disclosure, improper output handling and excessive agency among core risks. Microsoft’s playbook gives those categories an investigation path inside its own stack: identify the user, map the resources, correlate the alert, review agent configuration and preserve the evidence.
