
Control 1.8: Runtime Protection and External Threat Detection

Control ID: 1.8
Pillar: Security
Regulatory Reference: FINRA Rule 3110, SEC AI priorities, GLBA 501(b)
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03


Agent 365 Architecture Update

Agent 365 provides a centralized security posture dashboard showing misconfigurations, policy violations, and risk scores across all agent types in real time. This offers unified threat visibility beyond per-platform detection (such as Defender for Cloud Apps for Copilot Studio). See Unified Agent Governance for security posture management details.

Objective

Implement runtime security controls for Copilot Studio agents to detect and block prompt injection attacks, jailbreak attempts, and malicious agent behavior. This control provides real-time protection against adversarial inputs and external threats targeting AI agents.


Why This Matters for FSI

  • FINRA Rule 3110: Demonstrate AI governance and risk controls for agent operations
  • SEC AI Priorities: Implement appropriate safeguards for AI-driven customer interactions
  • GLBA 501(b): Protect customer NPI from exfiltration via AI agents
  • OCC 2011-12: Model risk controls for AI/ML systems handling financial data
  • FFIEC Guidance: Cybersecurity controls for fintech and AI applications

Control Description

Runtime Protection provides real-time security controls for Copilot Studio agents, detecting and blocking attacks before they execute. Combined with egress controls and SIEM integration, this creates a defense-in-depth approach to agent security.

| Capability | Description |
|---|---|
| AI Prompt Shield | Block attempts to manipulate agent behavior through malicious inputs (prompt injection prevention) |
| Jailbreak detection | Identify attempts to bypass agent guardrails |
| Content moderation | Filter harmful, inappropriate, or sensitive content via Azure AI Content Safety |
| Egress controls | Prevent data exfiltration via tools and connectors |
| External threat detection | Real-time evaluation via third-party security providers (preview) |
| Defender integration | Environment-level threat detection for Copilot Studio agents (GA February 2026) |
| Native Defender for Cloud Apps | AI agent inventory, activity logging, and real-time protection via Microsoft Defender |

Native Microsoft Defender Integration (Defender for Cloud Apps)

Verify GA Status Before Production Deployment

Native Microsoft Defender integration for Copilot Studio agents provides comprehensive security capabilities through Defender for Cloud Apps, including agent discovery, activity logging, and real-time runtime protection. As of February 2026, Microsoft Learn documentation still indicates this feature may be in Preview. Verify current GA status at Microsoft Learn before deploying in production environments.

The Microsoft Defender - Copilot Studio AI Agents toggle in Power Platform Admin Center enables native integration with Microsoft Defender for Cloud Apps. This is distinct from the "Additional Threat Detection" feature (third-party webhooks) and provides three core capabilities:

| Capability | Description | Data Population Time |
|---|---|---|
| AI Agents Inventory | Discovers and catalogs all Copilot Studio agents across the tenant with security posture visibility | 2-24 hours initial |
| AI Agents Activity Logging | Captures audit logs of agent runtime invocations via the MDA M365 Connector to Microsoft Purview | Near real-time |
| Real-Time Protection | Blocks suspicious tool invocations before execution with UPIA/XPIA detection | 1-second response |

Prerequisites:

| Requirement | Details |
|---|---|
| Licensing | Microsoft Defender for Cloud Apps (included in Microsoft 365 E5) |
| Roles | Power Platform Admin + Entra Security Admin (Defender XDR access) |
| Connector | Microsoft 365 App Connector must be configured in Defender portal |
| Agent Type | Generative orchestration agents only (not "classic" agents) |

Two-Portal Configuration Required:

  1. Microsoft Defender Portal - Enable Copilot Studio AI Agents feature and verify M365 App Connector
  2. Power Platform Admin Center - Enable the "Microsoft Defender - Copilot Studio AI Agents" toggle

Propagation Timeline:

  • Initial connection: Up to 30 minutes
  • Full agent inventory population: Up to 24 hours
  • Real-time protection: Active immediately after enablement

Defender XDR Integration:

When enabled, blocked agent actions create Defender XDR incidents that integrate with your SOC workflows:

  • Alert Generation: Blocked tool invocations generate Defender alerts
  • Advanced Hunting: Agent data available in Defender advanced hunting queries
  • Incident Correlation: Agent security events correlate with other M365 security signals

Security Event Visibility Gap

Blocked prompt events from Copilot Studio agents may not consistently appear in Defender advanced hunting. This inconsistency is acknowledged by Microsoft and under review. Organizations relying on advanced hunting queries for comprehensive blocked-prompt visibility should implement supplementary monitoring through Power Platform Admin Center analytics and Purview audit logs until this gap is resolved.

Licensing Consideration

Defender for Cloud Apps licensing is required for all users interacting with protected agents. Verify licensing coverage before enabling for production environments.

Regulatory Alignment for FSI:

| Regulation | Alignment |
|---|---|
| FINRA Rule 3110 | Real-time monitoring of AI agent behavior supports supervisory requirements |
| SEC Regulation SCI | System integrity controls for AI systems processing financial data |
| NYDFS Cyber | Threat detection capabilities for AI-enabled attack patterns |
| GLBA 501(b) | Protection of customer NPI accessed by AI agents |

Additional Threat Detection (Third-Party/Custom Webhook)

Additional Threat Detection vs. Native Defender

Additional Threat Detection (this section) enables integration with third-party security providers or custom webhooks. For native Microsoft Defender integration (recommended for most FSI organizations), see the "Native Microsoft Defender Integration" section above.

The Additional Threat Detection capability in Power Platform Admin Center enables organizations to connect Copilot Studio agents to third-party security providers or custom webhooks for real-time threat evaluation. When enabled, every tool invocation by a generative agent is evaluated by the security provider before execution.

| Configuration Item | Description |
|---|---|
| Azure Entra App ID | App registration for webhook authentication (with Federated Identity Credentials) |
| Endpoint Link | Security provider webhook URL receiving tool invocation payloads |
| Error Behavior | Action when provider is unavailable: Allow agent to respond OR Block query |
| Data Sharing | Consent to share agent interaction data with the security provider |

Key Characteristics:

  • Scope: Applies to generative orchestration agents only (not "classic" agents)
  • Response Timeout: Security provider must respond within 1 second
  • Propagation Delay: App ID changes may take up to 1 minute to propagate
  • Environment-Level: Configured per environment or via Environment Groups for bulk deployment

Error Behavior Recommendation for FSI:

| Setting | Use Case | FSI Recommendation |
|---|---|---|
| Allow agent to respond | Lower friction, availability prioritized | Zone 1 (Personal Productivity) |
| Block the query | Higher security, fail-closed | Zone 2/3 (Team/Enterprise) |

For regulated financial services environments, select Block the query to maintain strict security posture when the threat detection provider is unavailable.

Security Webhooks API (External Threat Detection)

The Security Webhooks API enables integration with third-party security providers for real-time threat evaluation of Copilot Studio agent interactions. This preview capability allows organizations to extend runtime protection with specialized security services.

| Provider Type | Integration Pattern | Example Providers |
|---|---|---|
| Prompt Security | Webhook evaluates prompts before execution | Palo Alto Networks, Robust Intelligence |
| Content Filtering | External content safety evaluation | Third-party content moderation APIs |
| Threat Intelligence | Real-time threat lookup | SIEM integration, threat feeds |
| Custom Rules | Organization-specific detection logic | Internal security services |

Configuration Requirements:

  1. Entra App Registration - Create app registration for webhook authentication
  2. Webhook Endpoint - Deploy secure HTTPS endpoint (Azure Function, API Gateway)
  3. Response Format - Return allow, block, or warn decisions per message
  4. SLA Requirements - Webhook must respond within 1 second to avoid timeout
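The Error Behavior setting and the 1-second response budget described above, as an added example that is not code from the page, from Microsoft's Security Webhooks API, or from any provider. The tool-invocation payload shape, the provider callables and the allowlist rule are constructed assumptions; the point it shows is that a timeout, a transport error and a malformed verdict all fall through to the configured fail-open or fail-closed behavior.

```python
"""Added example, not code from the page, Microsoft or any provider: shows how a
caller should treat a security-provider webhook verdict under the 1-second budget
and the configured Error Behavior. Payload shape and providers are constructed."""
import concurrent.futures
import time
from typing import Callable, Dict

PROVIDER_TIMEOUT_SECONDS = 1.0                 # page: provider must respond within 1 second
VALID_DECISIONS = {"allow", "block", "warn"}   # page: decisions returned per message


def evaluate_tool_invocation(payload: Dict, provider: Callable[[Dict], Dict],
                             error_behavior: str = "block",
                             timeout: float = PROVIDER_TIMEOUT_SECONDS) -> Dict:
    """Return {'decision': allow|block|warn, 'reason': str} for one tool invocation.

    error_behavior mirrors the Admin Center setting for an unavailable provider:
      'allow' = "Allow agent to respond" (fail-open, Zone 1)
      'block' = "Block the query"        (fail-closed, Zone 2/3)
    """
    if error_behavior not in ("allow", "block"):
        raise ValueError("error_behavior must be 'allow' or 'block'")
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(provider, payload)
    try:
        verdict = future.result(timeout=timeout)
    except concurrent.futures.TimeoutError:
        return {"decision": error_behavior, "reason": "provider timeout"}
    except Exception as exc:                    # transport or provider failure
        return {"decision": error_behavior, "reason": f"provider error: {exc}"}
    finally:
        pool.shutdown(wait=False)               # never hold the agent turn on a slow provider
    if not isinstance(verdict, dict):
        verdict = {}
    decision = str(verdict.get("decision", "")).lower()
    if decision not in VALID_DECISIONS:         # malformed verdict is treated like an outage
        return {"decision": error_behavior, "reason": "malformed provider response"}
    return {"decision": decision, "reason": str(verdict.get("reason", ""))}


# Constructed stand-ins for a third-party provider (hypothetical tool names).
ALLOWED_TOOLS = {"SharePoint.Search", "ServiceNow.CreateTicket"}

def allowlist_provider(payload: Dict) -> Dict:
    tool = payload.get("tool", "")
    if tool not in ALLOWED_TOOLS:
        return {"decision": "block", "reason": f"{tool} is not on the connector allowlist"}
    if payload.get("arguments", {}).get("external_recipient"):
        return {"decision": "warn", "reason": "external data sharing requested"}
    return {"decision": "allow", "reason": "ok"}

def slow_provider(payload: Dict) -> Dict:
    time.sleep(payload.get("simulated_latency", 2.0))   # exceeds the 1-second budget
    return {"decision": "allow", "reason": "late"}

def failing_provider(payload: Dict) -> Dict:
    raise RuntimeError("HTTP 503 from provider")
```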

Security Webhooks API vs. Additional Threat Detection

The Security Webhooks API (documented below) is the underlying mechanism that powers the Additional Threat Detection feature in Power Platform Admin Center. Organizations can use either:

  • Power Platform Admin Center UI (recommended) - Simplified configuration via Security → Threat Detection
  • Security Webhooks API (advanced) - Direct API configuration for automation scenarios

Third-Party Provider Assessment

When integrating third-party security providers (non-Microsoft Defender), evaluate provider security posture per Control 2.7 (Vendor Risk Management) before production deployment.

Vendor Assessment for Security Webhooks:

Before integrating third-party security providers, complete vendor risk assessment per Control 2.7:

  • Data handling: Does the provider process or store conversation content?
  • Geographic location: Where is the webhook endpoint hosted?
  • SOC 2 compliance: Is the provider SOC 2 Type II certified?
  • Breach notification: What is the provider's incident response SLA?

AI-Enabled Threat Patterns (NYDFS Cyber Guidance)

NYDFS cybersecurity guidance emphasizes detection of AI-enabled attack techniques. Runtime protection should address:

| Threat Pattern | Detection Approach | FSI Impact |
|---|---|---|
| AI-Generated Phishing | Analyze prompts for social engineering patterns targeting employee credentials or customer data | Account takeover, unauthorized transactions |
| Deepfake Impersonation | Detect requests referencing voice/video verification or C-suite authorization claims | Wire fraud, unauthorized approvals |
| Synthetic Identity Prompts | Flag prompts containing combinations of personal data that may indicate synthetic identities | KYC/AML bypass, fraudulent account creation |
| Adversarial Data Extraction | Block multi-turn conversations attempting to aggregate sensitive data incrementally | Data exfiltration, MNPI exposure |
| AI-Assisted Reconnaissance | Detect prompts probing for system architecture, security controls, or employee information | Targeted attacks, insider threat enablement |

Detection Configuration:

  1. Enable runtime protection with expanded pattern library for AI-enabled attacks
  2. Configure alert thresholds for social engineering indicators
  3. Integrate with security awareness training for detected attack patterns
  4. Report AI-enabled attack attempts to security operations within 15-minute SLA (Zone 3)

Key Configuration Points

  • Enable Managed Environments (required prerequisite)
  • Configure agent security settings in Power Platform Admin Center
  • Enable runtime protection with prompt injection and jailbreak detection
  • Configure content moderation with strict thresholds for regulated agents (see zone-specific levels below)
  • Implement egress controls via DLP and connector allowlists (Control 1.4)
  • Set up alert policies in Microsoft Purview for security events
  • Integrate with SIEM for real-time monitoring (Zone 2-3)
  • Enable native Microsoft Defender integration (recommended for FSI)
  • Consider additional threat detection webhook for third-party providers (requires vendor assessment)

Content Moderation Level Configuration

Copilot Studio provides configurable content moderation levels that control how aggressively the Azure AI Content Safety service filters agent responses. Configure per agent in Copilot Studio > Agent > Settings > Generative AI > Content moderation.

| Moderation Level | Behavior | Recommended Zone |
|---|---|---|
| Low | Minimal filtering; allows broader responses | Not recommended for FSI |
| Medium | Balanced filtering; blocks clearly harmful content | Zone 1 (Personal) minimum |
| High | Strict filtering; blocks potentially sensitive or harmful content | Zone 2 (Team) and Zone 3 (Enterprise) |

FSI Recommendation: Set Content Moderation to High

For regulated financial services environments, set content moderation to High for all Zone 2 and Zone 3 agents. Zone 1 agents should use Medium at minimum. Agents with lower settings should be explicitly approved and documented with risk acceptance.


Zone-Specific Requirements

| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Runtime protection optional; log-only mode; best-effort response; content moderation set to Medium minimum | Low risk, reduced friction |
| Zone 2 (Team) | Runtime protection required; block and log; 4-hour response SLA; content moderation set to High | Shared agents require accountability |
| Zone 3 (Enterprise) | Maximum protection; block and investigate; 15-minute response SLA; incident playbook required; content moderation set to High | Customer-facing, highest risk |

Roles & Responsibilities

| Role | Responsibility |
|---|---|
| Power Platform Admin | Environment configuration and runtime protection settings |
| Entra Security Admin | Enable Copilot Studio AI Agents feature in Defender portal; app registration for external threat detection |
| Security Operations | Monitor alerts and investigate threats |
| AI Governance Lead | Agent security policies and incident playbooks |

| Control | Relationship |
|---|---|
| 2.1 - Managed Environments | Required prerequisite for runtime protection |
| 1.7 - Audit Logging | Logs runtime protection events |
| 1.4 - Advanced Connector Policies | Egress controls complement runtime protection |
| 1.6 - Microsoft Purview DSPM for AI | DSPM Activity Explorer ingests Defender agent activity events for compliance monitoring |
| 1.12 - Insider Risk Detection | Insider threat correlation |
| 2.7 - Vendor Risk Management | Third-party webhook provider assessment |

Automated Validation: Deny Event Correlation Report

For runtime threat detection correlation across RAI telemetry, Purview Audit, and DLP events with anomaly detection and zone-based alerting, see the Deny Event Correlation Report solution.

Capabilities:

  • Multi-source deny event extraction (RAI telemetry, Purview Audit, Purview DLP)
  • Daily correlation engine with 7-day trend analysis and volume anomaly detection
  • Zone-based alerting with Teams adaptive cards and email notifications
  • Dataverse persistence with zone-based retention (90d/365d/730d)
  • SHA-256 integrity-hashed evidence export with regulatory alignment mapping

Deployable Solution: deny-event-correlation-report provides PowerShell extraction scripts, Dataverse infrastructure, Power Automate orchestration flow, and evidence export pipeline.


Automated Validation: Content Moderation Governance Monitor

For automated detection of non-compliant content moderation settings on Copilot Studio agents per governance zone, see the Content Moderation Governance Monitor solution.

Capabilities:

  • Per-agent content moderation level validation (Low/Medium/High vs zone requirements)
  • Zone-based compliance checking (Zone 1: Medium minimum, Zone 2/3: High)
  • Drift detection with baseline comparison for configuration change tracking
  • Teams adaptive card alerts with severity classification and regulatory context
  • SHA-256 integrity-hashed evidence export for examination support

Deployable Solution: content-moderation-monitor provides PowerShell validation scripts, Power Automate flow definitions, and Dataverse schema for persistent governance state.
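The zone checks from the Content Moderation Level Configuration section (Zone 1 Medium minimum, Zone 2/3 High, documented risk acceptance for anything lower) together with the drift detection and SHA-256 evidence export listed above, as an added example. It is not the content-moderation-monitor solution's own PowerShell; the agent inventory, the stored baseline and the risk-acceptance identifier are constructed.

```python
"""Added example, not the content-moderation-monitor solution's own PowerShell:
validates each agent's Copilot Studio moderation level against its zone's
minimum, detects drift from a stored baseline, and hashes the evidence export
with SHA-256. The inventory, baseline and risk-acceptance IDs are constructed."""
import hashlib
import json
from typing import Dict, List, Tuple

LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
ZONE_MINIMUM = {1: "Medium", 2: "High", 3: "High"}   # page: Zone 1 Medium minimum, Zone 2/3 High


def check_agent(agent: Dict) -> Dict:
    """Classify one agent as compliant, accepted-risk (documented exception) or non-compliant."""
    required = ZONE_MINIMUM[agent["zone"]]
    actual = agent["moderation"]
    if LEVEL_RANK[actual] >= LEVEL_RANK[required]:
        status, severity = "compliant", "none"
    elif agent.get("risk_acceptance"):          # page: lower settings need documented risk acceptance
        status, severity = "accepted-risk", "info"
    else:
        status, severity = "non-compliant", ("high" if agent["zone"] == 3 else "medium")
    return {"agent": agent["name"], "zone": agent["zone"], "required": required,
            "actual": actual, "status": status, "severity": severity}


def detect_drift(baseline: Dict[str, str], agents: List[Dict]) -> List[Dict]:
    """Report agents whose level changed since the last run (baseline maps name -> level)."""
    return [{"agent": a["name"], "from": baseline[a["name"]], "to": a["moderation"]}
            for a in agents
            if a["name"] in baseline and baseline[a["name"]] != a["moderation"]]


def evidence_export(findings: List[Dict], drift: List[Dict]) -> Dict:
    """Canonical JSON plus its SHA-256 so examiners can verify the export was not altered."""
    body = json.dumps({"findings": findings, "drift": drift}, sort_keys=True, separators=(",", ":"))
    return {"body": body, "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest()}


def verify_evidence(export: Dict) -> bool:
    return hashlib.sha256(export["body"].encode("utf-8")).hexdigest() == export["sha256"]


# Constructed sample inventory and prior-run baseline (not real agents).
SAMPLE_AGENTS = [
    {"name": "hr-faq", "zone": 1, "moderation": "Medium"},
    {"name": "trading-desk-helper", "zone": 2, "moderation": "Medium"},
    {"name": "customer-service", "zone": 3, "moderation": "High"},
    {"name": "research-assistant", "zone": 3, "moderation": "Low", "risk_acceptance": "RA-0042"},
]
SAMPLE_BASELINE = {"hr-faq": "Medium", "trading-desk-helper": "High", "customer-service": "High"}


def run(agents: List[Dict] = SAMPLE_AGENTS, baseline: Dict[str, str] = SAMPLE_BASELINE) -> Tuple:
    findings = [check_agent(a) for a in agents]
    drift = detect_drift(baseline, agents)
    return findings, drift, evidence_export(findings, drift)
```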


RAI Telemetry Capture (Copilot Studio)

For Copilot Studio agents, Application Insights integration enables capture of Responsible AI (RAI) content filtering events that are not available in Microsoft Purview audit logs.

Why RAI Telemetry Matters

| Event Type | Source | What It Captures |
|---|---|---|
| ContentFiltered | Application Insights | RAI safety filter blocked agent response |
| PolicyDetails | Purview Audit | DLP/sensitivity policy enforcement |
| ResponseOutcome=Blocked | Purview Audit | Agent response blocked by policy |
| UPIA/XPIA Detection | Defender CloudAppEvents | Prompt injection attempts (requires Defender for Cloud Apps) |

Prompt Injection Detection Locations

UPIA (User Prompt Injection Attack) and XPIA (Cross-domain Prompt Injection Attack) detections are available in both locations:

  • Purview CopilotInteraction schema: Contains JailbreakDetected and XPIADetected boolean flags as native fields (audit trail)
  • Defender CloudAppEvents: Provides threat analysis context, attack patterns, and investigation tools (security operations)

For compliance, Purview flags which resources had attacks detected. For security response, Defender provides the investigation context. Organizations without Defender for Cloud Apps can still audit detections through Purview, but should use Application Insights ContentFiltered events for RAI-layer blocking visibility.

RAI telemetry captures blocking events at the model layer (Azure AI Content Safety) rather than the governance layer (Microsoft Purview). Both are necessary for complete deny event visibility.
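The multi-source deny-event correlation described above (and in the Deny Event Correlation Report section), as an added example that is not the solution's own code: it folds RAI ContentFiltered events, Purview JailbreakDetected/XPIADetected/ResponseOutcome=Blocked records and Defender CloudAppEvents detections into one incident per agent conversation, so a single blocked turn seen by all three layers is not triple-counted, and attaches the zone response SLA. Field names beyond those the page names are assumptions, and every record is constructed.

```python
"""Added example, not the deny-event-correlation-report solution's own code: folds deny
events from the three sources above into one record per agent conversation and attaches the
zone response SLA. Field names other than those the page names (EventType, BotId, ConversationId,
FilterReason, JailbreakDetected, XPIADetected, ResponseOutcome, PolicyDetails) are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

ZONE_SLA = {1: None, 2: timedelta(hours=4), 3: timedelta(minutes=15)}   # page SLAs; Zone 1 best-effort
ZONE_ACTION = {1: "log-only", 2: "block-and-log", 3: "block-and-investigate"}

def normalise(raw: Dict) -> List[Dict]:
    hits = []
    if raw["source"] == "appinsights":                        # RAI layer (Application Insights)
        d = raw["customDimensions"]
        if d.get("EventType") == "ContentFiltered":
            hits.append(("rai", d["BotId"], d["ConversationId"], d.get("FilterReason", "")))
    elif raw["source"] == "purview":                          # governance layer (Purview audit)
        if raw.get("ResponseOutcome") == "Blocked":
            hits.append(("policy", raw["AgentId"], raw["SessionId"], raw.get("PolicyDetails", "")))
        if raw.get("JailbreakDetected"):
            hits.append(("upia", raw["AgentId"], raw["SessionId"], "JailbreakDetected"))
        if raw.get("XPIADetected"):
            hits.append(("xpia", raw["AgentId"], raw["SessionId"], "XPIADetected"))
    elif raw["source"] == "defender" and raw.get("Blocked"):  # Defender CloudAppEvents
        hits.append(("defender", raw["AgentId"], raw["SessionId"], raw.get("Detection", "")))
    return [{"type": t, "agent": a, "conversation": c, "detail": x, "time": raw["time"]} for t, a, c, x in hits]

def correlate(raw_events: List[Dict], agent_zone: Dict[str, int]) -> List[Dict]:
    """Group deny events by (agent, conversation) and derive the response deadline from the zone."""
    groups = defaultdict(list)
    for raw in raw_events:
        for ev in normalise(raw):
            groups[(ev["agent"], ev["conversation"])].append(ev)
    incidents = []
    for (agent, conv), evs in sorted(groups.items()):
        zone = agent_zone.get(agent, 3)                      # unknown agent: treat as Zone 3
        first_seen = min(e["time"] for e in evs)
        sla = ZONE_SLA[zone]
        incidents.append({"agent": agent, "conversation": conv, "zone": zone,
                          "types": sorted({e["type"] for e in evs}), "first_seen": first_seen,
                          "respond_by": None if sla is None else first_seen + sla,
                          "action": ZONE_ACTION[zone]})
    return incidents

# Constructed sample records (timestamps, IDs and detections are made up).
T0 = datetime(2026, 2, 3, 9, 0)
SAMPLE_EVENTS = [
    {"source": "appinsights", "time": T0, "customDimensions": {"EventType": "ContentFiltered",
     "BotId": "agent-cs", "ConversationId": "conv-1", "FilterReason": "Jailbreak"}},
    {"source": "defender", "time": T0 + timedelta(seconds=1), "AgentId": "agent-cs",
     "SessionId": "conv-1", "Blocked": True, "Detection": "UPIA"},
    {"source": "purview", "time": T0 + timedelta(seconds=2), "AgentId": "agent-cs",
     "SessionId": "conv-1", "JailbreakDetected": True, "XPIADetected": False},
    {"source": "purview", "time": T0 + timedelta(minutes=30), "AgentId": "agent-hr",
     "SessionId": "conv-2", "ResponseOutcome": "Blocked", "PolicyDetails": "DLP policy"},
    {"source": "appinsights", "time": T0, "customDimensions": {"EventType": "UserMessage",
     "BotId": "agent-hr", "ConversationId": "conv-3"}},        # not a deny event
]
AGENT_ZONE = {"agent-cs": 3, "agent-hr": 1}
```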

Application Insights Setup

Prerequisites:

  • Azure subscription with Application Insights resource
  • Copilot Studio Premium license (per-agent telemetry configuration)
  • Application Insights connection string

Configuration per Agent:

  1. Open Copilot Studio > Select agent > Settings > Generative AI
  2. Enable Advanced settings toggle
  3. Under Application Insights, enter connection string
  4. Save and publish agent

Per-Agent Configuration

Application Insights must be configured for each Copilot Studio agent individually. There is no tenant-wide setting. Include this in agent onboarding checklists for Zone 2/3 agents.

KQL Query for ContentFiltered Events

customEvents
| where timestamp > ago(24h)
| where name == "MicrosoftCopilotStudio"
| extend eventType = tostring(customDimensions["EventType"])
| where eventType == "ContentFiltered"          // RAI safety filter blocked the agent response
| extend
    agentId = tostring(customDimensions["BotId"]),
    sessionId = tostring(customDimensions["ConversationId"]),
    filterReason = tostring(customDimensions["FilterReason"])
| project timestamp, agentId, sessionId, filterReason, customDimensions   // keep raw dimensions for investigation
| order by timestamp desc

Zone-Specific Requirements

| Zone | RAI Telemetry Requirement |
|---|---|
| Zone 1 | Optional; log-only for awareness |
| Zone 2 | Required for shared agents; daily review |
| Zone 3 | Required; real-time alerting; 15-minute response SLA |

Correlation with Purview Audit

For comprehensive deny event correlation across RAI telemetry, Purview audit, and DLP events, see:


Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

Advanced Implementation: Configuration Hardening Baseline

This control is covered by the Configuration Hardening Baseline, which consolidates SSPM-detectable settings across all 7 mapped controls into a single reviewable checklist with automation classification and evidence export procedures.


Verification Criteria

Confirm control effectiveness by verifying:

  1. Managed Environment is enabled for all regulated environments
  2. Runtime protection settings are configured and active
  3. Test prompt injection is blocked with log entry
  4. Egress controls block unauthorized connector/tool invocations
  5. Alert policies trigger on security events
  6. SIEM integration streams events within SLA (Zone 2-3)
  7. Native Microsoft Defender integration enabled (Zone 2/3)
  8. AI agent inventory populated in Defender portal
  9. Defender XDR alerts generated for blocked actions
  10. Content moderation level is set to High for all Zone 2/3 agents (Copilot Studio > Agent > Settings > Generative AI)
  11. No agents have content moderation set below Medium without documented risk acceptance

Additional Resources


Updated: February 2026 | Version: v1.3 | UI Verification Status: Current