Skip to content

Control 1.8: Runtime Protection and External Threat Detection

Control ID: 1.8
Pillar: Security
Regulatory Reference: FINRA Rule 3110, FINRA 25-07, SEC 2025 Examination Priorities, GLBA 501(b), NIST SP 800-53 SI-3/SI-4/SI-10
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated

Agent 365 Architecture Update

Agent 365 provides a centralized security posture dashboard showing misconfigurations, policy violations, and risk scores across all agent types in real time. This offers unified threat visibility beyond per-platform detection (such as Defender for Cloud Apps for Copilot Studio). See Unified Agent Governance for security posture management details.

Sovereign Cloud Availability (GCC / GCC High / DoD)

Several Control 1.8 surfaces are Preview or Prerelease in commercial cloud and have not been documented at parity for US Government clouds:

  • Defender for Cloud Apps AI Agent Protection — Preview in commercial; no documented GCC / GCC High / DoD parity (verify against Defender for Cloud Apps – AI Agent Protection)
  • Additional Threat Detection / Security Webhooks API — Prerelease in commercial; verify Azure Entra Federated Identity Credential parity in DoD (see external security provider)
  • Copilot Studio Prompt Shields and content moderation — Copilot Studio is GA in GCC and GCC High (requirements-licensing-gcc); generative-AI dependencies have separate availability constraints by cloud
  • AISPM dashboard in Defender XDR — Verify per-cloud availability against current Microsoft 365 Roadmap

For GCC High / DoD tenants: confirm per-capability availability against the live Learn pages and Power Platform service availability matrix before committing to native Defender or webhook-based runtime protection. Record any gap in your Zone-3 exception register and use the alternative surfaces (Prompt Shields + content moderation) until parity is confirmed.

Objective

Implement runtime security controls for Copilot Studio agents to detect and block prompt injection attacks, jailbreak attempts, and malicious agent behavior. This control provides real-time protection against adversarial inputs and external threats targeting AI agents.

Why This Matters for FSI

  • FINRA Rule 3110 / 25-07: Demonstrate AI governance and risk controls for agent operations; FINRA 25-07 requires real-time monitoring of AI outputs and comprehensive decision logging
  • SEC 2025 Examination Priorities: Implement appropriate safeguards for AI-driven customer interactions; examination focus includes adequacy of AI monitoring and supervision policies
  • GLBA 501(b): Protect customer NPI from exfiltration via AI agents
  • OCC 2011-12 / Fed SR 11-7: Model risk controls including ongoing performance monitoring and output controls for AI/ML systems handling financial data
  • NIST SP 800-53 SI-3/SI-4/SI-10: Malicious code protection, system monitoring, and input validation map directly to agent runtime protection requirements
  • FFIEC IT Handbook: Continuous monitoring and anomaly detection requirements for cybersecurity controls

Automation Available

Companion solutions in FSI-AgentGov-Solutions:

Control Description

Runtime Protection provides real-time security controls for Copilot Studio agents, detecting and blocking attacks before they execute. Combined with egress controls and SIEM integration, this creates a defense-in-depth approach to agent security.

Capability Description
AI Prompt Shield Block attempts to manipulate agent behavior through malicious inputs (prompt injection prevention)
Jailbreak detection Identify attempts to bypass agent guardrails
Content moderation Filter harmful, inappropriate, or sensitive content via Azure AI Content Safety
Egress controls Prevent data exfiltration via tools and connectors
External threat detection Real-time evaluation via third-party security providers (preview)
Defender integration Environment-level threat detection for Copilot Studio agents (Preview — verify GA status)
Native Defender for Cloud Apps AI agent inventory, activity logging, and real-time protection via Microsoft Defender

Native Microsoft Defender Integration (Defender for Cloud Apps)

Verify GA Status Before Production Deployment

Native Microsoft Defender integration for Copilot Studio agents provides comprehensive security capabilities through Defender for Cloud Apps, including agent discovery, activity logging, and real-time runtime protection. As of February 2026, Microsoft Learn documentation still indicates this feature may be in Preview. Verify current GA status at Microsoft Learn before deploying in production environments.

The Microsoft Defender - Copilot Studio AI Agents toggle in Power Platform Admin Center enables native integration with Microsoft Defender for Cloud Apps. This is distinct from the "Additional Threat Detection" feature (third-party webhooks) and provides three core capabilities:

Capability Description Data Population Time
AI Agents Inventory Discovers and catalogs all Copilot Studio agents across the tenant with security posture visibility Connection status: up to 30 minutes; full inventory: variable, depending on tenant size and complexity (Learn)
AI Agents Activity Logging Captures audit logs of agent runtime invocations via the MDA M365 Connector to Microsoft Purview Near real-time
Real-Time Protection Blocks suspicious tool invocations before execution with UPIA/XPIA detection Synchronous evaluation prior to tool execution; latency documented per Microsoft Learn

Prerequisites:

Requirement Details
Licensing (one of) (a) Microsoft Agent 365 license, OR (b) Microsoft Defender for Cloud Apps license AND Microsoft Copilot Studio license — per ai-agent-inventory
Defender preview opt-in Mandatory opt-in to preview features in both Microsoft Defender for Cloud and Microsoft Defender XDR
Roles Microsoft Defender XDR System Administrator (or Security Administrator) for Defender preview opt-in and portal toggle; Power Platform Administrator for the PPAC handshake. See role catalog.
Connector Microsoft 365 App Connector must be in Connected state in the Defender portal (Settings → Cloud apps → App connectors)
Agent Type Generative orchestration agents only (not "classic" agents)

Two-Portal Configuration Required:

  1. Microsoft Defender Portal - Enable Copilot Studio AI Agents feature and verify M365 App Connector
  2. Power Platform Admin Center - Enable the "Microsoft Defender - Copilot Studio AI Agents" toggle

Propagation Timeline:

  • Initial connection status: up to 30 minutes (Learn)
  • Full agent inventory population: variable; depends on tenant size and complexity (no Microsoft-published ceiling)
  • Real-time protection: active immediately after enablement

Defender XDR Integration:

When enabled, blocked agent actions create Defender XDR incidents that integrate with your SOC workflows:

  • Alert Generation: Blocked tool invocations generate Defender alerts
  • Advanced Hunting: Agent data available in Defender advanced hunting queries
  • Incident Correlation: Agent security events correlate with other M365 security signals

Security Event Visibility Gap

Blocked prompt events from Copilot Studio agents may not consistently appear in Defender advanced hunting. This inconsistency is acknowledged by Microsoft and under review. Organizations relying on advanced hunting queries for comprehensive blocked-prompt visibility should implement supplementary monitoring through Power Platform Admin Center analytics and Purview audit logs until this gap is resolved.

Defender XDR Retention Boundary (Records-Retention Disclaimer)

Defender XDR alerts and CloudAppEvents are operational telemetry with product-default retention windows — they are not WORM and not the system of record for SEC 17a-4 / FINRA 4511 records-retention obligations. For books-and-records retention of agent transcripts, blocked-prompt evidence, and tool-invocation artifacts, rely on Audit Premium long-term retention (Control 1.7) and Microsoft Purview retention policies (Control 1.5). Do not present Defender alerts as books-and-records evidence.

Licensing Consideration

Defender for Cloud Apps licensing is required for all users interacting with protected agents. Verify licensing coverage before enabling for production environments.

Regulatory Alignment for FSI:

Regulation Alignment
FINRA Rule 3110 Real-time monitoring of AI agent behavior supports supervisory requirements
SEC Regulation SCI System integrity controls for AI systems processing financial data
NYDFS Cyber Threat detection capabilities for AI-enabled attack patterns
GLBA 501(b) Protection of customer NPI accessed by AI agents

Additional Threat Detection (Third-Party/Custom Webhook)

Additional Threat Detection vs. Native Defender

Additional Threat Detection (this section) enables integration with third-party security providers or custom webhooks. For native Microsoft Defender integration (recommended for most FSI organizations), see the "Native Microsoft Defender Integration" section above.

The Additional Threat Detection capability in Power Platform Admin Center enables organizations to connect Copilot Studio agents to third-party security providers or custom webhooks for real-time threat evaluation. When enabled, every tool invocation by a generative agent is evaluated by the security provider before execution.

Configuration Item Description
Azure Entra App ID App registration for webhook authentication (with Federated Identity Credentials)
Endpoint Link Security provider webhook URL receiving tool invocation payloads
Error Behavior Action when provider is unavailable: Allow agent to respond OR Block query
Data Sharing Consent to share agent interaction data with the security provider

Key Characteristics:

  • Scope: Applies to generative orchestration agents only (not "classic" agents)
  • Response Timeout (provider-side requirement): The third-party security provider must respond within 1 second per external-security-provider — this is a publisher requirement on the third-party webhook, not a Microsoft-delivered SLA
  • Propagation Delay: App ID changes may take up to 1 minute to propagate
  • Environment-Level: Configured per environment or via Environment Groups for bulk deployment

Error Behavior Recommendation for FSI:

Setting Use Case FSI Recommendation
Allow agent to respond Lower friction, availability prioritized Zone 1 (Personal Productivity)
Block the query Higher security, fail-closed Zone 2/3 (Team/Enterprise)

For regulated financial services environments, select Block the query to maintain strict security posture when the threat detection provider is unavailable.

Security Webhooks API (External Threat Detection)

The Security Webhooks API enables integration with third-party security providers for real-time threat evaluation of Copilot Studio agent interactions. This preview capability allows organizations to extend runtime protection with specialized security services.

Provider Type Integration Pattern Example Providers
Prompt Security Webhook evaluates prompts before execution Palo Alto Networks, Robust Intelligence
Content Filtering External content safety evaluation Third-party content moderation APIs
Threat Intelligence Real-time threat lookup SIEM integration, threat feeds
Custom Rules Organization-specific detection logic Internal security services

Configuration Requirements:

  1. Entra App Registration - Create app registration for webhook authentication
  2. Webhook Endpoint - Deploy secure HTTPS endpoint (Azure Function, API Gateway)
  3. Response Format - Return allow, block, or warn decisions per message
  4. SLA Requirements - Webhook must respond within 1 second to avoid timeout

Security Webhooks API vs. Additional Threat Detection

The Security Webhooks API (documented below) is the underlying mechanism that powers the Additional Threat Detection feature in Power Platform Admin Center. Organizations can use either:

  • Power Platform Admin Center UI (recommended) - Simplified configuration via Security → Threat Protection (URL slug: /security/threatdetection)
  • Security Webhooks API (advanced) - Direct API configuration for automation scenarios

Third-Party Provider Assessment

When integrating third-party security providers (non-Microsoft Defender), evaluate provider security posture per Control 2.7 (Vendor Risk Management) before production deployment.

Vendor Assessment for Security Webhooks:

Before integrating third-party security providers, complete vendor risk assessment per Control 2.7:

  • Data handling: Does the provider process or store conversation content?
  • Geographic location: Where is the webhook endpoint hosted?
  • SOC 2 compliance: Is the provider SOC 2 Type II certified?
  • Breach notification: What is the provider's incident response SLA?

AI-Enabled Threat Patterns (NYDFS Cyber Guidance)

NYDFS cybersecurity guidance emphasizes detection of AI-enabled attack techniques. Runtime protection should address:

Threat Pattern Detection Approach FSI Impact
AI-Generated Phishing Analyze prompts for social engineering patterns targeting employee credentials or customer data Account takeover, unauthorized transactions
Deepfake Impersonation Detect requests referencing voice/video verification or C-suite authorization claims Wire fraud, unauthorized approvals
Synthetic Identity Prompts Flag prompts containing combinations of personal data that may indicate synthetic identities KYC/AML bypass, fraudulent account creation
Adversarial Data Extraction Block multi-turn conversations attempting to aggregate sensitive data incrementally Data exfiltration, MNPI exposure
AI-Assisted Reconnaissance Detect prompts probing for system architecture, security controls, or employee information Targeted attacks, insider threat enablement

Detection Configuration:

  1. Enable runtime protection with expanded pattern library for AI-enabled attacks
  2. Configure alert thresholds for social engineering indicators
  3. Integrate with security awareness training for detected attack patterns
  4. Report AI-enabled attack attempts to security operations within 15-minute SLA (Zone 3)

Key Configuration Points

  • Enable Managed Environments (required prerequisite)
  • Configure agent security settings in Power Platform Admin Center
  • Enable runtime protection with prompt injection and jailbreak detection
  • Configure content moderation with strict thresholds for regulated agents (see zone-specific levels below)
  • Implement egress controls via DLP and connector allowlists (Control 1.4)
  • Set up alert policies in Microsoft Purview for security events
  • Integrate with SIEM for real-time monitoring (Zone 2-3)
  • Enable native Microsoft Defender integration (recommended for non-production validation while in Preview; defer Zone 3 enablement until GA, or document explicit risk acceptance per Control 2.7 / Control 2.13)
  • Consider additional threat detection webhook for third-party providers (Prerelease — requires vendor assessment per Control 2.7 and TPRM sign-off; not recommended for Zone 3 customer-data agents until GA)

Content Moderation Level Configuration

Copilot Studio provides configurable content moderation levels that control how aggressively the Azure AI Content Safety service filters agent responses. Configure per agent in Copilot Studio > Agent > Settings > Generative AI > Content moderation.

Moderation Level Behavior Recommended Zone
Low Minimal filtering; allows broader responses Not recommended for FSI
Medium Balanced filtering; blocks clearly harmful content Zone 1 (Personal) minimum
High Strict filtering; blocks potentially sensitive or harmful content Zone 2 (Team) and Zone 3 (Enterprise)

FSI Recommendation: Set Content Moderation to High

For regulated financial services environments, set content moderation to High for all Zone 2 and Zone 3 agents. Zone 1 agents should use Medium at minimum. Agents with lower settings should be explicitly approved and documented with risk acceptance.

Zone-Specific Requirements

Zone Requirement Rationale
Zone 1 (Personal) Runtime protection optional; log-only mode; best-effort response; content moderation set to Medium minimum Low risk, reduced friction
Zone 2 (Team) Runtime protection required; block and log; 4-hour response SLA; content moderation set to High Shared agents require accountability
Zone 3 (Enterprise) Maximum protection; block and investigate; 15-minute response SLA; incident playbook required; content moderation set to High Customer-facing, highest risk

Roles & Responsibilities

Role Responsibility
Power Platform Admin Environment configuration, runtime protection settings, PPAC handshake (Security → Threat Protection) for native Defender, and Additional Threat Detection toggle
Microsoft Defender XDR System Administrator (or Security Administrator) Defender preview-feature opt-in (both Defender for Cloud and Defender XDR) and Defender portal toggle for Copilot Studio AI Agents; Defender XDR alert tuning and AISPM dashboard
Application Administrator (or Cloud Application Administrator) Entra app registration and Federated Identity Credential creation for Additional Threat Detection webhook
Compliance / Audit Admin Audit Logs / Audit Reader role for Unified Audit Log search of runtime events
Security Operations Monitor Defender XDR alerts and AISPM, investigate threats, route incidents to FSI Incident Handling
AI Governance Lead Agent security policies, exception register, incident playbooks, regulatory reportability decisions
Control Relationship
2.1 - Managed Environments Required prerequisite for runtime protection
1.7 - Audit Logging Logs runtime protection events
1.4 - Advanced Connector Policies Egress controls complement runtime protection
1.6 - Microsoft Purview DSPM for AI DSPM Activity Explorer ingests Defender agent activity events for compliance monitoring
1.12 - Insider Risk Detection Insider threat correlation
2.7 - Vendor Risk Management Third-party webhook provider assessment
FSI Incident Handling Playbook Incident-handling workflow and regulatory reportability for confirmed AI threat events

Regulatory Reportability for Confirmed AI Threat Events

Confirmed prompt-injection, jailbreak, or data-exfiltration events on Zone 2 / Zone 3 customer-facing agents may trigger one or more US regulatory notification obligations:

  • NY DFS Part 500 (23 NYCRR 500.17(a)) — 72-hour notification of cybersecurity events to the Superintendent
  • SEC Regulation S-P §248.30(a)(4) — customer notification timing for unauthorized access to NPI
  • FINRA Rule 4530(b) — written reports of specified events including security breaches affecting customer accounts

The determination of whether a given runtime-protection event triggers a reportable obligation is a Compliance / Legal decision, not an automated one. Use the FSI Incident Handling playbook above to route confirmed events to the firm's incident-response and reportability workflow within the documented intake SLA.

Automated Validation: Deny Event Correlation Report

For runtime threat detection correlation across RAI telemetry, Purview Audit, and DLP events with anomaly detection and zone-based alerting, see the Deny Event Correlation Report solution.

Capabilities:

  • Multi-source deny event extraction (RAI telemetry, Purview Audit, Purview DLP)
  • Daily correlation engine with 7-day trend analysis and volume anomaly detection
  • Zone-based alerting with Teams adaptive cards and email notifications
  • Dataverse persistence with zone-based retention (90d/365d/730d)
  • SHA-256 integrity-hashed evidence export with regulatory alignment mapping

Deployable Solution: deny-event-correlation-report provides PowerShell extraction scripts, Dataverse infrastructure, Power Automate orchestration flow, and evidence export pipeline.

Automated Validation: Content Moderation Governance Monitor

For automated detection of non-compliant content moderation settings on Copilot Studio agents per governance zone, see the Content Moderation Governance Monitor solution.

Capabilities:

  • Per-agent content moderation level validation (Low/Medium/High vs zone requirements)
  • Zone-based compliance checking (Zone 1: Medium minimum, Zone 2/3: High)
  • Drift detection with baseline comparison for configuration change tracking
  • Teams adaptive card alerts with severity classification and regulatory context
  • SHA-256 integrity-hashed evidence export for examination support

Deployable Solution: content-moderation-monitor provides PowerShell validation scripts, Power Automate flow definitions, and Dataverse schema for persistent governance state.

RAI Telemetry Capture (Copilot Studio)

For Copilot Studio agents, Application Insights integration enables capture of Responsible AI (RAI) content filtering events that are not available in Microsoft Purview audit logs.

Why RAI Telemetry Matters

Event Type Source What It Captures
ContentFiltered Application Insights RAI safety filter blocked agent response
PolicyDetails Purview Audit DLP/sensitivity policy enforcement
ResponseOutcome=Blocked Purview Audit Agent response blocked by policy
UPIA/XPIA Detection Defender CloudAppEvents Prompt injection attempts (requires Defender for Cloud Apps)

Prompt Injection Detection Locations

UPIA (User Prompt Injection Attack) and XPIA (Cross-domain Prompt Injection Attack) detections are available in both locations:

  • Purview CopilotInteraction schema: Contains JailbreakDetected and XPIADetected boolean flags as native fields (audit trail)
  • Defender CloudAppEvents: Provides threat analysis context, attack patterns, and investigation tools (security operations)

For compliance, Purview flags which resources had attacks detected. For security response, Defender provides the investigation context. Organizations without Defender for Cloud Apps can still audit detections through Purview, but should use Application Insights ContentFiltered events for RAI-layer blocking visibility.

RAI telemetry captures blocking events at the model layer (Azure AI Content Safety) rather than the governance layer (Microsoft Purview). Both are necessary for complete deny event visibility.

Application Insights Setup

Prerequisites: - Azure subscription with Application Insights resource - Copilot Studio license that supports generative agents (Application Insights configuration is part of the Generative AI advanced settings; not gated on a specific Premium SKU per current Microsoft Learn) - Application Insights connection string

Configuration per Agent:

  1. Open Copilot Studio > Select agent > Settings > Generative AI
  2. Enable Advanced settings toggle
  3. Under Application Insights, enter connection string
  4. Save and publish agent

Per-Agent Configuration

Application Insights must be configured for each Copilot Studio agent individually. There is no tenant-wide setting. Include this in agent onboarding checklists for Zone 2/3 agents.

KQL Query for ContentFiltered Events

Schema Verification Required

The Application Insights customDimensions schema for Copilot Studio events has not been published verbatim on Microsoft Learn. The query below is a starting point — validate customDimensions field names against your tenant's emitted telemetry before using it as audit evidence, and re-verify after each Copilot Studio platform update.

customEvents
| where timestamp > ago(24h)
| where name == "MicrosoftCopilotStudio"
| extend eventType = tostring(customDimensions["EventType"])
| where eventType == "ContentFiltered"
| extend
    agentId = tostring(customDimensions["BotId"]),
    sessionId = tostring(customDimensions["ConversationId"]),
    filterReason = tostring(customDimensions["FilterReason"])
| project timestamp, agentId, sessionId, filterReason, customDimensions
| order by timestamp desc

Zone-Specific Requirements

Zone RAI Telemetry Requirement
Zone 1 Optional; log-only for awareness
Zone 2 Required for shared agents; daily review
Zone 3 Required; real-time alerting; 15-minute response SLA

Correlation with Purview Audit

For comprehensive deny event correlation across RAI telemetry, Purview audit, and DLP events, see:

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

Advanced Implementation: Configuration Hardening Baseline

This control is covered by the Configuration Hardening Baseline, which consolidates SSPM-detectable settings across all 7 mapped controls into a single reviewable checklist with automation classification and evidence export procedures.

Verification Criteria

Confirm control effectiveness by verifying:

  1. Managed Environment is enabled for all regulated environments
  2. Runtime protection settings are configured and active
  3. Test prompt injection is blocked with log entry
  4. Egress controls block unauthorized connector/tool invocations
  5. Alert policies trigger on security events
  6. SIEM integration streams events within SLA (Zone 2-3)
  7. Native Microsoft Defender integration enabled (Zone 2/3)
  8. AI agent inventory populated in Defender portal
  9. Defender XDR alerts generated for blocked actions
  10. Content moderation level is set to High for all Zone 2/3 agents (Copilot Studio > Agent > Settings > Generative AI)
  11. No agents have content moderation set below Medium without documented risk acceptance

Additional Resources

Updated: February 2026 | Version: v1.4.0 | UI Verification Status: Current