Troubleshooting: Control 1.21 - Adversarial Input Logging
Last Updated: January 2026
Common Issues
| Issue | Cause | Resolution |
|---|---|---|
| Events not appearing | Audit delay | Wait 15-30 minutes |
| Sentinel rule not firing | Query syntax error | Validate KQL |
| High false positive rate | Pattern too broad | Refine detection patterns |
| Encoding not detected | Pattern mismatch | Update regex patterns |
Detailed Troubleshooting
Issue: Detection Events Not Appearing
Symptoms: Known adversarial input not logged
Resolution:
- Verify audit logging is enabled
- Check retention period includes timeframe
- Verify Copilot activities are in scope
- Wait 15-30 minutes for processing
Issue: Too Many False Positives
Symptoms: Legitimate queries triggering alerts
Resolution:
- Review triggered events to identify patterns
- Add exclusions for legitimate use cases
- Increase confidence threshold
- Add context requirements to rules
Escalation Path
- Security Operations - Detection rules
- Entra Security Admin - Sentinel configuration
- Compliance - Evidence retention
- Microsoft Support - Audit logging issues
Known Limitations
| Limitation | Impact | Workaround |
|---|---|---|
| Audit delay 15-30 min | Not real-time | Use Sentinel for faster detection |
| Pattern matching only | May miss novel attacks | Regular pattern updates |
| No native blocking | Must integrate with other controls | Use DLP or CA for blocking |
Back to Control 1.21 | Portal Walkthrough | PowerShell Setup | Verification Testing