
Control 1.8: Runtime Protection and External Threat Detection

Overview

Control ID: 1.8
Control Name: Runtime Protection and External Threat Detection
Regulatory Reference: FINRA Notice 25-07, SEC AI priorities, GLBA 501(b)
Setup Time: 1-2 hours (initial); ongoing monitoring


Purpose

Runtime Protection provides real-time security controls for Copilot Studio agents, detecting and blocking prompt injection attacks, jailbreak attempts, and malicious agent behavior. For financial services, runtime protection is critical for:

  • Prompt Injection Prevention: Blocking attempts to manipulate agent behavior through malicious inputs
  • Jailbreak Detection: Identifying attempts to bypass agent guardrails
  • FINRA 25-07 Compliance: Demonstrating AI risk controls and monitoring
  • GLBA 501(b): Protecting customer data from exfiltration via AI agents
  • SEC AI Priorities: Implementing appropriate governance for AI-driven systems
  • External Threat Detection: Identifying and blocking known malicious patterns

Prerequisites

Primary Owner Admin Role: Entra Security Admin
Supporting Roles: None

Required Licenses

  • Power Platform with Managed Environments (Premium)
  • Microsoft Defender for Cloud Apps (recommended for SaaS threat detection and session controls)
  • Microsoft Defender XDR (optional, for SOC correlation across identities/endpoints/email)
  • Microsoft Sentinel (optional, for SIEM/SOAR correlation and advanced detections)

Required Permissions

  • Power Platform Administrator (tenant-level configuration)
  • Environment Administrator (environment-level settings)
  • Security Administrator (alert configuration)

Dependencies

  • Control 2.1 (Managed Environments): Required for runtime protection
  • Control 1.7 (Audit Logging): Logging infrastructure for threats
  • Control 1.4 (ACP): Connector controls complement runtime protection

Pre-Setup Checklist

  • [ ] Managed Environments enabled
  • [ ] Security operations team identified
  • [ ] Incident response procedures documented
  • [ ] Alert recipients and escalation paths defined
  • [ ] SIEM integration requirements assessed

Governance Levels

Baseline (Level 1)

Implement secure prompt practices and manual review; restrict risky actions and external data access.

Enable runtime protections and monitor threats; integrate alerts with security operations.

Regulated/High-Risk (Level 4)

Runtime protection required with external threat detection; defined incident response playbooks and SLAs.


Setup & Configuration

Step 1: Enable Managed Environments (Prerequisite)

Portal Path: Power Platform Admin Center → Environments → [Environment] → Enable Managed Environment

  1. Navigate to Power Platform Admin Center
  2. Select target environment
  3. Click Enable Managed Environment (if not already enabled)
  4. Confirm enablement
  5. Wait for activation (may take up to 30 minutes)

Step 2: Configure Agent Security Settings

Portal Path: Power Platform Admin Center → Environments → [Environment] → Settings → Features → Agent capabilities

  1. Navigate to environment settings
  2. Go to Features → Agent capabilities
  3. Configure security settings (recommended value; Tier 3 value):
     • Allow AI-generated responses: On; Tier 3: On (with guardrails)
     • Moderation and safety: Enabled; Tier 3: Enabled - Strict
     • Block prompt injection attempts: Enabled; Tier 3: Enabled
     • Log AI interactions: Enabled; Tier 3: Enabled - Verbose
  4. Click Save

Step 3: Enable Runtime Protection for Agents

Portal Path: Power Platform Admin Center → Policies → Agent security

  1. Navigate to Policies → Agent security (or similar section)
  2. Enable Runtime protection
  3. Configure protection levels:

Protection Configuration:

Prompt Injection Detection: Enabled
├── Sensitivity: High (recommended for FSI)
├── Action: Block and log
└── Notify: Security team

Jailbreak Prevention: Enabled
├── Detection mode: Active
├── Action: Block and alert
└── Log level: Detailed

Content Safety: Enabled
├── Categories: All (hate, violence, self-harm, sexual)
├── Threshold: Strict
└── Action: Block and log

Sensitive Data Protection: Enabled
├── PII detection: On
├── Financial data: On
├── Action: Mask in responses, log attempts
└── Alert: On threshold breach

Step 4: Configure Copilot Studio Security Settings

Portal Path: Copilot Studio → [Agent] → Settings → Security

For each agent, configure:

  1. Open agent in Copilot Studio
  2. Navigate to Settings → Security
  3. Configure (Tier 1 / Tier 2 / Tier 3):
     • Authentication: Optional / Required / Required + MFA
     • Secure input: Off / On / On
     • Secure output: Off / On / On
     • Log conversations: Optional / Required / Required
  4. Under Moderation:
     • Enable content moderation
     • Set appropriate topic scope
     • Configure fallback responses

Step 5: Implement Egress Controls and Tool/Connector Guardrails (Required for evidence-grade runtime protection)

Runtime protection must be paired with egress controls so agents cannot exfiltrate data via tools/connectors even if a malicious prompt is attempted.

Required outcomes:

  • Allowed tools are explicit: Each agent has an approved list of actions/tools/connectors it may call.
  • Allowed destinations are explicit: Outbound network destinations (domains/endpoints) are allowlisted where feasible.
  • Sensitive operations are gated: High-risk actions require authentication/authorization and are logged with sufficient detail for investigation.

Configuration expectations (Power Platform + Copilot Studio):

  1. Connector allowlist + environment DLP (Control 1.4, Control 2.1)
     • Restrict environments to approved connectors only.
     • Treat HTTP, Custom connectors, SQL/File, and any connector enabling arbitrary outbound calls as high-risk and block by default unless explicitly approved with documented justification.
  2. Constrain “generic fetch” patterns
     • If a connector enables arbitrary URLs, enforce an allowlist (domain/path patterns) in the connector implementation where supported.
     • For custom connectors, restrict base URL(s) and methods to approved endpoints only.
  3. Least-privilege identity for tool execution
     • Use dedicated app identities/service accounts with scoped permissions for each agent/tool integration.
     • Separate read-only vs write actions where possible; prevent “write” by default.
  4. Abuse controls
     • Define operational thresholds (requests/min, tool calls/session, auth failures/session) and alert on breaches as potential automation abuse or exfiltration attempts.

Evidence requirements for egress controls:

  • Screenshot/export of DLP policies applied to the environment.
  • Screenshot/export of ACP/connector allowlist (or documented compensating control if allowlisting is not technically supported for a specific connector).
  • For each Tier 3 agent: list of approved connectors/tools and approved external destinations (domains/endpoints) if applicable.
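As an added example (not part of this control document), the following Python applies the Step 5 abuse-control thresholds (requests/min, tool calls/session, auth failures/session) to audit records shaped like the Search-UnifiedAuditLog output the PowerShell section retrieves, and emits one alert per breached metric. The SessionId/Operation/ResultStatus keys, the ToolInvoked and Authenticate operation names and the threshold values are assumptions, and the sample records are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Step 5 "Abuse controls" thresholds; constructed starting points, tune per zone and agent
THRESHOLDS = {"requests_per_minute": 15, "tool_calls_per_session": 10, "auth_failures_per_session": 3}

def _record(ts, user, session, operation, result="Success"):
    # Audit record shaped like Search-UnifiedAuditLog output (CreationDate, UserIds,
    # AuditData JSON); the SessionId/Operation/ResultStatus keys are assumed, not verified
    data = {"Operation": operation, "SessionId": session, "ResultStatus": result}
    return {"CreationDate": ts.isoformat(), "UserIds": user, "AuditData": json.dumps(data)}

BASE = datetime(2025, 12, 1, 9, 0, 0)
# Constructed sample: s-1 is normal traffic; s-2 bursts 12 tool calls in 22 seconds
# and then fails authentication four times
SAMPLE_RECORDS = (
    [_record(BASE + timedelta(minutes=i), "alice@contoso.example", "s-1", "ToolInvoked") for i in range(3)]
    + [_record(BASE + timedelta(seconds=2 * i), "bob@contoso.example", "s-2", "ToolInvoked") for i in range(12)]
    + [_record(BASE + timedelta(seconds=30 + i), "bob@contoso.example", "s-2", "Authenticate", "Failed")
       for i in range(4)]
)

def parse_records(records):
    """Flatten audit records into events with a parsed timestamp and AuditData fields."""
    events = []
    for rec in records:
        data = json.loads(rec["AuditData"])
        events.append({"time": datetime.fromisoformat(rec["CreationDate"]), "user": rec["UserIds"],
                       "session": data.get("SessionId"), "operation": data.get("Operation"),
                       "result": data.get("ResultStatus")})
    return events

def evaluate(events, thresholds=THRESHOLDS):
    """Return one alert per (session, metric) whose value exceeds the threshold."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session"]].append(ev)
    alerts = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        window, peak_rate = deque(), 0  # sliding 60-second window over event times
        for ev in evs:
            window.append(ev["time"])
            while ev["time"] - window[0] >= timedelta(minutes=1):
                window.popleft()
            peak_rate = max(peak_rate, len(window))
        metrics = {
            "requests_per_minute": peak_rate,
            "tool_calls_per_session": sum(e["operation"] == "ToolInvoked" for e in evs),
            "auth_failures_per_session": sum(e["operation"] == "Authenticate" and e["result"] != "Success"
                                             for e in evs),
        }
        for metric, value in metrics.items():
            if value > thresholds[metric]:
                alerts.append({"session": session, "user": evs[0]["user"], "metric": metric,
                               "value": value, "threshold": thresholds[metric]})
    return alerts
```

Running `evaluate(parse_records(SAMPLE_RECORDS))` flags only session s-2, on all three metrics; feed it the CSV rows exported by the PowerShell script to apply the same thresholds to real data.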

Step 6: Set Up External Threat Detection (Optional)

Portal Path: Power Platform Admin Center → Settings → Tenant settings → Security

External threat detection is for correlation and enrichment (known bad IPs/domains, identity risk, malware signals, suspicious sign-in context). It must not be described or configured as a SOC “tier” mapped to governance zones.

For integration with external threat detection:

  1. Navigate to Tenant settings → Security
  2. Under External threat detection:
     • Enable integration
     • Configure provider (if applicable)
  3. For Microsoft Defender integration (recommended):
     • Connect to Microsoft Defender for Cloud Apps
     • Enable relevant discovery/controls for Power Platform where available
     • Ensure alert routing to the SOC toolchain (email, ticketing, incident system)

Step 7: Configure Alert Policies

Portal Path: Microsoft Purview → Policies → Alert policies

Create alerts for runtime protection events:

Alert 1: Agent Prompt Injection Detected

  1. Click + New alert policy
  2. Configure:
     • Name: FSI-Agent-PromptInjection
     • Description: "Prompt injection attempt detected"
     • Category: Threat management
     • Severity: High
     • Activity: Custom activity (Power Platform audit log)
     • Condition: Operation = PromptInjectionBlocked
  3. Notification:
     • Email: security-operations@contoso.com
     • Frequency: Immediately
  4. Click Save

Alert 2: Agent Jailbreak Attempt

  1. Click + New alert policy
  2. Configure:
     • Name: FSI-Agent-JailbreakAttempt
     • Description: "Agent jailbreak attempt detected"
     • Severity: Critical
     • Activity: Jailbreak detection event
     • Notification: SOC immediate alert
  3. Click Save

Alert 3: Unusual Agent Activity

  1. Click + New alert policy
  2. Configure:
     • Name: FSI-Agent-UnusualActivity
     • Description: "Unusual volume or pattern of agent usage"
     • Severity: Medium
     • Activity: Agent session count threshold exceeded
  3. Click Save

Portal Path: Power Platform Admin Center → Settings → Data export

For Microsoft Sentinel integration:

Sentinel/SIEM severity tiering and SOC routing are operational decisions and are not mapped to the Agent Governance zones.

  1. Navigate to Settings → Data export
  2. Enable activity log export to Event Hub
  3. In Microsoft Sentinel:
     • Add Power Platform data connector
     • Enable relevant log categories:
       ✅ Copilot Studio events
       ✅ Security events
       ✅ Admin activities
  4. Create detection rules in Sentinel:

    // Prompt Injection Detection
    PowerPlatformAdminActivity
    | where Operation == "PromptInjectionDetected"
    | extend AgentName = tostring(parse_json(ExtendedProperties).AgentName)
    | project TimeGenerated, UserId, AgentName, ClientIP, Operation
    | order by TimeGenerated desc


PowerShell Configuration

# Runtime Protection Configuration and Monitoring
# Requires: Microsoft.PowerApps.Administration.PowerShell (Power Platform admin cmdlets)
#           ExchangeOnlineManagement (Connect-IPPSSession / Search-UnifiedAuditLog)

# ===== CONNECT TO POWER PLATFORM =====

Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force
Install-Module -Name ExchangeOnlineManagement -Force
Add-PowerAppsAccount

# ===== GET MANAGED ENVIRONMENT STATUS =====

$Environments = Get-AdminPowerAppEnvironment

# A Managed Environment reports protectionLevel "Standard" under governanceConfiguration;
# an unmanaged one reports "Basic" or has no governanceConfiguration at all
$EnvReport = foreach ($Environment in $Environments) {
    $ProtectionLevel = $Environment.Internal.properties.governanceConfiguration.protectionLevel
    [PSCustomObject]@{
        DisplayName     = $Environment.DisplayName
        EnvironmentName = $Environment.EnvironmentName
        IsManaged       = ($ProtectionLevel -eq "Standard")
        Location        = $Environment.Location
        EnvironmentType = $Environment.EnvironmentType
    }
}

Write-Host "Managed Environment Status:" -ForegroundColor Cyan
$EnvReport | Format-Table -AutoSize

# ===== ENABLE MANAGED ENVIRONMENT =====

# Enable for a specific environment (uncomment the two lines below to apply)
$EnvName = "00000000-0000-0000-0000-000000000000"  # Replace with environment ID

# $GovernanceConfiguration = [PSCustomObject]@{ protectionLevel = "Standard" }
# Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName $EnvName -UpdatedGovernanceConfiguration $GovernanceConfiguration

# ===== GET ENVIRONMENT DLP POLICIES =====

# Note: the runtime protection settings themselves are not exposed through this module;
# configure them in the Power Platform Admin Center. The DLP policies (Control 1.4) are the
# connector guardrail runtime protection relies on, so list the ones that apply here.
# Assumption: environment-scoped policies list the environment under .Environments.name
$EnvPolicies = Get-AdminDlpPolicy | Where-Object {
    $_.EnvironmentType -eq "AllEnvironments" -or $_.Environments.name -contains $EnvName
}

Write-Host "`nDLP policies applying to ${EnvName}:" -ForegroundColor Yellow
$EnvPolicies | Select-Object DisplayName, EnvironmentType, CreatedBy, LastModifiedTime | Format-List

# ===== AUDIT LOG ANALYSIS FOR THREATS =====

# Connect to Security & Compliance PowerShell
Connect-IPPSSession

$StartDate = (Get-Date).AddDays(-7)
$EndDate = Get-Date

# Search for Copilot Studio interaction events
$SecurityEvents = Search-UnifiedAuditLog `
    -StartDate $StartDate `
    -EndDate $EndDate `
    -RecordType CopilotInteraction `
    -ResultSize 1000

# Wrap in @() so .Count is correct when zero or one record comes back
$SecurityEvents = @($SecurityEvents)
Write-Host "`nCopilot interaction events found: $($SecurityEvents.Count)" -ForegroundColor Yellow

# Parse each record's AuditData JSON and flag security-relevant operations
$SecurityAnalysis = $SecurityEvents | ForEach-Object {
    $AuditData = $_.AuditData | ConvertFrom-Json

    [PSCustomObject]@{
        Date      = $_.CreationDate
        User      = $_.UserIds
        Operation = $AuditData.Operation
        AppName   = $AuditData.AppName
        Result    = $AuditData.ResultStatus
        # Coarse indicator: operation names that mention blocking, injection or jailbreak
        SecurityFlag = if ($AuditData.Operation -match "block|inject|jailbreak") { "ALERT" } else { "Normal" }
    }
}

# Identify potential threats
$Threats = @($SecurityAnalysis | Where-Object { $_.SecurityFlag -eq "ALERT" })

if ($Threats.Count -gt 0) {
    Write-Host "`nPOTENTIAL THREATS DETECTED:" -ForegroundColor Red
    $Threats | Format-Table
} else {
    Write-Host "`nNo threat indicators found in period" -ForegroundColor Green
}

# ===== GENERATE SECURITY REPORT =====

$Report = [PSCustomObject]@{
    ReportDate            = Get-Date
    AnalysisPeriod        = "$StartDate to $EndDate"
    TotalCopilotEvents    = $SecurityEvents.Count
    ThreatIndicators      = $Threats.Count
    ManagedEnvironments   = @($EnvReport | Where-Object { $_.IsManaged }).Count
    UnmanagedEnvironments = @($EnvReport | Where-Object { -not $_.IsManaged }).Count
}

Write-Host "`n=== RUNTIME PROTECTION SECURITY SUMMARY ===" -ForegroundColor Cyan
$Report | Format-List

# Export detailed report (creates the output folder if it does not exist)
$ReportDir = "C:\Governance"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$SecurityAnalysis | Export-Csv (Join-Path $ReportDir "RuntimeProtection-Analysis-$(Get-Date -Format 'yyyyMMdd').csv") -NoTypeInformation

# ===== CHECK CONNECTOR SECURITY =====

# Get-AdminPowerAppConnector returns the tenant's custom connectors; names suggesting
# generic HTTP/SQL/file access are the "generic fetch" patterns Step 5 treats as high-risk
$Connectors = Get-AdminPowerAppConnector

$HighRiskConnectors = @($Connectors | Where-Object {
    $_.Properties.displayName -match "HTTP|Custom|SQL|File"
})

if ($HighRiskConnectors.Count -gt 0) {
    Write-Host "`nHigh-risk connectors requiring review:" -ForegroundColor Yellow
    $HighRiskConnectors | Select-Object @{N='Name'; E={$_.Properties.displayName}}, ConnectorId | Format-Table
}

Financial Sector Considerations

Regulatory Alignment

Runtime protection requirement by regulation:

  • FINRA 25-07: Demonstrate AI governance and risk controls
  • SEC AI Priorities: Appropriate safeguards for AI systems
  • GLBA 501(b): Protect customer NPI from exfiltration
  • OCC 2011-12: Model risk controls for AI/ML systems
  • FFIEC Guidance: Cybersecurity controls for fintech

Zone-Specific Configuration

Zone 1 (Personal Productivity)

Runtime Protection: Optional (recommended)
Prompt Injection: Log only
Jailbreak Detection: Alert only
Content Moderation: Basic
SIEM Integration: Not required
Response SLA: Best effort

Zone 2 (Team Collaboration)

Runtime Protection: Required
Prompt Injection: Block and log
Jailbreak Detection: Block and alert
Content Moderation: Standard
SIEM Integration: Recommended
Response SLA: 4 hours

Zone 3 (Enterprise Managed)

Runtime Protection: Required - Maximum
Prompt Injection: Block, log, and investigate
Jailbreak Detection: Block and immediate SOC alert
Content Moderation: Strict
SIEM Integration: Required
Response SLA: 15 minutes
Incident Playbook: Required

Threat Categories and Response

Threat type, detection method, response, and FSI priority:

  • Prompt Injection: Detection: pattern matching, AI analysis; Response: block, log, alert; FSI Priority: Critical
  • Jailbreak Attempt: Detection: behavioral analysis; Response: block, investigate, remediate; FSI Priority: Critical
  • Data Exfiltration: Detection: DLP + content analysis; Response: block, preserve evidence; FSI Priority: Critical
  • Credential Theft: Detection: pattern recognition; Response: block, reset credentials; FSI Priority: High
  • Malicious Content: Detection: content moderation; Response: block, quarantine; FSI Priority: Medium
  • Denial of Service: Detection: rate limiting; Response: throttle, alert; FSI Priority: Medium

FSI Configuration Example: Investment Bank

Scenario: An investment bank deploys customer-facing agents that handle trade inquiries and account information.

Runtime Protection Configuration:

Customer Service Agent (Tier 3)
├── Prompt Injection Protection
│   ├── Sensitivity: Maximum
│   ├── Patterns: Financial manipulation, account access
│   ├── Action: Block immediately
│   └── Alert: SOC + Compliance
│
├── Jailbreak Prevention
│   ├── Detection: All categories
│   ├── Historical behavior analysis: Enabled
│   ├── Action: Block + session termination
│   └── Alert: Immediate + incident ticket
│
├── Content Safety
│   ├── PII in responses: Mask (show last 4 only)
│   ├── Account numbers: Require authentication
│   ├── Trading data: Read-only, no execution
│   └── Sensitive topics: Redirect to human
│
├── Session Controls
│   ├── Max session duration: 30 minutes
│   ├── Idle timeout: 5 minutes
│   ├── Re-authentication: Required for sensitive ops
│   └── Session logging: Complete
│
└── SIEM Integration
    ├── Real-time streaming: Enabled
    ├── Alert correlation: Trading anomalies
    ├── Playbook: Auto-create incident
    └── Response SLA: 15 minutes


Verification & Testing

Verification Steps

  1. Confirm Managed Environment:
     • Power Platform Admin Center → Environment → Verify "Managed" status
     • EXPECTED: Environment shows as Managed
  2. Test Prompt Injection Detection:
     • Submit test prompt with injection pattern
     • EXPECTED: Blocked with log entry
  3. Validate Egress Controls (tools/connectors):
     • Attempt to invoke a blocked/high-risk connector (e.g., HTTP/custom connector) from the agent
     • Attempt to reach a non-approved destination (where allowlisting is implemented)
     • EXPECTED: Invocation blocked; audit log/event captured with agent name, user, time, and policy reason
  4. Verify Alert Configuration:
     • Check alert policies in Purview
     • EXPECTED: FSI alerts created and enabled
  5. Test Content Moderation:
     • Submit content that should be blocked
     • EXPECTED: Appropriate moderation response
  6. Validate SIEM Integration (Tier 3):
     • Generate test security event
     • Verify event appears in SIEM
     • EXPECTED: Events streaming within SLA

Verification Evidence

  • [ ] Screenshot: Managed environment confirmation
  • [ ] Screenshot: Runtime protection settings
  • [ ] Export: Alert policy configurations
  • [ ] Log: Prompt injection detection test
  • [ ] Export/screenshot: DLP policy and connector restrictions applied to the environment (Control 1.4 linkage)
  • [ ] Log: Egress/tool blocking test (blocked connector/tool call, policy reason, correlation ID if available)
  • [ ] Documentation: Incident response playbook
  • [ ] SIEM: Power Platform connector status

Troubleshooting & Validation

Issue: Runtime Protection Not Blocking Threats

Symptoms: Malicious prompts not being blocked

Solutions:

  1. Verify Managed Environment is enabled
  2. Check runtime protection settings are active
  3. Review sensitivity threshold (may need adjustment)
  4. Ensure agent security settings are configured
  5. Check for policy conflicts

Issue: Too Many False Positives

Symptoms: Legitimate queries being blocked

Solutions:

  1. Review blocking patterns
  2. Adjust sensitivity from High to Medium
  3. Add exclusions for common legitimate patterns
  4. Tune content moderation thresholds
  5. Review and whitelist specific scenarios

Issue: Alerts Not Being Generated

Symptoms: Security events not triggering alerts

Solutions:

  1. Verify alert policy is enabled
  2. Check activity matches alert conditions
  3. Confirm notification recipients are valid
  4. Review alert threshold settings
  5. Check mailflow for alert delivery

Issue: SIEM Not Receiving Events

Symptoms: Power Platform events missing in SIEM

Solutions:

  1. Verify data export is configured
  2. Check Event Hub connectivity
  3. Confirm data connector is enabled in Sentinel
  4. Review permissions for data streaming
  5. Check for throttling or quota issues

Additional Resources


Related controls and their relationship to this control:

  • Control 2.1: Managed Environments prerequisite
  • Control 1.7: Audit logging for threats
  • Control 1.4: Connector-level security
  • Control 1.12: Insider threat correlation
  • Control 4.5: SharePoint security monitoring

Support & Questions

For implementation support or questions about this control, contact:

  • Security Operations: Runtime protection monitoring
  • Power Platform Administrator: Environment configuration
  • AI Governance Lead: Agent security policies
  • Incident Response Team: Threat response procedures

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification