Reconstructing AI activity in investigations
Summary
AI systems are now used in everyday work, and investigators need structured ways to understand what happened when problems occur. Microsoft has published a playbook that helps security teams investigate activity in Microsoft 365 Copilot and Azure AI services (cloud-based AI tools) using telemetry (data about system activity) collected across Microsoft security products. The playbook follows a scope-context-signal approach: first identify who used the AI system and when, then check what data was accessed, and finally evaluate suspicious signals such as prompt injection attempts (instructions hidden in the model's input to manipulate its behaviour) or unusual usage patterns.
Solution / Mitigation
Microsoft has published an investigator playbook for Microsoft 365 Copilot and Azure AI services that provides a structured approach for investigating AI-related activity. The playbook includes required configuration, KQL queries (code used to search security logs), and detection patterns, and operationalizes a scope-context-signal methodology across Microsoft security products. Download the playbook at: https://aka.ms/AIIRplaybook
Classification
Affected Vendors
Related Issues
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
CVE-2026-40087: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-str
Original source: https://www.microsoft.com/en-us/security/blog/2026/06/09/reconstructing-ai-activity-investigations/
First tracked: June 9, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%