Microsoft publishes playbook for investigating AI system activity
New guidance helps security teams reconstruct what happened during interactions with Copilot and Azure AI services using existing telemetry.
Security teams investigating incidents involving AI systems now have a structured methodology for reconstructing what occurred during interactions with Microsoft 365 Copilot and Azure AI services.
Microsoft published an investigator playbook on June 9 that provides a framework for analyzing AI-related activity using telemetry already captured across Microsoft Purview, Defender, and Sentinel. The guidance addresses a growing operational need as organizations investigate everything from prompt injection attempts to unexpected data access patterns in AI systems.
Why it matters
As AI tools become embedded in daily workflows, security teams need the same investigative rigor for AI interactions that they apply to endpoints, identities, and cloud infrastructure. Without a structured approach, telemetry signals remain isolated rather than forming a coherent account of what happened—making it difficult to determine whether activity represents normal usage, policy violations, or active threats.
The scope-context-signal methodology
The playbook follows a three-stage investigative sequence. Investigations begin by establishing scope: identifying who interacted with AI systems, when activity occurred, and which services were involved.
Investigators then expand into resource context, examining what the system accessed, what data may have been exposed, and how activity aligns with expected behavior patterns. Finally, detection signals—including prompt injection attempts, anomalous usage patterns, or credential exposure alerts—are evaluated within the broader chain of activity.
According to Phillip Misner, Head of AI Incident Detection & Response, and the Microsoft AI Red Team, AI telemetry is constructed metadata-first, providing identity, time, and resource context across interactions. This structure enables investigators to move from isolated signals to a coherent account of observed activity.
Practical implementation
The playbook operationalizes this approach with specific tools for Microsoft 365 Copilot and Azure AI services. It includes schema references, KQL queries, and detection logic that allow investigators to follow AI activity across tools with fewer ad hoc pivots.
The methodology extends to agent-based systems, where the investigative picture expands to include which agents are deployed, how they are configured, what data they are authorized to access, and whether that authorization was used as expected.
The telemetry captures who initiated an interaction, when it occurred, and which resources were involved—providing the foundation for reconstructing AI activity in enterprise environments.
Moving from signals to accounts
Response teams can use the framework to move from isolated signals to a reconstructed account of observed activity. This includes scoping AI usage, understanding what data was accessed during interactions, and assessing whether observed behavior is consistent with normal usage, policy violations, or indicators of active threat conditions.
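As an added illustration of the scope, context, signal sequence described above (example code written for this page, not Microsoft's playbook or its KQL), the following Python runs the three stages over a handful of constructed interaction records and alerts and returns the reconstructed account with one of the three outcomes named above. The record shape, field names, resource identifiers and expected-scope table are all assumptions made for the example and are not the Purview, Defender or Sentinel schema; against real telemetry an investigator would use the playbook's own schema references and queries.

```python
"""Scope -> resource context -> detection signals over AI interaction telemetry.

Constructed example: every record, field name and identifier below is made up
for illustration and is not the schema of any Microsoft product.
"""
from datetime import datetime, timedelta

# Constructed metadata-first interaction records: identity, time, service and
# the resources the AI system touched on the user's behalf.
INTERACTIONS = [
    {"id": "i1", "user": "alice@contoso.example", "time": "2025-06-09T09:02:00Z",
     "service": "M365Copilot", "resources": ["sp://finance/Q2-forecast.xlsx"]},
    {"id": "i2", "user": "alice@contoso.example", "time": "2025-06-09T09:05:00Z",
     "service": "M365Copilot",
     "resources": ["sp://finance/Q2-forecast.xlsx", "sp://hr/salaries.xlsx"]},
    {"id": "i3", "user": "bob@contoso.example", "time": "2025-06-09T09:06:00Z",
     "service": "AzureOpenAI", "resources": []},
    {"id": "i4", "user": "alice@contoso.example", "time": "2025-06-09T13:40:00Z",
     "service": "M365Copilot", "resources": ["sp://finance/vendors.docx"]},
]

# Constructed detection signals. Each carries identity and time so it can be
# joined to the interaction chain instead of being judged in isolation.
ALERTS = [
    {"user": "alice@contoso.example", "time": "2025-06-09T09:05:30Z",
     "type": "PromptInjectionAttempt"},
    {"user": "alice@contoso.example", "time": "2025-06-09T17:00:00Z",
     "type": "AnomalousUsage"},
]

# Constructed authorization baseline: resource prefixes each identity is
# expected to reach through the AI system (assumption, not a product setting).
EXPECTED_SCOPE = {
    "alice@contoso.example": ("sp://finance/",),
    "bob@contoso.example": (),
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def scope(interactions, user, start, end, services=None):
    """Stage 1: who interacted, in which window, with which services."""
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    return [r for r in interactions
            if r["user"] == user
            and start_dt <= parse_ts(r["time"]) <= end_dt
            and (services is None or r["service"] in services)]


def resource_context(chain, expected_scope):
    """Stage 2: what was accessed, and whether it stayed inside the expected scope."""
    touched, out_of_scope = set(), set()
    for record in chain:
        allowed = expected_scope.get(record["user"], ())
        for res in record["resources"]:
            touched.add(res)
            # startswith() with an empty tuple is False: no baseline flags everything.
            if not res.startswith(allowed):
                out_of_scope.add(res)
    return {"touched": sorted(touched), "out_of_scope": sorted(out_of_scope)}


def attach_signals(chain, alerts, window=timedelta(minutes=5)):
    """Stage 3: join each alert to the nearest same-identity interaction within the window.

    Alerts the chain does not explain are reported as unmatched rather than dropped.
    """
    attached, unmatched = [], []
    for alert in alerts:
        at = parse_ts(alert["time"])
        candidates = [r for r in chain
                      if r["user"] == alert["user"]
                      and abs(parse_ts(r["time"]) - at) <= window]
        if candidates:
            nearest = min(candidates, key=lambda r: abs(parse_ts(r["time"]) - at))
            attached.append({"alert": alert["type"], "interaction": nearest["id"]})
        else:
            unmatched.append(alert["type"])
    return {"attached": attached, "unmatched": unmatched}


def assess(context, signals):
    """Classify the chain as normal usage, a policy violation, or a threat indicator."""
    if signals["attached"]:
        return "threat-indicator"
    if context["out_of_scope"]:
        return "policy-violation"
    return "normal"


def investigate(user, start, end, interactions=INTERACTIONS, alerts=ALERTS,
                expected_scope=EXPECTED_SCOPE):
    """Run the three stages for one identity and window and return the account."""
    chain = scope(interactions, user, start, end)
    context = resource_context(chain, expected_scope)
    signals = attach_signals(chain, [a for a in alerts if a["user"] == user])
    return {"chain": [r["id"] for r in chain], "context": context,
            "signals": signals, "assessment": assess(context, signals)}


if __name__ == "__main__":
    import json
    print(json.dumps(investigate("alice@contoso.example", "2025-06-09T09:00:00Z",
                                 "2025-06-09T10:00:00Z"), indent=2))
```

The point the example makes is the one the playbook makes: a signal only becomes meaningful once it is joined to the chain. Scoping alice to the morning window pulls in two interactions, the context stage shows one of them reached an HR file outside her expected scope, and the injection alert attaches to the nearest interaction and changes the outcome to a threat indicator, while the 17:00 alert stays unmatched because nothing in the scoped chain explains it. Remove the alerts and the same chain is assessed as a policy violation; move the window to the afternoon and it is assessed as normal.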
The playbook is available for download at https://aka.ms/AIIRplaybook.
These details were first reported by Microsoft Security in a blog post by Phillip Misner and the Microsoft AI Red Team.
This is an original analysis by the Omega editorial team. Source reporting: AI Watch.