<span class="pill kill-chain">Added by</span>
<span class="pill kill-chain">Author</span>
<span class="pill kill-chain">Compound path</span>
<span class="pill kill-chain">Contains deleted message</span>
<span class="pill kill-chain">Contains edited message</span>
<span class="pill kill-chain">Conversation name</span>
<span class="pill kill-chain">Conversation type</span>
<span class="pill kill-chain">Created</span>
<span class="pill kill-chain">Created by</span>
<span class="pill kill-chain">Data source</span>
<span class="pill kill-chain">Date</span>
<span class="pill kill-chain">Doc authors</span>
<span class="pill kill-chain">Doc date modified</span>
<span class="pill kill-chain">Doc modified by</span>
<span class="pill kill-chain">Document ID index</span>
<span class="pill kill-chain">Email date sent</span>
<span class="pill kill-chain">Email importance</span>
<span class="pill kill-chain">Email participant domains</span>
<span class="pill kill-chain">Email recipient domains</span>
<span class="pill kill-chain">Email recipients</span>
<span class="pill kill-chain">Email sender domain</span>
<span class="pill kill-chain">Error warning</span>
<span class="pill kill-chain">File extension</span>
<span class="pill kill-chain">File name</span>
<span class="pill kill-chain">Has attachment</span>
<span class="pill kill-chain">Has text</span>
<span class="pill kill-chain">Immutable ID</span>
<span class="pill kill-chain">Internet message ID</span>
<span class="pill kill-chain">Is attachment from transcript</span>
<span class="pill kill-chain">Is doc from conversation</span>
<span class="pill kill-chain">Is modern attachment</span>
<span class="pill kill-chain">Is read</span>
<span class="pill kill-chain">Item class</span>
<span class="pill kill-chain">Item source</span>
<span class="pill kill-chain">Last modified by</span>
<span class="pill kill-chain">Last modified time</span>
<span class="pill kill-chain">Location ID</span>
<span class="pill kill-chain">Location sub type</span>
<span class="pill kill-chain">Message kind</span>
<span class="pill kill-chain">Modern attachment parent ID</span>
<span class="pill kill-chain">Original path</span>
<span class="pill kill-chain">Participants</span>
<span class="pill kill-chain">Received</span>
<span class="pill kill-chain">Recipient count</span>
<span class="pill kill-chain">Retention label</span>
<span class="pill kill-chain">SPO unique ID</span>
<span class="pill kill-chain">Sender</span>
<span class="pill kill-chain">Sensitive type</span>
<span class="pill kill-chain">Size</span>
<span class="pill kill-chain">Source ID</span>
<span class="pill kill-chain">Status</span>
<span class="pill kill-chain">Subject_Title</span>
<span class="pill kill-chain">Target path</span>
<span class="pill kill-chain">Title</span>
<span class="pill kill-chain">To</span>
<span class="pill kill-chain">Type</span>
<span class="pill kill-chain">Workload</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestamp</span>
<span class="pill kill-chain">timestartpos</span>
</div>
Data Source: M365 Exported eDiscovery Prompts
Description
M365 exported eDiscovery prompt logs from Microsoft Purview contain user interactions with M365 Copilot, including the actual prompt text (Subject_Title), sender information, timestamps, and metadata about the AI conversations. These logs are exported through Purview's eDiscovery functionality and provide visibility into how users are querying and attempting to interact with Copilot, making them valuable for detecting jailbreak attempts, data exfiltration requests, policy violations, and other security-relevant AI usage patterns. The logs capture the full conversational context necessary for identifying malicious prompt injection, social engineering attempts against the AI, and unauthorized information disclosure requests.
Details
Property | Value |
---|---|
Source | csv |
Sourcetype | csv |
Event Fields
Example Log
Succeeded,,IndexQuery,,,,,,,,,,rodsoto@rodsoto.onmicrosoft.com/TeamsMessagesData/Card.html,False,False,,,,,,,,,All people and groups,2025-08-25 20:58:43Z,,,,,,,,,,,,,,,,1591522,,,,2025-08-25T20:58:43Z,,Normal,,,rodsoto.onmicrosoft.com,,,Copilot in Word,,rodsoto.onmicrosoft.com,,,,,,,,,,,,,html,Card.html,,,,True,False,,,Exchange/sourceE83F8E164F7280A5033281941716356F/TEAMS/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2/2025082512/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2-2025082512.html-mimeatt64601eefbf644a2a940f679f8ae1d4be-1,,,,1756155523926,False,,False,,,,,,True,,True,,,,IPM.SkypeTeams.Message.Copilot.Word,rodsoto@rodsoto.onmicrosoft.com,,2025-08-25T20:58:45Z,,,d03dab29-e210-4507-8932-ce3c7e74e5ae,PrimaryMailBox,,,,,,,Exchange/sourceE83F8E164F7280A5033281941716356F/TEAMS/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2/2025082512/19I5dhdbjE2GdGNAYuFGzQrEHvS-vIfpjDDRO05LjzN01threadv2-2025082512.html,,,,,,,,,/TeamsMessagesData,,,Rod Soto <rodsoto@rodsoto.onmicrosoft.com>;Copilot in Word,,,,,,2025-08-25T20:58:43Z,1,,,,,,rodsoto@rodsoto.onmicrosoft.com,,,,,,,49292,rodsoto@rodsoto.onmicrosoft.com,,,00000000-0000-0000-0000-000000000000,,,Items.1.001.zip\Exchange\rodsoto@rodsoto.onmicrosoft.com\TeamsMessagesData\Card_46.html,,,,,,,,,Copilot in Word,,Message,,,,,Exchange
Source: GitHub | Version: 1