text code block:`m365_exported_ediscovery_prompt_logs` | search Subject_Title IN ( "*act as*", "*bypass*", "*ignore*", "*override*", "*pretend you are*", "*rules=*" ) | eval user = Sender | eval jailbreak_score=case( match(Subject_Title, "(?i)pretend you are.*amoral"), 4, match(Subject_Title, "(?i)act as.*entities"), 3, match(Subject_Title, "(?i)(ignore|bypass|override)"), 3, match(Subject_Title, "(?i)rules\s*="), 4, 1=1, 1 ) | where jailbreak_score >= 2 | table _time, user, Subject_Title, jailbreak_score, Workload, Size | sort -jailbreak_score, -_time | `m365_copilot_jailbreak_attempts_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).