Rule Changelog
23-Nov-2025 15:41 (UTC): AI Detection & Response Rules Now Generally Available
Runtime detections require ongoing refinement as threat landscapes evolve. After demonstrating consistent value and stability, the following AI Detection & Response (AIDR) rules are now generally available:
| Rule Title | Rule ID(s) | AI Service(s) |
|---|---|---|
| Destructive query executed by AI agent | ZN_P00253 | Copilot Studio |
| Disallowed email address detected in AI agent trigger content | ZN_P00239 | Copilot Studio |
| Disallowed email sender triggered AI agent | ZN_P00232 | Copilot Studio |
| Disallowed recipient domain detected in email sent by AI agent | ZN_P00236 | Copilot Studio |
| Exposed secrets detected in AI message | ZN_V00501, ZN_F00501, ZN_P00501, ZN_M00501, ZN_G00501, ZN_C00501 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| Exposed secrets detected in user message | ZN_V00500, ZN_F00500, ZN_P00500, ZN_M00500, ZN_G00500, ZN_C00500 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| Financial information detected in AI message | ZN_V00505, ZN_F00505, ZN_P00505, ZN_M00505, ZN_G00505, ZN_C00505 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| Financial information detected in user message | ZN_V00504, ZN_F00504, ZN_P00504, ZN_M00504, ZN_G00504, ZN_C00504 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| PII detected in AI message | ZN_V00503, ZN_F00503, ZN_P00503, ZN_M00503, ZN_G00503, ZN_C00503 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| PII detected in user message | ZN_V00502, ZN_F00502, ZN_P00502, ZN_M00502, ZN_G00502, ZN_C00502 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| Promptware detected in Loops file snippet | ZN_M00041 | M365 Copilot |
| Reconnaissance query executed by AI agent | ZN_P00254 | Copilot Studio |
| Sensitive database name detected in AI agent action | ZN_P00252 | Copilot Studio |
| Server-side MCP secrets exposed by AI agent | ZN_P00277 | Copilot Studio |
| Suspicious database cluster name detected in AI agent action | ZN_P00251 | Copilot Studio |
| Suspicious IP address used to access AI agent | ZN_M00020 | M365 Copilot |
| System instructions encoded in leetspeak detected in user message | ZN_V00013, ZN_F00013, ZN_P00513, ZN_M00013, ZN_G00013, ZN_C00013 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| System instructions encoded with a Caesar cipher detected in user message | ZN_V00012, ZN_F00012, ZN_P00512, ZN_M00012, ZN_G00012, ZN_C00012 | Vertex AI, Microsoft Foundry, Copilot Studio, M365 Copilot, ChatGPT Enterprise, Agentcore |
| Unintended RAG access due to AI content misinterpretation | ZN_M00045 | M365 Copilot |
Deprecations and Updates
- “User message includes code with exposed secrets” (ZN_F00044, ZN_P00044, ZN_M00044) is deprecated. Use the new “Exposed secrets detected in user message” rule instead.
- “User message contains sensitive information (PCI/PHI/PII)” (ZN_M00006, ZN_F00242, ZN_V00242, ZN_P00242, ZN_G00242) is deprecated. Use the new “PII detected in user message” and “Financial information detected in user message” rules instead.
- “AI message contains sensitive information (PCI/PHI/PII)” (ZN_M00010, ZN_F00010, ZN_V00010, ZN_P00241, ZN_G00010) is deprecated. Use the new “PII detected in AI message” and “Financial information detected in AI message” rules instead.
- All GA rules are now categorized as threat detection and/or governance based on their detection focus.