Adversaries may configure MCP tools in A365 AI agents to extend their capabilities and potentially execute malicious payloads. SOC teams should proactively hunt for this behavior to identify and mitigate potential security risks associated with unauthorized tool configurations in AI agents.
KQL Query
// Hunt: list A365-registered AI agents whose most recent inventory record has a
// "RemoteMCPServer" entry in AgentActionTriggers, with owner and creator UPNs resolved.
//
// Lookup of directory object id -> UPN; materialized because it is joined twice below.
let IdentityIdtoUPN = materialize (
IdentityInfo
| distinct AccountObjectId, AccountUpn
| extend AccountObjectId = tostring(AccountObjectId)
// NOTE(review): an object id seen with more than one UPN produces several lookup rows,
// and each leftouter join below would then repeat the agent row - confirm, or reduce
// the lookup to one UPN per id.
| where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
AIAgentsInfo
| where RegistrySource == "A365"
// Keep only the latest record per agent, so the result reflects current configuration.
| summarize arg_max(Timestamp, *) by AIAgentId
| extend RawAgentInfoJson = parse_json(RawAgentInfo)
| extend DeveloperName = RawAgentInfoJson.developerName
// Only the first element of owners is resolved; any further owners are not surfaced.
| extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
| extend CreatorId = tostring(RawAgentInfoJson.creatorId)
// leftouter keeps agents whose owner/creator id has no match in IdentityInfo;
// OwnerUpn / CreatorUpn are empty for those rows.
| join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
// Rename before the second join so the two AccountUpn columns do not collide.
| project-rename OwnerUpn = AccountUpn
| join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
| project-rename CreatorUpn = AccountUpn
| where isnotempty(AgentActionTriggers)
| extend AgentActionTriggersJson = parse_json(AgentActionTriggers)
// NOTE(review): "> 1" requires at least two entries, so an agent whose only entry is a
// RemoteMCPServer is not returned - confirm this is intended rather than "> 0".
| where array_length(AgentActionTriggersJson) > 1
// One output row per array entry: an agent with several RemoteMCPServer entries
// appears several times in the result.
| mv-expand Trigger = AgentActionTriggersJson
| extend ActionType = Trigger.type
| where ActionType == "RemoteMCPServer"
// Drop helper columns, including the join keys from both lookups (AccountObjectId1 is
// the suffixed key from the second join).
// NOTE(review): Trigger is removed here, so the result does not show which remote MCP
// server is configured; keeping the relevant Trigger fields would help triage.
| project-away Trigger, RawAgentInfoJson, AgentActionTriggersJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
// Put the triage columns first; all remaining columns follow.
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, ActionType, OwnerUpn, CreatorUpn, DeveloperName
# Hunting-rule definition: metadata, the KQL text to run, and entity mappings.
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
name: A365 AI Agents - MCP Tool Configured
description: |
This query identifies A365 AI agents that have Model Context Protocol (MCP) tools configured.
MCP tools extend agent capabilities but introduce additional security considerations because they can execute advanced operations and interact with external resources.
If misconfigured or unnecessary, these tools may increase the attack surface and expose sensitive data or functionality.
Recommended Action: Confirm with the agent owner whether the MCP tool is still required. If it is, review its configuration for compliance with security best practices and ensure least privilege access.
Remove any unused or unnecessary MCP tools to reduce risk.
# NOTE(review): left empty although the query reads IdentityInfo and AIAgentsInfo -
# confirm both tables are populated where this rule runs.
requiredDataConnectors: []
# NOTE(review): T1059 is Command and Scripting Interpreter. The query inventories
# configuration (a RemoteMCPServer entry on the agent); it does not observe execution,
# so a hit is a posture finding to review, not evidence that anything ran.
tactics:
- Execution
relevantTechniques:
- T1059
# NOTE(review): the "array_length(AgentActionTriggersJson) > 1" filter in the query drops
# agents whose AgentActionTriggers holds exactly one entry - confirm that is intended.
query: |
let IdentityIdtoUPN = materialize (
IdentityInfo
| distinct AccountObjectId, AccountUpn
| extend AccountObjectId = tostring(AccountObjectId)
| where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
AIAgentsInfo
| where RegistrySource == "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| extend RawAgentInfoJson = parse_json(RawAgentInfo)
| extend DeveloperName = RawAgentInfoJson.developerName
| extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
| extend CreatorId = tostring(RawAgentInfoJson.creatorId)
| join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
| project-rename OwnerUpn = AccountUpn
| join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
| project-rename CreatorUpn = AccountUpn
| where isnotempty(AgentActionTriggers)
| extend AgentActionTriggersJson = parse_json(AgentActionTriggers)
| where array_length(AgentActionTriggersJson) > 1
| mv-expand Trigger = AgentActionTriggersJson
| extend ActionType = Trigger.type
| where ActionType == "RemoteMCPServer"
| project-away Trigger, RawAgentInfoJson, AgentActionTriggersJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, ActionType, OwnerUpn, CreatorUpn, DeveloperName
# NOTE(review): the query computes OwnerUpn and CreatorUpn; CreatorAccountUpn is not
# produced by it. Confirm that column exists and is populated in the result for A365
# agents, or map CreatorUpn instead - otherwise the Account entity stays empty.
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: CreatorAccountUpn
# AIAgentName is the agent's name, not a machine hostname; the Host entity looks like a
# stand-in for the agent - TODO confirm this is the intended mapping.
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: AIAgentName
version: 1.0.0
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
| AIAgentsInfo | Primary table read by the query; confirm it is available where the hunt runs |
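Note: the filters below use columns (ToolName, JobName, UserEmail, TaskName) that the query above neither defines nor references. Treat them as templates and substitute columns present in the result, such as AIAgentName, OwnerUpn or CreatorUpn.
Scenario: Admin configuring MCP tool for internal knowledge base integration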
Filter/Exclusion: where ToolName != "InternalKnowledgeBaseConfigurator"
Scenario: Scheduled job to sync user data with MCP tool for reporting
Filter/Exclusion: where JobName contains "UserSyncJob" and ToolName != "ReportingMCP"
Scenario: IT support team using MCP tool to troubleshoot user issues
Filter/Exclusion: where UserEmail contains "<it-support-address>" and ToolName != "TroubleshootMCP"
Scenario: Regular maintenance task to update MCP tool configurations
Filter/Exclusion: where TaskName contains "MCPConfigUpdate" and ToolName != "ConfigManager"
Scenario: Development team using MCP tool for code documentation and integration
Filter/Exclusion: where UserEmail contains "<dev-team-address>" and ToolName != "CodeDocMCP"