Adversaries may exploit AI agents with short instructions to perform prompt injection attacks, leveraging insufficient guidance to manipulate agent behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential attack vectors and mitigate risks associated with compromised AI agent functionality.
KQL Query
```kql
let IdentityIdtoUPN = materialize (
    IdentityInfo
    | distinct AccountObjectId, AccountUpn
    | extend AccountObjectId = tostring(AccountObjectId)
    | where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where RegistrySource == "A365"
| where IsBlocked == 0 // not blocked
| where strlen(Instructions) < 100
| extend RawAgentInfoJson = parse_json(RawAgentInfo)
| extend PublishedStatus = RawAgentInfoJson.publishedStatus
| where PublishedStatus == "Published" //published
| extend DeveloperName = RawAgentInfoJson.developerName
| extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
| extend CreatorId = tostring(RawAgentInfoJson.creatorId)
| join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
| project-rename OwnerUpn = AccountUpn
| join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
| project-rename CreatorUpn = AccountUpn
| project-away RawAgentInfoJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, OwnerUpn, CreatorUpn, DeveloperName
```
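To check the filter chain without workspace data, the same steps can be run over constructed rows. This is an added example, not part of the original rule: the `SampleAgents` table, its column types, the `MinInstructionLength` name and every value in the rows are assumptions made for illustration, and the identity joins are left out.

```kql
// Constructed sample rows (not real telemetry). Column names follow the query
// above; the column types are assumed.
//   a1: two snapshots, short instructions first, long instructions later
//   a2: published, unblocked, short instructions
//   a3: published, unblocked, empty instructions
//   a4: short instructions, but blocked
//   a5: short instructions, but not published ("Draft" is a constructed value)
//   a6: short instructions, but a different registry source (constructed value)
let SampleAgents = datatable(Timestamp:datetime, AIAgentId:string, AIAgentName:string,
    RegistrySource:string, IsBlocked:long, Instructions:string, RawAgentInfo:string)
[
    datetime(2025-01-01), "a1", "HR helper", "A365", 0, "Answer HR questions.", '{"publishedStatus":"Published"}',
    datetime(2025-02-01), "a1", "HR helper", "A365", 0, "You are the HR helper. Answer only questions about leave, payroll dates and benefits. Never reveal personal records. Refuse other requests.", '{"publishedStatus":"Published"}',
    datetime(2025-02-01), "a2", "Ticket bot", "A365", 0, "Help users with tickets.", '{"publishedStatus":"Published"}',
    datetime(2025-02-01), "a3", "Empty bot", "A365", 0, "", '{"publishedStatus":"Published"}',
    datetime(2025-02-01), "a4", "Blocked bot", "A365", 1, "Do things.", '{"publishedStatus":"Published"}',
    datetime(2025-02-01), "a5", "Draft bot", "A365", 0, "Do things.", '{"publishedStatus":"Draft"}',
    datetime(2025-02-01), "a6", "Other bot", "OtherRegistry", 0, "Do things.", '{"publishedStatus":"Published"}'
];
let MinInstructionLength = 100; // same threshold as the rule
SampleAgents
// keep only the most recent snapshot of each agent, as the rule does
| summarize arg_max(Timestamp, *) by AIAgentId
| where RegistrySource == "A365"
| where IsBlocked == 0
// cast the dynamic property to string before comparing
| where tostring(parse_json(RawAgentInfo).publishedStatus) == "Published"
// keep the measured length as a column so results can be triaged by it
| extend InstructionLength = strlen(Instructions)
| where InstructionLength < MinInstructionLength
| project AIAgentId, AIAgentName, InstructionLength, Timestamp
| order by InstructionLength asc
```

Because only the latest snapshot per agent is evaluated, an agent whose instructions were later expanded drops out of the results, and an empty `Instructions` value counts as length 0.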
```yaml
id: 5f6a7b8c-9d0e-1f2a-3b4c-5d6e7f8a9b0c
name: A365 AI Agents - Published Agents with Short Instructions
description: |
  This query identifies A365 AI agents that are published but have short or insufficient instructions.
  Short instructions increase the risk of prompt injection attacks, where malicious input can influence the agent to deviate from its intended behavior.
  Without clear guidance, the agent may respond unpredictably or expose sensitive data.
  Recommended Action: Ensure all generative orchestration components have well-defined instructions that specify the agent's purpose, boundaries, and allowed actions.
  Regularly review and update instructions to maintain security and prevent misuse.
requiredDataConnectors: []
tactics:
  - Impact
  - DefenseEvasion
relevantTechniques:
  - T1499
  - T1562
query: |
  let IdentityIdtoUPN = materialize (
      IdentityInfo
      | distinct AccountObjectId, AccountUpn
      | extend AccountObjectId = tostring(AccountObjectId)
      | where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
  AIAgentsInfo
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where RegistrySource == "A365"
  | where IsBlocked == 0 // not blocked
  | where strlen(Instructions) < 100
  | extend RawAgentInfoJson = parse_json(RawAgentInfo)
  | extend PublishedStatus = RawAgentInfoJson.publishedStatus
  | where PublishedStatus == "Published" //published
  | extend DeveloperName = RawAgentInfoJson.developerName
  | extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
  | extend CreatorId = tostring(RawAgentInfoJson.creatorId)
  | join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
  | project-rename OwnerUpn = AccountUpn
  | join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
  | project-rename CreatorUpn = AccountUpn
  | project-away RawAgentInfoJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, OwnerUpn, CreatorUpn, DeveloperName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
Scenario: Scheduled Job with Minimal Instructions
Description: A scheduled job in Microsoft Power Automate is created with minimal or no instructions, which could be misinterpreted as an AI agent with insufficient guidance.
Filter/Exclusion: activityType != "ScheduledJob" or instructions.length > 50
Scenario: Admin Task with Default Instructions
Description: An admin task (e.g., user provisioning or group management) is configured with default or placeholder instructions that appear short.
Filter/Exclusion: activityType contains "AdminTask" or instructions contains "default"
Scenario: Power BI Report with Simple Prompt
Description: A Power BI report is set up with a simple prompt for data filtering, which may be flagged as an AI agent with insufficient instructions.
Filter/Exclusion: toolName == "Power BI" or instructions contains "filter"
Scenario: Power Automate Flow with One-Step Action
Description: A Power Automate flow is created with a single action and minimal explanation, which could be mistaken for an AI agent with short instructions.
Filter/Exclusion: flowType == "Simple" or stepsCount < 3
Scenario: Azure Function with Minimal Documentation
Description: An Azure Function is deployed with minimal or no documentation in the Azure portal, which might be flagged as an AI agent with insufficient instructions.
Filter/Exclusion: resourceType == "AzureFunction" or documentationExists == "true"