Adversaries may exploit published A365 AI agents that have no configured instructions to inject malicious prompts and manipulate agent responses. SOC teams should proactively hunt for this condition in Azure Sentinel to identify agents exposed to prompt injection and mitigate the risk of unauthorized influence over AI agent operations.
KQL Query
```kql
let IdentityIdtoUPN = materialize (
    IdentityInfo
    | distinct AccountObjectId, AccountUpn
    | extend AccountObjectId = tostring(AccountObjectId)
    | where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId
| where RegistrySource == "A365"
| where IsBlocked == 0 // not blocked
| where isnotnull(Instructions)
| where isempty(Instructions) or Instructions == "N/A"
| extend RawAgentInfoJson = parse_json(RawAgentInfo)
| extend DeveloperName = RawAgentInfoJson.developerName
| extend PublishedStatus = RawAgentInfoJson.publishedStatus
| where PublishedStatus == "Published" // published
| extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
| extend CreatorId = tostring(RawAgentInfoJson.creatorId)
| join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
| project-rename OwnerUpn = AccountUpn
| join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
| project-rename CreatorUpn = AccountUpn
| project-away RawAgentInfoJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, Instructions, OwnerUpn, CreatorUpn, DeveloperName
```
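To check the filter logic before running it against production data, the core of the query can be run over an inline `datatable`. This is an added example, not part of the original rule: every row is constructed, the column types are assumptions, and the `StrictHit` variant (whitespace trimming and a case-insensitive "N/A" match) goes beyond the page's filter.

```kql
// Constructed sample rows: column names follow the query above, values are invented.
// Assumed types: IsBlocked as long, Instructions and RawAgentInfo as string.
let AIAgentsInfo = datatable(Timestamp:datetime, AIAgentId:string, AIAgentName:string,
    RegistrySource:string, IsBlocked:long, Instructions:string, RawAgentInfo:string)
[
    // agent-1: empty instructions in the older snapshot, populated in the newer one
    datetime(2025-01-01), "agent-1", "ReportBot", "A365", 0, "", '{"publishedStatus":"Published"}',
    datetime(2025-01-02), "agent-1", "ReportBot", "A365", 0, "Summarize sales reports only.", '{"publishedStatus":"Published"}',
    // agent-2: published with the "N/A" placeholder
    datetime(2025-01-02), "agent-2", "HelpdeskBot", "A365", 0, "N/A", '{"publishedStatus":"Published"}',
    // agent-3: published with whitespace-only instructions
    datetime(2025-01-02), "agent-3", "OnboardBot", "A365", 0, "   ", '{"publishedStatus":"Published"}',
    // agent-4: published with a lowercase placeholder
    datetime(2025-01-02), "agent-4", "CodeScanBot", "A365", 0, "n/a", '{"publishedStatus":"Published"}',
    // agent-5: empty instructions, but blocked
    datetime(2025-01-02), "agent-5", "OldBot", "A365", 1, "", '{"publishedStatus":"Published"}',
    // agent-6: empty instructions, but not published
    datetime(2025-01-02), "agent-6", "DraftBot", "A365", 0, "", '{"publishedStatus":"Draft"}'
];
AIAgentsInfo
| summarize arg_max(Timestamp, *) by AIAgentId   // keep only the latest snapshot per agent
| where RegistrySource == "A365" and IsBlocked == 0
| extend PublishedStatus = tostring(parse_json(RawAgentInfo).publishedStatus)
| where PublishedStatus == "Published"
// PageHit reproduces the instructions filter from the query above.
| extend PageHit = isempty(Instructions) or Instructions == "N/A"
// StrictHit (added variant): trim surrounding whitespace, compare case-insensitively.
| extend Trimmed = trim(@"\s+", Instructions)
| extend StrictHit = isempty(Trimmed) or Trimmed =~ "N/A"
| where PageHit or StrictHit
| project AIAgentId, AIAgentName, Instructions, PageHit, StrictHit
| sort by AIAgentId asc
```

Rows where `PageHit` is false but `StrictHit` is true are agents whose instructions are effectively empty yet pass the original filter.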
```yaml
id: 3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d
name: A365 AI Agents - Published Agents without Instructions
description: |
  This query identifies A365 AI agents that are published but lack configured instructions.
  Missing instructions increase the risk of prompt injection attacks, where malicious input can influence the agent to deviate from its intended behavior.
  Without clear guidance, the agent may respond unpredictably or expose sensitive data.
  Recommended Action: Ensure all generative orchestration components have well-defined instructions that specify the agent's purpose, boundaries, and allowed actions.
  Regularly review and update instructions to maintain security and prevent misuse.
requiredDataConnectors: []
tactics:
  - Impact
  - DefenseEvasion
relevantTechniques:
  - T1499
  - T1562
query: |
  let IdentityIdtoUPN = materialize (
      IdentityInfo
      | distinct AccountObjectId, AccountUpn
      | extend AccountObjectId = tostring(AccountObjectId)
      | where isnotempty(AccountObjectId) and isnotempty(AccountUpn));
  AIAgentsInfo
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where RegistrySource == "A365"
  | where IsBlocked == 0 // not blocked
  | where isnotnull(Instructions)
  | where isempty(Instructions) or Instructions == "N/A"
  | extend RawAgentInfoJson = parse_json(RawAgentInfo)
  | extend DeveloperName = RawAgentInfoJson.developerName
  | extend PublishedStatus = RawAgentInfoJson.publishedStatus
  | where PublishedStatus == "Published" // published
  | extend OwnerId = tostring(RawAgentInfoJson.owners[0].entityId)
  | extend CreatorId = tostring(RawAgentInfoJson.creatorId)
  | join kind=leftouter IdentityIdtoUPN on $left.OwnerId == $right.AccountObjectId
  | project-rename OwnerUpn = AccountUpn
  | join kind=leftouter IdentityIdtoUPN on $left.CreatorId == $right.AccountObjectId
  | project-rename CreatorUpn = AccountUpn
  | project-away RawAgentInfoJson, OwnerId, CreatorId, AccountObjectId, AccountObjectId1
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, Instructions, OwnerUpn, CreatorUpn, DeveloperName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
Scenario: A system administrator publishes a new AI agent for a scheduled job to automate report generation, but forgets to configure instructions during setup.
Filter/Exclusion: where ActivityDisplayName != "Publish AI Agent for Report Generation"
Scenario: A developer creates a temporary AI agent to test a new feature in Microsoft Power Automate, publishes it, but removes the instructions before final deployment.
Filter/Exclusion: where ActivityDisplayName != "Test AI Agent in Power Automate"
Scenario: An IT admin publishes an AI agent as part of a standard user onboarding process, but the instructions are not yet populated due to a workflow delay.
Filter/Exclusion: where ActivityDisplayName != "Onboard New User with AI Agent"
Scenario: A DevOps team deploys a CI/CD pipeline using Azure DevOps and includes an AI agent for code analysis, but the instructions field is left blank during initial deployment.
Filter/Exclusion: where ActivityDisplayName != "Deploy Code Analysis AI Agent via Azure DevOps"
Scenario: A security team publishes an AI agent for threat detection in Microsoft Defender for Endpoint, but the instructions are not yet configured as part of a phased rollout.
Filter/Exclusion: where ActivityDisplayName != "Threat Detection AI Agent - Phase 1 Deployment"