Adversaries may configure MCP tools in AI agents to exfiltrate data or execute malicious commands through extended agent capabilities. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential misuse of AI agents and mitigate associated security risks.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Action = AgentToolsDetails
| where Action.action.operationDetails["$kind"] == "ModelContextProtocolMetadata"
| extend MCPName = tostring(Action.modelDisplayName)
| summarize MCPTools = make_set(MCPName) by AIAgentName, AIAgentId, EnvironmentId, CreatorAccountUpn
id: 6d8e5f9a-0b1c-2d3e-4f5a-6b7c8d9e0f1a
name: AI Agents - MCP Tool Configured
description: |
  This query identifies Copilot Studio AI agents that have Model Context Protocol (MCP) tools configured.
  MCP tools extend agent capabilities but introduce additional security considerations because they can execute advanced operations and interact with external resources.
  If misconfigured or unnecessary, these tools may increase the attack surface and expose sensitive data or functionality.
  Recommended Action: Confirm with the agent owner whether the MCP tool is still required. If it is, review its configuration for compliance with security best practices and ensure least privilege access.
  Remove any unused or unnecessary MCP tools to reduce risk.
requiredDataConnectors: []
tactics:
  - Execution
relevantTechniques:
  - T1059
query: |
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mvexpand Action = AgentToolsDetails
  | where Action.action.operationDetails["$kind"] == "ModelContextProtocolMetadata"
  | extend MCPName = tostring(Action.modelDisplayName)
  | summarize MCPTools = make_set(MCPName) by AIAgentName, AIAgentId, EnvironmentId, CreatorAccountUpn
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
Scenario: Admin configuring MCP tool for internal documentation tool
Description: An administrator is setting up an MCP tool to integrate with an internal documentation platform like Azure DevDocs or Confluence.
Filter/Exclusion: Exclude events where the MCP tool is associated with internal documentation tools or where the configuration is done by a known admin account with elevated privileges.
Scenario: Scheduled job using MCP tool for data enrichment
Description: A scheduled job runs daily to fetch and process data from an external API using an MCP tool for data enrichment purposes.
Filter/Exclusion: Exclude events where the MCP tool is used in scheduled jobs with known job names or execution times, and where the API is whitelisted.
Scenario: MCP tool used for internal code review tool integration
Description: A developer is configuring an MCP tool to integrate with an internal code review tool like GitHub Enterprise or Azure DevOps for enhanced collaboration.
Filter/Exclusion: Exclude events where the MCP tool is linked to code review platforms or where the user has a role such as “Developer” or “Code Reviewer.”
Scenario: MCP tool configured for internal analytics dashboard
Description: A data analyst configures an MCP tool to connect to an internal analytics dashboard for real-time data visualization.
Filter/Exclusion: Exclude events where the MCP tool is associated with internal analytics platforms or where the user has a role such as “Data Analyst” or “Business Intelligence.”
Scenario: MCP tool used for internal CI/CD pipeline integration
Description: A DevOps engineer is setting up an MCP tool to integrate with an internal CI/CD pipeline for automated testing and deployment.
Filter/Exclusion: Exclude events where the MCP tool is linked to CI/CD platforms like Jenkins, GitLab CI, or Azure DevOps, and where the user has a DevOps-related role.
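The following is an added example, not part of the original hunting query page or of Microsoft's code. It emulates the KQL pipeline above in Python over a handful of constructed AIAgentsInfo rows (column names taken from the query; every value, agent id, UPN and tool name is invented), so the stages can be checked one at a time: the arg_max latest-snapshot step, the Deleted and A365 filters, the expansion of AgentToolsDetails, the "$kind" match, and the make_set per agent. It then applies the kind of tuning the scenarios describe, using the two signals the query actually outputs, an allowlist of approved MCP tool display names and a set of known administrator accounts; role-based exclusions would need a join against a directory source the page does not include.

```python
from datetime import datetime

# Constructed sample rows shaped like the AIAgentsInfo columns the KQL references.
# All ids, names, UPNs and tool names are invented for this example.
AI_AGENTS_INFO = [
    {   # Current snapshot of agent-001: only an approved documentation MCP tool.
        "Timestamp": datetime(2024, 5, 2, 9, 0), "AIAgentId": "agent-001",
        "AIAgentName": "HR Helper", "EnvironmentId": "env-prod",
        "CreatorAccountUpn": "alice@example.com", "RegistrySource": "CopilotStudio",
        "AgentStatus": "Active",
        "AgentToolsDetails": [
            {"action": {"operationDetails": {"$kind": "ModelContextProtocolMetadata"}},
             "modelDisplayName": "Confluence Docs MCP"},
            {"action": {"operationDetails": {"$kind": "ConnectorMetadata"}},
             "modelDisplayName": "SharePoint"},
        ],
    },
    {   # Older snapshot of agent-001 with a different tool; arg_max(Timestamp, *) must drop it.
        "Timestamp": datetime(2024, 5, 1, 9, 0), "AIAgentId": "agent-001",
        "AIAgentName": "HR Helper", "EnvironmentId": "env-prod",
        "CreatorAccountUpn": "alice@example.com", "RegistrySource": "CopilotStudio",
        "AgentStatus": "Active",
        "AgentToolsDetails": [
            {"action": {"operationDetails": {"$kind": "ModelContextProtocolMetadata"}},
             "modelDisplayName": "Shell Runner MCP"},
        ],
    },
    {   # Deleted agent: filtered out by AgentStatus.
        "Timestamp": datetime(2024, 5, 2, 9, 0), "AIAgentId": "agent-002",
        "AIAgentName": "Old Bot", "EnvironmentId": "env-prod",
        "CreatorAccountUpn": "bob@example.com", "RegistrySource": "CopilotStudio",
        "AgentStatus": "Deleted",
        "AgentToolsDetails": [
            {"action": {"operationDetails": {"$kind": "ModelContextProtocolMetadata"}},
             "modelDisplayName": "Ticketing MCP"},
        ],
    },
    {   # Active agent with an MCP tool that is not on the allowlist: should be flagged.
        "Timestamp": datetime(2024, 5, 2, 9, 0), "AIAgentId": "agent-003",
        "AIAgentName": "Ticket Bot", "EnvironmentId": "env-prod",
        "CreatorAccountUpn": "bob@example.com", "RegistrySource": "CopilotStudio",
        "AgentStatus": "Active",
        "AgentToolsDetails": [
            {"action": {"operationDetails": {"$kind": "ModelContextProtocolMetadata"}},
             "modelDisplayName": "Ticketing MCP"},
        ],
    },
    {   # A365 registry source: excluded by the first where clause.
        "Timestamp": datetime(2024, 5, 2, 9, 0), "AIAgentId": "agent-004",
        "AIAgentName": "Mail Agent", "EnvironmentId": "env-prod",
        "CreatorAccountUpn": "carol@example.com", "RegistrySource": "A365",
        "AgentStatus": "Active",
        "AgentToolsDetails": [
            {"action": {"operationDetails": {"$kind": "ModelContextProtocolMetadata"}},
             "modelDisplayName": "Ticketing MCP"},
        ],
    },
    {   # Same unapproved tool, but configured by a known admin account (scenario 1 exclusion).
        "Timestamp": datetime(2024, 5, 2, 9, 0), "AIAgentId": "agent-005",
        "AIAgentName": "Ops Agent", "EnvironmentId": "env-prod",
        "CreatorAccountUpn": "admin@example.com", "RegistrySource": "CopilotStudio",
        "AgentStatus": "Active",
        "AgentToolsDetails": [
            {"action": {"operationDetails": {"$kind": "ModelContextProtocolMetadata"}},
             "modelDisplayName": "Ticketing MCP"},
        ],
    },
]

MCP_KIND = "ModelContextProtocolMetadata"


def latest_per_agent(rows):
    """Emulates `summarize arg_max(Timestamp, *) by AIAgentId`: keep the newest row per agent."""
    latest = {}
    for row in rows:
        current = latest.get(row["AIAgentId"])
        if current is None or row["Timestamp"] > current["Timestamp"]:
            latest[row["AIAgentId"]] = row
    return list(latest.values())


def mcp_tools_per_agent(rows):
    """Emulates the page's KQL end to end; returns {(name, id, env, creator): set(MCP tool names)}."""
    not_a365 = (r for r in rows if r.get("RegistrySource") != "A365")  # where RegistrySource != "A365"
    findings = {}
    for row in latest_per_agent(not_a365):
        if row.get("AgentStatus") == "Deleted":                          # where AgentStatus != "Deleted"
            continue
        for action in row.get("AgentToolsDetails") or []:                # mvexpand Action = AgentToolsDetails
            kind = action.get("action", {}).get("operationDetails", {}).get("$kind")
            if kind != MCP_KIND:                                         # where ...["$kind"] == MCP_KIND
                continue
            key = (row["AIAgentName"], row["AIAgentId"], row["EnvironmentId"], row["CreatorAccountUpn"])
            findings.setdefault(key, set()).add(str(action.get("modelDisplayName", "")))  # make_set
    return findings


# Constructed tuning lists, standing in for the allowlists a SOC would maintain.
APPROVED_MCP_TOOLS = {"Confluence Docs MCP", "Azure DevOps MCP"}
APPROVED_CREATORS = {"admin@example.com"}


def needs_review(findings, approved_tools=APPROVED_MCP_TOOLS, approved_creators=APPROVED_CREATORS):
    """Apply the scenario-style exclusions; returns only agents with MCP tools still needing owner confirmation."""
    flagged = {}
    for key, tools in findings.items():
        if key[3] in approved_creators:          # configured by a known admin account
            continue
        unexpected = tools - approved_tools      # every tool on the allowlist -> nothing to review
        if unexpected:
            flagged[key] = sorted(unexpected)
    return flagged


if __name__ == "__main__":
    for key, tools in needs_review(mcp_tools_per_agent(AI_AGENTS_INFO)).items():
        print(f"{key[0]} ({key[1]}) created by {key[3]} has unreviewed MCP tools: {tools}")
```

Keeping the exclusions in a second function rather than folding them into the base query mirrors how you would tune the real rule: the hunting query stays broad, and allowlisted tool names or creator accounts are removed in a final `where MCPName !in (...)` style step that can be reviewed and versioned separately.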