This query identifies AI agents that remain unpublished and have not been modified for at least 30 days. While these agents may not pose an immediate security threat, they can create operational inef
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| where AgentStatus == "Created" and AgentCreationTime < ago(30d) and LastModifiedTime < ago(30d)
id: 7c0f3a6b-9d2e-1f4a-5b7c-8d0e2f5a8b1c
name: AI Agents - Unpublished Unmodified (30d)
description: |
  This query identifies AI agents that remain unpublished and have not been modified for at least 30 days.
  While these agents may not pose an immediate security threat, they can create operational inefficiencies and increase clutter in the environment.
  Unmaintained agents might also contain outdated configurations or sensitive connection details that were never properly retired, which could become a risk if the agent is later published without review.
  Recommended Action: Review these agents to determine if they should be published, updated, or removed. Regular cleanup helps maintain a secure and organized environment.
requiredDataConnectors: []
tactics: []
relevantTechniques: []
query: |
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | where AgentStatus == "Created" and AgentCreationTime < ago(30d) and LastModifiedTime < ago(30d)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0