Adversaries may leverage maker credentials in Copilot Studio to deploy malicious MCP tools with elevated privileges, enabling persistence and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential compromise of AI agent environments.
KQL Query
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Action = AgentToolsDetails
| where Action.action.operationDetails["$kind"] == "ModelContextProtocolMetadata"
| where Action.action.connectionProperties.mode == "Maker"
| extend MCPName = tostring(Action.modelDisplayName)
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, MCPName
id: 7e9f6a0b-1c2d-3e4f-5a6b-7c8d9e0f1a2b
name: Copilot Studio AI Agents - MCP Tool with Maker Credentials
description: |
  Identifies Copilot Studio AI agents with Model Context Protocol (MCP) tools configured using maker credentials.
  This configuration can create security risks because the tool runs with the maker's personal permissions.
  Any user interacting with the agent could indirectly gain access to resources the maker can access.
  If compromised, the agent could be used to perform actions with the maker's privileges.
  Recommended Action: Replace maker credentials with secure alternatives like managed identities or service principals.
requiredDataConnectors: []
tactics:
  - CredentialAccess
  - PrivilegeEscalation
relevantTechniques:
  - T1078
  - T1552
query: |
  AIAgentsInfo
  | where RegistrySource != "A365"
  | summarize arg_max(Timestamp, *) by AIAgentId
  | where AgentStatus != "Deleted"
  | mvexpand Action = AgentToolsDetails
  | where Action.action.operationDetails["$kind"] == "ModelContextProtocolMetadata"
  | where Action.action.connectionProperties.mode == "Maker"
  | extend MCPName = tostring(Action.modelDisplayName)
  | project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, MCPName
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: CreatorAccountUpn
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: AIAgentName
version: 1.0.0
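
One way to exercise the rule's filters before deploying it, added here as an example and not part of the original rule: a `let` statement shadows `AIAgentsInfo` with constructed rows, one agent per filter stage (registry exclusion, latest-snapshot selection, deleted status, tool kind, connection mode), and the rule's query then runs unchanged. Assumptions: the helper columns `ToolKind` and `ToolMode`, every sample value other than "A365", "Deleted", "Maker" and "ModelContextProtocolMetadata", and the dynamic-array types used for `OwnerAccountUpns` and `AgentToolsDetails`.

```kql
// Constructed sample data. Column names and JSON paths come from the rule's query;
// values such as "SampleActive", "SampleRegistry" and "SampleOtherMode" are made up.
let AIAgentsInfo = datatable(Timestamp: datetime, AIAgentId: string, AIAgentName: string,
    AgentStatus: string, RegistrySource: string, CreatorAccountUpn: string,
    ToolKind: string, ToolMode: string)
[
    // agent-1: older snapshot in another mode, latest snapshot in Maker mode
    datetime(2025-01-01), "agent-1", "sample-agent-1", "SampleActive", "SampleRegistry", "maker1@example.test", "ModelContextProtocolMetadata", "SampleOtherMode",
    datetime(2025-01-05), "agent-1", "sample-agent-1", "SampleActive", "SampleRegistry", "maker1@example.test", "ModelContextProtocolMetadata", "Maker",
    // agent-2: Maker mode in the past, reconfigured in the latest snapshot
    datetime(2025-01-01), "agent-2", "sample-agent-2", "SampleActive", "SampleRegistry", "maker2@example.test", "ModelContextProtocolMetadata", "Maker",
    datetime(2025-01-05), "agent-2", "sample-agent-2", "SampleActive", "SampleRegistry", "maker2@example.test", "ModelContextProtocolMetadata", "SampleOtherMode",
    // agent-3: Maker mode while active, latest snapshot is Deleted
    datetime(2025-01-01), "agent-3", "sample-agent-3", "SampleActive", "SampleRegistry", "maker3@example.test", "ModelContextProtocolMetadata", "Maker",
    datetime(2025-01-05), "agent-3", "sample-agent-3", "Deleted", "SampleRegistry", "maker3@example.test", "ModelContextProtocolMetadata", "Maker",
    // agent-4: Maker mode, but registered under the excluded A365 source
    datetime(2025-01-05), "agent-4", "sample-agent-4", "SampleActive", "A365", "maker4@example.test", "ModelContextProtocolMetadata", "Maker",
    // agent-5: Maker mode on a tool whose $kind is not the MCP kind
    datetime(2025-01-05), "agent-5", "sample-agent-5", "SampleActive", "SampleRegistry", "maker5@example.test", "SampleOtherKind", "Maker"
]
// Rebuild the nested AgentToolsDetails shape that the rule's query navigates
| extend AgentToolsDetails = pack_array(bag_pack(
    "modelDisplayName", strcat("sample-mcp-", AIAgentId),
    "action", bag_pack(
        "operationDetails", bag_pack("$kind", ToolKind),
        "connectionProperties", bag_pack("mode", ToolMode))))
| extend AgentCreationTime = datetime(2025-01-01), OwnerAccountUpns = pack_array(CreatorAccountUpn)
| project-away ToolKind, ToolMode;
// The rule's query, unchanged, now reading the constructed table above
AIAgentsInfo
| where RegistrySource != "A365"
| summarize arg_max(Timestamp, *) by AIAgentId
| where AgentStatus != "Deleted"
| mvexpand Action = AgentToolsDetails
| where Action.action.operationDetails["$kind"] == "ModelContextProtocolMetadata"
| where Action.action.connectionProperties.mode == "Maker"
| extend MCPName = tostring(Action.modelDisplayName)
| project-reorder AgentCreationTime, AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns, MCPName
```

Removing the `let` statement runs the same query against the real table.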
Scenario: A system administrator configures a scheduled job to refresh data using the MCP tool with maker credentials for reporting purposes.
Filter/Exclusion: process.name != "scheduled_job_refresh" or process.command_line NOT LIKE '%refresh_data%'
Scenario: A developer uses the MCP tool with maker credentials to test a new AI agent configuration in a development environment.
Filter/Exclusion: process.user != "dev_user" or process.directory NOT LIKE '%/dev_env%'
Scenario: An admin task runs a script that leverages the MCP tool with maker credentials to update agent configurations across multiple environments.
Filter/Exclusion: process.name != "agent_config_update" or process.user != "admin_user"
Scenario: A CI/CD pipeline deploys a new AI agent using the MCP tool with maker credentials as part of an automated deployment process.
Filter/Exclusion: process.command_line NOT LIKE '%ci_cd_pipeline%' or process.user != "ci_cd_service"
Scenario: A support team member uses the MCP tool with maker credentials to troubleshoot an AI agent that is not responding, as part of a standard support procedure.
Filter/Exclusion: process.user != "support_team" or process.directory NOT LIKE '%/support_tools%'