What Changed

The “Orphaned AI Agents” hunting query was updated to reference AccountUpn instead of AccountUPN in the distinct operation over the IdentityInfo table.

Detection Logic

The query identifies AI agents that may be orphaned by correlating:

  • Enabled user accounts from the IdentityInfo table (IsAccountEnabled == 1)
  • AI agent records from the AIAgentsInfo table that are not marked as deleted
  • Entity mapping of the AI agent name to a hostname, so the investigation workflow can pivot from a result to the host

The core logic joins these datasets to surface AI agents potentially lacking proper account association or oversight.
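The shape of that join, as an added illustration and not the repository's OrphanedAIAgents.yaml: the IdentityInfo columns (AccountUpn, IsAccountEnabled) are real, while the AIAgentsInfo column names (AgentName, AgentId, OwnerUpn, IsDeleted, DeviceName) are assumed placeholders standing in for whatever the actual schema exposes.

```kql
// Added illustration of the query's structure; not the repository's own query.
// AIAgentsInfo column names below are assumptions, not the documented schema.
let EnabledAccounts = IdentityInfo
    | where IsAccountEnabled == 1
    // KQL column names are case-sensitive: AccountUPN would fail validation,
    // AccountUpn is the column IdentityInfo actually carries.
    | distinct AccountUpn;
AIAgentsInfo
| where IsDeleted == false                       // assumed column: skip deleted agents
// leftanti keeps agents whose owner is NOT an enabled account: the orphan candidates
| join kind=leftanti EnabledAccounts on $left.OwnerUpn == $right.AccountUpn
| project AgentName, AgentId, OwnerUpn, DeviceName  // DeviceName feeds the hostname entity mapping
```

Validating the query against the target workspace before merging catches this class of error: a misspelled or wrong-case column fails at parse time rather than silently returning nothing.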

Security Impact

Per PR discussion: The original query was failing KQL validation because of a case-sensitive field name mismatch (KQL column names are case-sensitive, and the IdentityInfo column is AccountUpn, not AccountUPN). Deployments running the broken version would have had zero results from this hunting query, creating a blind spot for detecting orphaned AI agents that could represent unauthorized automation or compromised service accounts.

This fix restores the ability to identify AI agents operating without proper account linkage, which is critical for maintaining visibility into automated systems and preventing unauthorized AI agent deployment.

Affected Files

Hunting Queries/AI Agents/OrphanedAIAgents.yaml