What Changed
Agent 365 solution version 3.1.0 adds the Microsoft Agent Identities data connector as Public Preview. The solution previously shipped a single connector; it now bundles two distinct data sources under the Agent 365 umbrella.
Data Source
The Microsoft Agent Identities connector ingests Entra non-human identity (NHI) asset data into Microsoft Sentinel. The connector focuses on agent identity management, blueprint tracking, and ownership correlation across enterprise environments.
Ingestion Mechanism
The connector uses the type “EntraNHIAssets” with Microsoft-managed ingestion, which requires GlobalAdmin or SecurityAdmin permissions. Data flows into four distinct tables:
- EntraAgentIdentities — core agent identity records
- EntraAgentIdentityBlueprintPrincipals — blueprint-to-principal mappings
- EntraAgentIdentityBlueprints — agent blueprint definitions
- EntraAgentUsers — associated user identity context
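A post-enablement check that all four tables are receiving data, as an added example that is not part of the solution's own content. It assumes each table carries the standard Log Analytics TimeGenerated column; the 7-day lookback and the names `lookback`, `expected` and `observed` are chosen here for illustration.

```kusto
// Added example: ingestion health check for the four Agent Identities tables.
// Assumption: every table exposes the standard TimeGenerated column.
let lookback = 7d;
// Table names as listed for the EntraNHIAssets connector.
let expected = datatable(SourceTable: string) [
    "EntraAgentIdentities",
    "EntraAgentIdentityBlueprintPrincipals",
    "EntraAgentIdentityBlueprints",
    "EntraAgentUsers"
];
let observed =
    union isfuzzy=true withsource=SourceTable
        // Empty leg so the union still resolves if none of the tables exist yet.
        (datatable(TimeGenerated: datetime) []),
        EntraAgentIdentities,
        EntraAgentIdentityBlueprintPrincipals,
        EntraAgentIdentityBlueprints,
        EntraAgentUsers
    | where TimeGenerated > ago(lookback)
    | summarize Records = count(), LastIngested = max(TimeGenerated) by SourceTable;
// Left outer join keeps tables with no rows (or not yet created) in the output.
expected
| join kind=leftouter observed on SourceTable
| project SourceTable,
          Records = coalesce(Records, long(0)),
          LastIngested
| extend Status = iff(Records == 0, "no data in lookback", "ingesting")
| order by SourceTable asc
```

A table reported as "no data in lookback" is either not yet created in the workspace or has received nothing in the window, which is worth resolving before building correlation rules on it.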
Detection Surface Unlocked
This data source enables correlation of agent identity activity with security events, providing visibility into:
- Non-human identity privilege escalation and lateral movement patterns
- Agent blueprint misuse or unauthorized modifications
- Identity governance gaps in automated service accounts
- Asset ownership tracking for incident response attribution
No bundled detections are included with the initial Public Preview release.
Affected Files
Solutions/Agent 365/Data Connectors/EntraNHIAssets_DataConnectorDefinition.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_A365.json, createUiDefinition.json, mainTemplate.json)