What Changed

Twenty-six connector-specific hunting queries targeting AIAgentsInfo (split across A365 Connector/ and Copilot Studio Connector/ subfolders) have been deleted and replaced by 7 unified queries directly under Hunting Queries/AI Agents/, all targeting the consolidated AgentsInfo Defender XDR table.

This is not a simple rename. The old queries queried a per-connector-scoped table; the new queries query a unified table and resolve owner object IDs to UPNs via IdentityInfo join, deduplicate to latest agent state via summarize arg_max(Timestamp, *) by AgentId, and filter out LifecycleStatus == Deleted agents.

Detection Logic

Primary data source: AgentsInfo (Defender XDR unified table)
Identity enrichment: IdentityInfo joined on AccountObjectId to resolve the owner UPN

The 7 unified queries and their KQL logic:

Query                                  Primary Signal
-------------------------------------  ------------------------------------------------------------
AgentsInfoMCPToolConfigured            Agents with ActionType == RemoteMCPServer configured
AgentsInfoHardCodedCredentials         Agent fields match regex for AWS keys, GCP tokens, Slack tokens, GitHub tokens, Stripe keys, SendGrid keys, Telegram bot tokens, JWTs, Basic auth headers, and URL-embedded credentials
AgentsInfoNoInstructions               Published agents (LifecycleStatus != Deleted) with empty Instructions field
AgentsInfoShortInstructions            Published agents where strlen(Instructions) < 50
AgentsInfoMissingToolsInInstructions   Agents where declared tools in AgentToolsDetails are absent from Instructions text
AgentsInfoOrphanedAgents               Agents whose owner AccountObjectId has no matching AccountUpn in IdentityInfo (disabled/deleted account)
AgentsInfoOrganizationWideShared       Agents where SharedWith == *

The credential regex was tightened from the A365 connector version to eliminate false positives from URL-credential pattern matches in JSON manifests.
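The shared skeleton behind the unified queries (latest-state dedupe, deleted-agent filter, owner UPN resolution via IdentityInfo), shown as an added example rather than a query copied from the repository; it also flags the AgentsInfoOrphanedAgents condition. Column names AgentId, Timestamp, LifecycleStatus and AccountObjectId on AgentsInfo and AccountObjectId/AccountUpn on IdentityInfo come from the description above; the IdentityInfo dedupe step and the OwnerStatus/OwnerUpn names are assumptions made here.

```kql
// Step 1: collapse AgentsInfo to the most recent record per agent and drop
// agents the registry already marks as deleted (mirrors the description above).
let LatestAgents =
    AgentsInfo
    | summarize arg_max(Timestamp, *) by AgentId
    | where LifecycleStatus != "Deleted";
// Step 2: build an AccountObjectId -> UPN lookup. IdentityInfo can carry
// several snapshots per account, so keep only the newest one (assumption).
let OwnerIdentities =
    IdentityInfo
    | where isnotempty(AccountObjectId) and isnotempty(AccountUpn)
    | summarize arg_max(Timestamp, AccountUpn) by AccountObjectId
    | project AccountObjectId, OwnerUpn = AccountUpn;
// Step 3: enrich every live agent with its owner's UPN. A leftouter join keeps
// agents whose owner has no identity row; those are the orphaned agents.
LatestAgents
| join kind=leftouter OwnerIdentities on AccountObjectId
| extend OwnerStatus = iff(isempty(OwnerUpn), "Orphaned", "Resolved")
| project Timestamp, AgentId, LifecycleStatus, AccountObjectId, OwnerUpn, OwnerStatus
// Append "| where OwnerStatus == 'Orphaned'" to reduce this to the
// AgentsInfoOrphanedAgents signal only.
```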

Security Impact

Orgs that deployed the previous connector-specific queries against AIAgentsInfo need to update to these unified queries. The old queries:

  • Targeted a connector-specific table that no longer reflects the unified agent registry
  • Were split 9 A365 / 17 Copilot Studio – coverage was asymmetric and non-overlapping
  • Did not perform LifecycleStatus filtering, meaning deleted agents could inflate results

The AgentsInfoOrphanedAgents query is particularly high-value for privilege hygiene: agents owned by disabled accounts retain their permissions and published state in the unified registry unless explicitly removed.

The MCP tool detection (AgentsInfoMCPToolConfigured) surfaces agents with external tool integrations that can execute code or access resources outside the M365 boundary – a direct lateral movement / exfiltration surface.

Note: the retired A365 connector queries covered HTTP non-HTTPS (T1071) and non-standard port (T1041) signalling. These detection angles are not replicated in the 7 new unified queries – verify whether equivalents will be added to avoid a coverage gap.

MITRE Mapping

  • T1552 – Unsecured Credentials: AgentsInfoHardCodedCredentials
  • T1078 – Valid Accounts: AgentsInfoOrphanedAgents (orphaned agent owner accounts)
  • T1059 – Command and Scripting Interpreter: AgentsInfoMCPToolConfigured (MCP tools enabling external code execution)
  • T1562 – Impair Defenses: AgentsInfoNoInstructions / AgentsInfoShortInstructions (agents with no guardrails, exploitable via prompt injection)
  • T1071 / T1041 – Application Layer Protocol / Exfiltration Over C2: covered by now-retired A365 connector queries; not present in new unified set

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/AgentsInfo.json
Hunting Queries/AI Agents/A365 Connector/AIAgentsHTTPNonHTTPS.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsHTTPNonStandardPorts.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsHardCodedCredentials.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsMCPToolConfigured.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsMissingToolsInInstructions.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsNoInstructions.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsPubliclyShared.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsShortInstructions.yaml
Hunting Queries/AI Agents/A365 Connector/OrphanedAIAgents.yaml
Hunting Queries/AI Agents/AgentsInfoHardCodedCredentials.yaml
Hunting Queries/AI Agents/AgentsInfoMCPToolConfigured.yaml
Hunting Queries/AI Agents/AgentsInfoMissingToolsInInstructions.yaml
Hunting Queries/AI Agents/AgentsInfoNoInstructions.yaml
Hunting Queries/AI Agents/AgentsInfoOrganizationWideShared.yaml
Hunting Queries/AI Agents/AgentsInfoOrphanedAgents.yaml
Hunting Queries/AI Agents/AgentsInfoShortInstructions.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsEmailAIControlledInputs.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsEmailExternalMailbox.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsGenerativeOrchestrationNoInstructions.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHTTPConnectorEndpoints.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHTTPNonHTTPS.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHTTPNonStandardPorts.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHardCodedCredentials.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsMCPToolConfigured.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsMCPToolMakerCredentials.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsOrganizationWideShared.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsUnusedActions.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/DormantAuthorAuthenticationAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/NoAuthenticationRequiredAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/OrphanedAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/PublishedAIAgentsAuthorAuthentication.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/PublishedDormantAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/UnpublishedUnmodifiedAIAgents.yaml