What Changed
Twenty-six connector-specific hunting queries targeting AIAgentsInfo (split across A365 Connector/ and Copilot Studio Connector/ subfolders) have been deleted and replaced by 7 unified queries directly under Hunting Queries/AI Agents/, all targeting the consolidated AgentsInfo Defender XDR table.
This is not a simple rename. The old queries read a per-connector-scoped table; the new queries read the unified table, resolve owner object IDs to UPNs via an IdentityInfo join, deduplicate to each agent's latest state with summarize arg_max(Timestamp, *) by AgentId, and exclude agents whose LifecycleStatus == Deleted.
Detection Logic
Primary data source: AgentsInfo (Defender XDR unified table)
Identity enrichment: IdentityInfo joined on AccountObjectId to resolve the owner UPN
The 7 unified queries and their KQL logic:
| Query | Primary Signal |
|---|---|
| AgentsInfoMCPToolConfigured | Agents with ActionType == RemoteMCPServer configured |
| AgentsInfoHardCodedCredentials | Agent fields match regex for AWS keys, GCP tokens, Slack tokens, GitHub tokens, Stripe keys, SendGrid keys, Telegram bot tokens, JWTs, Basic auth headers, and URL-embedded credentials |
| AgentsInfoNoInstructions | Published agents (LifecycleStatus != Deleted) with empty Instructions field |
| AgentsInfoShortInstructions | Published agents where strlen(Instructions) < 50 |
| AgentsInfoMissingToolsInInstructions | Agents where declared tools in AgentToolsDetails are absent from Instructions text |
| AgentsInfoOrphanedAgents | Agents whose owner AccountObjectId has no matching AccountUpn in IdentityInfo (disabled/deleted account) |
| AgentsInfoOrganizationWideShared | Agents where SharedWith == * |
The credential regex was tightened from the A365 connector version to eliminate false positives from URL-credential pattern matches in JSON manifests.
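The shared skeleton the unified queries follow (latest-state dedupe, lifecycle filter, IdentityInfo join), written out for the orphaned-owner case as an added illustration rather than one of the repository's own queries. It assumes the owner object ID lives in an AgentsInfo column named AccountObjectId and that IdentityInfo exposes AccountObjectId and AccountUpn.

```kql
// Added illustration of the unified-query pattern; not a query from the PR.
// Assumption: AgentsInfo stores the owner object ID in AccountObjectId.
let LatestAgents =
    AgentsInfo
    // Collapse the snapshot history to one row per agent (most recent wins),
    // then drop retired agents so stale rows cannot inflate results.
    | summarize arg_max(Timestamp, *) by AgentId
    | where LifecycleStatus != "Deleted"
    // Rows with no owner recorded cannot be resolved either way; keep them
    // out of the orphan set so they do not masquerade as disabled owners.
    | where isnotempty(AccountObjectId);
let LiveOwners =
    IdentityInfo
    | where isnotempty(AccountUpn)
    | distinct AccountObjectId, AccountUpn;
LatestAgents
// leftouter keeps every agent; owners that no longer resolve get an empty UPN
| join kind=leftouter LiveOwners on AccountObjectId
| extend OwnerUpn = AccountUpn
| where isempty(OwnerUpn)   // owner object ID has no live identity -> orphaned
| project Timestamp, AgentId, AccountObjectId, LifecycleStatus, SharedWith
```

Swapping the final where for a different predicate (SharedWith == "*", strlen(Instructions) < 50, an empty Instructions field) yields the other unified queries on the same deduplicated, non-deleted base.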
Security Impact
Orgs that deployed the previous connector-specific queries against AIAgentsInfo need to update to these unified queries. The old queries:
- Targeted a connector-specific table that no longer reflects the unified agent registry
- Were split 9 A365 / 17 Copilot Studio, so coverage was asymmetric and non-overlapping
- Did not perform LifecycleStatus filtering, meaning deleted agents could inflate results
The AgentsInfoOrphanedAgents query is particularly high-value for privilege hygiene: agents owned by disabled accounts retain their permissions and published state in the unified registry unless explicitly removed.
The MCP tool detection (AgentsInfoMCPToolConfigured) surfaces agents with external tool integrations that can execute code or access resources outside the M365 boundary – a direct lateral movement / exfiltration surface.
Note: the retired A365 connector queries covered HTTP non-HTTPS (T1071) and non-standard port (T1041) signalling. These detection angles are not replicated in the 7 new unified queries – verify whether equivalents will be added to avoid a coverage gap.
MITRE Mapping
- T1552 – Unsecured Credentials: AgentsInfoHardCodedCredentials
- T1078 – Valid Accounts: AgentsInfoOrphanedAgents (orphaned agent owner accounts)
- T1059 – Command and Scripting Interpreter: AgentsInfoMCPToolConfigured (MCP tools enabling external code execution)
- T1562 – Impair Defenses: AgentsInfoNoInstructions / AgentsInfoShortInstructions (agents with no guardrails, exploitable via prompt injection)
- T1071 / T1041 – Application Layer Protocol / Exfiltration Over C2: covered by now-retired A365 connector queries; not present in new unified set
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/AgentsInfo.json
Hunting Queries/AI Agents/A365 Connector/AIAgentsHTTPNonHTTPS.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsHTTPNonStandardPorts.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsHardCodedCredentials.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsMCPToolConfigured.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsMissingToolsInInstructions.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsNoInstructions.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsPubliclyShared.yaml
Hunting Queries/AI Agents/A365 Connector/AIAgentsShortInstructions.yaml
Hunting Queries/AI Agents/A365 Connector/OrphanedAIAgents.yaml
Hunting Queries/AI Agents/AgentsInfoHardCodedCredentials.yaml
Hunting Queries/AI Agents/AgentsInfoMCPToolConfigured.yaml
Hunting Queries/AI Agents/AgentsInfoMissingToolsInInstructions.yaml
Hunting Queries/AI Agents/AgentsInfoNoInstructions.yaml
Hunting Queries/AI Agents/AgentsInfoOrganizationWideShared.yaml
Hunting Queries/AI Agents/AgentsInfoOrphanedAgents.yaml
Hunting Queries/AI Agents/AgentsInfoShortInstructions.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsEmailAIControlledInputs.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsEmailExternalMailbox.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsGenerativeOrchestrationNoInstructions.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHTTPConnectorEndpoints.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHTTPNonHTTPS.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHTTPNonStandardPorts.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsHardCodedCredentials.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsMCPToolConfigured.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsMCPToolMakerCredentials.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsOrganizationWideShared.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/AIAgentsUnusedActions.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/DormantAuthorAuthenticationAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/NoAuthenticationRequiredAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/OrphanedAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/PublishedAIAgentsAuthorAuthentication.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/PublishedDormantAIAgents.yaml
Hunting Queries/AI Agents/Copilot Studio Connector/UnpublishedUnmodifiedAIAgents.yaml