
Introduction:
As AI agents (from OpenAI’s GPTs to Microsoft Copilot Studio and Foundry) race into production, security operations centers (SOCs) are often blind to their real-time behavior, privileges, and data flows. Without dedicated observability, malicious prompt injections, data exfiltration, or agent sprawl go undetected. This new detection pack for Microsoft Sentinel bridges that gap—turning raw telemetry from Application Insights and OpenTelemetry into structured hunting queries, analytic rules, and watchlist-based enrichment.
Learning Objectives:
- Deploy ARM-based detection content to monitor OpenAI organizations, Foundry agents, and Copilot Studio agents within Microsoft Sentinel.
- Implement Application Insights and OpenTelemetry to capture high‑fidelity agent telemetry for security investigations.
- Build hunting queries and analytic rules that reduce noise while detecting risky agent behaviors (e.g., excessive data access, anomalous invocation patterns).
You Should Know:
1. Deploying the Detection Pack via ARM Template (Azure/Microsoft Sentinel)
This step‑by‑step guide installs the prebuilt analytics rules, hunting queries, and watchlists into your Sentinel workspace.
What it does: The ARM template provisions:
- Sentinel analytic rules (scheduled alerts for suspicious agent activities)
- Hunting queries (ad‑hoc threat hunting over AI agent logs)
- Watchlists for exclusion (ignore known safe agents) and enrichment (map agent IDs to owners)
How to use it:
1. Access the GitHub repo provided by David Alonso Dominguez (`https://github.com/[repo-path]`; the exact URL is not given in the post, so use the link you have or search for “Microsoft Sentinel AI Agent Detection Pack”).
2. Click the Deploy to Azure button or use the Azure CLI:

```powershell
# Azure CLI deployment
az deployment group create --resource-group <YourResourceGroup> `
  --template-file sentinel_ai_detection_pack.json `
  --parameters workspaceName=<YourSentinelWorkspace>
```

3. After deployment, verify the new content under Sentinel > Analytics and Hunting.
4. Map watchlists: go to Sentinel > Watchlists and populate with your agent inventory (e.g., AgentID, Owner, RiskLevel).
Windows / Linux command for OpenTelemetry collector setup (if on‑prem or hybrid):
```bash
# Linux - install OTEL collector
curl -sL https://github.com/open-telemetry/opentelemetry-collector-releases/releases/download/v0.95.0/otelcol_0.95.0_linux_amd64.deb -o otelcol.deb
sudo dpkg -i otelcol.deb
# Configure receiver for AI agent traces (e.g., OTLP over gRPC)
sudo nano /etc/otelcol/config.yaml
```
Add an OTLP receiver for agent telemetry:
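```yaml
# Note: the azuremonitor exporter ships in the collector's contrib
# distribution (otelcol-contrib), not in the core otelcol build.
receivers:
  otlp:
    protocols:
      grpc:
        endpoint: 0.0.0.0:4317   # listens on all interfaces; restrict or firewall as needed
      http:
        endpoint: 0.0.0.0:4318
exporters:
  azuremonitor:
    connection_string: "InstrumentationKey=..."
service:
  pipelines:
    traces:
      receivers: [otlp]
      exporters: [azuremonitor]
```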
2. Enabling Application Insights for Agent Telemetry
Application Insights acts as the ingestion endpoint for agent logs, traces, and custom events.
Step‑by‑step:
1. In Azure, create an Application Insights resource (or use existing).
2. Copy the Connection String (under “Properties”).
3. Configure your AI agent code (Python, C, etc.) to send telemetry:

```python
# Python example with OpenTelemetry
# Requires: pip install azure-monitor-opentelemetry-exporter
from azure.monitor.opentelemetry.exporter import AzureMonitorTraceExporter
from opentelemetry import trace
from opentelemetry.sdk.trace import TracerProvider
from opentelemetry.sdk.trace.export import BatchSpanProcessor

connection_string = "InstrumentationKey=..."
exporter = AzureMonitorTraceExporter(connection_string=connection_string)
provider = TracerProvider()
provider.add_span_processor(BatchSpanProcessor(exporter))
trace.set_tracer_provider(provider)
tracer = trace.get_tracer(__name__)

# Wrap each agent invocation in a span tagged with the agent and user identity
with tracer.start_as_current_span("agent-invocation") as span:
    span.set_attribute("agent.id", "copilot-studio-agent-01")
    span.set_attribute("user.id", "[email protected]")
    # Agent logic here
```

4. Verify data appears in Application Insights → Transaction search or Logs (KQL).
3. Core KQL Hunting Queries for Suspicious Agent Activity
The detection pack includes Sentinel hunting queries. Below are three essential examples to run manually or schedule.
Query 1 – Detect an agent accessing a sensitive data source for the first time:
```kql
// Requires Application Insights or custom tables (e.g., 'AgentTraces')
let sensitiveSources = dynamic(["sql-prod-finance", "blob-pii-retention"]);
AgentTraces
| where timestamp > ago(7d)
// customDimensions is dynamic: cast to string before comparing or grouping
| extend dataSource = tostring(customDimensions.dataSource)
| where dataSource in (sensitiveSources)
| summarize FirstAccess = min(timestamp) by agent_id, user_id, dataSource
| where FirstAccess > ago(1h) // First access in last hour
| project-rename FirstAccessTime = FirstAccess
```
Query 2 – Anomaly: unusually high volume of agent invocations per user:
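```kql
// Hourly invocation counts per user
let hourly = AgentTraces
    | summarize InvocationCount = count() by user_id, bin(timestamp, 1h);
// Aggregates cannot be used directly in a where clause, so compute the threshold first
let threshold = toscalar(hourly | summarize avg(InvocationCount) + 3 * stdev(InvocationCount));
hourly
| where InvocationCount > threshold
| join kind=inner (
    AgentTraces
    | distinct agent_id, user_id
) on user_id
```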
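The 3-sigma threshold in Query 2 only works with enough history: with a sample standard deviation, a single spike among fewer than 11 hourly buckets can never exceed mean + 3σ. The following is an added example (not code from the detection pack) that reproduces the query's logic in Python over constructed events; the user names and counts are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, stdev

def hourly_counts(events):
    """Mirror `summarize count() by user_id, bin(timestamp, 1h)`.
    events: iterable of (timestamp, user_id)."""
    buckets = Counter()
    for ts, user in events:
        buckets[(user, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return buckets

def flag_spikes(buckets, sigmas=3.0):
    """Return (flagged bucket keys, threshold) using mean + sigmas * sample stdev."""
    counts = list(buckets.values())
    if len(counts) < 2:
        return [], None  # stdev is undefined for a single bucket
    threshold = mean(counts) + sigmas * stdev(counts)
    return sorted(k for k, c in buckets.items() if c > threshold), threshold

def build_events(quiet_buckets, spike_size):
    """Constructed sample: `quiet_buckets` user-hours of 5 calls each for
    'alice', plus one user-hour with `spike_size` calls for 'bob'."""
    start = datetime(2024, 1, 1)
    events = []
    for h in range(quiet_buckets):
        events += [(start + timedelta(hours=h, minutes=m), "alice") for m in range(5)]
    events += [(start + timedelta(minutes=i % 60, seconds=i // 60), "bob")
               for i in range(spike_size)]
    return events

if __name__ == "__main__":
    for quiet in (9, 30):
        hits, threshold = flag_spikes(hourly_counts(build_events(quiet, 500)))
        print(f"{quiet + 1} buckets: threshold={threshold:.1f} flagged={hits}")
```

With 10 buckets the 500-call hour stays under the threshold; with 31 buckets the same hour is flagged.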
Query 3 – Potential prompt injection (detect unusual output length or special tokens):
```kql
AgentTraces
| where isnotempty(customDimensions.prompt) and isnotempty(customDimensions.response)
| extend promptLen = strlen(tostring(customDimensions.prompt))
| extend responseLen = strlen(tostring(customDimensions.response))
| where responseLen > promptLen * 5 // Very long response relative to prompt
| project timestamp, agent_id, user_id, promptLen, responseLen
```

4. Creating Sentinel Analytic Rules from Hunting Queries
Convert hunting queries into automated alerts.
Step‑by‑step:
1. In Microsoft Sentinel, go to Analytics → Create → Scheduled query rule.
2. Paste the KQL query (e.g., “First time sensitive data access”).
3. Set Query scheduling: Run every 1 hour, look back 2 hours.
4. Alert threshold: Number of results > 0.
5. Entity mapping: Map `agent_id` to `CustomEntity` or `AzureResource`, `user_id` to `Account`.
6. Incident creation: Enable, set grouping to “Group all events into a single incident”.
7. Automated response (playbook): Trigger a Logic App to send Teams message or block agent token.
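The rule's lookback interacts with the “first time” logic of Query 1, which needs enough history to know whether an access is really new. The sketch below is an added example (not part of the detection pack); it models the lookback as the window of events the query can see, and the agent, user and `wiki-public` names are constructed.

```python
from datetime import datetime, timedelta

# Same sensitive-source list as Query 1
SENSITIVE = {"sql-prod-finance", "blob-pii-retention"}

def first_time_access(events, now, lookback, recent=timedelta(hours=1)):
    """Return (agent_id, user_id, dataSource) keys whose earliest sensitive
    access inside `lookback` happened within the last `recent` period."""
    first_seen = {}
    for ts, agent_id, user_id, source in events:
        if source not in SENSITIVE or not (now - lookback < ts <= now):
            continue  # not sensitive, or outside the data the rule can see
        key = (agent_id, user_id, source)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    return sorted(k for k, ts in first_seen.items() if ts > now - recent)

# Constructed sample telemetry (hypothetical agents and users)
NOW = datetime(2024, 6, 1, 12, 0)
EVENTS = [
    (NOW - timedelta(days=3), "agent-a", "u1", "sql-prod-finance"),        # established access
    (NOW - timedelta(minutes=30), "agent-a", "u1", "sql-prod-finance"),    # recurring, not new
    (NOW - timedelta(minutes=20), "agent-b", "u2", "blob-pii-retention"),  # genuinely new
    (NOW - timedelta(minutes=10), "agent-c", "u3", "wiki-public"),         # not sensitive
]

def compare_lookbacks():
    """Run the same detection with a 7-day and a 2-hour visible window."""
    wide = first_time_access(EVENTS, NOW, lookback=timedelta(days=7))
    narrow = first_time_access(EVENTS, NOW, lookback=timedelta(hours=2))
    return wide, narrow

if __name__ == "__main__":
    wide, narrow = compare_lookbacks()
    print("7d lookback:", wide)
    print("2h lookback:", narrow)
```

With the 2-hour window, `agent-a`'s routine access is reported as a first-time access because its earlier history is out of view; the 7-day window reports only `agent-b`.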
5. Using Watchlists for Exclusion & Enrichment
Reduce false positives by maintaining a watchlist of trusted agents.
What it does: A CSV‑backed watchlist in Sentinel allows you to reference “safe” agents or enrich alerts with owner contact info.
How to create and query:
1. Create watchlist (Sentinel → Watchlists → Add new):
– Name: `TrustedAgents`
– Columns: `AgentID`, `Owner`, `Justification`
– Upload CSV:

```csv
AgentID,Owner,Justification
copilot-agent-finance,[email protected],Internal finance bot
openai-assist-jenkins,[email protected],CI/CD pipeline
```

2. Use in KQL to exclude trusted agents:

```kql
let Trusted = _GetWatchlist('TrustedAgents') | project AgentID;
AgentTraces
| where agent_id !in (Trusted)
// customDimensions is dynamic: cast to string before using a string operator
| where tostring(customDimensions.response) contains "confidential"
```

6. Hardening Telemetry Collection for OpenAI & Foundry Agents
For OpenAI (via Azure OpenAI or directly) and Foundry agents, you need to intercept API calls or use native logging.
For Azure OpenAI: Enable diagnostic settings → send `RequestResponse` logs to Log Analytics workspace.
KQL query to monitor Azure OpenAI token usage per agent:

```kql
AzureDiagnostics
| where Category == "RequestResponse"
| where OperationName == "Completion"
| extend agent_id = tostring(parse_json(properties)["user"]) // if you pass user=agent_id
| summarize TotalTokens = sum(todouble(parse_json(properties)["total_tokens"])) by agent_id, bin(TimeGenerated, 1h)
| where TotalTokens > 50000 // Alert on excessive token consumption
```
For Foundry (Palantir) agents: Use webhook forwarders to send agent actions (e.g., object reads, transforms) to Application Insights via OpenTelemetry collector.
7. Remediation Playbook: Isolate a Rogue AI Agent
When a detection fires (e.g., data exfiltration pattern), automate containment.
Step‑by‑step using Azure Logic App + Microsoft Graph:
1. Trigger: Sentinel incident creation.
2. Parse agent ID from incident.
3. For Copilot Studio agent: Call Power Platform API to disable the agent:

```powershell
# PowerShell using Power Apps cmdlets
Disable-PowerApp -EnvironmentName "Default-Environment" -AppName "agent-123"
```

4. For custom OpenAI agent: Revoke the API key used by that agent (call Azure Key Vault to rotate key).
5. Send notification to SOC channel with containment confirmation.
Linux command to block outbound traffic from an agent container (if self‑hosted):
```bash
sudo iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner agentuid -j REJECT
```
What Undercode Say:
- Key Takeaway 1: The detection pack transforms AI agent observability from a “black box” into structured, huntable telemetry—but only if you enable OpenTelemetry and Application Insights first. Without those, the pack’s analytic rules and hunting queries return no data.
- Key Takeaway 2: SOC teams can finally answer “What are our agents doing right now?” with KQL queries, but watchlists are critical to avoid alert fatigue. The pack includes exclusions, yet you must proactively curate trusted agent inventories.
Analysis (10 lines):
This detection pack addresses a massive blind spot in modern security monitoring. AI agents often operate with elevated permissions to LLMs, internal APIs, and data stores—yet traditional SIEM rules don’t model agent behavior. By leveraging ARM templates, Microsoft Sentinel becomes a control plane for agent governance. The inclusion of OpenTelemetry is forward‑looking; it decouples telemetry collection from any single cloud provider. However, adoption requires engineering effort to instrument existing agents (especially custom OpenAI or Foundry deployments). The pack’s hunting queries are strong starting points, but teams must tune thresholds to their environment. One missing piece is real‑time rate limiting based on anomaly scores—Sentinel currently reacts post‑factum. Still, for organizations already on Azure, this is a low‑friction way to jumpstart AI agent security. Expect similar packs from AWS and GCP within 12 months.
Expected Output:
After deploying the detection pack, your SOC gains:
- Pre‑built alert rules that trigger on anomalous agent invocation patterns (e.g., first‑time data source access, token volume spikes).
- A hunting dashboard with KQL queries ready for threat hunting across OpenAI, Foundry, and Copilot Studio telemetry.
- Watchlist‑based noise reduction and enrichment, enabling analysts to focus on risky, unknown agents.
Prediction:
- +1 Positive: Within 6–9 months, Microsoft will integrate this detection pack into native Sentinel content, making AI agent monitoring a default feature for Azure OpenAI and Copilot customers—lowering the barrier for thousands of enterprises.
- +1 Positive: OpenTelemetry adoption for AI agents will accelerate, leading to cross‑cloud agent observability standards, allowing SOCs to monitor agents across AWS Bedrock, GCP Vertex AI, and Azure from a single pane.
- -1 Negative: Attackers will develop evasion techniques that mimic legitimate agent behavior (e.g., low‑and‑slow data harvesting), forcing detection engineers to build more sophisticated ML models on top of the pack’s baseline queries.
- -1 Negative: Organizations that deploy the pack without enabling verbose OpenTelemetry (due to cost concerns) will miss critical context, leading to false negatives and a false sense of security.
Reported By: David Alonso – Hackers Feeds


