Query Details
id: b1f20304-9999-4d15-9109-0123456789cb
name: Agent - Autonomous privileged write in AzureActivity
description: |
  Correlates Foundry / Agent Service agents with privileged or write
  operations they performed directly against Azure (control plane). This
  is the Autonomous Action Risk shape: an agent creating cloud resources,
  changing configuration, assigning roles or deleting things on its own.
  The bridge is identity. Foundry telemetry records gen_ai.agent.name, but
  AzureActivity records the AAD identity in Caller. This hunt joins the
  AgentIdentityMap watchlist (agent -> AppId / ObjectId / Upn) so any
  AzureActivity write / action / delete by a mapped agent identity is
  surfaced, then enriches with the nearest agent span (conversation,
  model, tool) within 15 minutes so you can see what the agent was doing
  when it acted. Populate AgentIdentityMap or this hunt returns nothing.
query: |
  let lookback = 1d;
  let enrichWindow = 15m;
  // Identity bridge: the AgentIdentityMap watchlist maps each agent name to
  // the AAD identifiers that show up in AzureActivity.Caller.
  let agentMap =
      _GetWatchlist('AgentIdentityMap')
      | project
          AgentName = tostring(column_ifexists('AgentName', '')),
          AppId = tolower(tostring(column_ifexists('AppId', ''))),
          ObjectId = tolower(tostring(column_ifexists('ObjectId', ''))),
          Upn = tolower(tostring(column_ifexists('Upn', '')));
  let agentIds = materialize(agentMap);
  // Agent spans from Foundry telemetry. The window is widened by enrichWindow
  // so a span just before the lookback boundary can still be joined.
  let agentSpans =
      AppDependencies
      | where TimeGenerated > ago(lookback + enrichWindow)
      | where isnotempty(Properties["gen_ai.agent.name"])
      | extend
          AgentName = tostring(Properties["gen_ai.agent.name"]),
          ConvId = tostring(Properties["gen_ai.conversation.id"]),
          Model = tostring(Properties["gen_ai.request.model"]),
          ToolName = tolower(tostring(Properties["gen_ai.tool.name"]))
      | project SpanTime = TimeGenerated, AgentName, ConvId, Model, ToolName;
  AzureActivity
  | where TimeGenerated > ago(lookback)
  | extend
      OperationNameValue_ = tostring(column_ifexists('OperationNameValue', '')),
      ActivityStatusValue_ = tostring(column_ifexists('ActivityStatusValue', '')),
      Caller_ = tostring(column_ifexists('Caller', '')),
      ResourceGroup_ = tostring(column_ifexists('ResourceGroup', '')),
      CorrelationId_ = tostring(column_ifexists('CorrelationId', ''))
  // Any write / action / delete, or a successful, accepted or started call
  // against a sensitive provider. Parentheses make the precedence explicit
  // ('and' binds tighter than 'or').
  | where OperationNameValue_ has_any ("write", "action", "delete")
      or (ActivityStatusValue_ in ("Success", "Accepted", "Started")
          and OperationNameValue_ has_any (
              "roleAssignments", "roleDefinitions", "providers/Microsoft.Authorization",
              "deployments/write", "virtualMachines/write", "storageAccounts/write",
              "Microsoft.KeyVault", "networkSecurityGroups", "Microsoft.Resources/subscriptions/resourceGroups/write"))
  | extend Actor = tolower(Caller_)
  | where isnotempty(Actor)
  // Expand each agent's identifiers into one row per key so Caller can match
  // whichever of AppId, ObjectId or Upn the control plane recorded.
  | join kind=inner (
      agentIds
      | mv-expand Key = pack_array(AppId, ObjectId, Upn) to typeof(string)
      | where isnotempty(Key)
      | project AgentName, Key
    ) on $left.Actor == $right.Key
  | extend OpTime = TimeGenerated
  // Left outer: an operation with no nearby span is still surfaced.
  | join kind=leftouter agentSpans on AgentName
  | where isnull(SpanTime) or abs(datetime_diff('minute', SpanTime, OpTime)) <= 15
  // Keep only the span closest in time to the operation.
  | summarize
      arg_min(abs(datetime_diff('second', coalesce(SpanTime, OpTime), OpTime)), SpanTime, ConvId, Model, ToolName)
      by OpTime, AgentName, Actor, OperationNameValue_, ActivityStatusValue_,
         ResourceGroup_, _ResourceId, CorrelationId_
  | project
      OpTime, AgentName, Actor, OperationNameValue = OperationNameValue_,
      ActivityStatusValue = ActivityStatusValue_,
      ResourceGroup = ResourceGroup_, _ResourceId, ConvId, Model, ToolName,
      CorrelationId = CorrelationId_
  | order by OpTime desc
tactics:
- PrivilegeEscalation
- Impact
techniques:
- T1098
- T1078
- T1496
tags:
- Sentinel-As-Code
- Custom
- Foundry
- AI
This query is designed to identify and analyze actions performed by autonomous agents in Azure that involve privileged or write operations. Here's a simplified breakdown of what the query does:
Purpose: The query aims to detect when autonomous agents (from Foundry/Agent Service) perform significant actions like creating, modifying, or deleting resources in Azure. It focuses on actions that could indicate a risk, such as role assignments or resource deletions.
Data Sources: AzureActivity (control-plane operations and the Caller identity), AppDependencies (Foundry / Agent Service spans carrying the gen_ai.* properties), and the AgentIdentityMap watchlist (agent name to AppId / ObjectId / Upn).
Process: Over the last day (lookback = 1d), the query keeps AzureActivity write / action / delete operations, plus successful, accepted or started operations against sensitive providers such as role assignments, Key Vault and network security groups. It lower-cases the Caller and joins it to the expanded watchlist keys, then left-outer joins the matched agent's spans and keeps the span nearest to the operation within 15 minutes.
Output: One row per operation with OpTime, AgentName, Actor, OperationNameValue, ActivityStatusValue, ResourceGroup, _ResourceId, the nearest ConvId, Model and ToolName, and CorrelationId, ordered newest first.
Security Context: Mapped to the PrivilegeEscalation and Impact tactics and to techniques T1098, T1078 and T1496.
Tags: The query is tagged with relevant labels such as Sentinel-As-Code, Custom, Foundry, and AI, indicating its context and purpose.
In summary, this query helps security teams monitor and investigate potentially risky autonomous actions by agents in Azure, providing insights into what the agents were doing at the time of these actions.
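To make the correlation logic concrete without a Sentinel workspace, the following is an added example (not the page's query and not Microsoft's code) that re-implements the pipeline in Python over constructed data: the AgentIdentityMap identity bridge, the privileged/write predicate with the same precedence as the KQL, and the nearest-span enrichment within 15 minutes, including the case of an operation with no nearby span. All agent names, identifiers, tenant values and timestamps are hypothetical, and `has_any` is approximated with substring matching (KQL matches whole terms).

```python
"""Offline model of the 'Autonomous privileged write in AzureActivity' hunt.

Added example over constructed data; mirrors the KQL pipeline so the join
and enrichment behaviour can be checked locally.
"""
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=15)            # enrichWindow in the KQL
WRITE_TERMS = ("write", "action", "delete")
SUCCESS_STATUSES = {"Success", "Accepted", "Started"}
PRIVILEGED_TERMS = (
    "roleAssignments", "roleDefinitions", "providers/Microsoft.Authorization",
    "deployments/write", "virtualMachines/write", "storageAccounts/write",
    "Microsoft.KeyVault", "networkSecurityGroups",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
)

# Constructed AgentIdentityMap watchlist rows (hypothetical agents and IDs).
AGENT_IDENTITY_MAP = [
    {"AgentName": "ticket-triage-agent",
     "AppId": "11111111-1111-1111-1111-111111111111",
     "ObjectId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "Upn": "triage-agent@contoso.example"},
    {"AgentName": "cost-optimizer-agent", "AppId": "",
     "ObjectId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb", "Upn": ""},
]

T = datetime(2026, 6, 8, 9, 0)  # constructed base time


def _span(minutes, conv, tool):
    return {"AgentName": "ticket-triage-agent", "SpanTime": T + timedelta(minutes=minutes),
            "ConvId": conv, "Model": "gpt-4o", "ToolName": tool}


def _act(minutes, caller, op, status, rg, cid):
    return {"TimeGenerated": T + timedelta(minutes=minutes), "Caller": caller,
            "OperationNameValue": op, "ActivityStatusValue": status,
            "ResourceGroup": rg, "CorrelationId": cid}


# Constructed AppDependencies spans (gen_ai.* properties already extracted).
AGENT_SPANS = [_span(30, "conv-000", "search_tickets"),
               _span(52, "conv-001", "assign_role"),
               _span(63, "conv-002", "assign_role")]

# Constructed AzureActivity rows; Caller casing is deliberately mixed.
AZURE_ACTIVITY = [
    _act(60, "AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA",
         "Microsoft.Authorization/roleAssignments/write", "Success", "rg-prod", "c-1"),
    _act(70, "alice@contoso.example",  # human, not in the watchlist
         "Microsoft.Compute/virtualMachines/write", "Success", "rg-prod", "c-2"),
    _act(80, "triage-agent@contoso.example",  # sensitive provider, successful read
         "Microsoft.KeyVault/vaults/read", "Success", "rg-sec", "c-3"),
    _act(90, "11111111-1111-1111-1111-111111111111",  # plain read, not surfaced
         "Microsoft.Storage/storageAccounts/read", "Success", "rg-data", "c-4"),
    _act(120, "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",  # agent with no spans at all
         "Microsoft.Compute/virtualMachines/delete", "Accepted", "rg-dev", "c-5"),
]


def has_any(value: str, terms) -> bool:
    """Case-insensitive substring approximation of KQL has_any."""
    v = value.lower()
    return any(t.lower() in v for t in terms)


def is_privileged_or_write(op: str, status: str) -> bool:
    """Same predicate as the KQL where-clause; 'and' binds tighter than 'or'."""
    return has_any(op, WRITE_TERMS) or (
        status in SUCCESS_STATUSES and has_any(op, PRIVILEGED_TERMS))


def build_identity_index(watchlist) -> dict:
    """Lower-cased AppId/ObjectId/Upn -> AgentName (the mv-expand + join key)."""
    index = {}
    for row in watchlist:
        for col in ("AppId", "ObjectId", "Upn"):
            key = (row.get(col) or "").strip().lower()
            if key:  # empty cells must not become a join key
                index[key] = row["AgentName"]
    return index


def nearest_span(agent: str, op_time: datetime, spans, window=WINDOW) -> Optional[dict]:
    """Closest span for this agent within +/- window, or None (left outer join)."""
    candidates = [s for s in spans
                  if s["AgentName"] == agent and abs(s["SpanTime"] - op_time) <= window]
    return min(candidates, key=lambda s: abs(s["SpanTime"] - op_time)) if candidates else None


def hunt(activity, watchlist, spans, window=WINDOW) -> list:
    """Return surfaced operations enriched with the nearest span, newest first."""
    index = build_identity_index(watchlist)
    results = []
    for ev in activity:
        if not is_privileged_or_write(ev["OperationNameValue"], ev["ActivityStatusValue"]):
            continue
        agent = index.get(ev["Caller"].strip().lower())
        if agent is None:
            continue  # not a mapped agent identity
        span = nearest_span(agent, ev["TimeGenerated"], spans, window) or {}
        results.append({"OpTime": ev["TimeGenerated"], "AgentName": agent,
                        "Actor": ev["Caller"].lower(),
                        "OperationNameValue": ev["OperationNameValue"],
                        "ActivityStatusValue": ev["ActivityStatusValue"],
                        "ResourceGroup": ev["ResourceGroup"],
                        "ConvId": span.get("ConvId"), "Model": span.get("Model"),
                        "ToolName": span.get("ToolName"),
                        "CorrelationId": ev["CorrelationId"]})
    results.sort(key=lambda r: r["OpTime"], reverse=True)
    return results


if __name__ == "__main__":
    for row in hunt(AZURE_ACTIVITY, AGENT_IDENTITY_MAP, AGENT_SPANS):
        print(row["OpTime"], row["AgentName"], row["OperationNameValue"], row["ConvId"], row["ToolName"])
```

Running it surfaces three rows: the role assignment write is tied to the span three minutes after it rather than the one eight minutes before, the Key Vault read is kept because the successful-status branch matches a sensitive provider but has no span within the window, and the VM delete by an agent with no telemetry at all still appears with empty enrichment, which is exactly what the left-outer join in the KQL is for. The human caller and the plain storage read are dropped.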

David Alonso
Released: June 8, 2026