Query Details

Agent - Autonomous privileged write in AzureActivity

Agent Autonomous Azure Write

Query

let lookback = 1d;
let enrichWindow = 15m;
let agentMap =
    _GetWatchlist('AgentIdentityMap')
    | project
        AgentName = tostring(column_ifexists('AgentName', '')),
        AppId     = tolower(tostring(column_ifexists('AppId', ''))),
        ObjectId  = tolower(tostring(column_ifexists('ObjectId', ''))),
        Upn       = tolower(tostring(column_ifexists('Upn', '')));
let agentIds = materialize(agentMap);
let agentSpans =
    AppDependencies
    | where TimeGenerated > ago(lookback + enrichWindow)
    | where isnotempty(Properties["gen_ai.agent.name"])
    | extend
        AgentName = tostring(Properties["gen_ai.agent.name"]),
        ConvId    = tostring(Properties["gen_ai.conversation.id"]),
        Model     = tostring(Properties["gen_ai.request.model"]),
        ToolName  = tolower(tostring(Properties["gen_ai.tool.name"]))
    | project SpanTime = TimeGenerated, AgentName, ConvId, Model, ToolName;
AzureActivity
| where TimeGenerated > ago(lookback)
| extend
      OperationNameValue_  = tostring(column_ifexists('OperationNameValue', '')),
      ActivityStatusValue_ = tostring(column_ifexists('ActivityStatusValue', '')),
      Caller_              = tostring(column_ifexists('Caller', '')),
      ResourceGroup_       = tostring(column_ifexists('ResourceGroup', '')),
      CorrelationId_       = tostring(column_ifexists('CorrelationId', ''))
| where OperationNameValue_ has_any ("write", "action", "delete")
     or ActivityStatusValue_ in ("Success", "Accepted", "Started")
     and OperationNameValue_ has_any (
        "roleAssignments", "roleDefinitions", "providers/Microsoft.Authorization",
        "deployments/write", "virtualMachines/write", "storageAccounts/write",
        "Microsoft.KeyVault", "networkSecurityGroups", "Microsoft.Resources/subscriptions/resourceGroups/write")
| extend Actor = tolower(Caller_)
| where isnotempty(Actor)
| join kind=inner (
      agentIds
      | extend Key = coalesce(ObjectId, AppId, Upn)
      | mv-expand Key = pack_array(AppId, ObjectId, Upn) to typeof(string)
      | where isnotempty(Key)
      | project AgentName, Key
  ) on $left.Actor == $right.Key
| extend OpTime = TimeGenerated
| join kind=leftouter agentSpans on AgentName
| where isnull(SpanTime) or abs(datetime_diff('minute', SpanTime, OpTime)) <= 15
| summarize
      arg_min(abs(datetime_diff('second', coalesce(SpanTime, OpTime), OpTime)), SpanTime, ConvId, Model, ToolName)
      by OpTime, AgentName, Actor, OperationNameValue_, ActivityStatusValue_,
         ResourceGroup_, _ResourceId, CorrelationId_
| project
    OpTime, AgentName, Actor, OperationNameValue = OperationNameValue_,
    ActivityStatusValue = ActivityStatusValue_,
    ResourceGroup = ResourceGroup_, _ResourceId, ConvId, Model, ToolName,
    CorrelationId = CorrelationId_
| order by OpTime desc

Explanation

This query is designed to identify and analyze actions performed by autonomous agents in Azure that involve privileged or write operations. Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to detect when autonomous agents (from Foundry/Agent Service) perform significant actions like creating, modifying, or deleting resources in Azure. It focuses on actions that could indicate a risk, such as role assignments or resource deletions.

  2. Data Sources:

    • AgentIdentityMap: A watchlist that maps agent names to their Azure Active Directory (AAD) identities (AppId, ObjectId, Upn).
    • AppDependencies: Logs that provide context about what the agent was doing (conversation, model, tool) around the time of the action.
    • AzureActivity: Logs of activities performed in Azure, including who performed them and what was done.
  3. Process:

    • Lookback Period: The query examines activities from the past day (1d).
    • Enrichment Window: It considers agent activities within a 15-minute window around the Azure activity.
    • Agent Mapping: It retrieves and processes the agent identity mappings to correlate with Azure activities.
    • Activity Filtering: It filters Azure activities to focus on those involving write, action, or delete operations, especially those related to roles, deployments, VMs, storage accounts, and security groups.
    • Correlation: It matches Azure activities with agent identities using the mapped identities and enriches the data with context from the nearest agent activity (conversation, model, tool).
  4. Output:

    • The query summarizes and orders the results by the time of operation, showing details like the agent name, the actor (identity), the operation performed, the status of the activity, and additional context from the agent's activity.
  5. Security Context:

    • Tactics: The query is associated with detecting Privilege Escalation and Impact tactics.
    • Techniques: It relates to specific MITRE ATT&CK techniques like T1098 (Account Manipulation), T1078 (Valid Accounts), and T1496 (Resource Hijacking).
  6. Tags: The query is tagged with relevant labels such as Sentinel-As-Code, Custom, Foundry, and AI, indicating its context and purpose.

In summary, this query helps security teams monitor and investigate potentially risky autonomous actions by agents in Azure, providing insights into what the agents were doing at the time of these actions.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AgentIdentityMapAppDependenciesAzureActivity

Keywords

AgentAzureActivityAppDependenciesAgentIdentityMapAppIdObjectIdUpnPropertiesConversationModelToolNameOperationNameValueActivityStatusValueCallerResourceGroupCorrelationIdRoleAssignmentsRoleDefinitionsMicrosoftAuthorizationDeploymentsVirtualMachinesStorageAccountsKeyVaultNetworkSecurityGroupsResourcesSubscriptionsResourceGroups

Operators

letprojecttolowertostringcolumn_ifexistsmaterializewhereisnotemptyextendagohas_anyincoalescemv-expandpack_arrayjoinkind=innerkind=leftouterisnullabsdatetime_diffsummarizearg_minbyorder by

Tactics

PrivilegeEscalationImpact

MITRE Techniques

Actions

GitHub