Detect, block, and investigate threats to AI agents using Microsoft Defender (Preview)

Deployed AI agents operate autonomously, invoking tools, accessing data, and taking actions across systems in response to natural‑language input. This makes continuous detection, runtime protection, and investigation critical. Microsoft Defender detects suspicious and malicious agent behavior, blocks dangerous actions in real time, provides alerts in near‑real‑time, and enables security teams to investigate incidents and trace the full root cause and blast radius.

This article explains how Microsoft Defender detects, blocks, and enables security teams to investigate threats to AI agents managed through Microsoft Agent 365, including the extended detection and protection capabilities available for supported agent platforms.

Note

Some capabilities described in this article currently require onboarding through Microsoft Defender for Cloud Apps. This is a temporary configuration; onboarding will become part of the Agent 365 product experience. Starting July 1, 2026, your organization needs an Agent 365 subscription to continue using agent protection and visibility capabilities.

Block unsafe AI agent actions in real time

Microsoft Defender provides real-time protection (RTP) to prevent AI agents from performing unsafe actions during runtime. Defender integrates directly with Work IQ MCP to evaluate supported agent-initiated tool invocations before they execute. If Defender determines that an action is risky, it blocks the action before the agent performs it, preventing harmful behavior.

Note

Real-time protection is available only for AI agents that use tools currently supported in Work IQ MCP. Agents that rely on unsupported tools or do not integrate with Work IQ MCP are outside the scope of this capability.

Real-time protection focuses on high-confidence threats, including:

  • Attempts to extract or exfiltrate system instructions or internal tool details
  • Direct attempts to leak sensitive data
  • Misuse of internal-only tools
  • Routing information to untrusted or malicious destinations
  • Use of obfuscated or hidden content to manipulate agent behavior
  • Credential leakage through legitimate channels such as email or external APIs

Note

For agents built with Microsoft Copilot Studio, Microsoft Defender also provides real-time protection by evaluating model prompts and responses. This capability doesn't depend on Work IQ.

When Microsoft Defender blocks an action, it generates a detailed alert that explains what was blocked, why the action was considered risky, and which agent, user, and tool were involved. This ensures security teams can investigate blocked actions using familiar Defender workflows.

Enable real-time protection

To enable real-time protection for your AI agents:

  1. Open the Microsoft Defender portal

  2. Select System > Settings > Security for AI agents. This opens the Security for AI agents settings page.

  3. Make sure that Security for AI agents is toggled on.

  4. Make sure that Agent 365 is connected under AI real-time protection & investigation.

    Screenshot of Security for AI agents settings showing toggled on switch and connected status for Agent 365 and Copilot Studio.

  5. To enable the extended real-time protection capabilities for Microsoft Copilot Studio agents, make sure that Copilot Studio is connected under AI real-time protection & investigation.

    For more information, see Copilot Studio integration in Microsoft Defender for Cloud Apps.

Detect AI agent threats in near-real-time

Microsoft Defender continuously monitors AI agent activity and detects suspicious and malicious behavior across all Agent 365‑managed agents. Defender analyzes agent telemetry, tool usage, and execution patterns to identify threats such as persistent jailbreak attempts, suspicious user activity involving a jailbreak attempt, and suspicious agent execution attempts.

Microsoft Defender surfaces detections as near‑real‑time alerts in the Defender portal and enables security teams to investigate them using familiar security operations workflows, including alert triage, incident correlation, and Advanced Hunting.

For more information, see Incidents and alerts in the Microsoft Defender portal.

Near-real-time detections rely on Agent 365 observability data, which also provides valuable context for investigating incidents and threat hunting. Microsoft Defender analyzes this data to identify suspicious agent behavior and generate alerts.

Note

For agents built with Microsoft Copilot Studio and Microsoft Foundry, Microsoft Defender also supports detections based on evaluation of model prompts and responses.

Enable near-real-time detections and advanced threat hunting

To enable near-real-time alerts and threat hunting:

  1. Enable the Microsoft 365 app connector to collect Agent 365 observability data for AI agent actions. For more information, see Connect Microsoft 365 to Microsoft Defender for Cloud Apps.
  2. Ensure that your AI agent emits observability data to Microsoft 365.
    • Agents built with Microsoft Copilot Studio send observability data to Microsoft 365 by default.
    • For AI agents built on other platforms, enable observability using the Microsoft Agent 365 SDK, as described in the Agent 365 development lifecycle documentation.

Enable extended near-real-time detections for Microsoft Copilot Studio and Microsoft Foundry agents

When you enable the relevant features, agents built with Microsoft Copilot Studio and Microsoft Foundry have an extended set of near-real-time detection alerts beyond the baseline available to all Microsoft Agent 365‑managed agents.

To enable these extended capabilities:

Investigate AI agent threats and hunt for risks using Advanced Hunting

Microsoft Defender correlates AI agent alerts into incidents and surfaces the related context so security teams can quickly assess impact and prioritize response. Advanced Hunting then lets analysts query Agent 365 observability data by using Kusto Query Language (KQL) to investigate incidents and hunt for risks across their environment.

Investigate incidents and alerts

Microsoft Defender correlates AI agent alerts, including near‑real‑time detections and alerts generated when real‑time protection blocks an action, into incidents.

Security analysts can use the incident graph and investigation experience to understand the full context of a potential attack, including relationships between involved entities and the blast radius of AI agent threats. For more information, see Incidents and alerts in the Microsoft Defender portal.

Correlate alerts and Agent 365 observability data and hunt for risks using Advanced Hunting

Advanced Hunting in Microsoft Defender enables security teams to query Agent 365 observability data alongside other security data by using Kusto Query Language (KQL). This supports proactive threat hunting, incident investigation, and root‑cause analysis across agents, applications, identities, and devices.

For example, use Advanced Hunting to:

  • Trace specific agent tool invocations and correlate them with related alerts or block events
  • Investigate the root cause and scope of a detected AI agent threat
  • Identify anomalous execution patterns or risky agent behavior across environments
  • Build custom detection rules based on agent activity signals
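As an added example, not taken from the article or from Microsoft's documentation, the following Kusto query shows one way to act on the last bullet: a hunt over CloudAppEvents for an agent-initiated tool-invocation burst, written so the result set carries the Timestamp, ReportId and AccountObjectId columns that a custom detection rule needs. The ActionType value, the RawEventData field name and the threshold are assumptions marked as placeholders; confirm the real values against the CloudAppEvents rows in your own tenant before saving this as a rule.

```kql
// Added example (not from the article). Hunt for an unusual burst of agent tool
// invocations per account within a short window, shaped for a custom detection rule.
// ASSUMPTIONS (placeholders): the ActionType string and the RawEventData field
// name are not documented on the page; replace them with values observed in your tenant.
let lookback = 1h;
let burst_threshold = 50;          // constructed sample value; tune per environment
CloudAppEvents
| where Timestamp > ago(lookback)
| where ActionType == "<AgentToolInvocationActionType>"          // placeholder
| extend ToolName = tostring(RawEventData["<ToolNameField>"])      // placeholder
// Keep the newest Timestamp/ReportId pair per account so the custom detection rule
// can attach the alert to a real event (arg_max returns both columns together).
| summarize arg_max(Timestamp, ReportId),
            Invocations = count(),
            DistinctTools = dcount(ToolName),
            Tools = make_set(ToolName, 20)
    by AccountObjectId, AccountDisplayName, Application
| where Invocations > burst_threshold
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName, Application,
          Invocations, DistinctTools, Tools
| order by Invocations desc
```

Run the query in Advanced Hunting first to check the volume it returns over a quiet period; only once the threshold produces a manageable result set should it be saved as a custom detection rule, since every row it returns becomes an alert.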

Advanced Hunting tables for AI agent investigation

The following Advanced Hunting tables provide visibility into AI agent configuration, alerts, and activity. You can query these tables individually or correlate them to investigate incidents and hunt for agent-related risks.

| Table name | Description | Common use cases |
| --- | --- | --- |
| AlertInfo | Contains alert metadata generated by Microsoft Defender, including alerts related to near-real-time detections and real-time protection block events. | Investigate AI agent alerts, understand alert context, and pivot into related incidents and entities. |
| CloudAppEvents | Contains Agent 365 observability data for AI agent activity, including agent actions, tool invocations, and data access events. | Hunt for suspicious agent behavior, trace agent actions, and perform root-cause analysis using Agent 365 observability data. |
| AIAgentsInfo | Contains inventory and configuration details for AI agents, including agent identity, platform, ownership, and metadata. | Review agent posture, identify risky or misconfigured agents, and correlate agent identity with alerts and activity. |
| AlertEvidence | Contains entities and artifacts associated with alerts, such as agents, users, tools, URLs, or resources. | Understand the scope of an alert and identify related entities involved in an AI agent incident. |
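The following query is an added example, not part of the article or of any Microsoft sample, that correlates the four tables above to support the investigation workflow described in the previous sections: it starts from recent alerts, uses AlertEvidence to find the accounts involved, and pulls the surrounding CloudAppEvents activity in a one-hour window around each alert so an analyst can see what the agent did before and after the detection. The AlertInfo, AlertEvidence and CloudAppEvents columns used are the standard ones; the title filter is a heuristic, and the AIAgentsInfo column names (AgentId, AgentName, Platform) are assumptions to verify against the schema reference.

```kql
// Added example (not from the article): pivot from AI agent alerts to the entities
// involved and then to the agent activity recorded around the time of each alert.
// ASSUMPTION: the Title filter is a heuristic; narrow it to the alert titles you see.
// ASSUMPTION: AIAgentsInfo columns (AgentId, AgentName, Platform) are assumed names.
let window = 7d;
let activity_margin = 1h;
// Step 1: recent alerts that look agent-related (near-real-time detections and RTP blocks).
let agent_alerts =
    AlertInfo
    | where Timestamp > ago(window)
    | where Title has_any ("agent", "jailbreak", "prompt", "Copilot")
    | project AlertId, AlertTime = Timestamp, Title, Severity, Category, ServiceSource;
// Step 2: accounts listed as evidence on those alerts.
let involved_accounts =
    AlertEvidence
    | where Timestamp > ago(window)
    | where isnotempty(AccountObjectId)
    | project AlertId, EntityType, EvidenceRole, AccountObjectId, AccountUpn;
// Step 3: agent activity from Agent 365 observability data for the same accounts.
let agent_activity =
    CloudAppEvents
    | where Timestamp > ago(window)
    | project AccountObjectId, ActivityTime = Timestamp, ActionType, Application, ReportId;
agent_alerts
| join kind=inner involved_accounts on AlertId
| join kind=leftouter agent_activity on AccountObjectId
// Keep only activity close to the alert; rows with no nearby activity are dropped.
| where ActivityTime between ((AlertTime - activity_margin) .. (AlertTime + activity_margin))
| summarize ActivityCount = count(),
            ActionTypes = make_set(ActionType, 20),
            FirstActivity = min(ActivityTime),
            LastActivity = max(ActivityTime)
    by AlertId, AlertTime, Title, Severity, Category, AccountObjectId, AccountUpn
// Step 4 (assumed column names): enrich with agent inventory where the account is an agent identity.
| join kind=leftouter (
      AIAgentsInfo
      | project AgentId, AgentName, Platform
  ) on $left.AccountObjectId == $right.AgentId
| project AlertTime, Title, Severity, Category, AccountUpn, AgentName, Platform,
          ActivityCount, FirstActivity, LastActivity, ActionTypes
| order by AlertTime desc
```

The leftouter join on activity followed by the time-window filter is deliberate: it keeps the query cheap over a 7-day range while still discarding alerts with no observability data nearby, which is itself a useful signal that the agent platform is not emitting observability data to Microsoft 365 as step 2 of the enablement procedure requires.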

Next steps