
Overview

This lab deploys detection and hunting capabilities for agentic AI threats in Microsoft Sentinel. Every analytics rule maps to a specific OWASP Top 10 for Agentic Applications risk.

What gets deployed:

| Component | Count | Details |
|---|---|---|
| Analytics rules | 4 | Agent baseline deviation, privilege escalation, runaway agents, supply chain |
| Hunting queries | 5 | Inventory, permissions, heatmap, token flows, data access anomalies |
| Workbook | 1 | Agentic AI Security Dashboard (4 panels) |
| Audit script | 1 | Agent permission audit (CSV export) |

Companion blog post: Detecting Agentic AI Threats with Microsoft Sentinel

Prerequisites

  • Microsoft Sentinel workspace with Entra ID data connector enabled
  • AADServicePrincipalSignInLogs table populated (requires P1/P2 license)
  • MicrosoftGraphActivityLogs enabled (preview — enable via Diagnostic Settings on the Entra ID blade)
  • AuditLogs and AzureActivity tables populated
  • PowerShell 7+ with Azure CLI installed
  • Contributor role on the Sentinel workspace resource group

Quick Start

git clone https://github.com/j-dahl7/owasp-agentic-sentinel.git
cd owasp-agentic-sentinel
./scripts/Deploy-Lab.ps1 -ResourceGroup "rg-sentinel-lab" -WorkspaceName "law-sentinel-lab"

Analytics Rules

Rule 1: Agent Identity Accessing Resources Outside Established Baseline

  • OWASP Risk: ASI03 (Identity & Privilege Abuse)
  • MITRE ATT&CK: T1078.004 (Valid Accounts: Cloud Accounts)
  • Severity: Medium
  • Frequency: Hourly
  • Lookback: 14 days baseline, 1 hour detection window
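
The baseline-versus-detection-window pattern that Rule 1 describes, as an added KQL sketch (not the lab's deployed rule). It reads the AADServicePrincipalSignInLogs table from the prerequisites; the watchlist alias AgentBaselineExclusions is a hypothetical name for the exclusion watchlist.

```kql
// Added sketch of a baseline-deviation detection; not the lab's own rule.
// Assumption: a watchlist with the hypothetical alias 'AgentBaselineExclusions'
// exists and its SearchKey column holds service principal object IDs.
// _GetWatchlist fails if the alias does not exist, so create it first
// or remove the exclusion filter.
let baselineWindow = 14d;   // baseline period from the rule description
let detectionWindow = 1h;   // detection window from the rule description
let excluded = _GetWatchlist('AgentBaselineExclusions')
    | project ServicePrincipalId = tostring(SearchKey);
// Every (service principal, resource) pair with a successful sign-in
// during the baseline period, excluding the current detection window.
let baseline = AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(baselineWindow) .. ago(detectionWindow))
    | where ResultType == "0"
    | distinct ServicePrincipalId, ResourceIdentity;
// Successful sign-ins in the detection window whose pair is absent from
// the baseline. A principal with no baseline history at all is reported
// too, which is the case the lab's test service principal exercises.
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(detectionWindow)
| where ResultType == "0"
| where ServicePrincipalId !in (excluded)
| join kind=leftanti baseline on ServicePrincipalId, ResourceIdentity
| summarize FirstSeen = min(TimeGenerated),
            SignIns = count(),
            SourceIPs = make_set(IPAddress, 20)
    by ServicePrincipalId, ServicePrincipalName, AppId,
       ResourceDisplayName, ResourceIdentity
| order by FirstSeen asc
```

Run it in the workspace's Logs blade to see which pairs it would flag before comparing against the deployed rule's alerts.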

Rule 2: Agent Privilege Escalation — New High-Privilege Role Assignment

  • OWASP Risk: ASI03 (Identity & Privilege Abuse)
  • MITRE ATT&CK: T1098.003 (Account Manipulation: Additional Cloud Roles)
  • Severity: High
  • Frequency: Hourly
  • Lookback: 24 hours

Rule 3: Excessive Agent API Activity — Runaway or Hijacked Agent

  • OWASP Risk: ASI09 (Uncontrolled Agentic Actions)
  • MITRE ATT&CK: T1119 (Automated Collection)
  • Severity: High
  • Frequency: Every 15 minutes
  • Lookback: 1 hour

Rule 4: New OAuth App with Agent-Like Characteristics

  • OWASP Risk: ASI04 (Supply Chain Vulnerabilities)
  • MITRE ATT&CK: T1195.002 (Supply Chain Compromise)
  • Severity: Medium
  • Frequency: Hourly
  • Lookback: 24 hours

Hunting Queries

  1. Agent Identity Inventory — All service principals with sign-in activity (30 days)
  2. Agent Permission Audit — Cross-reference app role assignments against baseline
  3. Agent Activity Heatmap — Time-of-day/day-of-week API activity patterns
  4. Cross-Agent Token Flow Analysis — Token exchange patterns between service principals
  5. Agent Data Access Anomalies — New data store access by established agents

Workbook Panels

  1. Agent Identity Overview — Active agents, new registrations, permission changes
  2. Agent Activity Patterns — API call timechart by service principal
  3. Privilege Escalation Timeline — Role assignments targeting service principals
  4. OWASP Risk Heatmap — Detected events mapped to OWASP risk categories

Testing

After deployment, verify the rules are active:

# Check analytics rules
az sentinel alert-rule list --resource-group "rg-sentinel-lab" --workspace-name "law-sentinel-lab" --query "[?contains(displayName, 'LAB')].{Name:displayName, Severity:severity, Enabled:enabled}" -o table

Test with a simulated agent action:

# Create a test service principal and grant it a role
$sp = az ad sp create-for-rbac --name "test-agent-owasp-lab" --role "Reader" --scopes "/subscriptions/$(az account show --query id -o tsv)/resourceGroups/rg-sentinel-lab"

# Wait for sign-in log ingestion (5-10 minutes)
# Then check if Rule 1 fires for the new SP accessing a resource

Cleanup

./scripts/Deploy-Lab.ps1 -ResourceGroup "rg-sentinel-lab" -WorkspaceName "law-sentinel-lab" -Cleanup

Troubleshooting

| Issue | Solution |
|---|---|
| No data in AADServicePrincipalSignInLogs | Enable the Entra ID data connector with “Service principal sign-in logs” checked |
| No data in MicrosoftGraphActivityLogs | Enable via Entra ID > Diagnostic settings > Add diagnostic setting > MicrosoftGraphActivityLogs |
| Rules not firing | Check the analytics rule lookback period — rules need data within the lookback window |
| False positives on Rule 1 | Add known dynamic agents to the exclusion watchlist |
