As organizations deploy AI agents across Defender/Entra/Purview workflows, there's currently no community playbook template for automated incident response specific to agent misbehavior (e.g., an agent making excessive API calls, accessing out-of-scope resources, or exhibiting prompt injection symptoms). A starter Logic Apps playbook that isolates an agent's identity/service principal upon detecting anomalous BehaviorInfo patterns would help SOC teams respond faster to AI-specific incidents, similar to existing playbooks for compromised user accounts.
As organizations deploy AI agents across Defender/Entra/Purview workflows, there's currently no community playbook template for automated incident response specific to agent misbehavior (e.g., an agent making excessive API calls, accessing out-of-scope resources, or exhibiting prompt injection symptoms). A starter Logic Apps playbook that isolates an agent's identity/service principal upon detecting anomalous BehaviorInfo patterns would help SOC teams respond faster to AI-specific incidents, similar to existing playbooks for compromised user accounts.