removed samples from advanced hunting table, removed threat detection

Author: AbbyMSFT

defender-for-cloud-apps/ai-agent-inventory.md

@@ -10,24 +10,22 @@ ms.reviewer: gayasalomon
 #customer-intent: As a security administrator, I want view all of the AI Agents in my organization, and detect threats on my AI agents using advanced hunting.
 ---
 
-# Discover and protect your Copilot Studio custom AI Agents (Preview)
+# Discover and protect your custom AI Agents (Preview)
 
 Microsoft Defender detects all Copilot Studio custom AI agents in your tenant and provides tools to identify misconfigured or potentially risky agents, and collects data from Copilot Studio for use in [advanced hunting](/defender-xdr/advanced-hunting-overview).
 
 ## Prerequisites
-To enable AI agent threat protection inventory and detection you must opt in to public preview features of:
+To enable AI agent inventory and detection you must opt in to the [Microsoft Defender preview features](https://security.microsoft.com/securitysettings/defender/preview_features) of:
 - Microsoft Defender for Cloud Apps
 - Microsoft Defender for Cloud
 - Microsoft Defender XDR
 
-For more information, see [Microsoft Defender preview features](https://security.microsoft.com/securitysettings/defender/preview_features).
-
-## Enable Copilot Studio AI agent threat protection inventory
+## Enable the Copilot Studio AI agent inventory
 
 > [!NOTE]
-> The onboarding process for AI Agent threat protection inventory requires collaboration with Power Platform administrators.
+> The onboarding process for the AI agent inventory requires collaboration with Power Platform administrators.
 
-To enable Copilot Studio AI agent threat protection inventory, follow these steps:
+To enable the Copilot Studio AI agent inventory, follow these steps:
 
 1. **Sign in to the [Microsoft Defender portal](https://security.microsoft.com)** as the System Administrator.
 1. Go to **System > Settings > Cloud Apps > Copilot Studio AI Agents**.
@@ -42,19 +40,34 @@ To enable Copilot Studio AI agent threat protection inventory, follow these step
 When Copilot Studio AI Agents are connected, a green indicator appears in the **AI Agents Inventory** section in the Microsoft Defender system settings. It can take up to 30 minutes for the initial connection status to update. Depending on the size and complexity of your environment, it might take longer to see the full deployment of the AI agent inventory.
 
 
-## Identify misconfigured or risky AI agents
+## Identify misconfigured or risky AI agents using advanced hunting
 
 After you give Microsoft Defender access to your custom agents, you can use advanced hunting to help identify misconfigured or risky agents and minimize organizational exposure to potential threats.
+We recommend that you reach out to the owners of the risky agents for more information, and that you consider quarantining or deleting risky agents.
+
+1. Sign in to the Defender portal, and go **Investigation & response** -> **Hunting** -> **Advanced hunting**.
+1. In the **Apps & identities** section, the [AIAgentsInfo table](/defender-xdr/advanced-hunting-aiagentsinfo-table) contains data for all your custom AI agents created using Copilot Studio. You can use this data to create custom queries.
+
+### Sample queries
+
+Run this query to get a list of all the agents in your tenant:
+
+```kusto
+    AIAgentsInfo 
+    | summarize arg_max(Timestamp, *) by AIAgentId
+```
 
-1. Sign in to the Defender portal, and go to **Advanced hunting**.
-1. In the **Apps & identities** section, the [AIAgentsInfo](/defender-xdr/advanced-hunting-aiagentsinfo-table) contains data for all your custom AI agents created using Copilot Studio. You can use this data to create custom queries.
-1. In the **Queries** tab, see the **MCS AI Agents** section for predefined KQL queries to help identify misconfigured or risky agents.
+Run this query to identify all published agents that are configured with an incorrect authentication mechanism: 
 
-    For example, you can use queries to: :
-    - locate published agents that use maker authentication mechanisms, which might allow access to data users shouldn't have
-    - locate published agents that haven't been used for over 30 days, as they might create unnecessary exposure without contributing to productivity. 
+```kusto
+    AIAgentsInfo
+    | summarize arg_max(Timestamp, *) by AIAgentId 
+    | where AgentStatus != "Deleted"  
+    | where AgentStatus == "Published" 
+    | where UserAuthenticationType == "None" or AuthenticationTrigger == "As Needed"  
+    | project-reorder AgentCreationTime ,AIAgentId, AIAgentName, AgentStatus, CreatorAccountUpn, OwnerAccountUpns
+```
 
-We recommend that you reach out to the owners of the risky agents for more information, and that you consider quarantining or deleting the risky agents.
 
 See [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview) to learn how to use queries to proactively hunt for threats.
 

defender-for-cloud-apps/ai-agent-protection.md

@@ -8,20 +8,20 @@ ms.reviewer: gayasalomon
 #customer-intent: As a security administrator, I want my Copilot Studio AI agents to be protected against suspicious or harmful actions so that I can reduce security risks to my organization.
 ---
 
-# Protect your Microsoft Copilot Studio AI agents (Preview)
+# Protect your Microsoft Copilot Studio custom AI agents (Preview)
 
-As no code/low code platforms become increasingly accessible, organizations face new types of security risks. These platforms empower non-technical users to build and deploy custom agents without centralized security review or controls in place. Attackers can attempt to manipulate these agents by:
-- injecting malicious prompts
-- triggering unintended tool executions
-- exploiting data sources to escalate privileges or exfiltrate data.
+As No code/Low code platforms become increasingly accessible, organizations face new types of security risks. These platforms empower non-technical users to build and deploy custom agents without centralized security review or controls in place. Attackers can attempt to manipulate these agents by:
+- Injecting malicious prompts
+- Triggering unintended tool executions
+- Exploiting data sources to escalate privileges or exfiltrate data.
 
-## AI agent threat protection features
+## AI agent protection features
 
 Microsoft Defender addresses critical security gaps with comprehensive AI agent protection that includes proactive exposure, threat hunting, real time protection, and alerts. With AI agent protection, Microsoft Defender:
 
-- Detects all of your custom AI agents created with Microsoft Copilot Studio, and integrates their data into advanced hunting for proactive threat detection. You can use this data to create custom queries and hunt for potential threats. See [Copilot Studio AI agent threat protection inventory (Preview)](ai-agent-inventory.md) to learn how to set up and make use of the AI agent inventory.
+- Detects all of your custom AI agents created with Microsoft Copilot Studio, and integrates their data into advanced hunting for proactive threat detection. You can use this data to create custom queries and hunt for potential threats. See [Copilot Studio AI agent inventory (Preview)](ai-agent-inventory.md) to learn how to set up and make use of the AI agent inventory.
 - Collects audit logs for your custom AI agents created with Copilot Studio, continuously monitors the agents for suspicious acitivity, and enables detections and alerts. To enable this monitoring, make sure that you:
-    - [Enable the AI agent threat protection inventory](ai-agent-inventory.md#enable-copilot-studio-ai-agent-threat-protection-inventory).
+    - [Enable the AI agent inventory](ai-agent-inventory.md#enable-copilot-studio-ai-agent-threat-protection-inventory).
     - [Enable the Microsoft 365 app connector](protect-office-365.md#connect-microsoft-365-to-microsoft-defender-for-cloud-apps).
 - Provides real-time protection to block suspicious or harmful actions initiated by your AI agents, and triggers an informative alert integrated into the XDR incidents and alerts environment. See [Enable real-time protection for Microsoft Copilot Studio Agents](/real-time-agent-protection-during-runtime.md) to learn how to set up real-time protection.