Microsoft Defender for Cloud adds granular alerts for securing Artificial Intelligence services and agents

Microsoft Defender for Cloud now exposes a detailed set of alerts tailored to threats against Azure Artificial Intelligence applications and agent-based systems, mapping each signal to specific attack tactics and severities. The alerts cover credential leaks, jailbreaks, phishing, access anomalies, wallet abuse and reconnaissance on both model deployments and agentic workloads.

Microsoft Defender for Cloud introduces a catalog of security alerts tailored to Azure Artificial Intelligence services, with coverage split between Artificial Intelligence applications and Artificial Intelligence agents. The alerts are designed to notify security operations teams about credential exposure, jailbreak attempts, phishing, anomalous access patterns and reconnaissance targeting models and agents. Each alert is aligned with specific MITRE tactics such as Credential Access, Privilege Escalation, Defense Evasion, Execution, Reconnaissance, Impact and Collection, and carries a defined severity level from low to high.

For Artificial Intelligence applications, Defender for Cloud flags credential theft when credentials appear in generative Artificial Intelligence model responses, highlighting risks unique to generative workloads. Multiple jailbreak alerts focus on direct prompt injection attempts to manipulate system prompts and bypass safeguards, differentiating between cases blocked or only detected by Azure Responsible Artificial Intelligence Content Safety Prompt Shields. Phishing-focused alerts distinguish between corrupted applications or models that respond with known malicious URLs, user-originated phishing URLs, and unknown URL origins, mapping to Impact, Collection and data poisoning scenarios. Additional detections include suspicious user agents and Tor or other suspicious IP addresses accessing Artificial Intelligence resources, wallet attack patterns based on duplicate requests or anomalous traffic volumes, and access anomalies tied to shifts in user agents, IP ranges or authentication methods. Defender for Cloud also monitors anomalous tool invocation in applications connected to Azure OpenAI deployments, sensitive data anomalies in model responses, and reconnaissance patterns aimed at extracting system instructions or testing guardrails.

For Artificial Intelligence agents, Microsoft extends similar protections in preview for the Foundry Agent service. Jailbreak attempts against agents are detected or blocked by Prompt Shields, reflecting the same focus on prompt injection and safeguard bypass. Agent-specific alerts also watch for ASCII smuggling attacks that hide instructions in invisible text, phishing URLs sent by users or produced in agent responses or tool outputs, and suspicious, anonymized or malicious user agent and IP access. Wallet attacks on agents are tracked through volume anomalies that diverge from historical usage. New detections highlight instruction prompt leakage, where attackers attempt to extract hidden system-level instructions, and agent reconnaissance behavior that can precede more invasive prompt injection or jailbreak attacks. Together these alerts provide a structured signal set that helps organizations monitor, triage and respond to threats across their Artificial Intelligence models, applications and agentic systems within Azure.
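A defender-side check for the ASCII smuggling pattern mentioned above, as an added example (not Microsoft's detection logic and not code from the original page). It assumes the hidden text is carried in the Unicode Tags block (U+E0000 to U+E007F), the usual form of this technique; the names `scan_hidden_text`, `triage` and `SAMPLE` are hypothetical.

```python
import unicodedata

TAG_BLOCK = range(0xE0000, 0xE0080)  # Unicode Tags block, rendered as nothing


def scan_hidden_text(text):
    """Split text into what a reviewer sees and what is hidden from them."""
    hidden, visible, other_invisible = [], [], 0
    for ch in text:
        cp = ord(ch)
        if cp in TAG_BLOCK:
            low = cp - 0xE0000
            if 0x20 <= low <= 0x7E:      # tag char shadowing printable ASCII
                hidden.append(chr(low))
        elif unicodedata.category(ch) == "Cf":
            other_invisible += 1          # zero-width space/joiner, BOM, bidi marks
        else:
            visible.append(ch)
    return {
        "visible": "".join(visible),
        "hidden_ascii": "".join(hidden),
        "other_invisible": other_invisible,
        "suspicious": bool(hidden),
    }


def triage(messages):
    """Return (source, hidden payload) for each message carrying hidden ASCII."""
    findings = []
    for source, text in messages:
        result = scan_hidden_text(text)
        if result["suspicious"]:
            findings.append((source, result["hidden_ascii"]))
    return findings


# Constructed sample input: the second message carries the hidden word "hi".
SAMPLE = [
    ("user_prompt", "Summarize the attached report."),
    ("tool_output", "Quarterly totals follow.\U000E0068\U000E0069"),
    ("user_prompt", "Zero\u200bwidth space only."),
]

if __name__ == "__main__":
    for source, payload in triage(SAMPLE):
        print(f"{source}: hidden text {payload!r}")
```

Emoji subdivision flags legitimately use tag characters after U+1F3F4, so a short recovered payload directly following that emoji can be benign.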
