>
    Strata Copilot
    Configure SaaS Agent Security as an External Threat Detection System
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Agent Security
    3. Configure SaaS Agent Security as an External Threat Detection System
    Download PDF
    SaaS Agent Security

    Configure SaaS Agent Security as an External Threat Detection System

    Table of Contents

    Configure SaaS Agent Security as an External Threat Detection System

    Learn how to use SaaS Agent Security as an external threat detection system for identifying malicious prompts.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Agent Security license
    Or any of the following licenses that include the SaaS Agent Security license:
    • CASB-X
    • CASB-PA
    • SaaS Security Posture Management license
    You can use SaaS Agent Security as an external threat detection system for Microsoft Copilot Studio. While Microsoft Copilot Studio includes its own built-in safeguards, SaaS Agent Security provides an independent security layer for additional oversight.
    To serve as an external threat detection system, SaaS Agent Security exposes a REST API endpoint for its threat detection service. Microsoft Copilot Studio uses this endpoint to send requests for real-time risk assessment of user prompts. SaaS Agent Security receives details about the prompts and analyzes them for malicious intent. If SaaS Agent Security detects malicious intent, it instructs Microsoft Copilot Studio to block the prompt request. The user is notified that the request was blocked, and event details are made available to Microsoft Copilot Studio administrators through audit logs and Microsoft security tools.
    If an active Strata Logging Service instance is present on your tenant, SaaS Agent Security also records these blocked-prompt events in the SaaS Security/Detection log. You can examine this log in the Strata Cloud Manager Log Viewer.
    1. Locate the REST API endpoint for theSaaS Agent Security threat detection service.
      You complete the steps to configure an external threat detection system from within the Microsoft environment. When following those configuration steps, you will need to provide the REST API endpoint for the SaaS Agent Security threat detection service. To locate the endpoint, complete the following steps:
      1. Log in to Strata Cloud Manager.
      2. Select AI SecuritySaaS Agents.
        In the AI Security menu, the SaaS Agents item is located in the AI AGENT SECURITY section.
      3. In the upper-right corner of the SaaS Agent Security dashboard, click the settings icon.
      4. On the Settings page, select Runtime Settings.
      5. Copy both versions of the service endpoint (the standard URI and the Base64 version), and paste them into a text file.
    2. By following the Microsoft Copilot Studio documentation, register a Microsoft Entra application and authorize it to exchange data with SaaS Agent Security. To complete this step, you will need to provide the Base64-encoded version of the service endpoint that you copied earlier.
    3. By following the Microsoft Copilot Studio documentation, use the Microsoft Power Platform Admin Center (PPAC) to configure the threat detection system to use the SaaS Agent Security threat detection service. To complete this step, you will need to provide the service endpoint URI that you copied earlier.
      After you finish the configuration, PPAC establishes a secure connection to the SaaS Agent Security threat detection service through the Microsoft Entra application that you registered. PPOC verifies that the endpoint is reachable and functioning.
    4. Verify runtime blocking with our test prompt.
      To confirm that the SaaS Agent Security threat detection service can instruct Microsoft Copilot Studio to block a prompt request, we have created a prompt that will always result in a "Block" decision. In any agent deployed in the Microsoft Copilot Studio, enter the following prompt:
      PANW-REDACT-TRIGGER:hi
      SaaS Agent Security should return a "Block" decision to the agent within a second, and the agent will display an error message that the prompt was blocked.
    5. (Optional) If you have the Strata Logging Service, verify that SaaS Agent Security recorded the blocked prompt event to the SaaS Security/Detection log.
      You can examine this log in the Strata Cloud Manager Log Viewer to locate the event details.
      1. In Strata Cloud Manager, select Log Viewer.
      2. From the list of logs to view, select SaaS SecurityDetection.
      3. Locate the blocked-prompt event in the SaaS Security/Detection table.
        The Detector Type column for the blocked-prompt event will have the value AGENT_USER_PROMPT_INJECTION, and the Detection Details column will show the prompt that was blocked.

    © 2026 Palo Alto Networks, Inc. All rights reserved.