SaaS Agent Security
Configure SaaS Agent Security as an External Threat Detection System
Table of Contents
Configure SaaS Agent Security as an External Threat Detection System
Learn how to use SaaS Agent Security as an external threat detection system
for identifying malicious prompts.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the SaaS Agent Security license:
|
You can use SaaS Agent Security as an external threat detection system for
Microsoft Copilot Studio. While Microsoft Copilot Studio includes its own built-in
safeguards, SaaS Agent Security provides an independent security layer for
additional oversight.
To serve as an external threat detection system, SaaS Agent Security
exposes a REST API endpoint for its threat detection service. Microsoft Copilot
Studio uses this endpoint to send requests for real-time risk assessment of user
prompts. SaaS Agent Security receives details about the prompts and
analyzes them for malicious intent. If SaaS Agent Security detects
malicious intent, it instructs Microsoft Copilot Studio to block the prompt request.
The user is notified that the request was blocked, and details of the event are made
available to Microsoft Copilot Studio administrators through audit logs and
Microsoft security tools.
- Locate the REST API endpoint for theSaaS Agent Security threat detection service.You complete the steps to configure an external threat detection system from within the Microsoft environment. When following those configuration steps, you will need to provide the REST API endpoint for the SaaS Agent Security threat detection service. To locate the endpoint, complete the following steps:
- Log in to Strata Cloud Manager.Select .In the Insights menu, the SaaS Agents item is located in the AI AGENT SECURITY section.In the upper-right corner of the SaaS Agent Security dashboard, click the settings icon.On the Settings page, select Runtime Settings.Copy both versions of the service endpoint (the standard URI and the Base64 version), and paste them into a text file.By following the Microsoft Copilot Studio documentation, register a Microsoft Entra application and authorize it to exchange data with SaaS Agent Security. To complete this step, you will need to provide the Base64-encoded version of the service endpoint that you copied earlier.By following the Microsoft Copilot Studio documentation, use the Microsoft Power Platform Admin Center (PPAC) to configure the threat detection system to use the SaaS Agent Security threat detection service. To complete this step, you will need to provide the service endpoint URI that you copied earlier.After you finish the configuration, PPAC establishes a secure connection to the SaaS Agent Security threat detection service through the Microsoft Entra application that you registered. PPOC verifies that the endpoint is reachable and functioning.Verify runtime blocking with our test prompt.To confirm that the SaaS Agent Security threat detection service can instruct Microsoft Copilot Studio to block a prompt request, we have created a prompt that will always result in a "Block" decision. In any agent deployed in the Microsoft Copilot Studio, enter the following prompt:PANW-REDACT-TRIGGER:hiSaaS Agent Security should return a "Block" decision to the agent within a second, and the agent will display an error message that the prompt was blocked.
