Microsoft Defender XDR provides blast radius analysis as an advanced graph visualization integrated directly into the incident investigation experience. Built on the Microsoft Sentinel data lake and graph infrastructure, blast radius analysis extends and replaces Attack Path Analysis. When investigating an incident, analysts select any node in the incident graph, open the context menu, and choose View blast radius. Defender loads an interactive graph showing up to eight top-rated attack paths from the compromised node to predefined critical targets, with a full list accessible via the right-side panel. Path length is bounded to a maximum of seven hops from the source node, with environment-specific limits of five hops for cloud and on-premises environments and three hops for hybrid environments. AI agents managed through Microsoft Agent 365 are assigned identities tracked in Microsoft Entra. Each agent in the AIAgentsInfo Advanced Hunting table carries an EntraObjectId field (the agent's unique enterprise application object identifier in Microsoft Entra ID) and an EntraBlueprintId field (the identity blueprint principal identifier by Microsoft Entra Agent ID). These fields link agent activity to its Entra identity so analysts can pivot from a blast radius node to the agent's authentication configuration, ownership, and tool access. The AgentAppId field records the unique app identifier registered for the agent in Microsoft Entra, providing a further tie to Entra-managed credentials. Defender XDR correlates AI agent alerts from near-real-time detections and real-time protection block events into incidents, then surfaces the full attack context through the incident graph. Analysts see both the current impact of a breach and possible future propagation in one consolidated view. Advanced Hunting tables for AI agent investigation include AIAgentsInfo (agent inventory and configuration), CloudAppEvents (Agent 365 observability data covering tool invocations), AlertInfo (alert metadata), and AlertEvidence (entities associated with alerts). Analysts use KQL queries across these tables to trace agent tool invocations, correlate them with block events, and identify the scope of a detected threat. To use blast radius analysis, the organization must be onboarded to the Microsoft Sentinel data lake and the viewing user must hold Exposure Management read permission or higher. Blast radius graphs rely on known attack vectors and reflect only nodes within the user's RBAC scope; paths through out-of-scope nodes are not displayed. Data freshness latency can cause the graph to be temporarily incomplete when the environment changes.
Blast radius analysis extends and replaces Attack Path Analysis, providing a unified pre-breach and post-breach view within the incident graph; analysts trigger it by selecting View blast radius on any incident node.
Path calculations are bounded to a maximum of seven hops from the source node, with five hops for cloud and on-premises and three hops for hybrid environments.
Each AI agent in the AIAgentsInfo Advanced Hunting table carries EntraObjectId and EntraBlueprintId fields that link the agent to its Microsoft Entra Agent ID identity, enabling pivot from blast radius nodes to the agent's Entra-managed credentials.
Defender XDR correlates AI agent alerts from near-real-time detections and real-time protection block events into incidents, then exposes the full relationship graph through the incident investigation experience.
Four Advanced Hunting tables support AI agent blast radius investigation: AIAgentsInfo, CloudAppEvents, AlertInfo, and AlertEvidence; analysts query these individually or correlate them using KQL.
Blast radius analysis requires Microsoft Sentinel data lake onboarding and Exposure Management read permission; the graph is scoped to the user's RBAC permissions, so out-of-scope paths are not displayed.