AI agents are redefining what 'the weakest link' means in enterprise architecture. A KQL-based approach to detecting OpenClaw and MCP in modern environments.
The Model Context Protocol is an open standard released by Anthropic in November 2024. It standardizes how AI assistants interact with external tools and services (file systems, databases, APIs, calendars, email) through a JSON-RPC 2.0 message interface. Think of it as USB-C for AI: one protocol to connect any tool to any model.

An MCP client that is compromised gives an attacker access to all connected service tokens simultaneously, including any corporate resources the user has connected. This year, Trend Micro found 492 MCP servers exposed to the internet with no authentication whatsoever.
The more interesting risk is semantic. An attacker who controls any text the model reads (for example an incoming mail, or an uploaded document) can influence agent behavior without touching application code at all. This is called indirect prompt injection at the protocol layer: an attacker embeds malicious instructions in data the agent processes, and the agent executes them as legitimate commands.
Real-world incidents confirm this isn't theoretical. Asana's MCP implementation exposed data across different customer instances, and Check Point disclosed an RCE in Claude Code via poisoned repository config files, even before the Pentagon designated Anthropic a supply chain risk.
When a user authenticates their Microsoft account to the Anthropic M365 MCP connector, it shows up in SigninLogs against specific Anthropic app IDs. This gives visibility into which users have connected Claude to your M365 environment — often without security team awareness.
// Application IDs the Anthropic M365 MCP connector signs in with
let ClaudeAppIds = dynamic([
"08ad6f98-a4f8-4635-bb8d-f1a3044760f0",
"07c030f6-5743-41b7-ba00-0a6e85f37c17"
]);
SigninLogs
| where AppId in (ClaudeAppIds)
// successful sign-ins only; failed attempts never completed the connection
| where ResultType == "0"
| extend DeviceName = tostring(DeviceDetail.displayName)
| project TimeGenerated, UserPrincipalName, DeviceName, IPAddress, AppDisplayName
OpenClaw is an open-source AI agent built by Austrian developer Peter Steinberger, first published in November 2025 under the name Clawdbot. It went viral in early January 2026, hitting 20,000 GitHub stars in 24 hours and eventually surpassing 247,000 stars, briefly becoming GitHub's most-starred repository.
It connects to LLMs like Claude or GPT-4 for reasoning while handling execution locally: shell commands, file read/write, browser automation, email, calendar, messaging platforms including WhatsApp and Telegram.
Within days, Antiy CERT confirmed 1,184 malicious skills across ClawHub, OpenClaw's public skill marketplace. A Cisco audit of 31,000 skills found 26% contained vulnerabilities or active malware. Censys found exposed instances leaking API keys, OAuth tokens, and plaintext credentials. CERT-Bund issued formal advisory WID-SEC-2026-0856 in March.
The following snippet detects installation across all documented methods: npm global install (including legacy package names clawdbot and moltbot), the curl-based installer script, git clone, and the node process with OpenClaw config paths.
DeviceProcessEvents
// npm global install, including the legacy package names
| where (FileName in~ ("npm.cmd", "npm") and ProcessCommandLine has_any ("openclaw", "clawdbot", "moltbot") and ProcessCommandLine has "install")
// curl/wget-based installer script
or (FileName in~ ("curl.exe", "curl", "wget") and ProcessCommandLine has "openclaw.ai/install")
// git clone of the repository
or (FileName in~ ("git.exe", "git") and ProcessCommandLine has "openclaw/openclaw")
// node process referencing OpenClaw config directories (current and legacy names)
or (FileName in~ ("node.exe", "node") and ProcessCommandLine has_any (".openclaw", ".clawdbot", ".clawhub"))
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
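The two hunts above are most useful together: an account that has connected Claude to M365 and also runs OpenClaw on an endpoint is exactly the case where a compromised agent can reach the connected service tokens. The following correlation query is an added example, not part of the original post; it assumes both SigninLogs and DeviceProcessEvents land in the same Sentinel workspace, that DeviceProcessEvents exposes the initiating account's UPN in InitiatingProcessAccountUpn, and a 30-day lookback.

```kql
// Added example: accounts seen both connecting Claude to M365 and
// installing or running OpenClaw on a managed device (30-day window assumed).
let lookback = 30d;
let ClaudeAppIds = dynamic([
    "08ad6f98-a4f8-4635-bb8d-f1a3044760f0",
    "07c030f6-5743-41b7-ba00-0a6e85f37c17"
]);
// Side 1: who has connected Claude to M365 (successful sign-ins only)
let ClaudeConnected = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AppId in (ClaudeAppIds) and ResultType == "0"
    | summarize FirstClaudeSignin = min(TimeGenerated),
                ClaudeSignins = count()
              by Upn = tolower(UserPrincipalName);
// Side 2: who has OpenClaw on an endpoint (same criteria as the query above)
let OpenClawHosts = DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | where (FileName in~ ("npm.cmd", "npm") and ProcessCommandLine has_any ("openclaw", "clawdbot", "moltbot") and ProcessCommandLine has "install")
        or (FileName in~ ("curl.exe", "curl", "wget") and ProcessCommandLine has "openclaw.ai/install")
        or (FileName in~ ("git.exe", "git") and ProcessCommandLine has "openclaw/openclaw")
        or (FileName in~ ("node.exe", "node") and ProcessCommandLine has_any (".openclaw", ".clawdbot", ".clawhub"))
    // events without a UPN (system or local accounts) cannot be joined to sign-ins
    | where isnotempty(InitiatingProcessAccountUpn)
    | summarize FirstOpenClawSeen = min(TimeGenerated),
                OpenClawDevices = make_set(DeviceName),
                SampleCommandLine = take_any(ProcessCommandLine)
              by Upn = tolower(InitiatingProcessAccountUpn);
// Inner join keeps only accounts present on both sides
ClaudeConnected
| join kind=inner OpenClawHosts on Upn
| project Upn, FirstClaudeSignin, ClaudeSignins, FirstOpenClawSeen, OpenClawDevices, SampleCommandLine
| order by FirstOpenClawSeen desc
```

Rows returned here are review candidates: the account's M365 tokens are reachable from a device that also runs an agent with local shell and file access.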
OpenClaw and MCP are not isolated problems, but rather early examples of a structural shift.
Agentic AI blends untrusted input, third-party code, persistent memory, and high-privilege execution into a single autonomous loop. Traditional security tooling is largely blind to this: endpoint security sees processes running but can't interpret agent behavior; network tools see API calls but can't distinguish legitimate automation from compromise.
"Millions of firewalls and encryption means nothing, if humans are the weakest link." — Kevin Mitnick, 2002
2026 changed that. Not because humans stopped being the weakest link, but because agents are now part of the chain.
"Millions of AI agents and MCP connectors means nothing — if the agent is the weakest link." — Inside Darknet, 2026