In previous operations, we analyzed how attackers abuse Azure infrastructure through techniques like password spraying via APIM. Today, we switch hats. We are going to build an autonomous Incident Response pipeline using the Gemini CLI, the Azure CLI, and specialized KQL skills. We aren't just running scripts; we are teaching an AI to hunt.
Before we can hunt, we need access. In a WSL (Windows Subsystem for Linux) environment the default `az login` flow, which opens a browser and waits for a redirect, often has no browser to open; the reliable alternative is the device code flow (`az login --use-device-code`). Log in once and the Azure CLI caches the resulting tokens under `~/.azure`, so every `az` call the agent issues afterwards is already authenticated. Check with `az account show` that you landed in the tenant and subscription you intend to hunt in, and log in with an identity that holds only the read permissions the hunt needs (for example the Log Analytics Reader role): whatever that identity can do, the agent can do.
To make Gemini a true security analyst, we provide it with specialized knowledge through integrated skill sets: curated, tested KQL examples from Defender XDR Advanced Hunting and Microsoft Sentinel, including the table names and result codes those schemas use. With that context the agent doesn't just "chat"; it writes and executes high-fidelity queries against your live telemetry instead of guessing at column names.
Integrated Skillsets:
When an anomaly is detected, our Gemini-powered agent follows a structured "sweep" protocol. This is where autonomous mode (YOLO, in which the Gemini CLI runs its tool calls without asking for approval on each one) truly shines. The agent writes a query that takes successful sign-ins from the last 24 hours, clusters them by source IP, and ranks the clusters by how many distinct accounts each IP authenticated: a single IP that succeeded for many users is the signature of a password spray that landed, and it is the first lead an analyst wants enriched.
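The two steps above, the device code login with a tenant check and the sweep query, put together as one script. This is an added example, not code from the article or from the Gemini CLI project. It assumes the Azure CLI is installed in WSL, that `TENANT_ID` holds the Entra tenant to hunt in and `WORKSPACE_ID` the Log Analytics workspace (customer) ID behind Microsoft Sentinel, and that the Sentinel `SigninLogs` schema applies, where `ResultType "0"` is a successful sign-in. The `az` calls only run when `RUN_SWEEP=1` is set, so the query builder and the tenant check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not the article's own code). Assumes: Azure CLI installed in
# WSL, TENANT_ID = the Entra tenant to hunt in, WORKSPACE_ID = the Log
# Analytics workspace (customer) ID behind Microsoft Sentinel.
set -eu

# Step 1: device code login. WSL usually has no browser to catch the redirect
# of the default flow, so the device code flow is used instead. Tokens are
# cached under ~/.azure and reused by every later az call the agent makes.
az_login_device() {
  az login --use-device-code --tenant "$TENANT_ID" --output none
}

# Step 2: confirm the cached identity belongs to the tenant we intend to hunt,
# so the agent never runs queries in the wrong tenant. Reads the JSON printed
# by `az account show` from stdin; returns 0 on match, 1 otherwise.
check_tenant() {
  expected="$1"
  actual="$(sed -n 's/.*"tenantId": *"\([^"]*\)".*/\1/p' | head -n 1)"
  [ "$actual" = "$expected" ]
}

# Step 3: the sweep query. Successful sign-ins (ResultType "0") in the last N
# hours, clustered by source IP and ranked by how many distinct users each IP
# authenticated: one IP succeeding for many accounts is the lead a spray
# investigation wants first.
build_sweep_kql() {
  hours="${1:-24}"
  cat <<EOF
SigninLogs
| where TimeGenerated > ago(${hours}h)
| where ResultType == "0"
| summarize Logins = count(),
            DistinctUsers = dcount(UserPrincipalName),
            Users = make_set(UserPrincipalName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by IPAddress
| order by DistinctUsers desc, Logins desc
EOF
}

# Step 4: run the query against the workspace. --timespan bounds the server-side
# time range to the same 24h window; the effective range is the intersection of
# that timespan and the ago() filter inside the query.
run_sweep() {
  az monitor log-analytics query \
    --workspace "$WORKSPACE_ID" \
    --analytics-query "$(build_sweep_kql 24)" \
    --timespan P1D \
    --output json
}

main() {
  az_login_device
  az account show --output json | check_tenant "$TENANT_ID" \
    || { echo "logged into the wrong tenant; aborting" >&2; exit 1; }
  run_sweep
}

# Only touch Azure when explicitly asked, so the helpers can be exercised offline.
if [ "${RUN_SWEEP:-0}" = "1" ]; then
  main
fi
```

Run it with `RUN_SWEEP=1 TENANT_ID=<tenant guid> WORKSPACE_ID=<workspace guid> bash sweep.sh`; the JSON it prints is the enriched lead set the agent hands to the analyst. The tenant check is the cheap guard that matters most in YOLO mode: an auto-approving agent with a cached token for the wrong tenant would otherwise hunt, confidently, in the wrong place.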
In Blue Teaming, YOLO mode isn't about recklessness; it's about reducing Mean Time to Respond (MTTR). By delegating the initial hunt and enrichment to the agent, the human analyst only steps in when a high-confidence, enriched lead is presented. You shift from being a "log searcher" to a "security architect," orchestrating a fleet of autonomous hunters.