Agent - Abnormal tool / capability usage mix
Agent Abnormal Tool Usage
Query
let baselineWindow = 14d;
let recentWindow = 1d;
let toolEvents =
AppDependencies
| where TimeGenerated > ago(baselineWindow)
| where isnotempty(Properties["gen_ai.tool.name"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
ToolType = tolower(tostring(Properties["gen_ai.tool.type"]))
| where isnotempty(ToolName);
let baseline =
toolEvents
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| summarize BaselineCalls = count() by Agent, ToolName;
let recent =
toolEvents
| where TimeGenerated > ago(recentWindow)
| summarize RecentCalls = count(), ToolTypes = make_set(ToolType, 8) by Agent, ToolName;
recent
| join kind=leftouter baseline on Agent, ToolName
| extend BaselineCalls = coalesce(BaselineCalls, 0)
| extend
IsNewTool = BaselineCalls == 0,
SpikeRatio = iff(BaselineCalls > 0, todouble(RecentCalls) / todouble(BaselineCalls), todouble(RecentCalls))
| where IsNewTool or SpikeRatio >= 5.0
| order by IsNewTool desc, SpikeRatio desc, RecentCalls descExplanation
This query is designed to detect unusual usage patterns of tools by agents within a system, specifically focusing on changes over a 24-hour period compared to a 14-day baseline. Here's a simplified breakdown:
-
Purpose: The query identifies agents whose tool usage has changed significantly, either by using a new tool or by showing a sharp increase in the usage of existing tools. This can help detect potential exploitation or misuse of high-impact tools like code interpreters, shells, HTTP, email, and SQL.
-
Data Source: It analyzes data from the
AppDependenciestable, focusing on tool names and types associated with each agent. -
Baseline and Recent Activity:
- Baseline: It calculates the average tool usage over the past 14 days.
- Recent Activity: It examines tool usage in the last 24 hours.
-
Comparison:
- It compares recent tool usage to the baseline to identify:
- New Tools: Tools that were not used in the baseline period.
- Usage Spikes: Tools whose usage has increased by at least five times compared to the baseline.
- It compares recent tool usage to the baseline to identify:
-
Output: The results are sorted to highlight new tools first, followed by those with the highest usage spikes, helping prioritize potential security concerns.
-
Security Context: The query is aligned with tactics like Execution and Privilege Escalation and techniques such as Command and Scripting Interpreter (T1059) and Account Manipulation (T1098), indicating its relevance in detecting suspicious activities.
Overall, this query helps security teams monitor and respond to abnormal tool usage patterns that could indicate security threats.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Tactics