Query Details

Agent - Abnormal tool / capability usage mix

Agent Abnormal Tool Usage

Query

let baselineWindow = 14d;
let recentWindow = 1d;
let toolEvents =
    AppDependencies
    | where TimeGenerated > ago(baselineWindow)
    | where isnotempty(Properties["gen_ai.tool.name"])
    | extend
        Agent    = tostring(Properties["gen_ai.agent.name"]),
        ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
        ToolType = tolower(tostring(Properties["gen_ai.tool.type"]))
    | where isnotempty(ToolName);
let baseline =
    toolEvents
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | summarize BaselineCalls = count() by Agent, ToolName;
let recent =
    toolEvents
    | where TimeGenerated > ago(recentWindow)
    | summarize RecentCalls = count(), ToolTypes = make_set(ToolType, 8) by Agent, ToolName;
recent
| join kind=leftouter baseline on Agent, ToolName
| extend BaselineCalls = coalesce(BaselineCalls, 0)
| extend
    IsNewTool  = BaselineCalls == 0,
    SpikeRatio = iff(BaselineCalls > 0, todouble(RecentCalls) / todouble(BaselineCalls), todouble(RecentCalls))
| where IsNewTool or SpikeRatio >= 5.0
| order by IsNewTool desc, SpikeRatio desc, RecentCalls desc

Explanation

This query is designed to detect unusual usage patterns of tools by agents within a system, specifically focusing on changes over a 24-hour period compared to a 14-day baseline. Here's a simplified breakdown:

  1. Purpose: The query identifies agents whose tool usage has changed significantly, either by using a new tool or by showing a sharp increase in the usage of existing tools. This can help detect potential exploitation or misuse of high-impact tools like code interpreters, shells, HTTP, email, and SQL.

  2. Data Source: It analyzes data from the AppDependencies table, focusing on tool names and types associated with each agent.

  3. Baseline and Recent Activity:

    • Baseline: It calculates the average tool usage over the past 14 days.
    • Recent Activity: It examines tool usage in the last 24 hours.
  4. Comparison:

    • It compares recent tool usage to the baseline to identify:
      • New Tools: Tools that were not used in the baseline period.
      • Usage Spikes: Tools whose usage has increased by at least five times compared to the baseline.
  5. Output: The results are sorted to highlight new tools first, followed by those with the highest usage spikes, helping prioritize potential security concerns.

  6. Security Context: The query is aligned with tactics like Execution and Privilege Escalation and techniques such as Command and Scripting Interpreter (T1059) and Account Manipulation (T1098), indicating its relevance in detecting suspicious activities.

Overall, this query helps security teams monitor and respond to abnormal tool usage patterns that could indicate security threats.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AgentServiceToolsAppDependenciesPropertiesTelemetry

Operators

letagowhereisnotemptyextendtostringtolowerbetweensummarizecountmake_setjoinkindcoalesceifftodoubleorder by

Tactics

ExecutionPrivilegeEscalation

MITRE Techniques

Actions

GitHub