Query Details

Agent Abnormal Tool Usage

Query

id: 6a7b8c9d-4444-4d10-9104-0123456789c4
name: Agent - Abnormal tool / capability usage mix
description: |
  Hunts Foundry / Agent Service agents whose 24-hour tool-invocation
  profile differs sharply from their 14-day baseline: a new tool
  appearing, or a per-tool call rate spiking far above baseline. Useful
  for finding agent-exploitation and abuse of high-impact tools
  (code interpreter, shell, http, email, sql) by an agent that previously
  did not touch them - the Foundry equivalent of the Copilot abnormal
  plugin-usage hunt.

  Reads gen_ai.tool.name / gen_ai.tool.type from the AppDependencies span
  property bag (Properties). Tools are pivoted per agent
  (gen_ai.agent.name) because Foundry telemetry has no human-user field.
query: |
  let baselineWindow = 14d;
  let recentWindow = 1d;
  let toolEvents =
      AppDependencies
      | where TimeGenerated > ago(baselineWindow)
      | where isnotempty(Properties["gen_ai.tool.name"])
      | extend
          Agent    = tostring(Properties["gen_ai.agent.name"]),
          ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
          ToolType = tolower(tostring(Properties["gen_ai.tool.type"]))
      | where isnotempty(ToolName);
  let baseline =
      toolEvents
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | summarize BaselineCalls = count() by Agent, ToolName;
  let recent =
      toolEvents
      | where TimeGenerated > ago(recentWindow)
      | summarize RecentCalls = count(), ToolTypes = make_set(ToolType, 8) by Agent, ToolName;
  recent
  | join kind=leftouter baseline on Agent, ToolName
  | extend BaselineCalls = coalesce(BaselineCalls, 0)
  | extend
      IsNewTool  = BaselineCalls == 0,
      SpikeRatio = iff(BaselineCalls > 0, todouble(RecentCalls) / todouble(BaselineCalls), todouble(RecentCalls))
  | where IsNewTool or SpikeRatio >= 5.0
  | order by IsNewTool desc, SpikeRatio desc, RecentCalls desc
tactics:
  - Execution
  - PrivilegeEscalation
techniques:
  - T1059
  - T1098
tags:
  - Sentinel-As-Code
  - Custom
  - Foundry
  - AI

Explanation

This query is designed to detect unusual tool usage by Foundry / Agent Service agents, specifically by comparing each agent's tool invocations over the last 24 hours with its 14-day baseline. Here's a simplified breakdown:

  1. Purpose: The query identifies agents whose tool usage has changed significantly, either by using a new tool or by showing a sharp increase in the usage of existing tools. This can help detect potential exploitation or misuse of high-impact tools like code interpreters, shells, HTTP, email, and SQL.

  2. Data Source: It analyzes data from the AppDependencies table, focusing on tool names and types associated with each agent.

  3. Baseline and Recent Activity:

    • Baseline: It counts each agent's calls per tool over the 14-day window, excluding the most recent 24 hours.
    • Recent Activity: It counts the same per-agent, per-tool calls over the last 24 hours.

  4. Comparison: It compares recent tool usage to the baseline to identify:

    • New Tools: Tools that the agent did not use at all in the baseline period.
    • Usage Spikes: Tools whose call count in the last 24 hours is at least five times the baseline count.

  5. Output: The results are sorted to highlight new tools first, followed by those with the highest usage spikes, helping prioritize potential security concerns.

  6. Security Context: The query is aligned with tactics like Execution and Privilege Escalation and techniques such as Command and Scripting Interpreter (T1059) and Account Manipulation (T1098), indicating its relevance in detecting suspicious activities.

Overall, this query helps security teams monitor and respond to abnormal tool usage patterns that could indicate security threats.
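To check the detection logic offline before deploying the rule, the following is an added Python emulation of the query run over constructed AppDependencies-style spans; it is not part of the original page, and the agent names, tool names and timestamps are invented sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BASELINE_WINDOW, RECENT_WINDOW, SPIKE_THRESHOLD = timedelta(days=14), timedelta(days=1), 5.0

def abnormal_tool_usage(spans, now):
    """Mirror of the KQL: count calls per (agent, tool) in the last 24h and in the rest of
    the 14-day window, then flag tools that are new or whose calls spiked >= 5x the baseline."""
    baseline, recent, tool_types = Counter(), Counter(), defaultdict(set)
    for span in spans:  # each span is a dict shaped like an AppDependencies row
        props = span.get("Properties") or {}
        tool = props.get("gen_ai.tool.name")
        ts = span["TimeGenerated"]
        if not tool or ts <= now - BASELINE_WINDOW:  # isnotempty() and ago(baselineWindow) filters
            continue
        key = (str(props.get("gen_ai.agent.name", "")), str(tool).lower())
        if ts > now - RECENT_WINDOW:  # recent bucket (last 24h)
            recent[key] += 1
            tool_types[key].add(str(props.get("gen_ai.tool.type", "")).lower())
        else:  # baseline bucket (days 2..14)
            baseline[key] += 1
    findings = []
    for (agent, tool), recent_calls in recent.items():
        base = baseline.get((agent, tool), 0)  # coalesce(BaselineCalls, 0) after the leftouter join
        ratio = recent_calls / base if base else float(recent_calls)
        if base == 0 or ratio >= SPIKE_THRESHOLD:
            findings.append({"Agent": agent, "ToolName": tool, "ToolTypes": sorted(tool_types[(agent, tool)]),
                             "RecentCalls": recent_calls, "BaselineCalls": base,
                             "IsNewTool": base == 0, "SpikeRatio": ratio})
    # order by IsNewTool desc, SpikeRatio desc, RecentCalls desc
    findings.sort(key=lambda f: (not f["IsNewTool"], -f["SpikeRatio"], -f["RecentCalls"]))
    return findings

# Constructed sample telemetry for the demo (not real Foundry data); NOW is a fixed clock.
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)

def _span(agent, tool, tool_type, age):
    return {"TimeGenerated": NOW - age, "Properties": {"gen_ai.agent.name": agent,
            "gen_ai.tool.name": tool, "gen_ai.tool.type": tool_type}}

SAMPLE_SPANS = (
    [_span("support-bot", "search_kb", "function", timedelta(days=d)) for d in range(2, 14)]   # steady baseline
    + [_span("support-bot", "search_kb", "function", timedelta(hours=h)) for h in range(1, 4)]  # normal today
    + [_span("support-bot", "Code_Interpreter", "code_interpreter", timedelta(hours=2))]         # never seen before
    + [_span("ops-bot", "http", "openapi", timedelta(days=5))]                                   # one baseline call
    + [_span("ops-bot", "http", "openapi", timedelta(minutes=m)) for m in range(0, 60, 10)]      # six calls in an hour
    + [_span("ops-bot", "shell", "function", timedelta(days=20))]                                # older than 14d: dropped
)
```

Calling `abnormal_tool_usage(SAMPLE_SPANS, NOW)` returns the new code_interpreter tool first and the 6x http spike second, while the steady search_kb usage and the span outside the 14-day window produce nothing.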

Details


David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

Agent Service, Tools, AppDependencies, Properties, Telemetry

Operators

let, ago, where, isnotempty, extend, tostring, tolower, between, summarize, count, make_set, join, kind, coalesce, iff, todouble, order by
