Query Details

Agent Cost Anomaly By Dimension

Query

id: a0e1f203-8888-4d14-9108-0123456789ca
name: Agent - Token / cost anomaly by model dimension
description: |
  Hunts hourly token-consumption anomalies broken out per model, using
  series_decompose_anomalies over a 14-day baseline. Where the per-agent
  token-spike analytic rule answers "which agent spiked", this hunt slices
  the spend by model dimension so you can spot cost / denial-of-wallet
  anomalies concentrated on a specific (and often more expensive) model -
  including ones spread thinly across many agents that no single per-agent
  rule would catch.

  Reads gen_ai.usage.input_tokens + gen_ai.usage.output_tokens from the
  AppDependencies span property bag (Properties). Swap the "by Model"
  grouping for Agent or a tool dimension to pivot cost differently. The
  anomaly sensitivity (2.5) and the recentWindow filter are tunable.
query: |
  let lookback = 14d;
  let step = 1h;
  let recentWindow = 1d;
  AppDependencies
  | where TimeGenerated > ago(lookback)
  | where isnotempty(Properties["gen_ai.usage.input_tokens"])
       or isnotempty(Properties["gen_ai.usage.output_tokens"])
  | extend
      Model  = tostring(Properties["gen_ai.request.model"]),
      InTok  = tolong(Properties["gen_ai.usage.input_tokens"]),
      OutTok = tolong(Properties["gen_ai.usage.output_tokens"])
  | extend Model = iff(isempty(Model), "unknown-model", Model)
  | extend TotalTok = coalesce(InTok, 0) + coalesce(OutTok, 0)
  | make-series Tokens = sum(TotalTok) default = 0
      on TimeGenerated from ago(lookback) to now() step step by Model
  | extend (anom, score, baseline) = series_decompose_anomalies(Tokens, 2.5)
  | mv-expand
      TimeGenerated to typeof(datetime),
      Tokens   to typeof(long),
      anom     to typeof(long),
      score    to typeof(double),
      baseline to typeof(long)
  | where anom == 1 and Tokens > baseline and TimeGenerated > ago(recentWindow)
  | project TimeGenerated, Model, Tokens, BaselineTokens = baseline, AnomalyScore = score
  | order by AnomalyScore desc
tactics:
  - Impact
techniques:
  - T1496
tags:
  - Sentinel-As-Code
  - Custom
  - Foundry
  - AI

Explanation

This query is designed to identify unusual patterns in token usage for different AI models over a 14-day period. Here's a simple breakdown:

  1. Purpose: The query aims to detect anomalies in the number of tokens consumed by AI models, which could indicate unusual or unexpected costs associated with specific models.

  2. Data Source: It pulls data from the AppDependencies table, specifically looking at input and output tokens used by AI models.

  3. Time Frame: It examines data from the past 14 days, with a focus on hourly intervals.

  4. Anomaly Detection: The query uses a function called series_decompose_anomalies to identify anomalies in token usage. An anomaly is flagged if the token usage is significantly higher than the baseline (normal usage pattern).

  5. Filtering: It only considers anomalies that occurred within the last day and where the token usage exceeded the baseline.

  6. Output: The results include the time of the anomaly, the model affected, the number of tokens used, the baseline token usage, and an anomaly score. The results are sorted by the anomaly score in descending order, highlighting the most significant anomalies.

  7. Customization: The query can be adjusted to group data by different dimensions (like agent or tool) and to change the sensitivity of anomaly detection.

Overall, this query helps in identifying cost anomalies related to AI model usage, which might otherwise go unnoticed if spread across multiple agents.
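The pipeline above (filter the span property bag, bucket token counts into an hourly series per model, score each hour against a baseline, keep only positive anomalies in the recent window) can be exercised offline. The following Python is an added example, not part of the query library or the KQL on this page. It assumes a simplified baseline (series median with MAD-scaled residuals) in place of the seasonal/trend fit that series_decompose_anomalies performs, an agent property named gen_ai.agent.name (the page does not name one), and constructed span records: 14 days of steady traffic plus one final hour in which 20 agents each add 300 tokens on the premium model, so that no single agent looks unusual while the model-level series does.

```python
"""Python stand-in for the per-model token anomaly hunt (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

LOOKBACK = timedelta(days=14)
STEP = timedelta(hours=1)
RECENT_WINDOW = timedelta(days=1)
THRESHOLD = 2.5  # same sensitivity value the query passes to series_decompose_anomalies
NOW = datetime(2026, 6, 8, 12, 0, tzinfo=timezone.utc)  # constructed stand-in for now()


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def make_span(ts, agent, model, in_tok, out_tok):
    """One AppDependencies row with gen_ai.* keys in its Properties bag (constructed)."""
    props = {"gen_ai.agent.name": agent}  # assumed agent key; not named on the page
    if model is not None:
        props["gen_ai.request.model"] = model
    if in_tok is not None:
        props["gen_ai.usage.input_tokens"] = in_tok
    if out_tok is not None:
        props["gen_ai.usage.output_tokens"] = out_tok
    return {"TimeGenerated": ts, "Properties": props}


def sample_spans(now=NOW):
    """Constructed data: steady hourly traffic on two models, then a last-hour
    spike on premium-model spread thinly over 20 agents (300 tokens each)."""
    start = hour_bucket(now - LOOKBACK)
    hours = int((now - start) / STEP) + 1
    spans = []
    for h in range(hours):
        ts = start + h * STEP
        spans.append(make_span(ts, "agent-a", "cheap-model", 800 + (h % 5) * 10, 200))
        spans.append(make_span(ts, "agent-b", "premium-model", 400 + (h % 3) * 20, 100))
    for i in range(1, 21):
        spans.append(make_span(hour_bucket(now), f"agent-{i:02d}", "premium-model", 250, 50))
    # Span with no usage keys at all: dropped by the isnotempty filter, like the KQL.
    spans.append(make_span(hour_bucket(now), "agent-z", "premium-model", None, None))
    return spans


def build_series(spans, now=NOW):
    """Mirror 'make-series Tokens = sum(TotalTok) default = 0 ... step 1h by Model'."""
    start = hour_bucket(now - LOOKBACK)
    n = int((now - start) / STEP) + 1
    series = defaultdict(lambda: [0] * n)
    for sp in spans:
        p = sp["Properties"]
        in_tok = p.get("gen_ai.usage.input_tokens")
        out_tok = p.get("gen_ai.usage.output_tokens")
        if in_tok is None and out_tok is None:
            continue  # neither usage key present: same as the where-clause filter
        model = p.get("gen_ai.request.model") or "unknown-model"
        idx = int((hour_bucket(sp["TimeGenerated"]) - start) / STEP)
        if 0 <= idx < n:
            series[model][idx] += int(in_tok or 0) + int(out_tok or 0)  # coalesce(.., 0)
    return start, dict(series)


def decompose_anomalies(values, threshold=THRESHOLD):
    """Simplified stand-in for series_decompose_anomalies (assumption: the real
    function removes seasonal and trend components first). Baseline = series
    median; residuals scaled by 1.4826 * MAD so the threshold reads like a z-score.
    Returns (anom, score, baseline) with the same sign convention as KQL."""
    base = median(values)
    resid = [v - base for v in values]
    scale = 1.4826 * median(abs(r) for r in resid) or 1.0  # guard a flat series
    scores = [r / scale for r in resid]
    anoms = [1 if s > threshold else -1 if s < -threshold else 0 for s in scores]
    return anoms, scores, [base] * len(values)


def hunt(spans, now=NOW):
    """The mv-expand / where / project / order by stages of the query."""
    start, series = build_series(spans, now)
    hits = []
    for model, tokens in series.items():
        anom, score, base = decompose_anomalies(tokens)
        for i, t in enumerate(tokens):
            ts = start + i * STEP
            if anom[i] == 1 and t > base[i] and ts > now - RECENT_WINDOW:
                hits.append({"TimeGenerated": ts, "Model": model, "Tokens": t,
                             "BaselineTokens": base[i], "AnomalyScore": round(score[i], 2)})
    return sorted(hits, key=lambda h: h["AnomalyScore"], reverse=True)


def per_agent_tokens(spans, bucket):
    """Per-agent totals for one hour: shows why a per-agent rule misses the spread spike."""
    totals = defaultdict(int)
    for sp in spans:
        p = sp["Properties"]
        if hour_bucket(sp["TimeGenerated"]) == bucket:
            totals[p["gen_ai.agent.name"]] += (int(p.get("gen_ai.usage.input_tokens") or 0)
                                               + int(p.get("gen_ai.usage.output_tokens") or 0))
    return dict(totals)


if __name__ == "__main__":
    spans = sample_spans()
    for hit in hunt(spans):
        print(hit)  # one row: premium-model, 6500 tokens vs a 520 baseline
    print(per_agent_tokens(spans, hour_bucket(NOW)))  # every spiking agent sits at 300
```

Running it reports a single anomaly on premium-model in the final hour (6500 tokens against a 520-token hourly baseline) while cheap-model stays within its normal band; the per-agent view of the same hour shows each of the twenty contributing agents at only 300 tokens, which is the case the description says a per-agent rule would not catch. Swapping the grouping key in build_series from the model property to the agent property is the Python equivalent of changing the query's "by Model" clause.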

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies, Properties, Model, Tokens, TimeGenerated, AnomalyScore, BaselineTokens

Operators

let, ago, where, isnotempty, extend, tostring, tolong, iff, isempty, coalesce, make-series, sum, series_decompose_anomalies, mv-expand, typeof, project, order by