Query Details

Foundry - Custom blocklist term matched

Foundry Blocklist Term Matched

Query

AppDependencies
| where isnotempty(Properties["microsoft.foundry.content_filter.results"])
| extend
    Agent     = tostring(Properties["gen_ai.agent.name"]),
    Model     = tostring(Properties["gen_ai.request.model"]),
    ConvId    = tostring(Properties["gen_ai.conversation.id"]),
    ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
    Prompt    = tostring(Properties["gen_ai.input.messages"]),
    FilterArr = todynamic(tostring(Properties["microsoft.foundry.content_filter.results"]))
| mv-expand Entry = FilterArr
| extend
    SourceType = tostring(Entry.source_type),
    Cfr        = todynamic(Entry.content_filter_results)
// Custom blocklists surface as named keys inside content_filter_results
// (e.g. "Profanity", or your own blocklist name) alongside the standard
// harm categories. Treat any non-standard key that tripped as a blocklist
// hit so the rule works regardless of the blocklist name.
| mv-expand Key = bag_keys(Cfr)
| extend BlockListName = tostring(Key)
| where BlockListName !in~ ("jailbreak", "prompt_shield", "indirect_attack", "hate", "sexual", "violence", "self_harm", "protected_material", "protected_material_code", "protected_material_text")
| extend Verdict = todynamic(Cfr[BlockListName])
| where tobool(Verdict.filtered) or tobool(Verdict.detected)
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
    TimeGenerated, AccountName, SourceType, Agent, Model, ProjectId, ConvId,
    BlockListName, VerdictJson = tostring(Verdict), Prompt
| order by TimeGenerated desc

Explanation

This query is designed to monitor and raise alerts when specific custom blocklist terms, defined by an organization, are detected in prompts or completions within a Foundry or Agent Service. Here's a simplified breakdown:

  1. Purpose: The query identifies when users interact with restricted terms, such as project code names or regulated keywords, by checking against a custom blocklist.

  2. Data Source: It uses data from Application Insights, specifically from the AppDependencies data type.

  3. Frequency: The query runs every hour and looks back over the past hour to check for any matches.

  4. Severity: The alert generated from this query is considered to have a medium severity level.

  5. Detection Logic:

    • It examines telemetry data to find entries where custom blocklist terms are matched.
    • The query extracts relevant information such as the agent name, model, conversation ID, project ID, and the prompt text.
    • It checks for any non-standard blocklist keys that have been triggered, indicating a blocklist hit.
    • If a blocklist term is detected or filtered, it logs details like the time, account name, source type, and the blocklist name.
  6. Alert Configuration:

    • An incident is created if any blocklist term is matched.
    • Alerts are grouped by account, and incidents are not reopened once closed.
  7. Tags and Metadata: The query is tagged with keywords like Sentinel-As-Code, Custom, Foundry, AI, ContentSafety, and Blocklist, indicating its context and purpose.

Overall, this query helps organizations monitor and respond to potential misuse or probing of sensitive terms by generating alerts when such terms are detected in AI-generated content.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

FoundryAgentServiceUsersBlocklistTermsAppDependenciesPropertiesAzureTracingContentRecordingApplicationInsightsExecutionDefenseEvasionAccountCloudModelProjectConversationPromptTimeGeneratedAccountNameSourceTypeProjectIdConvIdBlockListNameVerdictJsonSentinelCustomAIContentSafety

Operators

isnotemptyextendtostringtodynamicmv-expandbag_keys!in~tobooliffisemptyprojectorder by

Severity

Medium

Tactics

ExecutionDefenseEvasion

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub