Foundry - Extended capability / architecture disclosure
Foundry Capability Disclosure Extended
Query
let probes = dynamic([
"what tools","list your tools","what functions","describe your functions",
"what capabilities","what can you do","what actions","what plugins",
"list your plugins","list your skills","what skills","describe your tools",
"what is your schema","print your function","reveal your tools",
"when do you ask for approval","what triggers consent","what triggers hitl",
"what triggers your guardrails","describe your memory","what memories do you have",
"what are your operations","what is your tool list","describe your hooks",
"list your apis","what mcp servers"
]);
let leakMarkers = dynamic([
"function:","tool:","name:","schema:","parameters","arguments",
"i have access to","i can use the","my available tools","my tools include",
"the following tools","tools available","available functions",
"i ask for approval","i require consent","my memory","memory store",
"my operations are","my mcp server","my plugins are"
]);
let known =
toscalar(
AppDependencies
| where TimeGenerated between (ago(7d) .. ago(1h))
| extend ToolName = tolower(tostring(Properties["gen_ai.tool.name"]))
| where isnotempty(ToolName) and strlen(ToolName) >= 4
| summarize Calls = count() by ToolName
| where Calls >= 5
| summarize KnownTools = make_set(ToolName, 200)
);
AppDependencies
| where TimeGenerated > ago(1h)
| where isnotempty(Properties["gen_ai.input.messages"])
and isnotempty(Properties["gen_ai.output.messages"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
Model = tostring(Properties["gen_ai.request.model"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
Input = tolower(tostring(Properties["gen_ai.input.messages"])),
Output = tolower(tostring(Properties["gen_ai.output.messages"]))
| extend AskedAboutCapabilities = Input has_any (probes)
| extend LeaksStructure = Output has_any (leakMarkers)
| where AskedAboutCapabilities and LeaksStructure
| extend OutputTokens = extract_all(@"([a-z][a-z0-9_\-]{3,})", Output)
| extend LeakedTools = set_intersect(OutputTokens, known)
| extend LeakedToolCount = array_length(LeakedTools)
| where LeakedToolCount >= 3
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project TimeGenerated, AccountName, Agent, Model, ProjectId, ConvId,
LeakedToolCount, LeakedTools,
InputSample = substring(Input, 0, 512),
OutputSample = substring(Output, 0, 1024)
| order by LeakedToolCount desc, TimeGenerated descExplanation
This query is designed to detect potential security risks related to the disclosure of an AI system's capabilities or architecture. Here's a simplified breakdown of what it does:
-
Purpose: It identifies situations where a user tries to probe an AI system for details about its tools, functions, or internal logic, and the system inadvertently reveals this information in its response. This is considered a security risk because it can lead to further exploitation.
-
Detection Mechanism:
- The query looks for specific phrases in user inputs that suggest probing for system capabilities (e.g., "what tools", "list your functions").
- It also checks the system's responses for markers that indicate it has leaked structural details (e.g., "function:", "tool:", "my available tools").
- It compares the leaked information against a list of known tools used by the system in the past week to ensure that the response includes real tool names, reducing false positives.
-
Conditions for Alert:
- The alert is triggered if the system's response includes at least three real tool names from the project's recent tool inventory.
- The query runs every hour and looks back over the past week for relevant data.
-
Severity and Response:
- The severity level is set to Medium, indicating a moderate risk.
- If the conditions are met, an incident is created for further investigation.
-
Technical Details:
- It uses data from Application Insights, focusing on application dependencies.
- The query extracts and processes input and output messages to identify potential leaks.
- It projects relevant details such as the time of the event, the agent involved, the model used, and samples of the input and output messages for context.
-
Entity Mapping and Incident Configuration:
- The query maps certain fields to entities like Account and CloudApplication for better tracking.
- It also includes settings for grouping related alerts into a single incident to streamline incident management.
Overall, this query is part of a security strategy to prevent unauthorized access to sensitive information about an AI system's internal workings.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P7D