Query Details

Foundry Excessive Tool Chaining

Query

id: 091a2b3c-ffff-4209-920c-0123456789dd
name: Foundry - Excessive tool chaining in a single conversation
description: |
  Detects a Foundry / Agent Service conversation that fans out into an
  unusually long or wide tool-call chain in a short window: many tool
  invocations or many distinct tools driven by one conversation. This is
  the autonomous-overreach / tool-abuse shape - a runaway agent loop, an
  injection that turns the agent into an automation engine, or chained
  capabilities being strung together toward a larger objective
  (discovery -> data access -> exfiltration).

  Reads gen_ai.tool.name from the AppDependencies span property bag
  (Properties), grouped by gen_ai.conversation.id. Thresholds (>= 15 tool
  calls or >= 6 distinct tools per conversation) are starting points -
  tune to your busiest legitimate agents. Pair with the new-tool and
  abnormal-tool-usage content for context.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: PT3H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Execution
relevantTechniques:
- T1059
query: |
  AppDependencies
  | where isnotempty(Properties["gen_ai.tool.name"])
  | where isnotempty(Properties["gen_ai.conversation.id"])
  | extend
      Agent     = tostring(Properties["gen_ai.agent.name"]),
      Model     = tostring(Properties["gen_ai.request.model"]),
      ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
      ConvId    = tostring(Properties["gen_ai.conversation.id"]),
      ToolName  = tolower(tostring(Properties["gen_ai.tool.name"]))
  | summarize
      ToolCalls     = count(),
      DistinctTools = dcount(ToolName),
      Tools         = make_set(ToolName, 25),
      FirstSeen     = min(TimeGenerated),
      LastSeen      = max(TimeGenerated),
      AnyAgent      = take_any(Agent),
      AnyModel      = take_any(Model),
      AnyProject    = take_any(ProjectId)
      by ConvId
  | extend DurationMin = datetime_diff('minute', LastSeen, FirstSeen)
  | where ToolCalls >= 15 or DistinctTools >= 6
  | extend Agent = AnyAgent, Model = AnyModel, ProjectId = AnyProject
  | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
  | project
      LastSeen, AccountName, Agent, Model, ProjectId, ConvId,
      ToolCalls, DistinctTools, DurationMin, Tools
  | order by ToolCalls desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Model
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Foundry
- AI
- OWASP-LLM08

Explanation

This query is designed to detect unusual patterns in conversations involving a Foundry or Agent Service, specifically looking for excessive tool usage within a short time frame. Here's a simplified breakdown:

  1. Purpose: The query identifies conversations that involve a large number of tool calls or a wide variety of distinct tools, which might indicate a potential security issue such as a runaway agent loop or unauthorized automation.

  2. Data Source: It reads spans from the AppDependencies table and uses the gen_ai.tool.name and gen_ai.conversation.id values in the Properties bag, grouping tool calls by conversation.

  3. Thresholds: It flags any conversation with 15 or more tool calls or 6 or more distinct tools as potentially suspicious.

  4. Output: For each flagged conversation, it returns the number of tool calls, the number of distinct tools and their names, the time in minutes between the first and last tool call, and metadata such as the agent name, model, and project ID.

  5. Severity and Tactics: The alert is marked with medium severity and is associated with the execution tactic, specifically technique T1059 (Command and Scripting Interpreter).

  6. Alerting and Incident Management: If the query returns any rows, it raises a single alert for that run and creates an incident. Incidents are grouped by the Account entity, which is mapped to the agent name (AccountName), with a 6-hour lookback.

  7. Frequency: The query runs every hour and looks back over the past three hours to detect any anomalies.

  8. Customization: Users can adjust the thresholds based on their environment's typical activity levels to reduce false positives.

Overall, this query helps monitor and secure AI-driven environments by detecting potentially harmful or unauthorized tool chaining activities.
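
The rule description asks for the thresholds to be tuned to the busiest legitimate agents. The query below is an added example, not part of the published rule: it baselines tool calls and distinct tools per agent and counts how many conversation windows would match the current thresholds. SampleSpans, the 14-day lookback and the fixed 3-hour bins are assumptions made for the example.

```kql
// Added example, not part of the published rule: per-agent baseline for the
// rule's two thresholds (15 tool calls, 6 distinct tools).
let Lookback = 14d;   // assumption: two weeks of history is representative
let Window   = 3h;    // fixed bins approximating the rule's queryPeriod (PT3H)
// Constructed stand-in for AppDependencies (not real telemetry): conversation
// conv-<c> of "agent-a" makes c tool calls (c = 1..20) cycling over 4 tools.
let SampleSpans = range c from 1 to 20 step 1
    | mv-expand k = range(1, c) to typeof(long)
    | extend TimeGenerated = startofday(ago(1d)) + k * 1s,
             Properties = bag_pack(
                 "gen_ai.agent.name", "agent-a",
                 "gen_ai.conversation.id", strcat("conv-", c),
                 "gen_ai.tool.name", strcat("tool_", k % 4));
SampleSpans   // in a workspace, replace this line with: AppDependencies
| where TimeGenerated > ago(Lookback)
| where isnotempty(Properties["gen_ai.tool.name"])
| where isnotempty(Properties["gen_ai.conversation.id"])
| extend
    Agent    = tostring(Properties["gen_ai.agent.name"]),
    ConvId   = tostring(Properties["gen_ai.conversation.id"]),
    ToolName = tolower(tostring(Properties["gen_ai.tool.name"]))
// One row per agent, conversation and 3-hour bin.
| summarize ToolCalls = count(), DistinctTools = dcount(ToolName)
    by Agent, ConvId, bin(TimeGenerated, Window)
// Distribution per agent, plus how often the published thresholds are met.
| summarize
    ConvWindows    = count(),
    P50Calls       = percentile(ToolCalls, 50),
    P95Calls       = percentile(ToolCalls, 95),
    P99Calls       = percentile(ToolCalls, 99),
    MaxCalls       = max(ToolCalls),
    P95Tools       = percentile(DistinctTools, 95),
    MaxTools       = max(DistinctTools),
    WouldFireCalls = countif(ToolCalls >= 15),
    WouldFireTools = countif(DistinctTools >= 6)
    by Agent
| order by P99Calls desc
```

A non-zero WouldFireCalls or WouldFireTools for an agent known to be legitimate indicates the published thresholds will alert on its normal traffic. The rule itself groups by conversation only and runs hourly over a sliding window, so these counts are an approximation.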

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies, Properties, Agent, Model, ProjectId, ConvId, ToolName, TimeGenerated, AccountName, CloudApplication, Account

Operators

isnotempty, extend, tostring, tolower, summarize, count, dcount, make_set, min, max, take_any, datetime_diff, iff, isempty, project, order by
