Query Details

Foundry - Excessive tool chaining in a single conversation

Foundry Excessive Tool Chaining

Query

AppDependencies
| where isnotempty(Properties["gen_ai.tool.name"])
| where isnotempty(Properties["gen_ai.conversation.id"])
| extend
    Agent     = tostring(Properties["gen_ai.agent.name"]),
    Model     = tostring(Properties["gen_ai.request.model"]),
    ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
    ConvId    = tostring(Properties["gen_ai.conversation.id"]),
    ToolName  = tolower(tostring(Properties["gen_ai.tool.name"]))
| summarize
    ToolCalls     = count(),
    DistinctTools = dcount(ToolName),
    Tools         = make_set(ToolName, 25),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated),
    AnyAgent      = take_any(Agent),
    AnyModel      = take_any(Model),
    AnyProject    = take_any(ProjectId)
    by ConvId
| extend DurationMin = datetime_diff('minute', LastSeen, FirstSeen)
| where ToolCalls >= 15 or DistinctTools >= 6
| extend Agent = AnyAgent, Model = AnyModel, ProjectId = AnyProject
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
    LastSeen, AccountName, Agent, Model, ProjectId, ConvId,
    ToolCalls, DistinctTools, DurationMin, Tools
| order by ToolCalls desc

Explanation

This query is designed to detect unusual patterns in conversations involving a Foundry or Agent Service, specifically looking for excessive tool usage within a short time frame. Here's a simplified breakdown:

  1. Purpose: The query identifies conversations that involve a large number of tool calls or a wide variety of distinct tools, which might indicate a potential security issue such as a runaway agent loop or unauthorized automation.

  2. Data Source: It analyzes data from the AppDependencies table, focusing on properties related to AI tools and conversations.

  3. Thresholds: It flags any conversation with 15 or more tool calls or 6 or more distinct tools as potentially suspicious.

  4. Output: For each flagged conversation, it provides details like the number of tool calls, distinct tools used, the duration of the conversation, and other metadata such as the agent name, model, and project ID.

  5. Severity and Tactics: The alert is marked with medium severity and is associated with the execution tactic, specifically technique T1059 (Command and Scripting Interpreter).

  6. Alerting and Incident Management: If the query finds any suspicious activity, it triggers an alert and can create an incident. The incidents are grouped by account for efficient management.

  7. Frequency: The query runs every hour and looks back over the past three hours to detect any anomalies.

  8. Customization: Users can adjust the thresholds based on their environment's typical activity levels to reduce false positives.

Overall, this query helps monitor and secure AI-driven environments by detecting potentially harmful or unauthorized tool chaining activities.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesPropertiesAgentModelProjectIdConvIdToolNameTimeGeneratedAccountNameCloudApplicationAccount

Operators

isnotemptyextendtostringtolowersummarizecountdcountmake_setminmaxtake_anydatetime_diffiffisemptyprojectorder by

Severity

Medium

Tactics

Execution

MITRE Techniques

Frequency: PT1H

Period: PT3H

Actions

GitHub