Foundry - Human-in-the-loop / consent bypass pattern
Foundry Hit L Consent Bypass
Query
let sensitiveTools = dynamic([
"code_interpreter","python","shell","bash","powershell","exec","run_code",
"http_request","web_request","fetch","invoke_url","curl",
"send_email","send_message","post_message","slack_post",
"execute_sql","query_database","run_query",
"file_write","write_file","upload","copy_file",
"create_resource","delete_resource","deploy","provision","azure_write"
]);
let toolEvents =
AppDependencies
| where TimeGenerated > ago(2h)
| where isnotempty(Properties["gen_ai.tool.name"])
and isnotempty(Properties["gen_ai.conversation.id"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
ToolType = tolower(tostring(Properties["gen_ai.tool.type"])),
Approved = tobool(coalesce(
Properties["gen_ai.tool.user_approved"],
Properties["gen_ai.tool.consent.granted"],
Properties["microsoft.agent.tool.user_approved"])),
Required = tobool(coalesce(
Properties["gen_ai.tool.consent.required"],
Properties["gen_ai.tool.requires_consent"],
Properties["microsoft.agent.tool.requires_consent"]))
| extend IsSensitive = ToolName has_any (sensitiveTools)
or ToolType has_any (sensitiveTools);
let consentFatigue =
toolEvents
| where Required == true and Approved == true
| summarize Approvals = count(),
Tools = make_set(ToolName, 16),
AnyConv = take_any(ConvId),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by Agent, Bucket = bin(TimeGenerated, 5m)
| where Approvals >= 5
| extend Signal = "ConsentFatigue";
let compoundAction =
toolEvents
| where IsSensitive
| summarize Approvals = count(),
Tools = make_set(ToolName, 16),
DistinctTools = dcount(ToolName),
AnyAgent = take_any(Agent),
AnyConv = take_any(ConvId),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ConvId, Bucket = bin(TimeGenerated, 2m)
| where Approvals >= 3 and DistinctTools >= 2
| project Agent = AnyAgent, Bucket, FirstSeen, LastSeen, Tools, AnyConv,
Approvals, Signal = "CompoundActionWithoutPause";
union consentFatigue, compoundAction
| summarize Signals = make_set(Signal, 4),
ApprovalsTotal = sum(Approvals),
ToolsAll = make_set(Tools, 32),
SampleConv = take_any(AnyConv),
FirstSeen = min(FirstSeen),
LastSeen = max(LastSeen)
by Agent
| where ApprovalsTotal >= 5
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project LastSeen, AccountName, Agent, Signals, ApprovalsTotal, ToolsAll, SampleConv, FirstSeen
| order by ApprovalsTotal descExplanation
This query is designed to detect suspicious patterns in user interactions with AI tools, specifically focusing on two main issues: "consent fatigue" and "compound action chains." Here's a simplified breakdown:
-
Consent Fatigue: This occurs when a user approves multiple sensitive tool actions in a short period without likely having time to review them properly. The query flags this if a user approves five or more consent-required tool actions within a 5-minute window.
-
Compound Action Chains: This pattern involves multiple sensitive tool actions happening quickly in a single conversation. It flags if there are three or more sensitive tool actions, involving at least two different tools, within a 2-minute window.
-
Detection Mechanism:
- The query checks explicit consent telemetry and uses a heuristic for sensitive tools (like code interpreters, shell commands, HTTP requests, etc.) to detect these patterns.
- It combines data from these two patterns and only triggers an alert if there are at least five total approvals across both patterns, reducing false positives.
-
Severity and Response: The severity is marked as high, and the query is set to run every hour, looking back over the past two hours. If the conditions are met, it creates an incident for further investigation.
-
Technical Details:
- The query uses data from Application Insights, specifically the AppDependencies data type.
- It maps detected issues to specific user accounts and orders results by the number of approvals.
-
Purpose: This query is part of a security monitoring setup to prevent misuse of AI tools by detecting patterns that suggest users might be bypassing consent mechanisms or performing potentially harmful actions without proper oversight.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT2H