Foundry - Inter-agent permission / role mismatch
Foundry Inter Agent Permission Mismatch
Query
let baselineWindow = 14d;
let recentWindow = 1h;
let calleeBaseline =
AppDependencies
| where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
| extend Agent = tostring(Properties["gen_ai.agent.name"]),
ToolName = tolower(tostring(Properties["gen_ai.tool.name"]))
| where isnotempty(Agent) and isnotempty(ToolName)
| distinct Agent, ToolName;
let crossInvocations =
AppDependencies
| where TimeGenerated > ago(recentWindow)
| extend
Caller = tostring(Properties["gen_ai.agent.name"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
ToolType = tolower(tostring(Properties["gen_ai.tool.type"])),
Callee = tolower(tostring(coalesce(
Properties["gen_ai.tool.target_agent"],
Properties["microsoft.agent.target_agent.name"],
Properties["gen_ai.tool.name"])))
| where ToolType == "agent" or ToolName has "connected_agent" or ToolName has "agent_call"
| project Caller, ConvId, Callee, InvocationTime = TimeGenerated;
let calleeUsage =
AppDependencies
| where TimeGenerated > ago(recentWindow)
| extend Agent = tostring(Properties["gen_ai.agent.name"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
ToolType = tolower(tostring(Properties["gen_ai.tool.type"]))
| where isnotempty(ToolName)
| project Agent, ConvId, ToolName, ToolType, ToolTime = TimeGenerated;
crossInvocations
| join kind=inner calleeUsage on ConvId
| where Agent == Callee or Agent has Callee or Callee has Agent
| where ToolTime between (InvocationTime .. (InvocationTime + 30m))
| join kind=leftanti calleeBaseline on Agent, ToolName
| summarize NewToolHits = count(),
NewTools = make_set(ToolName, 16),
NewToolTypes = make_set(ToolType, 8),
FirstSeen = min(ToolTime),
LastSeen = max(ToolTime),
AnyCaller = take_any(Caller)
by Agent, ConvId
| where NewToolHits >= 1
and (array_length(NewTools) >= 2
or NewToolTypes has_any ("code_interpreter","shell","exec","sql","email","http","deploy","azure_write"))
| extend AccountName = Agent, Caller = AnyCaller
| project LastSeen, AccountName, Caller, Agent, ConvId, NewToolHits,
NewTools, NewToolTypes, FirstSeen
| order by NewToolHits descExplanation
This query is designed to detect potential security issues related to "inter-agent trust escalation" in a system where agents (or sub-agents) perform tasks. Here's a simplified breakdown of what the query does:
-
Purpose: It identifies situations where a sub-agent, which is supposed to perform specific tasks, starts using tools that are not part of its usual activities over the past 14 days. This could indicate a security issue, similar to the "confused-deputy problem," where the orchestrator (main agent) doesn't verify the sub-agent's permissions properly.
-
Process:
- Identify Cross-Agent Invocations: The query looks for instances in the last hour where one agent delegates tasks to another (sub-agent).
- Monitor Tool Usage: It checks what tools the sub-agent uses in the next 30 minutes within the same conversation.
- Compare with Baseline: It compares the tools used by the sub-agent against its 14-day baseline of tool usage.
- Trigger Conditions: An alert is triggered if:
- The sub-agent uses at least two new tools, or
- Any new tool is considered sensitive (e.g., code interpreter, shell, SQL, etc.).
-
Alert Configuration:
- The alert is set to medium severity.
- It uses data from Application Insights to perform the analysis.
- The query runs every hour and looks back over the past 14 days.
- If the conditions are met, an incident is created for further investigation.
-
Security Focus: The query is part of a security strategy to detect lateral movement and privilege escalation tactics, which are common techniques used in cyber attacks.
In essence, this query helps identify potentially unauthorized or suspicious behavior by sub-agents in a system, which could indicate a security breach or misconfiguration.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: P14D