Query Details

Foundry - Inter-agent permission / role mismatch

Foundry Inter Agent Permission Mismatch

Query

let baselineWindow = 14d;
let recentWindow   = 1h;
let calleeBaseline =
    AppDependencies
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | extend Agent    = tostring(Properties["gen_ai.agent.name"]),
             ToolName = tolower(tostring(Properties["gen_ai.tool.name"]))
    | where isnotempty(Agent) and isnotempty(ToolName)
    | distinct Agent, ToolName;
let crossInvocations =
    AppDependencies
    | where TimeGenerated > ago(recentWindow)
    | extend
        Caller   = tostring(Properties["gen_ai.agent.name"]),
        ConvId   = tostring(Properties["gen_ai.conversation.id"]),
        ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
        ToolType = tolower(tostring(Properties["gen_ai.tool.type"])),
        Callee   = tolower(tostring(coalesce(
                      Properties["gen_ai.tool.target_agent"],
                      Properties["microsoft.agent.target_agent.name"],
                      Properties["gen_ai.tool.name"])))
    | where ToolType == "agent" or ToolName has "connected_agent" or ToolName has "agent_call"
    | project Caller, ConvId, Callee, InvocationTime = TimeGenerated;
let calleeUsage =
    AppDependencies
    | where TimeGenerated > ago(recentWindow)
    | extend Agent    = tostring(Properties["gen_ai.agent.name"]),
             ConvId   = tostring(Properties["gen_ai.conversation.id"]),
             ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
             ToolType = tolower(tostring(Properties["gen_ai.tool.type"]))
    | where isnotempty(ToolName)
    | project Agent, ConvId, ToolName, ToolType, ToolTime = TimeGenerated;
crossInvocations
| join kind=inner calleeUsage on ConvId
| where Agent == Callee or Agent has Callee or Callee has Agent
| where ToolTime between (InvocationTime .. (InvocationTime + 30m))
| join kind=leftanti calleeBaseline on Agent, ToolName
| summarize NewToolHits   = count(),
            NewTools      = make_set(ToolName, 16),
            NewToolTypes  = make_set(ToolType, 8),
            FirstSeen     = min(ToolTime),
            LastSeen      = max(ToolTime),
            AnyCaller     = take_any(Caller)
        by Agent, ConvId
| where NewToolHits >= 1
        and (array_length(NewTools) >= 2
             or NewToolTypes has_any ("code_interpreter","shell","exec","sql","email","http","deploy","azure_write"))
| extend AccountName = Agent, Caller = AnyCaller
| project LastSeen, AccountName, Caller, Agent, ConvId, NewToolHits,
          NewTools, NewToolTypes, FirstSeen
| order by NewToolHits desc

Explanation

This query is designed to detect potential security issues related to "inter-agent trust escalation" in a system where agents (or sub-agents) perform tasks. Here's a simplified breakdown of what the query does:

  1. Purpose: It identifies situations where a sub-agent, which is supposed to perform specific tasks, starts using tools that are not part of its usual activities over the past 14 days. This could indicate a security issue, similar to the "confused-deputy problem," where the orchestrator (main agent) doesn't verify the sub-agent's permissions properly.

  2. Process:

    • Identify Cross-Agent Invocations: The query looks for instances in the last hour where one agent delegates tasks to another (sub-agent).
    • Monitor Tool Usage: It checks what tools the sub-agent uses in the next 30 minutes within the same conversation.
    • Compare with Baseline: It compares the tools used by the sub-agent against its 14-day baseline of tool usage.
    • Trigger Conditions: An alert is triggered if:
      • The sub-agent uses at least two new tools, or
      • Any new tool is considered sensitive (e.g., code interpreter, shell, SQL, etc.).
  3. Alert Configuration:

    • The alert is set to medium severity.
    • It uses data from Application Insights to perform the analysis.
    • The query runs every hour and looks back over the past 14 days.
    • If the conditions are met, an incident is created for further investigation.
  4. Security Focus: The query is part of a security strategy to detect lateral movement and privilege escalation tactics, which are common techniques used in cyber attacks.

In essence, this query helps identify potentially unauthorized or suspicious behavior by sub-agents in a system, which could indicate a security breach or misconfiguration.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

ApplicationInsightsAppDependenciesAgentToolNameToolTypeCalleeConvIdCallerAccountName

Operators

letbetweenagoextendtostringtolowerisnotemptydistinctwherehasprojectjoinkind=innerkind=leftantisummarizecountmake_setminmaxtake_anybyarray_lengthhas_anyorder by

Severity

Medium

Tactics

LateralMovementPrivilegeEscalation

MITRE Techniques

Frequency: PT1H

Period: P14D

Actions

GitHub