Foundry - Multi-stage attack chain in a single conversation
Foundry Multi Stage Attack Chain
Query
let injectionMarkers = dynamic([
"ignore previous instructions", "ignore all previous", "disregard previous",
"you are now", "act as", "developer mode", "do anything now", "dan mode",
"reveal your system prompt", "show your system prompt", "bypass your rules",
"without any restrictions", "pretend you are", "from now on you"
]);
let escalationMarkers = dynamic([
"i am the ceo", "i am the cfo", "as an administrator", "as the administrator",
"as an admin", "i have admin", "i am authorised", "i am authorized",
"i have permission to", "on behalf of the", "grant me access", "elevate my access"
]);
let exfilMarkers = dynamic([
"show all", "list all", "list every", "export all", "give me every",
"give me the full list", "all records", "all customers", "every user",
"dump the", "entire database", "entire table", "select *"
]);
let jailbreakMarkers = dynamic([
"developer mode", "do anything now", "dan mode", "ignore your safety",
"without restrictions", "bypass your rules", "disable your guardrails",
"unrestricted mode", "you have no rules"
]);
let tools =
AppDependencies
| where isnotempty(Properties["gen_ai.tool.name"])
| where isnotempty(Properties["gen_ai.conversation.id"])
| extend ConvId = tostring(Properties["gen_ai.conversation.id"])
| summarize ToolCalls = count(), Tools = make_set(tolower(tostring(Properties["gen_ai.tool.name"])), 20),
DistinctTools = dcount(tolower(tostring(Properties["gen_ai.tool.name"]))) by ConvId;
AppDependencies
| where isnotempty(Properties["gen_ai.input.messages"])
| extend
ConvId = tostring(Properties["gen_ai.conversation.id"]),
Text = tolower(tostring(Properties["gen_ai.input.messages"]))
| where isnotempty(Text)
| extend
SigInjection = Text has_any (injectionMarkers),
SigEscalation = Text has_any (escalationMarkers),
SigExfil = Text has_any (exfilMarkers),
SigJailbreak = Text has_any (jailbreakMarkers)
| summarize
Injection = countif(SigInjection) > 0,
Escalation = countif(SigEscalation) > 0,
Exfil = countif(SigExfil) > 0,
Jailbreak = countif(SigJailbreak) > 0,
Messages = count(),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
Agent = take_any(tostring(Properties["gen_ai.agent.name"])),
Model = take_any(tostring(Properties["gen_ai.request.model"])),
ProjectId = take_any(tostring(Properties["microsoft.foundry.project.id"])),
SrcIp = take_any(tostring(column_ifexists("ClientIP", ""))),
SampleText = make_set(substring(tostring(Properties["gen_ai.input.messages"]), 0, 200), 5)
by ConvId
| extend Stages = toint(Injection) + toint(Escalation) + toint(Exfil) + toint(Jailbreak)
| where Stages >= 2
| join kind=leftouter tools on ConvId
| extend
AccountName = iff(isempty(Agent), "unknown-agent", Agent),
ToolCalls = coalesce(ToolCalls, 0),
TimeGenerated = LastSeen
| project
TimeGenerated, FirstSeen, LastSeen, AccountName, Agent, Model, ProjectId,
ConvId, SrcIp, Stages, Injection, Escalation, Exfil, Jailbreak,
Messages, ToolCalls, DistinctTools, Tools, SampleText
| order by Stages desc, LastSeen descExplanation
This query is designed to detect complex, multi-stage cyber attacks within a single conversation involving AI systems. Here's a simplified breakdown:
-
Purpose: The query identifies conversations that show signs of multiple attack stages, such as prompt injection, role impersonation, data exfiltration, and jailbreak attempts. If these stages occur together, it suggests a higher likelihood of a genuine attack.
-
Data Sources: It uses data from Application Insights, specifically focusing on AI-generated input messages and tool activities.
-
Detection Logic:
- Markers: It looks for specific phrases (markers) in conversations that indicate different attack stages:
- Injection Markers: Phrases that attempt to manipulate the AI's behavior.
- Escalation Markers: Phrases that suggest unauthorized access or privilege escalation.
- Exfiltration Markers: Phrases indicating attempts to extract large amounts of data.
- Jailbreak Markers: Phrases that try to bypass AI restrictions.
- Tool Activity: It also checks for tool usage within the same conversation.
- Markers: It looks for specific phrases (markers) in conversations that indicate different attack stages:
-
Alert Criteria: An alert is triggered if a conversation contains two or more of these attack stages.
-
Output: The query outputs details about the conversation, including the number of attack stages detected, the tools used, and sample text from the conversation.
-
Incident Management: If an alert is triggered, it creates an incident in the security system, grouping similar incidents based on the account involved.
-
Frequency: The query runs every hour, checking the past hour's data for potential threats.
This query is part of a security monitoring system, aiming to catch sophisticated attacks by correlating multiple suspicious activities within AI interactions.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: PT1H