Query Details

Foundry - Multi-stage attack chain in a single conversation

Foundry Multi Stage Attack Chain

Query

let injectionMarkers = dynamic([
    "ignore previous instructions", "ignore all previous", "disregard previous",
    "you are now", "act as", "developer mode", "do anything now", "dan mode",
    "reveal your system prompt", "show your system prompt", "bypass your rules",
    "without any restrictions", "pretend you are", "from now on you"
]);
let escalationMarkers = dynamic([
    "i am the ceo", "i am the cfo", "as an administrator", "as the administrator",
    "as an admin", "i have admin", "i am authorised", "i am authorized",
    "i have permission to", "on behalf of the", "grant me access", "elevate my access"
]);
let exfilMarkers = dynamic([
    "show all", "list all", "list every", "export all", "give me every",
    "give me the full list", "all records", "all customers", "every user",
    "dump the", "entire database", "entire table", "select *"
]);
let jailbreakMarkers = dynamic([
    "developer mode", "do anything now", "dan mode", "ignore your safety",
    "without restrictions", "bypass your rules", "disable your guardrails",
    "unrestricted mode", "you have no rules"
]);
let tools =
    AppDependencies
    | where isnotempty(Properties["gen_ai.tool.name"])
    | where isnotempty(Properties["gen_ai.conversation.id"])
    | extend ConvId = tostring(Properties["gen_ai.conversation.id"])
    | summarize ToolCalls = count(), Tools = make_set(tolower(tostring(Properties["gen_ai.tool.name"])), 20),
                DistinctTools = dcount(tolower(tostring(Properties["gen_ai.tool.name"]))) by ConvId;
AppDependencies
| where isnotempty(Properties["gen_ai.input.messages"])
| extend
    ConvId = tostring(Properties["gen_ai.conversation.id"]),
    Text   = tolower(tostring(Properties["gen_ai.input.messages"]))
| where isnotempty(Text)
| extend
    SigInjection  = Text has_any (injectionMarkers),
    SigEscalation = Text has_any (escalationMarkers),
    SigExfil      = Text has_any (exfilMarkers),
    SigJailbreak  = Text has_any (jailbreakMarkers)
| summarize
    Injection  = countif(SigInjection) > 0,
    Escalation = countif(SigEscalation) > 0,
    Exfil      = countif(SigExfil) > 0,
    Jailbreak  = countif(SigJailbreak) > 0,
    Messages   = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Agent      = take_any(tostring(Properties["gen_ai.agent.name"])),
    Model      = take_any(tostring(Properties["gen_ai.request.model"])),
    ProjectId  = take_any(tostring(Properties["microsoft.foundry.project.id"])),
    SrcIp      = take_any(tostring(column_ifexists("ClientIP", ""))),
    SampleText = make_set(substring(tostring(Properties["gen_ai.input.messages"]), 0, 200), 5)
    by ConvId
| extend Stages = toint(Injection) + toint(Escalation) + toint(Exfil) + toint(Jailbreak)
| where Stages >= 2
| join kind=leftouter tools on ConvId
| extend
    AccountName = iff(isempty(Agent), "unknown-agent", Agent),
    ToolCalls   = coalesce(ToolCalls, 0),
    TimeGenerated = LastSeen
| project
    TimeGenerated, FirstSeen, LastSeen, AccountName, Agent, Model, ProjectId,
    ConvId, SrcIp, Stages, Injection, Escalation, Exfil, Jailbreak,
    Messages, ToolCalls, DistinctTools, Tools, SampleText
| order by Stages desc, LastSeen desc

Explanation

This query is designed to detect complex, multi-stage cyber attacks within a single conversation involving AI systems. Here's a simplified breakdown:

  1. Purpose: The query identifies conversations that show signs of multiple attack stages, such as prompt injection, role impersonation, data exfiltration, and jailbreak attempts. If these stages occur together, it suggests a higher likelihood of a genuine attack.

  2. Data Sources: It uses data from Application Insights, specifically focusing on AI-generated input messages and tool activities.

  3. Detection Logic:

    • Markers: It looks for specific phrases (markers) in conversations that indicate different attack stages:
      • Injection Markers: Phrases that attempt to manipulate the AI's behavior.
      • Escalation Markers: Phrases that suggest unauthorized access or privilege escalation.
      • Exfiltration Markers: Phrases indicating attempts to extract large amounts of data.
      • Jailbreak Markers: Phrases that try to bypass AI restrictions.
    • Tool Activity: It also checks for tool usage within the same conversation.
  4. Alert Criteria: An alert is triggered if a conversation contains two or more of these attack stages.

  5. Output: The query outputs details about the conversation, including the number of attack stages detected, the tools used, and sample text from the conversation.

  6. Incident Management: If an alert is triggered, it creates an incident in the security system, grouping similar incidents based on the account involved.

  7. Frequency: The query runs every hour, checking the past hour's data for potential threats.

This query is part of a security monitoring system, aiming to catch sophisticated attacks by correlating multiple suspicious activities within AI interactions.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

ApplicationInsightsAppDependenciesPropertiesConversationAgentModelProjectIdSrcIpAccountNameToolsMessages

Operators

letdynamictostringtolowerisnotemptysummarizecountmake_setdcounthas_anycountifminmaxtake_anysubstringtointjoinkindleftouteriffisemptycoalesceprojectorder by

Severity

High

Tactics

InitialAccessPrivilegeEscalationExfiltration

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub