Query Details

Foundry - Agent invoking a tool for the first time

Foundry New Tool First Seen

Query

let baselineWindow = 14d;
let recentWindow = 1h;
let toolEvents =
    AppDependencies
    | where TimeGenerated > ago(baselineWindow)
    | where isnotempty(Properties["gen_ai.tool.name"])
    | extend
        Agent     = tostring(Properties["gen_ai.agent.name"]),
        Model     = tostring(Properties["gen_ai.request.model"]),
        ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
        ToolName  = tolower(tostring(Properties["gen_ai.tool.name"])),
        ToolType  = tolower(tostring(Properties["gen_ai.tool.type"]))
    | where isnotempty(ToolName);
let baseline =
    toolEvents
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | distinct Agent, ToolName;
let recent =
    toolEvents
    | where TimeGenerated > ago(recentWindow)
    | summarize
        RecentCalls = count(),
        FirstSeen   = min(TimeGenerated),
        AnyModel    = take_any(Model),
        AnyProject  = take_any(ProjectId),
        ToolTypes   = make_set(ToolType, 8)
        by Agent, ToolName;
recent
| join kind=leftanti baseline on Agent, ToolName
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| extend Model = AnyModel, ProjectId = AnyProject
| project
    FirstSeen, AccountName, Agent, Model, ProjectId, ToolName,
    ToolTypes, RecentCalls
| order by RecentCalls desc

Explanation

This query is designed to detect when a Foundry or Agent Service agent uses a tool for the first time within a 14-day period. Here's a simplified breakdown of what the query does:

  1. Purpose: The query identifies when an agent uses a tool it hasn't used in the last 14 days. This can indicate a new tool being added to the agent's capabilities, which might be a sign of potential security issues like supply-chain attacks or misconfigurations.

  2. Data Source: It uses data from Application Insights, specifically the AppDependencies data type.

  3. Time Frames:

    • Baseline Window: 14 days. This is used to establish a history of tool usage by the agent.
    • Recent Window: 1 hour. This is used to identify new tool usage events.
  4. Process:

    • Collects tool usage events from the last 14 days.
    • Filters out events where the tool name is not specified.
    • Establishes a baseline of tools used by each agent in the past 14 days, excluding the last hour.
    • Identifies recent tool usage events from the last hour.
    • Compares recent events against the baseline to find new tool usages.
  5. Output: The query outputs details about the first-time tool usage, including when it was first seen, the agent's name, the model used, the project ID, the tool name, types of tools used, and the number of recent calls.

  6. Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Execution and Privilege Escalation, indicating potential security risks.

  7. Alert Configuration: If a new tool usage is detected, an alert is generated, and incidents are created for further investigation.

  8. Customization: The query allows for tuning the baseline window or suppressing alerts during known onboarding periods to reduce noise.

Overall, this query helps in monitoring and detecting unusual or potentially risky behavior by agents using new tools, which can be crucial for maintaining security and preventing unauthorized access or actions.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

FoundryAgentServiceToolCapabilitySupplyChainAbuseSignalCodeInterpreterShellHttpEmailSqlApplicationInsightsAppDependenciesModelProjectToolNameToolTypeAccountNameCloudApplicationSentinelAsCustomAIOWASPLLM07

Operators

letagoisnotemptytostringtolowerbetweendistinctsummarizecountmintake_anymake_setbyjoinkind=leftantiiffisemptyprojectorder bydesc

Severity

Medium

Tactics

ExecutionPrivilegeEscalation

MITRE Techniques

Frequency: PT1H

Period: P14D

Actions

GitHub