Query Details

Foundry New Tool First Seen

Query

id: f8091a2b-eeee-4108-920b-0123456789dc
name: Foundry - Agent invoking a tool for the first time
description: |
  Detects a Foundry / Agent Service agent invoking a tool it has never
  used in the preceding 14 days. A genuinely new tool / capability in an
  agent's repertoire is a strong supply-chain and abuse signal: a
  poisoned tool definition, an injection that coaxes the agent into a
  high-impact capability (code interpreter, shell, http, email, sql), or
  a misconfigured agent suddenly gaining reach.

  Reads gen_ai.tool.name / gen_ai.tool.type from the AppDependencies span
  property bag (Properties). Uses a leftanti join against the 14-day
  baseline so only the first appearance of an (agent, tool) pair fires.
  New agents bootstrapping legitimately will be noisy for their first day
  - tune the baseline window or suppress known onboarding windows.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: P14D
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Execution
- PrivilegeEscalation
relevantTechniques:
- T1059
- T1098
query: |
  let baselineWindow = 14d;
  let recentWindow = 1h;
  let toolEvents =
      AppDependencies
      | where TimeGenerated > ago(baselineWindow)
      | where isnotempty(Properties["gen_ai.tool.name"])
      | extend
          Agent     = tostring(Properties["gen_ai.agent.name"]),
          Model     = tostring(Properties["gen_ai.request.model"]),
          ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
          ToolName  = tolower(tostring(Properties["gen_ai.tool.name"])),
          ToolType  = tolower(tostring(Properties["gen_ai.tool.type"]))
      | where isnotempty(ToolName);
  let baseline =
      toolEvents
      | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
      | distinct Agent, ToolName;
  let recent =
      toolEvents
      | where TimeGenerated > ago(recentWindow)
      | summarize
          RecentCalls = count(),
          FirstSeen   = min(TimeGenerated),
          AnyModel    = take_any(Model),
          AnyProject  = take_any(ProjectId),
          ToolTypes   = make_set(ToolType, 8)
          by Agent, ToolName;
  recent
  | join kind=leftanti baseline on Agent, ToolName
  | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
  | extend Model = AnyModel, ProjectId = AnyProject
  | project
      FirstSeen, AccountName, Agent, Model, ProjectId, ToolName,
      ToolTypes, RecentCalls
  | order by RecentCalls desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Model
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Foundry
- AI
- OWASP-LLM07

Explanation

This query detects when a Foundry or Agent Service agent invokes a tool it has not used in the preceding 14 days. Here's a simplified breakdown of what the query does:

  1. Purpose: The query identifies when an agent uses a tool it hasn't used in the last 14 days. This can indicate a new tool being added to the agent's capabilities, which might be a sign of potential security issues like supply-chain attacks or misconfigurations.

  2. Data Source: It uses data from Application Insights, specifically the AppDependencies data type.

  3. Time Frames:

    • Baseline Window: 14 days. This is used to establish a history of tool usage by the agent.
    • Recent Window: 1 hour. This is used to identify new tool usage events.

  4. Process:

    • Collects tool usage events from the last 14 days.
    • Filters out events where the tool name is not specified, and lowercases tool names and types.
    • Establishes a baseline of (agent, tool) pairs seen in the past 14 days, excluding the last hour.
    • Identifies recent tool usage events from the last hour.
    • Compares recent events against the baseline with a leftanti join, so only (agent, tool) pairs absent from the baseline remain.

  5. Output: The query outputs details about the first-time tool usage, including when it was first seen, the agent's name, the model used, the project ID, the tool name, the set of tool types seen (up to 8), and the number of recent calls.

  6. Severity and Tactics: The alert is marked with medium severity and is associated with tactics like Execution and Privilege Escalation, indicating potential security risks.

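  7. Alert Configuration: The rule runs every hour over a 14-day query period and fires when the query returns any result (threshold greater than 0). All results from a run are grouped into a single alert, and incidents are created, grouped by the Account entity with a 6-hour lookback.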

  8. Customization: The query allows for tuning the baseline window or suppressing alerts during known onboarding periods to reduce noise.

Overall, this query monitors for agents invoking tools outside their established repertoire, which can surface a poisoned tool definition, an injection that coaxes an agent into a high-impact capability, or a misconfigured agent that has gained reach.
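
The baseline comparison described above can be checked before deployment by running the same logic over a constructed table. This is an added example, not part of the published rule: SampleDependencies, the Age column, the agent names and the tool names are all assumptions made up for illustration. It covers a known pair seen again with different casing, a new tool for an agent, a tool known only to another agent, a pair last seen outside the baseline window, and a span with no tool name.

```kql
// Added example: constructed spans standing in for AppDependencies (not real telemetry).
let baselineWindow = 14d;
let recentWindow = 1h;
let SampleDependencies = datatable(Age: timespan, Properties: dynamic)
[
    // Case 1: pair seen 3 days ago, seen again in the last hour with different casing
    3d,  dynamic({"gen_ai.agent.name":"billing-agent","gen_ai.tool.name":"sql_query","gen_ai.tool.type":"function"}),
    10m, dynamic({"gen_ai.agent.name":"billing-agent","gen_ai.tool.name":"SQL_Query","gen_ai.tool.type":"function"}),
    // Case 2: tool this agent has no history with, called twice in the last hour
    20m, dynamic({"gen_ai.agent.name":"billing-agent","gen_ai.tool.name":"code_interpreter","gen_ai.tool.type":"extension"}),
    5m,  dynamic({"gen_ai.agent.name":"billing-agent","gen_ai.tool.name":"code_interpreter","gen_ai.tool.type":"extension"}),
    // Case 3: tool another agent uses routinely, first use by this agent
    30m, dynamic({"gen_ai.agent.name":"support-agent","gen_ai.tool.name":"sql_query","gen_ai.tool.type":"function"}),
    // Case 4: pair last seen 15 days ago (outside the baseline window), seen again now
    15d, dynamic({"gen_ai.agent.name":"support-agent","gen_ai.tool.name":"http_request","gen_ai.tool.type":"function"}),
    15m, dynamic({"gen_ai.agent.name":"support-agent","gen_ai.tool.name":"http_request","gen_ai.tool.type":"function"}),
    // Case 5: ordinary dependency span that carries no tool name
    2m,  dynamic({"gen_ai.agent.name":"support-agent"})
]
| extend TimeGenerated = now() - Age;
// Same normalisation as the rule: lowercase tool name and type, drop spans without a tool.
let toolEvents =
    SampleDependencies
    | where TimeGenerated > ago(baselineWindow)
    | extend
        Agent    = tostring(Properties["gen_ai.agent.name"]),
        ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
        ToolType = tolower(tostring(Properties["gen_ai.tool.type"]))
    | where isnotempty(ToolName);
// Every (agent, tool) pair seen before the most recent hour.
let baseline =
    toolEvents
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | distinct Agent, ToolName;
// Pairs from the last hour that have no match in the baseline.
toolEvents
| where TimeGenerated > ago(recentWindow)
| summarize
    RecentCalls = count(),
    FirstSeen   = min(TimeGenerated),
    ToolTypes   = make_set(ToolType, 8)
    by Agent, ToolName
| join kind=leftanti baseline on Agent, ToolName
| order by Agent asc, ToolName asc
```

Changing an Age value so that a row moves across the one-hour or 14-day boundary shows how the baseline window and the rule's hourly run frequency interact.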

Details


David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

Foundry, Agent, Service, Tool, Capability, SupplyChain, Abuse, Signal, CodeInterpreter, Shell, Http, Email, Sql, ApplicationInsights, AppDependencies, Agent, Model, Project, ToolName, ToolType, AccountName, CloudApplication, SentinelAsCode, Custom, AI, OWASP, LLM07

Operators

let, ago, isnotempty, tostring, tolower, between, distinct, summarize, count, min, take_any, make_set, by, join, kind=leftanti, iff, isempty, project, order by, desc
