KQL Search

Query Details

Foundry Privilege Escalation Claim

Query

id: 718293a4-1616-4315-9215-0123456789e5
name: Foundry - Authority / role-impersonation claim in agent input
description: |
  Raises an incident when Foundry / Agent Service input asserts an
  authority or role the channel cannot verify ("I am the CFO", "as an
  administrator", "I'm authorised to", "on behalf of the board") in order
  to coax the agent into releasing restricted data or running privileged
  tools. Because the agent has no way to validate the claim, this
  social-engineering pattern is a common privilege-escalation lever
  against autonomous agents.

  Reads gen_ai.input.messages from the AppDependencies span property bag
  (Properties). The prompt text only exists when
  AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED is set, so without
  content recording this rule will not fire.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- PrivilegeEscalation
- InitialAccess
relevantTechniques:
- T1548
- T1078
query: |
  let escalationMarkers = dynamic([
      "i am the ceo", "i'm the ceo", "i am the cfo", "i'm the cfo",
      "i am the cto", "i am your administrator", "as an administrator",
      "as the administrator", "as an admin", "i am an admin", "i'm an admin",
      "i have admin", "i am authorised", "i am authorized", "i'm authorised",
      "i'm authorized", "i am allowed to", "i have permission to",
      "on behalf of the", "i am from it", "i'm from security",
      "by order of", "override the policy", "i outrank", "elevate my access",
      "give me access to", "grant me access", "i should have access"
  ]);
  AppDependencies
  | where isnotempty(Properties["gen_ai.input.messages"])
  | extend
      Agent     = tostring(Properties["gen_ai.agent.name"]),
      Model     = tostring(Properties["gen_ai.request.model"]),
      ConvId    = tostring(Properties["gen_ai.conversation.id"]),
      ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
      Prompt    = tostring(Properties["gen_ai.input.messages"]),
      SrcIp     = tostring(column_ifexists("ClientIP", ""))
  | extend Text = tolower(Prompt)
  | where isnotempty(Text)
  | mv-apply Marker = escalationMarkers to typeof(string) on (
        where Text contains Marker
        | summarize Markers = make_set(Marker)
    )
  | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
  | project
      TimeGenerated, AccountName, Agent, Model, ProjectId, ConvId,
      Markers, Prompt = substring(Prompt, 0, 1024), SrcIp
  | order by TimeGenerated desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Model
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Foundry
- AI
- PrivilegeEscalation
- SocialEngineering

Explanation

This query is designed to detect potential social engineering attempts where someone tries to impersonate an authority figure (like a CEO or administrator) in order to trick an autonomous agent into performing unauthorized actions or releasing restricted information. Here's a simplified breakdown:

  • Purpose: The query raises an alert when someone claims a role or authority that the system cannot verify, such as "I am the CFO" or "as an administrator," to manipulate the agent.
  • Data Source: It examines messages from the gen_ai.input.messages field within the AppDependencies data type, which is part of the Application Insights data.
  • Conditions: The rule only triggers if content recording is enabled (AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED).
  • Severity: The alert is classified as medium severity.
  • Frequency: The query runs every hour and checks data from the past hour.
  • Detection Logic: It looks for specific phrases that indicate role impersonation and logs these incidents.
  • Output: If such phrases are found, it logs details like the agent name, model, project ID, conversation ID, and the source IP address.
  • Incident Management: If an incident is detected, it creates an alert and groups similar alerts together based on the account involved.
  • Tactics and Techniques: The query is associated with privilege escalation and initial access tactics, specifically techniques T1548 and T1078. Overall, this query helps identify and alert on attempts to exploit autonomous agents through social engineering tactics.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

ApplicationInsightsAppDependenciesPropertiesAgentModelProjectIdConvIdPromptSrcIpAccountNameTimeGeneratedMarkers

Operators

letdynamictostringcolumn_ifexiststolowermv-applycontainssummarizemake_setiffisemptyprojectsubstringorder bydescwhereextendisnotempty

Actions