Foundry - Authority / role-impersonation claim in agent input
Foundry Privilege Escalation Claim
Query
let escalationMarkers = dynamic([
"i am the ceo", "i'm the ceo", "i am the cfo", "i'm the cfo",
"i am the cto", "i am your administrator", "as an administrator",
"as the administrator", "as an admin", "i am an admin", "i'm an admin",
"i have admin", "i am authorised", "i am authorized", "i'm authorised",
"i'm authorized", "i am allowed to", "i have permission to",
"on behalf of the", "i am from it", "i'm from security",
"by order of", "override the policy", "i outrank", "elevate my access",
"give me access to", "grant me access", "i should have access"
]);
AppDependencies
| where isnotempty(Properties["gen_ai.input.messages"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
Model = tostring(Properties["gen_ai.request.model"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
Prompt = tostring(Properties["gen_ai.input.messages"]),
SrcIp = tostring(column_ifexists("ClientIP", ""))
| extend Text = tolower(Prompt)
| where isnotempty(Text)
| mv-apply Marker = escalationMarkers to typeof(string) on (
where Text contains Marker
| summarize Markers = make_set(Marker)
)
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
TimeGenerated, AccountName, Agent, Model, ProjectId, ConvId,
Markers, Prompt = substring(Prompt, 0, 1024), SrcIp
| order by TimeGenerated descExplanation
This query is designed to detect potential social engineering attempts where someone tries to impersonate an authority figure (like a CEO or administrator) in order to trick an autonomous agent into performing unauthorized actions or releasing restricted information. Here's a simplified breakdown:
- Purpose: The query raises an alert when someone claims a role or authority that the system cannot verify, such as "I am the CFO" or "as an administrator," to manipulate the agent.
- Data Source: It examines messages from the
gen_ai.input.messagesfield within theAppDependenciesdata type, which is part of the Application Insights data. - Conditions: The rule only triggers if content recording is enabled (
AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED). - Severity: The alert is classified as medium severity.
- Frequency: The query runs every hour and checks data from the past hour.
- Detection Logic: It looks for specific phrases that indicate role impersonation and logs these incidents.
- Output: If such phrases are found, it logs details like the agent name, model, project ID, conversation ID, and the source IP address.
- Incident Management: If an incident is detected, it creates an alert and groups similar alerts together based on the account involved.
- Tactics and Techniques: The query is associated with privilege escalation and initial access tactics, specifically techniques T1548 and T1078. Overall, this query helps identify and alert on attempts to exploit autonomous agents through social engineering tactics.
Details

David Alonso
Released: June 8, 2026
Tables
AppDependencies
Keywords
ApplicationInsightsAppDependenciesPropertiesAgentModelProjectIdConvIdPromptSrcIpAccountNameTimeGeneratedMarkers
Operators
letdynamictostringcolumn_ifexiststolowermv-applycontainssummarizemake_setiffisemptyprojectsubstringorder bydescwhereextendisnotempty
Severity
MediumTactics
PrivilegeEscalationInitialAccess
Frequency: PT1H
Period: PT1H