Foundry Prompt Injection Patterns

id: 92a3b4c5-8888-4b02-9205-0123456789d5 name: Foundry - Prompt-injection patterns in agent input description: | Hunts Foundry / Agent Service inputs and tool arguments for known prompt-injection markers: instructions to ignore previous guidance, role-override phrases, tool-coercion phrases, system-prompt disclosure requests, and base64 / data-URI blobs embedded in user content. This catches injection attempts that Prompt Shields may not have flagged (custom phrasings, novel jailbreaks) - pair it with the guardrail-jailbreak rule for the model-verdict view. Reads the real Foundry telemetry shape: spans in AppDependencies, bag in Properties. The prompt text lives in gen_ai.input.messages and tool arguments in gen_ai.tool.call.arguments, so both require AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED. Without content recording this rule will not fire. severity: Medium requiredDataConnectors: - connectorId: ApplicationInsights dataTypes: - AppDependencies queryFrequency: PT1H queryPeriod: PT1H triggerOperator: gt triggerThreshold: 0 enabled: true tactics: - InitialAccess - Execution relevantTechniques: - T1059 - T1204 query: | let injectionPhrases = dynamic([ "ignore previous instructions", "ignore prior instructions", "disregard the above", "you are now", "act as system", "system prompt:", "developer mode", "bypass safety", "reveal your prompt", "print your instructions", "exfiltrate", "send to attacker" ]); let toolCoercion = dynamic([ "regardless of restrictions", "without confirming", "skip approval", "use admin privileges", "elevate to" ]); AppDependencies | where isnotempty(Properties["gen_ai.input.messages"]) or isnotempty(Properties["gen_ai.tool.call.arguments"]) | extend Agent = tostring(Properties["gen_ai.agent.name"]), Model = tostring(Properties["gen_ai.request.model"]), ConvId = tostring(Properties["gen_ai.conversation.id"]), ProjectId = tostring(Properties["microsoft.foundry.project.id"]), Prompt = tostring(Properties["gen_ai.input.messages"]), ToolName = tostring(Properties["gen_ai.tool.name"]), ToolArgs = tostring(Properties["gen_ai.tool.call.arguments"]) | extend Haystack = tolower(strcat(Prompt, " ", ToolArgs)) | where Haystack has_any (injectionPhrases) or Haystack has_any (toolCoercion) or Haystack matches regex @"data:[a-z/+.\-]+;base64,[A-Za-z0-9+/=]{200,}" | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent) | project TimeGenerated, AccountName, Agent, Model, ProjectId, ConvId, ToolName, Prompt, ToolArgs | order by TimeGenerated desc entityMappings: - entityType: Account fieldMappings: - identifier: Name columnName: AccountName - entityType: CloudApplication fieldMappings: - identifier: Name columnName: Model eventGroupingSettings: aggregationKind: SingleAlert incidentConfiguration: createIncident: true groupingConfiguration: enabled: true reopenClosedIncident: false lookbackDuration: PT6H matchingMethod: Selected groupByEntities: - Account groupByAlertDetails: [] groupByCustomDetails: [] version: 1.0.0 kind: Scheduled tags: - Sentinel-As-Code - Custom - Foundry - AI - OWASP-LLM01

Explanation

This query is designed to detect potential prompt-injection attacks on a system that uses AI agents and tools. Here's a simplified breakdown of what it does:

Purpose: The query looks for specific patterns in the input given to AI agents and tools that might indicate an attempt to manipulate or bypass the system's intended behavior. These patterns include phrases that suggest ignoring instructions, overriding roles, coercing tools, or revealing system prompts. It also checks for encoded data that could be used for malicious purposes.
Data Source: It analyzes telemetry data from the Foundry platform, specifically looking at application dependencies and properties related to AI inputs and tool arguments. This requires a specific Azure setting to be enabled for content recording.
Detection Logic:
- It defines two lists of suspicious phrases: one for prompt-injection and another for tool coercion.
- It checks if the AI input messages or tool arguments contain any of these phrases or if they match a pattern for base64 encoded data.
- If any of these conditions are met, it flags the input as suspicious.
Output: The query outputs details such as the time of the event, the name of the agent, the AI model used, project ID, conversation ID, tool name, and the suspicious input or arguments.
Alerting and Incident Management:
- If the query finds any suspicious activity, it creates an alert.
- It groups related alerts into a single incident based on the account involved, helping to manage and investigate potential security incidents efficiently.
Operational Details:
- The query runs every hour and looks back over the past hour for any suspicious activity.
- It is set to trigger if it finds more than zero instances of suspicious activity.

Overall, this query is part of a security monitoring system that helps identify and respond to attempts to manipulate AI systems through prompt-injection techniques.

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

FoundryAgentServiceInputsToolArgumentsPromptInjectionMarkersInstructionsRoleOverridePhrasesToolCoercionPhrasesSystemPromptDisclosureRequestsBase64DataURIBlobsUserContentFoundryTelemetryShapeAppDependenciesPropertiesPromptTextMessagesToolArgumentsAzureTracingGenAIContentRecordingApplicationInsightsAppDependenciesAgentModelConversationProjectPromptToolNameToolArgsAccountNameTimeGeneratedAccountNameAgentModelProjectIDConversationIDToolNamePromptToolArgsAccountCloudApplicationSentinelAsCodeCustomFoundryAIOWASPLLM01

Operators

letdynamicisnotemptytostringtolowerstrcathas_anymatchesregexiffisemptyprojectorder bydesc

KQL Search