Query Details

Foundry - Sensitive data / secrets in agent prompt

Foundry Secrets In Prompt

Query

AppDependencies
| where isnotempty(Properties["gen_ai.input.messages"])
| extend
    Agent     = tostring(Properties["gen_ai.agent.name"]),
    Model     = tostring(Properties["gen_ai.request.model"]),
    ConvId    = tostring(Properties["gen_ai.conversation.id"]),
    ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
    Input     = tostring(Properties["gen_ai.input.messages"])
| extend
    HasAwsKey     = Input matches regex @"AKIA[0-9A-Z]{16}",
    HasPrivateKey = Input contains "-----BEGIN" and Input contains "PRIVATE KEY-----",
    HasJwt        = Input matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}",
    HasCreditCard = Input matches regex @"\b(?:\d[ \-]?){13,16}\b",
    EmailCount    = array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Input))
| where HasAwsKey or HasPrivateKey or HasJwt or HasCreditCard or EmailCount >= 10
| extend Signal = strcat(
    iff(HasAwsKey, "AWSAccessKey;", ""),
    iff(HasPrivateKey, "PrivateKey;", ""),
    iff(HasJwt, "JWT;", ""),
    iff(HasCreditCard, "CreditCardLike;", ""),
    iff(EmailCount >= 10, strcat("BulkEmails(", tostring(EmailCount), ");"), ""))
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
    TimeGenerated, Signal, AccountName, Agent, Model, ProjectId,
    ConvId, EmailCount
| order by TimeGenerated desc

Explanation

This query is designed to detect sensitive data or secrets being input into a Foundry or Agent Service request. It specifically looks for:

  1. AWS Access Keys: Identified by a specific pattern.
  2. PEM Private-Key Blocks: Recognized by the presence of "BEGIN" and "PRIVATE KEY" in the text.
  3. JWTs (JSON Web Tokens): Detected using a regex pattern.
  4. Credit Card-like Numbers: Identified by a pattern that matches sequences of 13 to 16 digits.
  5. Bulk Email Addresses: Flags if there are 10 or more distinct email addresses in the input.

The query checks the gen_ai.input.messages property from the AppDependencies data in Application Insights. If any of these sensitive data types are found, it generates a signal indicating which type(s) of sensitive data were detected. The query runs every hour and triggers an alert if any sensitive data is found.

The alert includes details such as the agent name, model, project ID, conversation ID, and the number of email addresses detected. It organizes alerts by account and creates incidents if necessary, grouping them by account for better management. The query is part of a scheduled detection rule and is tagged for use with Sentinel, Foundry, AI, and OWASP guidelines.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependenciesPropertiesAgentModelConvIdProjectIdInputAWSAccessKeyPrivateKeyJWTCreditCardLikeBulkEmailsAccountNameTimeGeneratedSignalEmailCount

Operators

isnotemptyextendtostringmatches regexcontainsarray_lengthextract_allorstrcatiffisemptyprojectorder by

Severity

High

Tactics

CredentialAccessCollection

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub