Query Details

Foundry Secrets In Prompt

Query

id: 1a2b3c4d-0a0a-430a-920d-0123456789de
name: Foundry - Sensitive data / secrets in agent prompt
description: |
  Detects a Foundry / Agent Service request whose prompt contains
  secret-like or bulk-PII content: AWS access keys, PEM private-key
  blocks, JWTs, credit-card-like number runs, or a large number of
  distinct email addresses in a single input. This is the inbound
  sensitive-data shape - a user (or an upstream system / RAG context)
  pasting credentials or regulated data into an agent, which then risks
  logging, retention and downstream exfiltration.

  Mirror of the "Sensitive data in agent output" rule but reads
  gen_ai.input.messages from the AppDependencies span property bag
  (Properties). The input text only exists when
  AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED is set. The regexes are
  deliberately broad - review hits and tune the patterns / bulk-email
  threshold to your tenant to manage false positives.
severity: High
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- CredentialAccess
- Collection
relevantTechniques:
- T1552
- T1213
query: |
  AppDependencies
  | where isnotempty(Properties["gen_ai.input.messages"])
  | extend
      Agent     = tostring(Properties["gen_ai.agent.name"]),
      Model     = tostring(Properties["gen_ai.request.model"]),
      ConvId    = tostring(Properties["gen_ai.conversation.id"]),
      ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
      Input     = tostring(Properties["gen_ai.input.messages"])
  | extend
      HasAwsKey     = Input matches regex @"AKIA[0-9A-Z]{16}",
      HasPrivateKey = Input contains "-----BEGIN" and Input contains "PRIVATE KEY-----",
      HasJwt        = Input matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}",
      HasCreditCard = Input matches regex @"\b(?:\d[ \-]?){13,16}\b",
      EmailCount    = array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Input))
  | where HasAwsKey or HasPrivateKey or HasJwt or HasCreditCard or EmailCount >= 10
  | extend Signal = strcat(
      iff(HasAwsKey, "AWSAccessKey;", ""),
      iff(HasPrivateKey, "PrivateKey;", ""),
      iff(HasJwt, "JWT;", ""),
      iff(HasCreditCard, "CreditCardLike;", ""),
      iff(EmailCount >= 10, strcat("BulkEmails(", tostring(EmailCount), ");"), ""))
  | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
  | project
      TimeGenerated, Signal, AccountName, Agent, Model, ProjectId,
      ConvId, EmailCount
  | order by TimeGenerated desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Model
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Foundry
- AI
- OWASP-LLM06

Explanation

This query is designed to detect sensitive data or secrets being input into a Foundry or Agent Service request. It specifically looks for:

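  1. AWS Access Keys: The literal prefix AKIA followed by 16 uppercase letters or digits.
  2. PEM Private-Key Blocks: Recognized when both "-----BEGIN" and "PRIVATE KEY-----" appear anywhere in the input.
  3. JWTs (JSON Web Tokens): Three dot-separated base64url segments of at least 10 characters each, the first starting with "eyJ".
  4. Credit Card-like Numbers: Runs of 13 to 16 digits, optionally separated by spaces or hyphens. No checksum is applied, so any digit run of that length matches.
  5. Bulk Email Addresses: Flags input containing 10 or more email addresses. The rule description says "distinct", but the query counts every match returned by extract_all, so a repeated address counts each time it appears.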

The query reads the gen_ai.input.messages property from the Properties bag of AppDependencies spans in Application Insights. That property is only populated when AZURE_TRACING_GEN_AI_CONTENT_RECORDING_ENABLED is set. When any of the patterns match, the query builds a Signal string naming each type that was found. The rule runs every hour over the previous hour of data and raises an alert when at least one row matches.

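Each result row carries the signal, agent name, model, project ID, conversation ID, and the email count. The prompt text itself (Input) is not projected, so the matched secret is not copied into the alert. The agent name is mapped to the Account entity (as "unknown-agent" when it is empty) and the model to the CloudApplication entity. Results are raised as a single alert per run, an incident is created, and alerts that share the same Account entity are grouped into one incident within a 6-hour lookback. The rule is a scheduled analytics rule tagged Sentinel-As-Code, Custom, Foundry, AI, and OWASP-LLM06.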
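The rule description asks you to review hits and tune the patterns and the bulk-email threshold. The following Python harness is an added example, not part of the published rule: it replays the rule's regexes over constructed sample prompts and compares them with a hypothetical tuned variant (Luhn check on card-like runs, distinct email count). The `signals` function, its `tuned` flag and the sample strings are assumptions made for illustration.

```python
import re

# Patterns copied from the rule's KQL; this subset of RE2 syntax behaves the same in Python's re.
AWS_KEY = re.compile(r"AKIA[0-9A-Z]{16}")
JWT = re.compile(r"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}")
CARD_LIKE = re.compile(r"\b(?:\d[ \-]?){13,16}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def signals(text: str, tuned: bool = False, email_threshold: int = 10) -> list[str]:
    """tuned=False mirrors the KQL; tuned=True is a hypothetical triage variant."""
    out = []
    if AWS_KEY.search(text):
        out.append("AWSAccessKey")
    low = text.lower()  # KQL `contains` is case-insensitive
    if "-----begin" in low and "private key-----" in low:
        out.append("PrivateKey")
    if JWT.search(text):
        out.append("JWT")
    # Strip separators so each matched run is a plain digit string.
    runs = [re.sub(r"\D", "", m.group()) for m in CARD_LIKE.finditer(text)]
    card_hit = any(luhn_ok(r) for r in runs) if tuned else bool(runs)
    if card_hit:
        out.append("CreditCardLike")
    emails = EMAIL.findall(text)
    # The rule counts every match; the tuned variant counts distinct addresses.
    count = len({e.lower() for e in emails}) if tuned else len(emails)
    if count >= email_threshold:
        out.append(f"BulkEmails({count})")
    return out

# Constructed sample inputs (not real data).
SAMPLES = {
    "epoch_ms": "job finished at 1717843200000, please summarise the log",
    "test_card": "refund the order paid with 4111 1111 1111 1111",
    "repeated_sender": "From: ops@example.com\n" * 10,
    "aws_key": "my key is AKIA" + "A" * 16,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, signals(text), signals(text, tuned=True))
```

The 13-digit timestamp and the repeated sender line both fire under the rule as written and drop out under the tuned variant, while the Luhn-valid test card number still fires.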

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

AppDependencies, Properties, Agent, Model, ConvId, ProjectId, Input, AWSAccessKey, PrivateKey, JWT, CreditCardLike, BulkEmails, AccountName, TimeGenerated, Signal, EmailCount

Operators

isnotempty, extend, tostring, matches regex, contains, array_length, extract_all, or, strcat, iff, isempty, project, order by