Query Details

Foundry Sensitive Tool Invocation

Query

id: e7f8091a-dddd-4007-920a-0123456789da
name: Foundry - Sensitive tool / capability invoked by agent
description: |
  Surfaces Foundry / Agent Service runs where the agent invoked a
  high-impact tool / capability: code interpreters, shell / OS command
  execution, file-system or file-search access, outbound HTTP / browser
  fetch, database / SQL, or email send. These are the capabilities an
  attacker abuses after a successful injection to pivot from "the model
  said something" to "the agent did something".

  Reads gen_ai.tool.name / gen_ai.tool.type from the AppDependencies span
  property bag (Properties). Pair with the untrusted-tool-source rule
  (to see whether the tool reached an unapproved host) and the
  prompt-injection rule (to see whether the invocation followed an
  injection). Tune the sensitiveTools list to match the tools your agents
  are expected - or not expected - to use.
severity: Medium
requiredDataConnectors:
- connectorId: ApplicationInsights
  dataTypes:
  - AppDependencies
queryFrequency: PT1H
queryPeriod: PT1H
triggerOperator: gt
triggerThreshold: 0
enabled: true
tactics:
- Execution
- Collection
relevantTechniques:
- T1059
- T1213
query: |
  let sensitiveTools = dynamic([
      "code_interpreter", "code-interpreter", "python", "shell", "bash",
      "cmd", "powershell", "file_search", "file-search", "filesystem",
      "http", "fetch", "browser", "email", "sendmail", "sql", "database"
  ]);
  AppDependencies
  | where isnotempty(Properties["gen_ai.tool.name"])
      or isnotempty(Properties["gen_ai.tool.type"])
  | extend
      Agent    = tostring(Properties["gen_ai.agent.name"]),
      Model    = tostring(Properties["gen_ai.request.model"]),
      ConvId   = tostring(Properties["gen_ai.conversation.id"]),
      ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
      ToolType = tolower(tostring(Properties["gen_ai.tool.type"])),
      ToolArgs = tostring(Properties["gen_ai.tool.call.arguments"])
  | where ToolName has_any (sensitiveTools) or ToolType has_any (sensitiveTools)
  | summarize
      Invocations = count(),
      Tools       = make_set(ToolName, 16),
      ToolTypes   = make_set(ToolType, 16),
      SampleArgs  = take_any(ToolArgs),
      FirstSeen   = min(TimeGenerated),
      LastSeen    = max(TimeGenerated)
      by Agent, Model, ConvId
  | extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
  | project
      LastSeen, AccountName, Agent, Model, ConvId, Invocations,
      Tools, ToolTypes, SampleArgs, FirstSeen
  | order by Invocations desc
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: Model
eventGroupingSettings:
  aggregationKind: SingleAlert
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: PT6H
    matchingMethod: Selected
    groupByEntities:
    - Account
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
tags:
- Sentinel-As-Code
- Custom
- Foundry
- AI
- OWASP-LLM07

Explanation

This query is designed to monitor and alert on potentially risky tool or capability invocations performed by agents in Foundry / Agent Service. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where an agent uses high-impact tools or capabilities, such as code interpreters, shell commands, file access, HTTP requests, database interactions, or email sending. These actions are significant because they can be exploited by attackers to perform unauthorized operations after gaining access.

  2. Data Source: It uses data from AppDependencies, which is part of the Application Insights data connector.

  3. Sensitive Tools: A list of sensitive tools and capabilities is defined, including items like "python", "shell", "http", "sql", etc. The lowercased tool name and tool type are matched against this list with has_any, which matches whole terms rather than arbitrary substrings.

  4. Data Extraction: It extracts relevant information such as the agent's name, the model used, conversation ID, tool name, tool type, and tool arguments from the data.

  5. Filtering and Summarization: The query filters for records where the tool name or type matches any in the sensitive tools list. It then summarizes the data to count the number of invocations, list the tools and types used, sample arguments, and the first and last time these actions were seen.

  6. Output: The results include details like the last seen time, agent name, model, conversation ID, number of invocations, tools used, tool types, sample arguments, and the first seen time. The results are ordered by the number of invocations.

  7. Alerting: If any such activity is detected, an alert is triggered. Alerts are grouped into incidents by the Account entity (the agent name, or "unknown-agent" when it is missing) over a six-hour lookback, and a new incident is created when no open one matches.

  8. Severity and Tactics: The severity of the alert is set to medium, and it relates to tactics like execution and collection, with techniques T1059 (Command and Scripting Interpreter) and T1213 (Data from Information Repositories).

Overall, this query helps in identifying and alerting on potentially malicious or unauthorized use of sensitive tools by agents, which could indicate a security breach or misuse.
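The following is an added example, not part of the original rule or of any Microsoft / Sentinel code: it re-implements the filter, extend, summarize and order stages of the query in Python over constructed AppDependencies-style rows, so the matching behaviour can be checked offline before tuning the sensitiveTools list. The has_any helper is an approximation of Kusto's term-based matching (assumed tokenisation: maximal runs of letters, digits and underscore; hyphenated entries become a term phrase); the sample rows, agent names, model name and conversation IDs are constructed.

```python
import re
from datetime import datetime

# Same list as the rule's sensitiveTools.
SENSITIVE_TOOLS = [
    "code_interpreter", "code-interpreter", "python", "shell", "bash",
    "cmd", "powershell", "file_search", "file-search", "filesystem",
    "http", "fetch", "browser", "email", "sendmail", "sql", "database",
]

# Assumed approximation of Kusto term tokenisation.
_TERM = re.compile(r"[a-z0-9_]+")


def _terms(text):
    return _TERM.findall(text.lower())


def has_any(value, needles):
    """Approximates KQL `has_any`: true when any needle occurs in value as a
    whole term (or consecutive terms for hyphenated needles). Whole-term
    matching is why a tool named "python3" does NOT match "python"."""
    toks = _terms(value)
    for needle in needles:
        nt = _terms(needle)
        n = len(nt)
        if n and any(toks[i:i + n] == nt for i in range(len(toks) - n + 1)):
            return True
    return False


def _prop(row, key):
    # tostring() of a missing dynamic property yields "" in KQL.
    v = row.get("Properties", {}).get(key)
    return "" if v is None else str(v)


def summarize(rows, sensitive=SENSITIVE_TOOLS):
    """Run the rule's where / extend / summarize / order stages over rows."""
    groups = {}
    for row in rows:
        tool_name = _prop(row, "gen_ai.tool.name").lower()
        tool_type = _prop(row, "gen_ai.tool.type").lower()
        if not tool_name and not tool_type:
            continue  # the isnotempty(...) guard
        if not (has_any(tool_name, sensitive) or has_any(tool_type, sensitive)):
            continue
        agent = _prop(row, "gen_ai.agent.name")
        key = (agent, _prop(row, "gen_ai.request.model"),
               _prop(row, "gen_ai.conversation.id"))
        ts = datetime.fromisoformat(row["TimeGenerated"])
        g = groups.get(key)
        if g is None:
            g = groups[key] = {
                "Agent": agent, "Model": key[1], "ConvId": key[2],
                "Invocations": 0, "Tools": set(), "ToolTypes": set(),
                "SampleArgs": _prop(row, "gen_ai.tool.call.arguments"),
                "FirstSeen": ts, "LastSeen": ts,
                # iff(isempty(Agent), "unknown-agent", Agent)
                "AccountName": agent or "unknown-agent",
            }
        g["Invocations"] += 1
        g["Tools"].add(tool_name)
        g["ToolTypes"].add(tool_type)
        g["FirstSeen"] = min(g["FirstSeen"], ts)
        g["LastSeen"] = max(g["LastSeen"], ts)
    return sorted(groups.values(), key=lambda g: g["Invocations"], reverse=True)


def _row(ts, conv, tool, ttype="function", agent="helpdesk-agent", args=""):
    p = {"gen_ai.request.model": "model-a", "gen_ai.conversation.id": conv,
         "gen_ai.tool.name": tool, "gen_ai.tool.type": ttype,
         "gen_ai.tool.call.arguments": args}
    if agent:
        p["gen_ai.agent.name"] = agent
    return {"TimeGenerated": ts, "Properties": p}


# Constructed AppDependencies-style rows, not real telemetry.
SAMPLE_ROWS = [
    _row("2026-06-08T10:00:00+00:00", "conv-1", "code_interpreter",
         "code_interpreter", args='{"code":"print(1)"}'),
    _row("2026-06-08T09:58:00+00:00", "conv-1", "get_weather"),   # benign
    _row("2026-06-08T10:05:00+00:00", "conv-1", "fetch"),
    _row("2026-06-08T10:07:00+00:00", "conv-1", "python"),
    _row("2026-06-08T11:00:00+00:00", "conv-2", "shell", agent=""),  # no agent
    _row("2026-06-08T11:30:00+00:00", "conv-3", "python3"),        # term miss
    {"TimeGenerated": "2026-06-08T12:00:00+00:00",
     "Properties": {"gen_ai.request.model": "model-a"}},            # no tool
]

if __name__ == "__main__":
    for g in summarize(SAMPLE_ROWS):
        print(g["AccountName"], g["ConvId"], g["Invocations"], sorted(g["Tools"]))
```

Running it shows two result rows: conv-1 with three invocations (code_interpreter, fetch, python) and conv-2 attributed to "unknown-agent". The "python3" row is dropped, which is the tuning point: entries in sensitiveTools must be whole terms as they appear in gen_ai.tool.name or gen_ai.tool.type, so variants your agents actually register need their own entry.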

Details

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

ApplicationInsights, AppDependencies, Properties, Agent, Model, ConvId, ToolName, ToolType, ToolArgs, AccountName, TimeGenerated

Operators

let, dynamic, where, isnotempty, extend, tostring, tolower, has_any, summarize, count, make_set, take_any, min, max, by, iff, isempty, project, order by