Foundry - Sensitive tool / capability invoked by agent
Foundry Sensitive Tool Invocation
Query
let sensitiveTools = dynamic([
"code_interpreter", "code-interpreter", "python", "shell", "bash",
"cmd", "powershell", "file_search", "file-search", "filesystem",
"http", "fetch", "browser", "email", "sendmail", "sql", "database"
]);
AppDependencies
| where isnotempty(Properties["gen_ai.tool.name"])
or isnotempty(Properties["gen_ai.tool.type"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
Model = tostring(Properties["gen_ai.request.model"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
ToolType = tolower(tostring(Properties["gen_ai.tool.type"])),
ToolArgs = tostring(Properties["gen_ai.tool.call.arguments"])
| where ToolName has_any (sensitiveTools) or ToolType has_any (sensitiveTools)
| summarize
Invocations = count(),
Tools = make_set(ToolName, 16),
ToolTypes = make_set(ToolType, 16),
SampleArgs = take_any(ToolArgs),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by Agent, Model, ConvId
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
LastSeen, AccountName, Agent, Model, ConvId, Invocations,
Tools, ToolTypes, SampleArgs, FirstSeen
| order by Invocations descExplanation
This query is designed to monitor and alert on potentially risky activities performed by agents using specific tools or capabilities within a system. Here's a simplified breakdown:
-
Purpose: The query identifies instances where an agent uses high-impact tools or capabilities, such as code interpreters, shell commands, file access, HTTP requests, database interactions, or email sending. These actions are significant because they can be exploited by attackers to perform unauthorized operations after gaining access.
-
Data Source: It uses data from
AppDependencies, which is part of the Application Insights data connector. -
Sensitive Tools: A list of sensitive tools and capabilities is defined, including items like "python", "shell", "http", "sql", etc. The query checks if any of these tools are used.
-
Data Extraction: It extracts relevant information such as the agent's name, the model used, conversation ID, tool name, tool type, and tool arguments from the data.
-
Filtering and Summarization: The query filters for records where the tool name or type matches any in the sensitive tools list. It then summarizes the data to count the number of invocations, list the tools and types used, sample arguments, and the first and last time these actions were seen.
-
Output: The results include details like the last seen time, agent name, model, conversation ID, number of invocations, tools used, tool types, sample arguments, and the first seen time. The results are ordered by the number of invocations.
-
Alerting: If any such activity is detected, an alert is triggered. The alert groups incidents by account and creates a new incident if necessary.
-
Severity and Tactics: The severity of the alert is set to medium, and it relates to tactics like execution and collection, with techniques T1059 (Command and Scripting Interpreter) and T1213 (Data from Information Repositories).
Overall, this query helps in identifying and alerting on potentially malicious or unauthorized use of sensitive tools by agents, which could indicate a security breach or misuse.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: PT1H