Query Details

Foundry - Sensitive tool / capability invoked by agent

Foundry Sensitive Tool Invocation

Query

let sensitiveTools = dynamic([
    "code_interpreter", "code-interpreter", "python", "shell", "bash",
    "cmd", "powershell", "file_search", "file-search", "filesystem",
    "http", "fetch", "browser", "email", "sendmail", "sql", "database"
]);
AppDependencies
| where isnotempty(Properties["gen_ai.tool.name"])
    or isnotempty(Properties["gen_ai.tool.type"])
| extend
    Agent    = tostring(Properties["gen_ai.agent.name"]),
    Model    = tostring(Properties["gen_ai.request.model"]),
    ConvId   = tostring(Properties["gen_ai.conversation.id"]),
    ToolName = tolower(tostring(Properties["gen_ai.tool.name"])),
    ToolType = tolower(tostring(Properties["gen_ai.tool.type"])),
    ToolArgs = tostring(Properties["gen_ai.tool.call.arguments"])
| where ToolName has_any (sensitiveTools) or ToolType has_any (sensitiveTools)
| summarize
    Invocations = count(),
    Tools       = make_set(ToolName, 16),
    ToolTypes   = make_set(ToolType, 16),
    SampleArgs  = take_any(ToolArgs),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by Agent, Model, ConvId
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
    LastSeen, AccountName, Agent, Model, ConvId, Invocations,
    Tools, ToolTypes, SampleArgs, FirstSeen
| order by Invocations desc

Explanation

This query is designed to monitor and alert on potentially risky activities performed by agents using specific tools or capabilities within a system. Here's a simplified breakdown:

  1. Purpose: The query identifies instances where an agent uses high-impact tools or capabilities, such as code interpreters, shell commands, file access, HTTP requests, database interactions, or email sending. These actions are significant because they can be exploited by attackers to perform unauthorized operations after gaining access.

  2. Data Source: It uses data from AppDependencies, which is part of the Application Insights data connector.

  3. Sensitive Tools: A list of sensitive tools and capabilities is defined, including items like "python", "shell", "http", "sql", etc. The query checks if any of these tools are used.

  4. Data Extraction: It extracts relevant information such as the agent's name, the model used, conversation ID, tool name, tool type, and tool arguments from the data.

  5. Filtering and Summarization: The query filters for records where the tool name or type matches any in the sensitive tools list. It then summarizes the data to count the number of invocations, list the tools and types used, sample arguments, and the first and last time these actions were seen.

  6. Output: The results include details like the last seen time, agent name, model, conversation ID, number of invocations, tools used, tool types, sample arguments, and the first seen time. The results are ordered by the number of invocations.

  7. Alerting: If any such activity is detected, an alert is triggered. The alert groups incidents by account and creates a new incident if necessary.

  8. Severity and Tactics: The severity of the alert is set to medium, and it relates to tactics like execution and collection, with techniques T1059 (Command and Scripting Interpreter) and T1213 (Data from Information Repositories).

Overall, this query helps in identifying and alerting on potentially malicious or unauthorized use of sensitive tools by agents, which could indicate a security breach or misuse.

Details

David Alonso profile picture

David Alonso

Released: June 8, 2026

Tables

AppDependencies

Keywords

ApplicationInsightsAppDependenciesPropertiesAgentModelConvIdToolNameToolTypeToolArgsAccountNameTimeGenerated

Operators

letdynamicwhereisnotemptyextendtostringtolowerhas_anysummarizecountmake_settake_anyminmaxbyiffisemptyprojectorder by

Severity

Medium

Tactics

ExecutionCollection

MITRE Techniques

Frequency: PT1H

Period: PT1H

Actions

GitHub