Foundry - URL / domain / IP matched against threat intelligence
Foundry Threat Intel Url Match
Query
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
let networkIocTypes = dynamic(["url:value", "domain-name:value", "ipv4-addr:value", "ipv6-addr:value"]);
let TI =
ThreatIntelIndicators
| where TimeGenerated > ago(ioc_lookBack)
| where IsActive == true and Revoked == false
| where ObservableKey in (networkIocTypes)
| where isempty(ValidUntil) or ValidUntil > now()
| summarize arg_max(TimeGenerated, *) by IndicatorId = Id
| extend IOC = tolower(ObservableValue)
| where isnotempty(IOC);
let Spans =
AppDependencies
| where TimeGenerated > ago(dt_lookBack)
| where isnotempty(Properties["gen_ai.input.messages"]) or isnotempty(Properties["gen_ai.output.messages"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
Model = tostring(Properties["gen_ai.request.model"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ProjectId = tostring(Properties["microsoft.foundry.project.id"]),
Input = tostring(Properties["gen_ai.input.messages"]),
Output = tostring(Properties["gen_ai.output.messages"]),
SrcIp = tostring(column_ifexists("ClientIP", ""));
let FromInput = Spans | where isnotempty(Input) | extend Direction = "UserPrompt", Text = Input;
let FromOutput = Spans | where isnotempty(Output) | extend Direction = "AgentResponse", Text = Output;
let Content =
union FromInput, FromOutput
| mv-expand Url = extract_all(@"(https?://[^\s\)\]\}""'<>]+)", Text) to typeof(string)
| extend
Url = tolower(Url),
Host = tolower(tostring(extract(@"https?://([^/:\s]+)", 1, Url)))
| mv-expand IOC = pack_array(Url, Host) to typeof(string)
| where isnotempty(IOC);
Content
| join kind=inner TI on IOC
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
TimeGenerated, Direction, AccountName, Agent, Model, ProjectId, ConvId,
MatchedIOC = IOC, ObservableKey, Confidence,
ThreatType = tostring(todynamic(Data).indicator_types[0]),
Description = tostring(todynamic(Data).description),
Url, Host, SrcIp
| order by TimeGenerated descExplanation
This query is designed to detect potentially malicious URLs, domains, or IP addresses that are involved in interactions with an AI agent. Here's a simplified breakdown of what it does:
-
Purpose: The query checks if any URLs, domains, or IPs extracted from AI agent conversations match known threat intelligence indicators. This helps identify if the AI agent is interacting with or being targeted by malicious entities.
-
Data Sources: It uses data from two main sources:
- AppDependencies: Contains conversation content from the AI agent, including user inputs and agent responses.
- ThreatIntelIndicators: Contains threat intelligence data with known malicious URLs, domains, and IPs.
-
Process:
- Extract URLs: It extracts URLs from both user inputs and agent outputs.
- Match with Threat Intelligence: It compares these URLs against active threat intelligence indicators to find matches.
- Filter Criteria: Only considers indicators that are active, not revoked, and within a valid date range.
-
Output: If a match is found, it provides details such as the time of the event, the direction of the conversation (user input or agent response), the agent's name, the model used, and the matched threat intelligence data.
-
Severity and Alerts: The severity of the alert is marked as high, and it triggers an alert if any matches are found. It also creates incidents for further investigation.
-
Frequency: The query runs every hour and looks back over the past 14 days for threat intelligence data.
-
Use Case: This is useful for identifying potential security threats like phishing attempts or compromised AI agents interacting with malicious infrastructure.
Overall, this query helps in monitoring and securing AI agent interactions by leveraging threat intelligence data to detect and alert on suspicious activities.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: PT1H
Period: P14D