Foundry - Agent grounded on untrusted tool / RAG source
Foundry Untrusted Tool Source
Query
let trusted =
_GetWatchlist('FoundryTrustedToolSources')
| project SourceUri = tolower(tostring(column_ifexists('SourceUri', '')))
| where isnotempty(SourceUri);
AppDependencies
| where isnotempty(Properties["gen_ai.tool.name"])
or isnotempty(Properties["gen_ai.tool.call.arguments"])
| extend
Agent = tostring(Properties["gen_ai.agent.name"]),
Model = tostring(Properties["gen_ai.request.model"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
ToolName = tostring(Properties["gen_ai.tool.name"]),
ToolType = tostring(Properties["gen_ai.tool.type"]),
ToolArgs = tostring(Properties["gen_ai.tool.call.arguments"]),
ToolResult = tostring(Properties["gen_ai.tool.call.result"])
| extend SourceUri = tolower(extract(@"https?://([A-Za-z0-9.\-]+)", 1, strcat(ToolArgs, " ", ToolResult)))
| where isnotempty(SourceUri)
| join kind=leftanti trusted on SourceUri
| summarize
UntrustedHits = count(),
UntrustedSources = make_set(SourceUri, 64),
Tools = make_set(ToolName, 16),
ToolTypes = make_set(ToolType, 8),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by Agent, Model, ConvId
| extend AccountName = iff(isempty(Agent), "unknown-agent", Agent)
| project
LastSeen, AccountName, Agent, Model, ConvId, UntrustedHits,
UntrustedSources, Tools, ToolTypes, FirstSeen
| order by UntrustedHits descExplanation
This query is designed to detect potentially malicious activities involving a service called "Foundry" or an "Agent" that interacts with untrusted tools or sources. Here's a simplified breakdown:
-
Purpose: The query identifies when the Foundry or Agent service retrieves content from sources not listed as trusted. This is important for detecting attacks where an attacker might plant harmful content in a location that the agent accesses, a tactic known as "RAG poisoning" or "context smuggling."
-
Trusted Sources: A list of approved sources is maintained in a watchlist called "FoundryTrustedToolSources." Any source not on this list is considered untrusted.
-
Data Source: The query uses data from Application Insights, specifically the AppDependencies data type, which logs details about tool calls made by the service.
-
Process:
- It extracts URLs from tool call arguments and results.
- It checks if these URLs are in the list of trusted sources.
- If not, it flags them as untrusted.
-
Output: The query summarizes the findings by counting how many times untrusted sources were accessed, listing these sources, and providing details about the tools and agents involved.
-
Alerting: If any untrusted sources are detected, an alert is triggered. The alert includes details like the agent name, model, conversation ID, and timestamps of the first and last occurrences.
-
Severity and Tactics: The alert is classified as medium severity and is associated with tactics like Initial Access and Defense Evasion, which are common in cyber attack scenarios.
-
Incident Management: The query is set up to create incidents in a security monitoring system, grouping related alerts to manage them effectively.
Overall, this query helps security teams monitor and respond to potential security threats involving unapproved data sources in their AI-driven services.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Severity
MediumTactics
Frequency: PT1H
Period: PT1H