# *AI Agent Third-Party Plugin with Internal Data Access*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1567 | Exfiltration Over Web Service | https://attack.mitre.org/techniques/T1567/ |
#### Description
Detects AI agents configured with third-party plugins or allowances that also have access to sensitive internal data sources like SharePoint, OneDrive, or Teams. This configuration could pose a data exfiltration risk if the third-party plugin is compromised or malicious.
#### Author
- **Name:** Benjamin Zulliger
- **Github:** https://github.com/benscha/KQLAdvancedHunting
- **LinkedIn:** https://www.linkedin.com/in/benjamin-zulliger/
## Defender XDR
```KQL
// Detection of data exfiltration risks via third-party plugins in sensitive agents
AIAgentsInfo
| where TimeGenerated >= ago(1d)
| extend RawInfo = parse_json(RawAgentInfo)
| extend ImpactedSettings = RawInfo.impactedSettings
| extend AppType = tostring(RawInfo.appType)
| extend PublishedStatus = tostring(RawInfo.publishedStatus)
// Detection of third-party allowances
| where AppType =~ "thirdParty"
or ImpactedSettings has "allowThirdParty"
or AgentToolsDetails has "thirdParty"
// Focus on agents with access to internal data sources such as SharePoint or Teams
| where AIAgentName has_any ("Sharepoint", "OneDrive", "Teams", "Internal", "Intranet")
or ConnectedAgentsSchemaNames has_any ("Sharepoint", "OneDrive")
| extend HostCustomEntity = LastModifiedByUpn
```
This query is designed to identify potential security risks involving AI agents that have access to sensitive internal data and are configured to use third-party plugins. Here's a simplified breakdown of what the query does:
- **Data source:** It analyzes information from `AIAgentsInfo`, which contains details about AI agents.
- **Time frame:** The query looks at data generated within the last day (`TimeGenerated >= ago(1d)`).
- **Data parsing:** It parses `RawAgentInfo` as JSON and extracts specific fields from it: `impactedSettings`, `appType`, and `publishedStatus`.
- **Third-party detection:** It filters for AI agents that are either classified as third-party (`AppType =~ "thirdParty"`) or have settings that allow third-party interactions (`ImpactedSettings has "allowThirdParty"` or `AgentToolsDetails has "thirdParty"`).
- **Internal data access:** It keeps only agents whose `AIAgentName` contains one of the terms Sharepoint, OneDrive, Teams, Internal, or Intranet, or whose `ConnectedAgentsSchemaNames` contains Sharepoint or OneDrive. The query treats these terms as the indicator that the agent has access to internal data sources.
- **Output:** It extends the results with `HostCustomEntity`, set to `LastModifiedByUpn`, which identifies the user who last modified the agent.
Overall, this query helps in detecting AI agents that could pose a data exfiltration risk due to their configuration with third-party plugins and access to sensitive internal data.
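
To see how the two filters combine, the following added example (not part of the original query or the author's repository) runs the same predicates over constructed rows and keeps each condition as its own column. The column types, the `RawAgentInfo` JSON layout, and the names `SampleAgents`, `ThirdPartyHit`, `InternalDataHit`, and `WouldAlert` are assumptions made for illustration. One row uses a fused agent name because `has` and `has_any` compare whole terms rather than substrings.

```kql
// Added example: constructed rows, not real telemetry. Column names are taken
// from the query above; column types and the RawAgentInfo JSON shape are assumed.
let SampleAgents = datatable(
    AIAgentName: string, AgentToolsDetails: string,
    ConnectedAgentsSchemaNames: string, LastModifiedByUpn: string,
    RawAgentInfo: string)
[
    // Third-party app type; "SharePoint" is a separate word in the agent name
    "HR SharePoint Assistant", "[]", "[]", "alice@contoso.example",
    '{"appType":"thirdParty","publishedStatus":"published","impactedSettings":[]}',
    // Allowance only in impactedSettings; data source only in the schema names
    "Finance Bot", "[]", '["OneDrive"]', "bob@contoso.example",
    '{"appType":"firstParty","publishedStatus":"draft","impactedSettings":["allowThirdParty"]}',
    // Third-party tool, but no data-source keyword in name or schema names
    "Weather Helper", '[{"type":"thirdParty"}]', "[]", "carol@contoso.example",
    '{"appType":"thirdParty","publishedStatus":"published","impactedSettings":[]}',
    // Internal data source, but no third-party indicator
    "Teams Notes", "[]", '["Sharepoint"]', "dave@contoso.example",
    '{"appType":"firstParty","publishedStatus":"published","impactedSettings":[]}',
    // Third-party; keyword fused into one longer term (has/has_any compare whole terms)
    "SharePointHelper", "[]", "[]", "erin@contoso.example",
    '{"appType":"thirdParty","publishedStatus":"published","impactedSettings":[]}'
];
SampleAgents
| extend TimeGenerated = now()   // stand-in so the 1-day window applies to the sample
| where TimeGenerated >= ago(1d)
| extend RawInfo = parse_json(RawAgentInfo)
| extend ImpactedSettings = RawInfo.impactedSettings
| extend AppType = tostring(RawInfo.appType)
| extend PublishedStatus = tostring(RawInfo.publishedStatus)
// Same two conditions as the detection, kept as columns so each row shows which side failed
| extend ThirdPartyHit = (AppType =~ "thirdParty")
    or (ImpactedSettings has "allowThirdParty")
    or (AgentToolsDetails has "thirdParty")
| extend InternalDataHit = (AIAgentName has_any ("Sharepoint", "OneDrive", "Teams", "Internal", "Intranet"))
    or (ConnectedAgentsSchemaNames has_any ("Sharepoint", "OneDrive"))
| extend WouldAlert = ThirdPartyHit and InternalDataHit
| project AIAgentName, AppType, PublishedStatus, ThirdPartyHit, InternalDataHit, WouldAlert, LastModifiedByUpn
```

Agents that reach internal data but carry none of the keywords in their name or schema names fall outside the keyword filter, so the term lists should be reviewed against the tenant's own naming conventions.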

Benjamin Zulliger
Released: June 8, 2026