Agent - External exfiltration chain (sensitive output then egress)
Agent External Exfiltration
Query
let lookback = 1d;
let joinWindow = 30m;
let agentKeys =
_GetWatchlist('AgentIdentityMap')
| project AgentName = tostring(column_ifexists('AgentName', '')),
AppId = tolower(tostring(column_ifexists('AppId', ''))),
ObjectId = tolower(tostring(column_ifexists('ObjectId', ''))),
Upn = tolower(tostring(column_ifexists('Upn', '')))
| mv-expand Key = pack_array(Upn, AppId, ObjectId) to typeof(string)
| where isnotempty(Key)
| distinct AgentName, Key;
let sensitiveSpans =
AppDependencies
| where TimeGenerated > ago(lookback)
| where isnotempty(Properties["gen_ai.output.messages"])
| extend
AgentName = tostring(Properties["gen_ai.agent.name"]),
ConvId = tostring(Properties["gen_ai.conversation.id"]),
Output = tostring(Properties["gen_ai.output.messages"])
| extend Sensitive =
Output matches regex @"AKIA[0-9A-Z]{16}"
or (Output contains "-----BEGIN" and Output contains "PRIVATE KEY-----")
or Output matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}"
or array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Output)) >= 10
| where Sensitive
| project SpanTime = TimeGenerated, AgentName, ConvId;
let egress =
OfficeActivity
| where TimeGenerated > ago(lookback)
| extend
Operation_ = tostring(column_ifexists('Operation', '')),
Recipients_ = tostring(column_ifexists('Recipients', '')),
UserId_ = tostring(column_ifexists('UserId', '')),
UserKey_ = tostring(column_ifexists('UserKey', '')),
SourceFileName_ = tostring(column_ifexists('SourceFileName', '')),
TargetUserOrGroupName_ = tostring(column_ifexists('TargetUserOrGroupName', '')),
SiteUrl_ = tostring(column_ifexists('SiteUrl', '')),
ClientIP_ = tostring(column_ifexists('ClientIP', ''))
| where Operation_ in (
"AnonymousLinkCreated", "SharingInvitationCreated",
"AddedToSecureLink", "CompanyLinkCreated", "SharingSet",
"FileSyncUploadedFull", "FileDownloaded")
or (Operation_ == "Send" and isnotempty(Recipients_))
| extend Actor = tolower(coalesce(UserId_, UserKey_))
| where isnotempty(Actor)
| join kind=inner agentKeys on $left.Actor == $right.Key
| project EgressTime = TimeGenerated, AgentName, Actor, EgressOp = Operation_,
Doc = SourceFileName_, Target = TargetUserOrGroupName_,
SiteUrl = SiteUrl_, ClientIP = ClientIP_;
egress
| join kind=inner sensitiveSpans on AgentName
| where EgressTime between (SpanTime .. (SpanTime + joinWindow))
| project
EgressTime, SpanTime, AgentName, Actor, EgressOp, Doc, Target,
SiteUrl, ConvId, ClientIP,
LagMinutes = datetime_diff('minute', EgressTime, SpanTime)
| order by EgressTime descExplanation
This query is designed to detect potential data exfiltration activities by analyzing two main components: sensitive data output and external data sharing actions. Here's a simplified breakdown:
-
Objective: The query aims to identify instances where an agent (user or application) outputs sensitive information and then performs an external data sharing action shortly afterward. This combination is a strong indicator of potential data exfiltration.
-
Components:
- Sensitive Data Output: The query looks for output from an agent that contains sensitive information, such as AWS keys, private keys, JWT tokens, or a large number of email addresses. This is detected using regular expressions and specific patterns.
- External Data Sharing: It checks for actions in OfficeActivity logs that indicate data sharing with external entities, such as creating anonymous links, sending sharing invitations, or uploading files to external domains.
-
Process:
- Agent Identity Mapping: The query uses a watchlist called
AgentIdentityMapto map agent identities to their corresponding keys, which helps in correlating actions across different logs. - Sensitive Spans: It filters logs from
AppDependenciesto find instances where sensitive data was output by an agent. - Egress Actions: It filters
OfficeActivitylogs to find external sharing actions performed by the same agent.
- Agent Identity Mapping: The query uses a watchlist called
-
Correlation: The query joins the sensitive data output logs with the egress actions based on the agent identity. It checks if both actions occurred within a short time window (30 minutes).
-
Output: The result is a list of potential exfiltration incidents, showing details like the time of egress, the agent involved, the operation performed, the document shared, and the target recipient.
-
Tactics and Techniques: The query is associated with tactics like Exfiltration and Collection, and techniques such as T1567 (Exfiltration Over Web Service), T1530 (Data from Cloud Storage Object), and T1213 (Data from Information Repositories).
In summary, this query helps in identifying suspicious activities where sensitive data might be leaked externally by correlating sensitive data outputs with subsequent external sharing actions.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Tactics