Query Details
id: f5160718-dddd-4d19-910d-0123456789cf
name: Agent - External exfiltration chain (sensitive output then egress)
description: |
  Stitches the exfiltration stage of the agent kill chain together: a
  Foundry / Agent Service span that emitted sensitive / secret-like
  content (or a tool fetch to an untrusted host), followed shortly by an
  external egress action by the same agent identity in OfficeActivity -
  an anonymous sharing link, external sharing invitation, or a file sent
  to an external domain. Either half is suspicious; the two within a short
  window are a strong external-exfiltration signal.
  Bridges Foundry telemetry (gen_ai.*) to OfficeActivity through the
  AgentIdentityMap watchlist. The sensitive-output detection reuses the
  same secret / bulk-PII regexes as the FoundrySensitiveDataInOutput
  rule. Requires content recording for the output half and a populated
  AgentIdentityMap for the egress half.
query: |
  let lookback = 1d;
  let joinWindow = 30m;
  let agentKeys =
      _GetWatchlist('AgentIdentityMap')
      | project AgentName = tostring(column_ifexists('AgentName', '')),
                AppId = tolower(tostring(column_ifexists('AppId', ''))),
                ObjectId = tolower(tostring(column_ifexists('ObjectId', ''))),
                Upn = tolower(tostring(column_ifexists('Upn', '')))
      | mv-expand Key = pack_array(Upn, AppId, ObjectId) to typeof(string)
      | where isnotempty(Key)
      | distinct AgentName, Key;
  let sensitiveSpans =
      AppDependencies
      | where TimeGenerated > ago(lookback)
      | where isnotempty(Properties["gen_ai.output.messages"])
      | extend
          AgentName = tostring(Properties["gen_ai.agent.name"]),
          ConvId = tostring(Properties["gen_ai.conversation.id"]),
          Output = tostring(Properties["gen_ai.output.messages"])
      | extend Sensitive =
          Output matches regex @"AKIA[0-9A-Z]{16}"
          or (Output contains "-----BEGIN" and Output contains "PRIVATE KEY-----")
          or Output matches regex @"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}"
          or array_length(extract_all(@"([A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,})", Output)) >= 10
      | where Sensitive
      | project SpanTime = TimeGenerated, AgentName, ConvId;
  let egress =
      OfficeActivity
      | where TimeGenerated > ago(lookback)
      | extend
          Operation_ = tostring(column_ifexists('Operation', '')),
          Recipients_ = tostring(column_ifexists('Recipients', '')),
          UserId_ = tostring(column_ifexists('UserId', '')),
          UserKey_ = tostring(column_ifexists('UserKey', '')),
          SourceFileName_ = tostring(column_ifexists('SourceFileName', '')),
          TargetUserOrGroupName_ = tostring(column_ifexists('TargetUserOrGroupName', '')),
          SiteUrl_ = tostring(column_ifexists('SiteUrl', '')),
          ClientIP_ = tostring(column_ifexists('ClientIP', ''))
      | where Operation_ in (
              "AnonymousLinkCreated", "SharingInvitationCreated",
              "AddedToSecureLink", "CompanyLinkCreated", "SharingSet",
              "FileSyncUploadedFull", "FileDownloaded")
          or (Operation_ == "Send" and isnotempty(Recipients_))
      | extend Actor = tolower(coalesce(UserId_, UserKey_))
      | where isnotempty(Actor)
      | join kind=inner agentKeys on $left.Actor == $right.Key
      | project EgressTime = TimeGenerated, AgentName, Actor, EgressOp = Operation_,
                Doc = SourceFileName_, Target = TargetUserOrGroupName_,
                SiteUrl = SiteUrl_, ClientIP = ClientIP_;
  egress
  | join kind=inner sensitiveSpans on AgentName
  | where EgressTime between (SpanTime .. (SpanTime + joinWindow))
  | project
      EgressTime, SpanTime, AgentName, Actor, EgressOp, Doc, Target,
      SiteUrl, ConvId, ClientIP,
      LagMinutes = datetime_diff('minute', EgressTime, SpanTime)
  | order by EgressTime desc
tactics:
  - Exfiltration
  - Collection
techniques:
  - T1567
  - T1530
  - T1213
tags:
  - Sentinel-As-Code
  - Custom
  - Foundry
  - AI
This query is designed to detect potential data exfiltration activities by analyzing two main components: sensitive data output and external data sharing actions. Here's a simplified breakdown:
Objective: The query aims to identify instances where an agent (user or application) outputs sensitive information and then performs an external data sharing action shortly afterward. This combination is a strong indicator of potential data exfiltration.
Components and process:
Identity mapping: The query reads the AgentIdentityMap watchlist to map each agent's identities (UPN, AppId, ObjectId) to its agent name, which allows actions to be correlated across the two logs.
Sensitive output: It searches AppDependencies for spans in which an agent emitted sensitive data.
Egress: It searches OfficeActivity for external sharing actions performed by the same agent identity.
Correlation: It joins the sensitive-output spans with the egress actions on the agent name and keeps only pairs where the egress occurred within a short window (30 minutes) after the span.
Output: The result is a list of potential exfiltration incidents, showing details like the time of egress, the agent involved, the operation performed, the document shared, and the target recipient.
Tactics and Techniques: The query is associated with tactics like Exfiltration and Collection, and techniques such as T1567 (Exfiltration Over Web Service), T1530 (Data from Cloud Storage Object), and T1213 (Data from Information Repositories).
In summary, this query helps in identifying suspicious activities where sensitive data might be leaked externally by correlating sensitive data outputs with subsequent external sharing actions.
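To exercise the rule's thresholds and the 30-minute window without a workspace, the following Python re-implements the same logic over constructed sample rows. This is an added example, not code from the rule or from the Sentinel-as-Code project: the regexes, operation list and window are copied from the query above, while the function names (`is_sensitive`, `is_egress`, `agent_keys`, `minute_diff`, `correlate`), the watchlist entry, the spans and the OfficeActivity rows are all constructed for illustration.

```python
"""Offline model of the rule's logic over constructed sample rows.

Not the rule's own code: it re-implements the Sensitive predicate, the
egress filter, the AgentIdentityMap key expansion and the 30-minute join
so the thresholds and the window can be exercised without a workspace.
"""
import re
from datetime import datetime, timedelta

# Secret / bulk-PII patterns, as in the rule's Sensitive predicate.
AKIA_RE = re.compile(r"AKIA[0-9A-Z]{16}")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
BULK_EMAIL_THRESHOLD = 10          # >= 10 addresses in one output counts as bulk PII

EGRESS_OPS = {"AnonymousLinkCreated", "SharingInvitationCreated", "AddedToSecureLink",
              "CompanyLinkCreated", "SharingSet", "FileSyncUploadedFull", "FileDownloaded"}
JOIN_WINDOW = timedelta(minutes=30)


def is_sensitive(output: str) -> bool:
    """Mirror of the KQL predicate. KQL `contains` is case-insensitive, `matches regex` is not."""
    lowered = output.lower()
    return (AKIA_RE.search(output) is not None
            or ("-----begin" in lowered and "private key-----" in lowered)
            or JWT_RE.search(output) is not None
            or len(EMAIL_RE.findall(output)) >= BULK_EMAIL_THRESHOLD)


def is_egress(row: dict) -> bool:
    """The rule's Operation filter: a sharing/download op, or a Send with recipients."""
    op = row.get("Operation", "")
    return op in EGRESS_OPS or (op == "Send" and bool(row.get("Recipients")))


def agent_keys(watchlist: list) -> dict:
    """AgentIdentityMap -> {lower-cased Upn/AppId/ObjectId: AgentName}, like the mv-expand."""
    keys = {}
    for entry in watchlist:
        for col in ("Upn", "AppId", "ObjectId"):
            val = (entry.get(col) or "").lower()
            if val:
                keys[val] = entry["AgentName"]
    return keys


def minute_diff(later: datetime, earlier: datetime) -> int:
    """datetime_diff('minute', ...) counts minute boundaries crossed, not elapsed seconds // 60."""
    trunc = lambda d: d.replace(second=0, microsecond=0)
    return int((trunc(later) - trunc(earlier)).total_seconds() // 60)


def correlate(spans: list, office_rows: list, watchlist: list) -> list:
    """Inner join of egress rows to sensitive spans of the same agent within JOIN_WINDOW."""
    keys = agent_keys(watchlist)
    sensitive = [s for s in spans if s.get("Output") and is_sensitive(s["Output"])]
    hits = []
    for row in office_rows:
        if not is_egress(row):
            continue
        actor = (row.get("UserId") or row.get("UserKey") or "").lower()  # coalesce + tolower
        agent = keys.get(actor)
        if agent is None:
            continue                       # identity not in the watchlist: no bridge to Foundry
        for span in sensitive:
            if span["AgentName"] != agent:
                continue
            if span["TimeGenerated"] <= row["TimeGenerated"] <= span["TimeGenerated"] + JOIN_WINDOW:
                hits.append({
                    "EgressTime": row["TimeGenerated"], "SpanTime": span["TimeGenerated"],
                    "AgentName": agent, "Actor": actor, "EgressOp": row["Operation"],
                    "Doc": row.get("SourceFileName", ""), "Target": row.get("TargetUserOrGroupName", ""),
                    "ConvId": span["ConvId"],
                    "LagMinutes": minute_diff(row["TimeGenerated"], span["TimeGenerated"]),
                })
    return sorted(hits, key=lambda h: h["EgressTime"], reverse=True)


# --- constructed sample data (not real telemetry) ---
T0 = datetime(2026, 6, 8, 10, 0)
WATCHLIST = [{"AgentName": "hr-assistant", "AppId": "11111111-2222-3333-4444-555555555555",
              "ObjectId": "", "Upn": "hr-assistant@contoso.example"}]
SPANS = [
    {"TimeGenerated": T0, "AgentName": "hr-assistant", "ConvId": "conv-1",
     "Output": ", ".join(f"user{i}@contoso.example" for i in range(12))},   # bulk PII
    {"TimeGenerated": T0 + timedelta(minutes=5), "AgentName": "hr-assistant",
     "ConvId": "conv-2", "Output": "Here is the headcount summary."},        # benign
    {"TimeGenerated": T0 + timedelta(minutes=10), "AgentName": "sales-bot",
     "ConvId": "conv-3", "Output": "key=AKIAABCDEFGHIJKLMNOP"},             # secret, no egress
]
OFFICE = [
    {"TimeGenerated": T0 + timedelta(minutes=20, seconds=30), "Operation": "AnonymousLinkCreated",
     "UserId": "HR-Assistant@contoso.example", "SourceFileName": "employees.xlsx"},  # hit
    {"TimeGenerated": T0 + timedelta(minutes=25), "Operation": "FileAccessed",
     "UserId": "hr-assistant@contoso.example"},                               # not egress
    {"TimeGenerated": T0 + timedelta(minutes=60), "Operation": "Send", "Recipients": "x@ext.example",
     "UserId": "hr-assistant@contoso.example"},                               # outside window
    {"TimeGenerated": T0 + timedelta(minutes=21), "Operation": "AnonymousLinkCreated",
     "UserId": "someone@contoso.example"},                                    # not an agent
]

if __name__ == "__main__":
    for hit in correlate(SPANS, OFFICE, WATCHLIST):
        print(hit)
```

Running the sample yields exactly one row: the anonymous link created 20 minutes after the bulk-PII span by `hr-assistant`. The benign span, the unmapped user, the non-egress `FileAccessed` row and the `Send` an hour later all drop out, which is the behaviour the rule's description promises. Two details worth noting when tuning the live rule: the UPN match is case-insensitive only because both sides are lower-cased, and `datetime_diff('minute', ...)` counts minute boundaries crossed, so `LagMinutes` can read one higher than elapsed seconds divided by 60.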

David Alonso
Released: June 8, 2026