Query Details

Agent Sensitive Retrieval Office

Query

id: d3140516-bbbb-4d17-910b-0123456789cd
name: Agent - Sensitive document retrieval via OfficeActivity
description: |
  Correlates Foundry / Agent Service agent identities with SharePoint /
  OneDrive file access recorded in OfficeActivity. This covers Sensitive
  Retrieval and the data-access stage of the agent kill chain: an agent
  identity reading documents - especially in bulk, or files whose names
  look sensitive (secret, password, salary, confidential, PII, etc.).

  OfficeActivity records the actor in UserId (a UPN for user identities, an
  application context for app-only access); UserKey is used as a fallback
  when UserId is empty. This hunt joins the AgentIdentityMap watchlist
  (agent -> Upn / AppId / ObjectId) so only file reads performed by a mapped
  agent identity are returned, then ranks them by volume and sensitive-name
  matches. Populate AgentIdentityMap (Upn especially) or this hunt returns
  nothing.
query: |
  let lookback = 1d;
  let sensitiveName = dynamic([
      "secret", "password", "passwd", "credential", "confidential",
      "salary", "payroll", "ssn", "passport", "private", "api key",
      "apikey", "token", "pii", "gdpr", "restricted", "do not share"]);
  let agentKeys =
      _GetWatchlist('AgentIdentityMap')
      | project AgentName = tostring(column_ifexists('AgentName', '')),
                AppId = tolower(tostring(column_ifexists('AppId', ''))),
                ObjectId = tolower(tostring(column_ifexists('ObjectId', ''))),
                Upn = tolower(tostring(column_ifexists('Upn', '')))
      | mv-expand Key = pack_array(Upn, AppId, ObjectId) to typeof(string)
      | where isnotempty(Key)
      | distinct AgentName, Key;
  OfficeActivity
  | where TimeGenerated > ago(lookback)
  | extend
      RecordType_     = tostring(column_ifexists('RecordType', '')),
      Operation_      = tostring(column_ifexists('Operation', '')),
      UserId_         = tostring(column_ifexists('UserId', '')),
      UserKey_        = tostring(column_ifexists('UserKey', '')),
      OfficeObjectId_ = tostring(column_ifexists('OfficeObjectId', '')),
      SourceFileName_ = tostring(column_ifexists('SourceFileName', '')),
      OfficeWorkload_ = tostring(column_ifexists('OfficeWorkload', '')),
      SiteUrl_        = tostring(column_ifexists('Site_Url', ''))
  // File records only, and only read-type operations: writes, deletes and
  // sharing changes are out of scope for this hunt.
  | where RecordType_ in ("SharePointFileOperation", "OneDrive")
      and Operation_ in ("FileAccessed", "FileDownloaded", "FileSyncDownloadedFull",
                         "FileAccessedExtended", "FilePreviewed")
  // coalesce() only skips nulls, and column_ifexists() yields '' for a missing
  // column, so test for emptiness explicitly before falling back to UserKey.
  | extend Actor = tolower(iff(isnotempty(UserId_), UserId_, UserKey_))
  | where isnotempty(Actor)
  | join kind=inner agentKeys on $left.Actor == $right.Key
  // has_any is term-based and case-insensitive: "pii" matches "PII_export.xlsx"
  // but not "happiness.docx". The full path is checked as well, so a folder
  // named "Confidential" flags files with innocuous names.
  | extend SensitiveHit = SourceFileName_ has_any (sensitiveName)
                       or OfficeObjectId_ has_any (sensitiveName)
  | summarize
      FileReads      = count(),
      DistinctFiles  = dcount(OfficeObjectId_),
      SensitiveReads = countif(SensitiveHit),
      SampleDocs     = make_set_if(SourceFileName_, isnotempty(SourceFileName_), 15),
      Sites          = make_set_if(SiteUrl_, isnotempty(SiteUrl_), 8),
      Workloads      = make_set(OfficeWorkload_, 4),
      FirstSeen      = min(TimeGenerated),
      LastSeen       = max(TimeGenerated)
      by AgentName, Actor
  // Surface either a sensitive-name hit or bulk reading (50+ distinct files).
  | where SensitiveReads > 0 or DistinctFiles >= 50
  | project
      LastSeen, AgentName, Actor, FileReads, DistinctFiles,
      SensitiveReads, Workloads, Sites, SampleDocs, FirstSeen
  | order by SensitiveReads desc, DistinctFiles desc
tactics:
  - Collection
  - Exfiltration
techniques:
  - T1213
  - T1530
tags:
  - Sentinel-As-Code
  - Custom
  - Foundry
  - AI

Explanation

This query detects and ranks potentially sensitive document access by AI agent identities in SharePoint and OneDrive. Here's a simplified breakdown:

  1. Purpose: The query identifies file reads performed by known agent identities (those listed in the AgentIdentityMap watchlist) and flags files whose names or paths suggest confidential content, such as "password," "salary," or "PII." It also flags bulk reading even when no name matches.

  2. Data Sources: It uses the OfficeActivity table, which records SharePoint and OneDrive file operations from the Microsoft 365 audit log.

  3. Agent Mapping: The query first expands the AgentIdentityMap watchlist into a flat list of lookup keys (each agent's UPN, application ID and object ID), lower-cased so the later join is case-insensitive.

  4. Filtering: It keeps only SharePoint/OneDrive file records from the last day whose operation is a read (FileAccessed, FileDownloaded, FileSyncDownloadedFull, FileAccessedExtended or FilePreviewed); writes, deletes and sharing changes are out of scope.

  5. Correlation: The actor is taken from UserId, falling back to UserKey when UserId is empty, and inner-joined against the agent keys, so only activity by a mapped agent identity survives.

  6. Sensitive File Detection: It checks whether the file name or the full object path contains one of the sensitive keywords. The match is term-based and case-insensitive (that is how has_any works), so "PII_export.xlsx" matches "pii" but "happiness.docx" does not, and a folder named "Confidential" flags files with bland names.

  7. Summarization: Per agent and actor, the query counts file reads, distinct files and sensitive reads, and collects sample document names, the sites or workloads involved, and the first and last time seen.

  8. Filtering Results: It only returns agents with at least one sensitive read or 50 or more distinct files read in the window.

  9. Output: Results are sorted by sensitive reads and then by distinct files, giving a prioritized view of the riskiest agent identities.

Two caveats when tuning it: name matching is a heuristic, so documents with bland names are missed and common words such as "token" or "private" can hit unrelated files; and the 50-file bulk threshold should be set against each agent's normal read volume, since a summarization agent may legitimately read hundreds of files a day. An agent whose reads are logged under an application context rather than its UPN will only match if the corresponding AppId or ObjectId is present in the watchlist and appears in the audit record's actor field.

Overall, this query helps identify and prioritize potential security incidents involving sensitive document access by agent identities, aiding in threat detection and response efforts.
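The steps above, run end to end over constructed data, as an added example: this is Python rather than KQL so it executes without a Log Analytics workspace, and it is not the page's query or a Microsoft artifact. It models the watchlist key expansion, the read-only filter, the UserId/UserKey fallback, has_any's term-based matching and the per-agent threshold and ranking. All records, identities, site URLs and AgentIdentityMap rows are constructed, and the has_any approximation (terms as maximal runs of alphanumeric characters) is an assumption about KQL term splitting.

```python
"""Offline model of the "Agent - Sensitive document retrieval via OfficeActivity" hunt.
Added example (not the page's KQL, not a Microsoft artifact): the query's steps redone in
plain Python over constructed OfficeActivity-like rows so the logic can be run offline."""
import re
from datetime import datetime, timedelta

SENSITIVE_NAMES = ["secret", "password", "passwd", "credential", "confidential",
                   "salary", "payroll", "ssn", "passport", "private", "api key",
                   "apikey", "token", "pii", "gdpr", "restricted", "do not share"]
READ_OPS = {"FileAccessed", "FileDownloaded", "FileSyncDownloadedFull",
            "FileAccessedExtended", "FilePreviewed"}
FILE_RECORD_TYPES = {"SharePointFileOperation", "OneDrive"}
NOW = datetime(2026, 6, 8, 12, 0, 0)              # constructed "query time"
OBJ_ID = "22222222-2222-2222-2222-222222222222"   # constructed agent ObjectId
HR = "hr-assistant@contoso.example"                # constructed agent UPN
HR_SITE = "https://contoso.example/sites/HR/Shared Documents/"

# Constructed AgentIdentityMap rows; the mixed-case Upn shows that keys are lower-cased.
AGENT_IDENTITY_MAP = [
    {"AgentName": "hr-assistant", "AppId": "11111111-1111-1111-1111-111111111111",
     "ObjectId": "", "Upn": "HR-Assistant@contoso.example"},
    {"AgentName": "docs-summarizer", "AppId": "", "ObjectId": OBJ_ID, "Upn": ""},
]

def build_agent_keys(watchlist):
    """Mirror of the agentKeys subquery: one lower-cased key per non-empty Upn/AppId/ObjectId."""
    keys = {}
    for row in watchlist:
        for col in ("Upn", "AppId", "ObjectId"):
            key = (row.get(col) or "").strip().lower()
            if key:
                keys[key] = row["AgentName"]
    return keys

def terms(text):
    # Assumed KQL-style term split: maximal runs of alphanumeric characters, case-folded.
    return re.findall(r"[0-9a-z]+", text.lower())

def has_any(text, needles):
    """Approximates KQL has_any: a needle hits when its terms appear as consecutive whole
    terms of the text ("pii" hits "PII_export.xlsx" but not "happiness.docx")."""
    toks = terms(text)
    for nt in map(terms, needles):
        if any(toks[i:i + len(nt)] == nt for i in range(len(toks) - len(nt) + 1)):
            return True
    return False

def make_record(ts, op, user_id, user_key, path, workload="SharePoint",
                record_type="SharePointFileOperation"):
    """Constructed OfficeActivity-like row; SourceFileName is the last path segment."""
    return {"TimeGenerated": ts, "RecordType": record_type, "Operation": op,
            "UserId": user_id, "UserKey": user_key, "OfficeObjectId": path,
            "SourceFileName": path.rsplit("/", 1)[-1], "OfficeWorkload": workload}

SAMPLE_RECORDS = [
    make_record(NOW - timedelta(hours=3), "FileAccessed", HR, "", HR_SITE + "Payroll_Q3.xlsx"),
    make_record(NOW - timedelta(hours=3), "FileDownloaded", HR, "", HR_SITE + "Payroll_Q3.xlsx"),
    make_record(NOW - timedelta(hours=2), "FileAccessed", HR, "", HR_SITE + "api_key.txt"),
    make_record(NOW - timedelta(hours=2), "FilePreviewed", HR, "", HR_SITE + "happiness_survey.docx"),
    # Bland name in a sensitive folder: caught because the full path is checked too.
    make_record(NOW - timedelta(hours=1), "FileAccessed", HR, "", HR_SITE + "Confidential/notes.docx"),
    # Out of scope: a write, a row outside the lookback, and an unmapped user.
    make_record(NOW - timedelta(hours=1), "FileModified", HR, "", HR_SITE + "secrets.txt"),
    make_record(NOW - timedelta(days=2), "FileAccessed", HR, "", HR_SITE + "Confidential.pdf"),
    make_record(NOW - timedelta(hours=1), "FileAccessed", "alice@contoso.example", "", HR_SITE + "passwords.xlsx"),
] + [
    # Bulk app-only reads: empty UserId, so the actor falls back to UserKey (here the ObjectId).
    make_record(NOW - timedelta(minutes=m), "FileSyncDownloadedFull", "", OBJ_ID,
                "https://contoso-my.example/personal/bob/Shared Documents/brief-%02d.docx" % m,
                workload="OneDrive")
    for m in range(60)
]

def hunt(records, watchlist, now=NOW, lookback=timedelta(days=1), bulk_threshold=50):
    """Run the hunt over in-memory rows; returns per-agent summaries, most suspicious first."""
    keys, acc = build_agent_keys(watchlist), {}
    for r in records:
        if r["TimeGenerated"] <= now - lookback:
            continue
        if r["RecordType"] not in FILE_RECORD_TYPES or r["Operation"] not in READ_OPS:
            continue   # file records and read-type operations only
        actor = (r["UserId"] or r["UserKey"]).lower()   # iff(isnotempty(UserId), UserId, UserKey)
        agent = keys.get(actor)
        if agent is None:
            continue   # inner join against the watchlist keys
        a = acc.setdefault((agent, actor), {
            "AgentName": agent, "Actor": actor, "FileReads": 0, "Files": set(), "SensitiveReads": 0,
            "SampleDocs": [], "FirstSeen": r["TimeGenerated"], "LastSeen": r["TimeGenerated"]})
        a["FileReads"] += 1
        a["Files"].add(r["OfficeObjectId"])
        if has_any(r["SourceFileName"], SENSITIVE_NAMES) or has_any(r["OfficeObjectId"], SENSITIVE_NAMES):
            a["SensitiveReads"] += 1
        if r["SourceFileName"] not in a["SampleDocs"] and len(a["SampleDocs"]) < 15:   # make_set(Doc, 15)
            a["SampleDocs"].append(r["SourceFileName"])
        a["FirstSeen"] = min(a["FirstSeen"], r["TimeGenerated"])
        a["LastSeen"] = max(a["LastSeen"], r["TimeGenerated"])
    rows = []
    for a in acc.values():
        a["DistinctFiles"] = len(a.pop("Files"))
        if a["SensitiveReads"] > 0 or a["DistinctFiles"] >= bulk_threshold:
            rows.append(a)
    return sorted(rows, key=lambda a: (-a["SensitiveReads"], -a["DistinctFiles"]))
```

Calling hunt(SAMPLE_RECORDS, AGENT_IDENTITY_MAP) returns hr-assistant first (four sensitive reads across four distinct files, the Payroll file counted twice because it was accessed and then downloaded, notes.docx flagged by its folder) and docs-summarizer second (60 distinct OneDrive files, no name hits, matched on ObjectId because UserId was empty). The FileModified row, the two-day-old row and the unmapped user never reach the summary, and raising bulk_threshold above 60 drops docs-summarizer entirely, which is the tuning knob the caveat above refers to.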

Details


David Alonso

Released: June 8, 2026

Tables

OfficeActivity

Keywords

Agent, OfficeActivity, SharePoint, OneDrive, User, File, Sensitive, Document, Actor

Operators

let, dynamic, _GetWatchlist, project, tostring, column_ifexists, tolower, mv-expand, pack_array, typeof, where, isnotempty, distinct, ago, extend, coalesce, join, on, has_any, summarize, count, dcount, countif, make_set, min, max, by, order, desc