Agent - Sensitive document retrieval via OfficeActivity
Agent Sensitive Retrieval Office
Query
let lookback = 1d;
let sensitiveName = dynamic([
"secret", "password", "passwd", "credential", "confidential",
"salary", "payroll", "ssn", "passport", "private", "api key",
"apikey", "token", "pii", "gdpr", "restricted", "do not share"]);
let agentKeys =
_GetWatchlist('AgentIdentityMap')
| project AgentName = tostring(column_ifexists('AgentName', '')),
AppId = tolower(tostring(column_ifexists('AppId', ''))),
ObjectId = tolower(tostring(column_ifexists('ObjectId', ''))),
Upn = tolower(tostring(column_ifexists('Upn', '')))
| mv-expand Key = pack_array(Upn, AppId, ObjectId) to typeof(string)
| where isnotempty(Key)
| distinct AgentName, Key;
OfficeActivity
| where TimeGenerated > ago(lookback)
| extend
RecordType_ = tostring(column_ifexists('RecordType', '')),
Operation_ = tostring(column_ifexists('Operation', '')),
UserId_ = tostring(column_ifexists('UserId', '')),
UserKey_ = tostring(column_ifexists('UserKey', '')),
OfficeObjectId_ = tostring(column_ifexists('OfficeObjectId', '')),
SourceFileName_ = tostring(column_ifexists('SourceFileName', '')),
OfficeWorkload_ = tostring(column_ifexists('OfficeWorkload', ''))
| where RecordType_ in ("SharePointFileOperation", "OneDrive")
or Operation_ in ("FileAccessed", "FileDownloaded", "FileSyncDownloadedFull",
"FileAccessedExtended", "FilePreviewed")
| extend Actor = tolower(coalesce(UserId_, UserKey_))
| where isnotempty(Actor)
| join kind=inner agentKeys on $left.Actor == $right.Key
| extend FileLower = tolower(OfficeObjectId_), Doc = SourceFileName_
| extend SensitiveHit = SourceFileName_ has_any (sensitiveName)
or FileLower has_any (sensitiveName)
| summarize
FileReads = count(),
DistinctFiles = dcount(OfficeObjectId_),
SensitiveReads = countif(SensitiveHit),
SampleDocs = make_set(Doc, 15),
Sites = make_set(OfficeWorkload_, 8),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AgentName, Actor
| where SensitiveReads > 0 or DistinctFiles >= 50
| project
LastSeen, AgentName, Actor, FileReads, DistinctFiles,
SensitiveReads, Sites, SampleDocs, FirstSeen
| order by SensitiveReads desc, DistinctFiles descExplanation
This query is designed to detect and analyze potentially sensitive document access activities in SharePoint and OneDrive. Here's a simplified breakdown:
-
Purpose: The query aims to identify instances where specific agent identities (from a predefined list) access files that might be sensitive. It focuses on files with names suggesting they contain confidential information, such as "password," "salary," or "PII."
-
Data Sources: It uses data from OfficeActivity logs, which record file access events in SharePoint and OneDrive.
-
Agent Mapping: The query first retrieves a list of agent identities from a watchlist called
AgentIdentityMap. This list maps agents to their respective user or application identifiers. -
Filtering: It filters the OfficeActivity logs to include only relevant file operations (like file access or download) within the last day.
-
Correlation: The query correlates these file operations with the mapped agent identities to focus only on activities performed by these agents.
-
Sensitive File Detection: It checks if the accessed files have names that match a list of sensitive keywords.
-
Summarization: The query summarizes the data by counting the number of file reads, distinct files accessed, and sensitive file reads for each agent. It also collects sample document names and the sites where the activities occurred.
-
Filtering Results: It only returns results where there are either sensitive reads or a large number of distinct files accessed (50 or more).
-
Output: The results are sorted by the number of sensitive reads and distinct files accessed, providing a prioritized view of potentially risky activities.
Overall, this query helps identify and prioritize potential security incidents involving sensitive document access by specific agents, aiding in threat detection and response efforts.
Details

David Alonso
Released: June 8, 2026
Tables
Keywords
Operators
Tactics