Query Details

Rag Source Poisoning Writes

Query

id: e4150617-cccc-4d18-910c-0123456789ce
name: Agent - RAG / memory source poisoning via OfficeActivity
description: |
  Surfaces write / upload / modification activity against the SharePoint
  and OneDrive locations that feed Foundry / Agent Service retrieval (RAG)
  and agent memory. This covers RAG Poisoning and Memory Poisoning: an
  attacker (or a compromised account) planting or editing documents in a
  grounding source so the agent later retrieves adversarial content,
  hidden directives or smuggled instructions.

  This is a content-integrity hunt on the source side, complementary to
  the retrieval-side AgentGroundingSourceEnumeration /
  FoundryUntrustedToolSource content. It flags writes to hosts on the
  FoundryTrustedToolSources watchlist (your known RAG sources) and,
  separately, any upload of a file whose name carries instruction-like
  markers. Tune the grounding-site list to the actual SharePoint sites
  your agents index.
query: |
  let lookback = 1d;
  let injectionMarker = dynamic([
      "ignore previous", "system prompt", "you must", "as an ai",
      "disregard", "new instructions", "do not tell", "override",
      ".prompt", ".instructions", "jailbreak"]);
  let ragHosts =
      _GetWatchlist('FoundryTrustedToolSources')
      | project Host = tolower(tostring(column_ifexists('SourceUri', '')))
      | where isnotempty(Host);
  OfficeActivity
  | where TimeGenerated > ago(lookback)
  | extend
      RecordType_     = tostring(column_ifexists('RecordType', '')),
      Operation_      = tostring(column_ifexists('Operation', '')),
      UserId_         = tostring(column_ifexists('UserId', '')),
      UserKey_        = tostring(column_ifexists('UserKey', '')),
      SiteUrl_        = tostring(column_ifexists('SiteUrl', '')),
      SourceFileName_ = tostring(column_ifexists('SourceFileName', '')),
      ClientIP_       = tostring(column_ifexists('ClientIP', '')),
      UserAgent_      = tostring(column_ifexists('UserAgent', ''))
  | where RecordType_ in ("SharePointFileOperation", "OneDrive")
  | where Operation_ in ("FileUploaded", "FileModified", "FileModifiedExtended",
                        "FileCheckedIn", "FileRenamed", "FileMoved",
                        "FileSyncUploadedFull")
  | extend
      Actor    = tolower(coalesce(UserId_, UserKey_)),
      SiteHost = tolower(tostring(parse_url(SiteUrl_).Host)),
      Doc      = SourceFileName_
  | extend
      TargetsRagHost  = SiteHost in (ragHosts)
                     or tolower(SiteUrl_) has_any (toscalar(ragHosts | summarize make_list(Host))),
      InjectionInName = tolower(Doc) has_any (injectionMarker)
  | where TargetsRagHost or InjectionInName
  | project
      TimeGenerated, Operation = Operation_, Actor, SiteUrl = SiteUrl_, SiteHost, Doc,
      TargetsRagHost, InjectionInName, ClientIP = ClientIP_, UserAgent = UserAgent_
  | order by TimeGenerated desc
tactics:
  - InitialAccess
  - Persistence
techniques:
  - T1195
  - T1565
tags:
  - Sentinel-As-Code
  - Custom
  - Foundry
  - AI

Explanation

This query is designed to detect suspicious activities related to potential tampering with SharePoint and OneDrive files, which could affect AI systems that rely on these files for data retrieval. Here's a simplified breakdown:

  1. Purpose: The query identifies activities that could indicate an attacker is trying to manipulate or "poison" the data sources (SharePoint and OneDrive) used by AI agents. This could involve planting or modifying documents to include malicious content or hidden instructions.

  2. Scope: It focuses on file operations such as uploads, modifications, and renames within the last day (lookback = 1d).

  3. Detection Criteria:

    • RAG Hosts: It checks whether the activity targets known trusted sources (RAG hosts) by comparing the site URLs against a watchlist of trusted sources.
    • Injection Markers: It looks for suspicious phrases in file names that might indicate an attempt to include hidden instructions or adversarial content.

  4. Output: The query returns a list of activities that either target trusted sources or have suspicious file names, including details such as the time of the activity, the operation performed, the user involved, the site URL, and the client IP address.

  5. Security Context: The query is part of a broader security strategy to maintain the integrity of content used by AI systems, addressing tactics like Initial Access and Persistence, and techniques such as Supply Chain Compromise (T1195) and Data Manipulation (T1565).

Overall, this query helps in identifying and flagging potential security threats related to data integrity in AI systems by monitoring file activities in critical data sources.
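To check the row logic of this hunt offline before committing it to a Sentinel-as-Code repository, the following Python replica (an added example, not the page's query or any Microsoft code) applies the same RecordType, Operation, watchlist-host and marker filters to constructed OfficeActivity rows. The watchlist rows and events are constructed; the 1d lookback is left to the caller, and KQL's term-based `has_any` is approximated with substring matching.

```python
"""Offline replica of the hunt's row logic, for testing Sentinel-as-Code
detections against constructed events before deploying them."""
from urllib.parse import urlparse

# Same marker list as the query's injectionMarker array.
INJECTION_MARKERS = [
    "ignore previous", "system prompt", "you must", "as an ai",
    "disregard", "new instructions", "do not tell", "override",
    ".prompt", ".instructions", "jailbreak",
]
RECORD_TYPES = {"SharePointFileOperation", "OneDrive"}
WRITE_OPERATIONS = {
    "FileUploaded", "FileModified", "FileModifiedExtended", "FileCheckedIn",
    "FileRenamed", "FileMoved", "FileSyncUploadedFull",
}

# Constructed stand-in for _GetWatchlist('FoundryTrustedToolSources'):
# one bare host plus an empty row that the query's isnotempty() filter drops.
WATCHLIST = [{"SourceUri": "contoso.sharepoint.com"}, {"SourceUri": ""}]


def watchlist_hosts(rows):
    """Host = tolower(SourceUri), empty rows dropped, as in the ragHosts let."""
    return {r.get("SourceUri", "").strip().lower()
            for r in rows if r.get("SourceUri", "").strip()}


def evaluate(event, rag_hosts):
    """Apply the query's filters to one OfficeActivity row and return the
    projected hit, or None. Missing columns read as '' like column_ifexists()."""
    if event.get("RecordType", "") not in RECORD_TYPES:
        return None
    operation = event.get("Operation", "")
    if operation not in WRITE_OPERATIONS:
        return None
    site_url = event.get("SiteUrl", "")
    site_host = (urlparse(site_url).hostname or "").lower()
    doc = event.get("SourceFileName", "")
    # coalesce(UserId, UserKey): the first non-empty string wins.
    actor = (event.get("UserId", "") or event.get("UserKey", "")).lower()
    # TargetsRagHost: exact host match, or a watchlist host appearing in the
    # URL (substring here; KQL has_any matches whole terms).
    targets_rag_host = site_host in rag_hosts or any(
        h in site_url.lower() for h in rag_hosts)
    # InjectionInName: any marker in the file name (same substring caveat).
    injection_in_name = any(m in doc.lower() for m in INJECTION_MARKERS)
    if not (targets_rag_host or injection_in_name):
        return None
    return {
        "TimeGenerated": event.get("TimeGenerated", ""), "Operation": operation,
        "Actor": actor, "SiteUrl": site_url, "SiteHost": site_host, "Doc": doc,
        "TargetsRagHost": targets_rag_host, "InjectionInName": injection_in_name,
        "ClientIP": event.get("ClientIP", ""), "UserAgent": event.get("UserAgent", ""),
    }


def run_hunt(events, rag_hosts):
    """Evaluate every event; hits come back newest first (order by TimeGenerated desc)."""
    hits = [h for h in (evaluate(e, rag_hosts) for e in events) if h]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


# Constructed OfficeActivity rows (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-06-08T10:00:00Z", "RecordType": "SharePointFileOperation",
     "Operation": "FileUploaded", "UserId": "alice@contoso.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/agent-kb/",
     "SourceFileName": "vendor-faq.docx", "ClientIP": "203.0.113.10"},
    # Personal OneDrive: not a RAG host, but the file name carries a marker.
    {"TimeGenerated": "2026-06-08T10:05:00Z", "RecordType": "OneDrive",
     "Operation": "FileSyncUploadedFull", "UserId": "", "UserKey": "1003BFFD8A1B2C3D",
     "SiteUrl": "https://contoso-my.sharepoint.com/personal/bob_contoso_com/",
     "SourceFileName": "Ignore previous instructions.txt", "ClientIP": "198.51.100.7"},
    # Read-only operation: excluded by the Operation filter.
    {"TimeGenerated": "2026-06-08T10:10:00Z", "RecordType": "SharePointFileOperation",
     "Operation": "FileAccessed", "UserId": "alice@contoso.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/agent-kb/",
     "SourceFileName": "vendor-faq.docx"},
    # Unrelated site on the same tenant host: still flagged, because the
    # watchlist is host-granular. This is the noise the description's
    # "tune the grounding-site list" advice is about.
    {"TimeGenerated": "2026-06-08T10:15:00Z", "RecordType": "SharePointFileOperation",
     "Operation": "FileModified", "UserId": "carol@contoso.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/hr/",
     "SourceFileName": "q2-headcount.xlsx"},
    # Non-file record type: excluded by the RecordType filter.
    {"TimeGenerated": "2026-06-08T10:20:00Z", "RecordType": "ExchangeItem",
     "Operation": "Send", "UserId": "dave@contoso.com"},
]

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_EVENTS, watchlist_hosts(WATCHLIST)):
        print(hit["TimeGenerated"], hit["Operation"], hit["Actor"], hit["Doc"],
              "rag_host" if hit["TargetsRagHost"] else "",
              "marker" if hit["InjectionInName"] else "")
```

Running the module prints three hits: the HR-site modification, the OneDrive upload with the marker-bearing name, and the agent-kb upload. The HR-site hit is the one to study when tuning: a bare tenant host in the watchlist matches every site on that host, so listing the specific grounding sites (or checking `SiteUrl` prefixes) is what brings the noise down.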

Details


David Alonso

Released: June 8, 2026

Tables

OfficeActivity

Keywords

Agent, OfficeActivity, SharePoint, OneDrive, Foundry, User, File, Host, SiteUrl, ClientIP, UserAgent

Operators

let, dynamic, project, tolower, tostring, column_ifexists, where, isnotempty, ago, extend, coalesce, parse_url, has_any, toscalar, summarize, make_list, order by
