External Activity Policies
Detect and control data egress to third-party domains, SaaS platforms, and unapproved AI services.
External Activity policies monitor data leaving your environment — egress to third-party domains, SaaS tools, cloud APIs, and AI services.
When to use:
- Detecting shadow AI (data sent to unapproved LLMs)
- Monitoring uploads to code repositories
- Tracking large or rapid data egress to unknown domains
Unique Step: Select Third Party
This policy type adds a Select Third Party step not present in other policy types. Target by:
- Domain or subdomain (e.g. openai.com, *.openai.com)
- IP address or CIDR range
Use IN for focused control (only monitor the listed destinations) or NOT IN for an allowlist approach (alert on everything except approved destinations).
Condition Fields
| Field | Description |
|---|---|
| First-time contact | First time this service accessed this destination |
| Access window | Time-of-day or day-of-week constraints |
| Destination geo/IP | Country or IP range |
| Packet size | Request/response bytes threshold |
| Protocol | HTTP, HTTPS, gRPC, etc. |
| Sensitive data types | PII, PHI, PCI detected in payload |
| Access frequency | Requests per hour/day |
Ready-to-Use Recipes
Shadow AI Egress
Third party: unapproved LLM domains | Condition: sensitive type includes PII AND packet size ≥ 1MB | Severity: Critical
Contractor Code Upload
Third party: github.com, gitlab.com | Accessor: contractor group | Severity: High
Large After-Hours Export
Third party: ALL | Condition: packet size ≥ 10MB AND access window NOT IN 09:00–18:00 | Severity: High
Unknown Domain First Contact
Third party: NOT IN approved-domains group | Condition: first-time contact = true | Severity: Medium
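
The Select Third Party targeting (domain, subdomain wildcard, IP, CIDR) with IN / NOT IN, applied to the Unknown Domain First Contact recipe, as an added Python illustration; it is not the product's code or configuration format. The function names, the sample destinations, and the assumption that `*.domain` matches subdomains but not the apex domain are ours.

```python
import ipaddress

def matches_target(dest, target):
    """True if dest (hostname or IP) matches one entry: domain, '*.domain', IP or CIDR."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    if ip is not None:
        try:
            return ip in ipaddress.ip_network(target, strict=False)
        except ValueError:
            return False  # entry is a domain; an IP destination never matches it
    host, target = dest.lower().rstrip("."), target.lower().rstrip(".")
    if target.startswith("*."):
        # Assumption: the wildcard covers subdomains only, not the apex.
        # Matching on the leading dot keeps 'notopenai.com' out of '*.openai.com'.
        return host.endswith(target[1:])
    return host == target

def in_scope(dest, targets, operator):
    """IN: only listed destinations are monitored. NOT IN: everything except them."""
    listed = any(matches_target(dest, t) for t in targets)
    if operator not in ("IN", "NOT IN"):
        raise ValueError(f"unknown operator: {operator}")
    return listed if operator == "IN" else not listed

# Constructed allowlist and events (service, destination); not real traffic.
APPROVED = ["github.com", "*.github.com", "198.51.100.0/24"]
EVENTS = [
    ("billing", "api.github.com"),          # approved subdomain
    ("billing", "github.com.example.net"),  # not a subdomain of github.com
    ("billing", "github.com.example.net"),  # repeat, no longer first contact
    ("reports", "198.51.100.20"),           # inside the approved CIDR
    ("reports", "203.0.113.9"),             # outside it
]

def unknown_first_contact(events, approved):
    """Recipe: third party NOT IN approved AND first-time contact -> Medium."""
    seen, alerts = set(), []
    for service, dest in events:
        first_time = (service, dest) not in seen
        seen.add((service, dest))
        if first_time and in_scope(dest, approved, "NOT IN"):
            alerts.append((service, dest, "Medium"))
    return alerts

if __name__ == "__main__":
    for alert in unknown_first_contact(EVENTS, APPROVED):
        print(alert)
```

An allowlist that relies on substring or plain suffix matching would treat `github.com.example.net` as approved; matching on whole labels is what makes the NOT IN mode trustworthy.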