Query Details
// Hunt : M365 - Sensitivity Label Change History on SharePoint / OneDrive (90d)
// Purpose : Enumerate all sensitivity label changes—upgrades and downgrades—on
// SharePoint and OneDrive files over 90 days. Useful for compliance
// audits, DLP investigations, and exfiltration-path reconstruction.
// Tables : OfficeActivity
// Period : P90D
//==========================================================================================
let LookbackDays = 90d;
OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType in ("SharePoint", "OneDrive")
| where Operation in (
    "SensitivityLabelChanged", "SensitivityLabelApplied",
    "SensitivityLabelRemoved", "FileSensitivityLabelChanged")
// Pull the label details out of the dynamic OperationProperties column
| extend
    OldLabelName = tostring(OperationProperties.OldSensitivityLabelName),
    NewLabelName = tostring(OperationProperties.NewSensitivityLabelName),
    LabelJustification = tostring(OperationProperties.JustificationText),
    AutoLabeled = tostring(OperationProperties.IsAutoLabel)
// Classify each event; the first matching branch wins
| extend
    ChangeType = case(
        Operation == "SensitivityLabelRemoved", "Removed",
        isempty(OldLabelName) and isnotempty(NewLabelName), "Applied",
        OldLabelName != NewLabelName, "Changed",
        "Unknown")
| summarize
    ChangeCount = count(),
    RemovedCount = countif(ChangeType == "Removed"),
    // Counts every "Changed" event: labels are not ranked here, so upgrades are included
    DowngradeCount = countif(ChangeType == "Changed"),
    FilesAffected = make_set(SourceFileName, 20),
    SiteURLs = make_set(Site_Url, 10)
    by UserId, ChangeType, OldLabelName, NewLabelName
| sort by ChangeCount desc
// DowngradeCount is computed above but not included in the final output
| project
    UserId,
    ChangeType,
    OldLabelName,
    NewLabelName,
    ChangeCount,
    RemovedCount,
    FilesAffected,
    SiteURLs
This query is designed to track changes in sensitivity labels on files stored in SharePoint and OneDrive over the past 90 days. It is useful for compliance audits, data loss prevention (DLP) investigations, and understanding potential data exfiltration paths. Here's a simple breakdown of what the query does:
Time Frame: It looks at activities from the last 90 days.
Data Source: It examines records from the OfficeActivity table, specifically focusing on activities related to SharePoint and OneDrive.
Operations of Interest: The query filters for operations where sensitivity labels were changed, applied, or removed.
Extracted Information: For each operation, it extracts details such as the old and new sensitivity label names, the justification for the change, and whether the label was applied automatically.
Change Type Classification: It categorizes the type of change as "Removed," "Applied," "Changed," or "Unknown" based on the operation and label names.
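Summary Statistics: For each combination of user, change type, old label, and new label, it counts the changes, the removals, and the label-to-label changes (DowngradeCount, which counts every "Changed" event because the query does not rank labels), and lists up to 20 affected files and 10 site URLs.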
Sorting and Presentation: The results are sorted by the number of changes in descending order and include details such as user ID, change type, old and new label names, counts of changes and removals, affected files, and site URLs.
This query helps identify patterns and trends in sensitivity label changes, which can be critical for maintaining data security and compliance.
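The query above cannot tell a downgrade from an upgrade, because nothing in it ranks the labels. The following added example (not part of the original query or its author's work) ranks labels with a constructed LabelPriority table, an assumption to replace with your tenant's label names and order, and keeps only downgrades and removals. The table, filters, and OperationProperties field names are taken unchanged from the query above.

```kusto
// Added example: separate downgrades from upgrades using a label ranking.
// LabelPriority is a CONSTRUCTED mapping (assumption): higher Priority = more sensitive.
let LookbackDays = 90d;
let LabelPriority = datatable(LabelName:string, Priority:int) [
    "Public", 0,
    "General", 1,
    "Confidential", 2,
    "Highly Confidential", 3
];
OfficeActivity
| where TimeGenerated > ago(LookbackDays)
| where RecordType in ("SharePoint", "OneDrive")
| where Operation in (
    "SensitivityLabelChanged", "SensitivityLabelApplied",
    "SensitivityLabelRemoved", "FileSensitivityLabelChanged")
| extend
    OldLabelName = tostring(OperationProperties.OldSensitivityLabelName),
    NewLabelName = tostring(OperationProperties.NewSensitivityLabelName),
    LabelJustification = tostring(OperationProperties.JustificationText)
// Attach a rank to the old and the new label; unmatched names yield null
| lookup kind=leftouter (
    LabelPriority | project OldLabelName = LabelName, OldPriority = Priority) on OldLabelName
| lookup kind=leftouter (
    LabelPriority | project NewLabelName = LabelName, NewPriority = Priority) on NewLabelName
| extend Direction = case(
    Operation == "SensitivityLabelRemoved", "Removed",
    isempty(OldLabelName) and isnotempty(NewLabelName), "Applied",
    // A label missing from LabelPriority is surfaced rather than silently ignored
    isnull(OldPriority) or isnull(NewPriority), "UnmappedLabel",
    NewPriority < OldPriority, "Downgrade",
    NewPriority > OldPriority, "Upgrade",
    "NoChange")
// Keep the events that reduce protection
| where Direction in ("Downgrade", "Removed")
| summarize
    EventCount = count(),
    Justifications = make_set(LabelJustification, 10),
    FilesAffected = make_set(SourceFileName, 20),
    SiteURLs = make_set(Site_Url, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserId, Direction, OldLabelName, NewLabelName
| sort by EventCount desc
```

Drop the final where clause once to review rows marked UnmappedLabel and confirm that the ranking table covers every label in use.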

David Alonso
Released: March 18, 2026