Query Details
// Detects when a user downgrades a label on a file and that file is then emailed outbound
// Data connector required for this query - Azure Information Protection
// Data connector required for this query - M365 Defender - Email* tables
// starttime = how far back to look for events
// timeframe = the maximum time allowed between the label downgrade and the email event
let starttime = 7d;
let timeframe = 4h;
InformationProtectionEvents
| where Time > ago(starttime)
| where Activity == "DowngradeLabel"
| project LabelChangeTime=Time, User, FileName=ItemName
| join kind=inner (
    EmailEvents
    | where EmailDirection == "Outbound"
    | project
        TimeGenerated,
        SenderMailFromAddress,
        RecipientEmailAddress,
        EmailDirection,
        NetworkMessageId
    // attach the file names carried by each outbound message
    | join kind=inner (EmailAttachmentInfo) on NetworkMessageId
    | project
        TimeGenerated,
        SenderMailFromAddress,
        RecipientEmailAddress,
        EmailDirection,
        FileName
    )
    on FileName
| project
    LabelChangeTime,
    EmailSendTime=TimeGenerated,
    SenderMailFromAddress,
    RecipientEmailAddress,
    EmailDirection,
    FileName
// keep only emails sent after the downgrade and no later than the timeframe
| where (EmailSendTime - LabelChangeTime) between (0min .. timeframe)

This query detects when a user downgrades the sensitivity label on a file and then emails that file outbound. It requires the Azure Information Protection data connector and the M365 Defender Email tables. The query looks back over starttime (7 days by default) for DowngradeLabel events, joins them on file name to outbound email events that carry an attachment of the same name, projects the relevant fields, and keeps only the pairs where the email was sent between 0 minutes and timeframe (4 hours by default) after the label downgrade.
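The correlation the query performs, modelled in Python over constructed events so the matching rules can be exercised offline. This is an added example, not the author's or Microsoft's code; the dataclass field names are assumed stand-ins for the table columns the query uses (Time, Activity, ItemName, TimeGenerated, EmailDirection, NetworkMessageId, FileName), the LOOKBACK and WINDOW defaults mirror starttime and timeframe, and the sample rows are invented to cover the edge cases: an upgrade rather than a downgrade, a downgrade outside the lookback, an email sent before the downgrade, an inbound email, and an outbound email sent after the window closed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defaults mirror the query's `starttime` and `timeframe` (assumed names here).
LOOKBACK = timedelta(days=7)
WINDOW = timedelta(hours=4)


@dataclass(frozen=True)
class LabelEvent:  # one InformationProtectionEvents row (assumed field names)
    time: datetime
    user: str
    activity: str
    item_name: str


@dataclass(frozen=True)
class EmailEvent:  # one EmailEvents row (assumed field names)
    time_generated: datetime
    sender: str
    recipient: str
    direction: str
    network_message_id: str


@dataclass(frozen=True)
class AttachmentInfo:  # one EmailAttachmentInfo row (assumed field names)
    network_message_id: str
    file_name: str


def correlate(label_events, email_events, attachments, now,
              lookback=LOOKBACK, window=WINDOW):
    """Return (label_change_time, email_send_time, sender, recipient, file_name)
    for each outbound email carrying a file whose label was downgraded
    between 0 and `window` before the message was sent."""
    # First join: outbound EmailEvents x EmailAttachmentInfo on NetworkMessageId.
    files_by_msg = {}
    for a in attachments:
        files_by_msg.setdefault(a.network_message_id, []).append(a.file_name)
    outbound_files = []
    for e in email_events:
        if e.direction != "Outbound":
            continue
        for fname in files_by_msg.get(e.network_message_id, []):
            outbound_files.append((e.time_generated, e.sender, e.recipient, fname))

    # Second join: DowngradeLabel events x outbound attachments on FileName.
    hits = []
    for lbl in label_events:
        if lbl.activity != "DowngradeLabel" or lbl.time <= now - lookback:
            continue
        for send_time, sender, recipient, fname in outbound_files:
            if fname != lbl.item_name:  # exact match, like KQL's case-sensitive join key
                continue
            # `between (0min .. timeframe)`: sent after the downgrade and within the window
            if timedelta(0) <= send_time - lbl.time <= window:
                hits.append((lbl.time, send_time, sender, recipient, fname))
    return hits


def run_sample():
    """Run the correlation over constructed events covering the edge cases."""
    now = datetime(2022, 6, 17, 12, 0)
    t = lambda h, m=0, d=17: datetime(2022, 6, d, h, m)
    labels = [
        LabelEvent(t(9), "alice@contoso.example", "DowngradeLabel", "Q3-forecast.xlsx"),
        LabelEvent(t(9), "alice@contoso.example", "UpgradeLabel", "budget.docx"),  # not a downgrade
        LabelEvent(t(9, d=5), "bob@contoso.example", "DowngradeLabel", "old-plan.pptx"),  # outside lookback
        LabelEvent(t(11), "carol@contoso.example", "DowngradeLabel", "notes.txt"),  # emailed before downgrade
    ]
    emails = [
        EmailEvent(t(9, 30), "alice@contoso.example", "partner@external.example", "Outbound", "msg-1"),
        EmailEvent(t(16), "alice@contoso.example", "partner@external.example", "Outbound", "msg-2"),  # 7h later
        EmailEvent(t(10, 50), "carol@contoso.example", "partner@external.example", "Outbound", "msg-3"),
        EmailEvent(t(9, 40), "vendor@external.example", "alice@contoso.example", "Inbound", "msg-4"),
        EmailEvent(t(10, d=5), "bob@contoso.example", "partner@external.example", "Outbound", "msg-5"),
    ]
    attachments = [
        AttachmentInfo("msg-1", "Q3-forecast.xlsx"),
        AttachmentInfo("msg-2", "Q3-forecast.xlsx"),
        AttachmentInfo("msg-3", "notes.txt"),
        AttachmentInfo("msg-4", "Q3-forecast.xlsx"),
        AttachmentInfo("msg-5", "old-plan.pptx"),
    ]
    return correlate(labels, emails, attachments, now)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Only the 09:30 message carrying Q3-forecast.xlsx survives; the other four rows each fail one of the query's filters. Two properties of the original query are worth keeping in mind when tuning it: the join key is the file name alone, so the query keeps User from the label event but never compares it with SenderMailFromAddress, meaning a common file name downgraded by one user and emailed by another still matches (comparing the two is a natural refinement, since both fields are already in scope); and KQL join keys are matched case-sensitively, so a file name whose case differs between the two tables will not pair up.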

Matt Zorich
Released: June 17, 2022