Query Details

RULE 07 M365 SharePoint Sensitivity Label Downgraded

Query

// Rule    : M365 - SharePoint Sensitivity Label Downgraded on Document
// Severity: High
// Tactics : DefenseEvasion, Collection
// MITRE   : T1565.001 (Data Manipulation: Stored Data Manipulation),
//           T1078.004
// Freq    : PT1H   Period: PT1H
// Description: Detects when the sensitivity label on a SharePoint / OneDrive document
//              is changed to a lower classification (e.g., Confidential → Public),
//              potentially enabling unauthorized sharing or data exfiltration.
//==========================================================================================

let LookbackPeriod = 1h;
// Ordered severity levels — lower index = higher sensitivity
let LabelOrder = dynamic([
    "Top Secret", "Highly Confidential", "Confidential",
    "Internal", "General", "Public"
]);

OfficeActivity
| where TimeGenerated > ago(LookbackPeriod)
| where RecordType in ("SharePoint", "OneDrive")
| where Operation in (
    "SensitivityLabelChanged", "SensitivityLabelApplied",
    "SensitivityLabelRemoved", "FileSensitivityLabelChanged")
| extend
    OldLabel = tostring(parse_json(SensitivityLabelEventData).OldSensitivityLabelId),
    NewLabel = tostring(parse_json(SensitivityLabelEventData).NewSensitivityLabelId),
    OldLabelName = tostring(parse_json(SensitivityLabelEventData).OldSensitivityLabelName),
    NewLabelName = tostring(parse_json(SensitivityLabelEventData).NewSensitivityLabelName),
    LabelJustification = tostring(parse_json(SensitivityLabelEventData).JustificationText)
| extend
    // array_index_of returns the position in LabelOrder, or -1 when the label is not listed,
    // so ranks compare as plain integers and a tenant-specific label is not mis-ranked
    OldRank = array_index_of(LabelOrder, OldLabelName),
    NewRank = array_index_of(LabelOrder, NewLabelName)
| extend IsDowngrade = (Operation == "SensitivityLabelRemoved")
    // both labels must be known (rank >= 0); an unlisted old label would otherwise
    // rank as -1 and every change away from it would look like a downgrade
    or (OldRank >= 0 and NewRank >= 0 and OldRank < NewRank)
| where IsDowngrade or Operation == "SensitivityLabelRemoved"
| project
    TimeGenerated,
    UserId,
    ClientIP,
    SourceFileName,
    SiteUrl,
    ObjectId,
    Operation,
    OldLabelName,
    NewLabelName,
    LabelJustification,
    IsDowngrade,
    AlertSeverity = case(
        Operation == "SensitivityLabelRemoved", "High",
        IsDowngrade,                            "High",
        "Medium")

Explanation

This query is designed to detect when a sensitivity label on a document in SharePoint or OneDrive is downgraded, which could potentially allow unauthorized sharing or data exfiltration. Here's a simplified breakdown:

  1. Lookback Period: The query examines activities from the past hour.

  2. Label Order: Sensitivity labels are ranked from highest to lowest sensitivity: "Top Secret", "Highly Confidential", "Confidential", "Internal", "General", "Public".

  3. Data Source: It looks at activities in SharePoint and OneDrive.

  4. Operations of Interest: The query focuses on operations where sensitivity labels are changed, applied, or removed.

  5. Label Change Detection:
    • It extracts the old and new sensitivity labels and their names from the activity data.
    • It determines the rank of these labels based on their sensitivity.

  6. Downgrade Identification:
    • A downgrade is identified if a label is removed or if the new label is of lower sensitivity than the old one.

  7. Filtering and Projection:
    • The query filters for activities where a downgrade or label removal occurred.
    • It then selects relevant details such as the time of the event, user ID, client IP, file name, site URL, and justification for the label change.

  8. Alert Severity:
    • If a label is removed or downgraded, the alert severity is marked as "High".
    • Otherwise, the severity is "Medium".

This query helps in identifying potential security risks by flagging instances where document sensitivity is reduced, which could lead to data leaks.
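As an added example that is not part of the original rule page, the Python below re-implements the rule's workload filter, label ranking and downgrade test so the logic can be checked offline against constructed OfficeActivity-style rows (the rows, user and file name are made up). It ranks labels by their exact position in LabelOrder and requires both labels to be ranked, which also shows why a label outside the configured list must not be treated as a downgrade.

```python
import json

# Same ordering as the rule's LabelOrder: lower index = higher sensitivity.
LABEL_ORDER = ["Top Secret", "Highly Confidential", "Confidential",
               "Internal", "General", "Public"]
LABEL_OPS = {"SensitivityLabelChanged", "SensitivityLabelApplied",
             "SensitivityLabelRemoved", "FileSensitivityLabelChanged"}

def label_rank(name):
    """Exact-match position in LABEL_ORDER; -1 for an unlisted label."""
    return LABEL_ORDER.index(name) if name in LABEL_ORDER else -1

def evaluate(event):
    """Apply the rule's where/extend/project steps to one OfficeActivity row.
    Returns the projected alert, or None when the row is filtered out."""
    if event.get("RecordType") not in ("SharePoint", "OneDrive"):
        return None
    op = event.get("Operation")
    if op not in LABEL_OPS:
        return None
    data = json.loads(event.get("SensitivityLabelEventData") or "{}")
    old_name = data.get("OldSensitivityLabelName", "")
    new_name = data.get("NewSensitivityLabelName", "")
    old_rank, new_rank = label_rank(old_name), label_rank(new_name)
    # Removal is always a downgrade. Otherwise both labels must be ranked (>= 0):
    # an unlisted label ranks -1 and must not read as "more sensitive than all".
    is_downgrade = op == "SensitivityLabelRemoved" or (
        old_rank >= 0 and new_rank >= 0 and old_rank < new_rank)
    if not is_downgrade:
        return None
    # Every surviving row is a removal or a downgrade, so severity is High.
    return {"UserId": event.get("UserId"), "SourceFileName": event.get("SourceFileName"),
            "Operation": op, "OldLabelName": old_name, "NewLabelName": new_name,
            "AlertSeverity": "High"}

def _row(record_type, op, old, new, user="alice@contoso.example", fname="q3-plan.docx"):
    """Build one constructed OfficeActivity-style row (label data as a JSON string)."""
    payload = {"OldSensitivityLabelName": old, "NewSensitivityLabelName": new}
    return {"RecordType": record_type, "Operation": op, "UserId": user,
            "SourceFileName": fname, "SensitivityLabelEventData": json.dumps(payload)}

# Constructed sample rows (not real tenant data) covering the main cases.
SAMPLE_EVENTS = [
    _row("SharePoint", "SensitivityLabelChanged", "Confidential", "Public"),          # downgrade
    _row("OneDrive", "SensitivityLabelChanged", "Internal", "Highly Confidential"),   # upgrade
    _row("SharePoint", "SensitivityLabelRemoved", "Confidential", ""),               # removal
    _row("SharePoint", "SensitivityLabelApplied", "Project Falcon", "Internal"),     # unlisted old label
    _row("Exchange", "SensitivityLabelChanged", "Confidential", "Public"),           # wrong workload
]

def run(events):
    """Run the detection over a list of rows; returns the alerts in input order."""
    return [a for a in (evaluate(e) for e in events) if a is not None]
```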

Details

David Alonso

Released: March 18, 2026

Tables

OfficeActivity
