Query Details

X-3 Insider Risk ⨯ Confidential Label Movement

Query

// X-3 - Insider Risk behavior ⨯ Purview confidential label movement (±1h)
// Run in: security.microsoft.com -> Hunting -> Advanced hunting (UNIFIED PORTAL)
let irBehaviors =
    DataSecurityBehaviors
    | where Timestamp > ago(7d)
    | where IsAnomalous == 1
    | project IrTime=Timestamp, AccountUpn, ActionType, Categories, ActivityCount;
let confMoves =
    MicrosoftPurviewInformationProtection
    | where TimeGenerated > ago(7d)
    | where LabelName has_any ("Confidential","Highly Confidential","Restricted")
    | project MoveTime=TimeGenerated, AccountUpn=UserId, ItemName, ObjectId, Operation, LabelName, Receivers;
irBehaviors
| join kind=inner confMoves on AccountUpn
| where MoveTime between (IrTime - 1h .. IrTime + 1h)
| project IrTime, MoveTime, AccountUpn, ActionType, Categories, Operation, LabelName, ItemName, Receivers
| order by IrTime desc

Explanation

This query hunts for potential insider risk by correlating anomalous Insider Risk Management behaviours with Purview Information Protection activity on items that carry a confidential-tier sensitivity label, over the last seven days. The second source is a Microsoft Sentinel table, which is why the query is meant for the unified portal. Here is a breakdown of what the query does:

  1. Identify Anomalous Behaviors:

    • It starts with the DataSecurityBehaviors table (Insider Risk Management behaviours surfaced in advanced hunting) and keeps only rows flagged as anomalous (IsAnomalous == 1) from the past seven days.
    • It keeps the timestamp of the behaviour (renamed IrTime), the user account (AccountUpn), the action type, the behaviour categories, and the activity count.
  2. Track Confidential Label Movements:

    • It then reads the MicrosoftPurviewInformationProtection table for the same seven-day window and keeps rows whose LabelName contains the terms "Confidential", "Highly Confidential", or "Restricted" (has_any matches on terms, so "Confidential" alone already covers "Highly Confidential"). The query does not filter on Operation, so every recorded operation on such an item qualifies, not only moves; narrow Operation if you only want copies, uploads, or sends.
    • It keeps the time of the operation (renamed MoveTime), the user (UserId renamed to AccountUpn so the two sources can be joined), the item name, the object ID, the operation, the label name, and the receivers.
  3. Correlate Behaviors and Movements:

    • The query inner-joins the two datasets on the user account (AccountUpn), so only users who appear in both tables survive. The join compares strings case-sensitively; if the two sources record the same UPN with different casing, normalise both sides with tolower() before joining, or that user's matches are silently dropped.
    • It then keeps only pairs where the label operation occurred within one hour before or after the anomalous behaviour (MoveTime between IrTime - 1h and IrTime + 1h). Each behaviour/operation pair inside the window yields one output row, so a user with several anomalous behaviours and several operations can appear many times.
  4. Output and Order Results:

    • Finally, it outputs relevant details such as the times of the insider risk behavior and the label movement, the user account, action type, operation performed, label name, item name, and receivers.
    • The results are ordered by the time of the insider risk behavior in descending order.

In summary, this query helps security analysts detect and investigate potential insider threats by correlating suspicious user behaviors with the movement of sensitive information.
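As an added, self-contained example (not part of the original query or its author's work), here is the same correlation run in KQL over constructed datatable rows, so the join and the ±1h window can be checked in any Kusto environment before pointing it at the live tables. Column names mirror the projections in the query above; every UPN, item name, operation value, label, and timestamp is made up, and the join key is lowercased to show why a UPN stored as "Bob@Contoso.com" on one side and "bob@contoso.com" on the other would otherwise never match.

```kusto
// Added example: the X-3 correlation over constructed sample rows (not the original query).
// Column names follow the projections in the query above; all values below are made up.
let irBehaviors = datatable(IrTime:datetime, AccountUpn:string, ActionType:string, Categories:string, ActivityCount:long)
[
    datetime(2026-05-20 09:00:00), "alice@contoso.com", "AnomalousBehavior", "Exfiltration", 12,
    datetime(2026-05-20 14:00:00), "bob@contoso.com",   "AnomalousBehavior", "Sequence",     3
];
let confMoves = datatable(MoveTime:datetime, AccountUpn:string, ItemName:string, ObjectId:string, Operation:string, LabelName:string, Receivers:string)
[
    // 40 min after alice's behaviour: inside the window
    datetime(2026-05-20 09:40:00), "alice@contoso.com", "q2-forecast.xlsx", "/sites/fin/q2-forecast.xlsx",  "FileCopiedToRemovableMedia", "Highly Confidential", "",
    // same user, 3.5 h after the behaviour: outside the window
    datetime(2026-05-20 12:30:00), "alice@contoso.com", "roadmap.pptx",     "/sites/pm/roadmap.pptx",       "FileUploadedToCloud",        "Confidential",        "",
    // UPN stored with different casing, 30 min before bob's behaviour: matches only after tolower()
    datetime(2026-05-20 13:30:00), "Bob@Contoso.com",   "board-deck.pptx",  "/sites/exec/board-deck.pptx",  "Send",                       "Restricted",          "partner@example.net",
    // label outside the confidential tier: removed by the label filter before the join
    datetime(2026-05-20 13:45:00), "bob@contoso.com",   "lunch-menu.docx",  "/sites/hr/lunch-menu.docx",    "Send",                       "General",             "all@contoso.com"
];
irBehaviors
| extend JoinKey = tolower(AccountUpn)
| join kind=inner (
    confMoves
    | where LabelName has_any ("Confidential", "Highly Confidential", "Restricted")
    | extend JoinKey = tolower(AccountUpn)
  ) on JoinKey
| where MoveTime between ((IrTime - 1h) .. (IrTime + 1h))
// negative = operation preceded the behaviour, positive = followed it
| extend MinutesFromBehavior = datetime_diff('minute', MoveTime, IrTime)
| project IrTime, MoveTime, MinutesFromBehavior, AccountUpn, ActionType, Categories, Operation, LabelName, ItemName, Receivers
| order by IrTime desc
```

The sample returns two rows: bob's board-deck.pptx at -30 minutes (kept only because both join keys were lowercased) and alice's q2-forecast.xlsx at +40 minutes; the 12:30 upload falls outside the window and the General-labelled item never reaches the join. To use this against the live data, replace the two datatable literals with the DataSecurityBehaviors and MicrosoftPurviewInformationProtection projections from the query above and keep the tolower() normalisation.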

Details


David Alonso

Released: May 25, 2026

Tables

DataSecurityBehaviors, MicrosoftPurviewInformationProtection

Keywords

DataSecurityBehaviors, MicrosoftPurviewInformationProtection, Timestamp, AccountUpn, ActionType, Categories, ActivityCount, TimeGenerated, LabelName, UserId, ItemName, ObjectId, Operation, Receivers

Operators

let, |, where, >, ago(), ==, project, has_any(), join kind=inner, on, between ( .. ), order by, desc
