X 3 Insider Risk X Confidential Label Movement
Query
// X-3 - Insider Risk behavior ⨯ Purview confidential label movement (±1h)
// Run in: security.microsoft.com -> Hunting -> Advanced hunting (UNIFIED PORTAL)
let irBehaviors =
DataSecurityBehaviors
| where Timestamp > ago(7d)
| where IsAnomalous == 1
| project IrTime=Timestamp, AccountUpn, ActionType, Categories, ActivityCount;
let confMoves =
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(7d)
| where LabelName has_any ("Confidential","Highly Confidential","Restricted")
| project MoveTime=TimeGenerated, AccountUpn=UserId, ItemName, ObjectId, Operation, LabelName, Receivers;
irBehaviors
| join kind=inner confMoves on AccountUpn
| where MoveTime between (IrTime - 1h .. IrTime + 1h)
| project IrTime, MoveTime, AccountUpn, ActionType, Categories, Operation, LabelName, ItemName, Receivers
| order by IrTime descExplanation
This query is designed to identify potential insider risk behaviors related to the movement of files labeled as confidential within the last seven days. Here's a simplified breakdown of what the query does:
-
Identify Anomalous Behaviors:
- It starts by looking at data from the
DataSecurityBehaviorstable to find any anomalous activities (marked byIsAnomalous == 1) that occurred in the past seven days. - It extracts the timestamp of the behavior, the user account involved, the type of action, categories of the behavior, and the count of activities.
- It starts by looking at data from the
-
Track Confidential Label Movements:
- It then examines the
MicrosoftPurviewInformationProtectiontable for any movements of items labeled as "Confidential," "Highly Confidential," or "Restricted" within the same seven-day period. - It collects details such as the time of the movement, the user account, the item name, the operation performed, the label name, and the receivers of the item.
- It then examines the
-
Correlate Behaviors and Movements:
- The query joins these two datasets based on the user account (
AccountUpn). - It filters the results to find instances where the movement of confidential items occurred within one hour before or after the anomalous behavior.
- The query joins these two datasets based on the user account (
-
Output and Order Results:
- Finally, it outputs relevant details such as the times of the insider risk behavior and the label movement, the user account, action type, operation performed, label name, item name, and receivers.
- The results are ordered by the time of the insider risk behavior in descending order.
In summary, this query helps security analysts detect and investigate potential insider threats by correlating suspicious user behaviors with the movement of sensitive information.
Details

David Alonso
Released: May 25, 2026
Tables
DataSecurityBehaviorsMicrosoftPurviewInformationProtection
Keywords
DataSecurityBehaviorsMicrosoftPurviewInformationProtectionTimestampAccountUpnActionTypeCategoriesActivityCountTimeGeneratedLabelNameUserIdItemNameObjectIdOperationReceivers
Operators
let|where>ago()==projecthas_any()join kind=inneronbetween ()..order bydesc