Query Details

X-4 Label Removed ⨯ External Email

Query

// X-4 - Sensitivity-label removal ⨯ EmailEvents send to external recipient (within 30 min)
// Run in: security.microsoft.com -> Hunting -> Advanced hunting (UNIFIED PORTAL)
// NOTE: Edit internalDomain to your internal domain; it drives both the sender and the recipient checks.
let internalDomain = "int.zava-corp.com";
let window = 30m;
let labelStripped =
    MicrosoftPurviewInformationProtection
    | where TimeGenerated > ago(1d)
    // Explicit removal, or an event that records an old label ID but no current one
    | where LabelEventType == "LabelRemoved"
       or (isnotempty(OldSensitivityLabelId) and isempty(SensitivityLabelId))
    // tolower() so the join key matches SenderFromAddress regardless of UPN casing (join keys are case-sensitive)
    | project StripTime=TimeGenerated, AccountUpn=tolower(UserId), ItemName, ObjectId,
              OldLabel=OldSensitivityLabelId;
let extEmail =
    EmailEvents
    | where Timestamp > ago(1d)
    | where SenderFromDomain =~ internalDomain   // =~ is case-insensitive, == is not
    | where RecipientEmailAddress !endswith strcat("@", internalDomain)
    | project EmailTime=Timestamp, AccountUpn=tolower(SenderFromAddress), Subject, RecipientEmailAddress,
              AttachmentCount, NetworkMessageId;
labelStripped
| join kind=inner extEmail on AccountUpn
| where EmailTime between (StripTime .. (StripTime + window))   // between is inclusive at both ends
| project StripTime, EmailTime, AccountUpn, ItemName, OldLabel,
          RecipientEmailAddress, Subject, AttachmentCount
| order by StripTime desc

Explanation

This query is designed to identify instances where a sensitivity label was removed from an item, and then an email was sent to an external recipient within 30 minutes of that removal. Here's a simple breakdown of what the query does:

  1. Label Removal Detection:
    • It looks for events in the last day where a sensitivity label was removed from an item. This is determined by checking whether the label event type is "LabelRemoved", or whether the event records an old label ID but no current label ID.
  2. External Email Detection:
    • It searches for emails sent in the last day from the internal domain "int.zava-corp.com" to recipients outside this domain.
  3. Correlation of Events:
    • The query then joins these two sets of data on the user account (AccountUpn) to find cases where the same user removed a label and sent an email externally within a 30-minute window starting at the removal. This assumes the Purview UserId and the mail SenderFromAddress are the same address for a given user; if they differ in your tenant, the join will silently produce no rows.
  4. Output:
    • It outputs details such as the time of label removal, time of email, user account, item name, old label, recipient email address, email subject, and attachment count, sorted by the time of label removal in descending order.

This query is useful for security monitoring, helping to identify potentially suspicious behavior where sensitive information might be at risk of being shared externally shortly after its protection label is removed.
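To make the correlation semantics testable offline, the following Python script (an added example, not part of the original page or query) mirrors the query's three steps over constructed events: the two strip conditions, the internal-to-external filter, the case-normalised join on the user key, and the inclusive 30-minute window. The event records, the placeholder domain int.zava-corp.com and the label IDs are all constructed; the field names follow the query's projected columns.

```python
"""Offline model of the X-4 correlation: label strip -> external email within 30 minutes.
Constructed sample data; field names mirror the query's projected columns."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAIN = "int.zava-corp.com"   # assumption: same placeholder domain as the query
WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class LabelEvent:                       # subset of MicrosoftPurviewInformationProtection
    time: datetime                      # TimeGenerated
    user_id: str                        # UserId
    item_name: str                      # ItemName
    label_event_type: str               # LabelEventType
    old_label_id: str                   # OldSensitivityLabelId ("" models isempty())
    new_label_id: str                   # SensitivityLabelId ("" models isempty())


@dataclass(frozen=True)
class EmailEvent:                       # subset of EmailEvents
    time: datetime                      # Timestamp
    sender: str                         # SenderFromAddress
    sender_domain: str                  # SenderFromDomain
    recipient: str                      # RecipientEmailAddress
    subject: str
    attachment_count: int


def is_label_strip(ev: LabelEvent) -> bool:
    """First filter: explicit removal, or an old label recorded with no current label."""
    return ev.label_event_type == "LabelRemoved" or (ev.old_label_id != "" and ev.new_label_id == "")


def is_external_send(ev: EmailEvent, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """Second filter: sent from the internal domain to a recipient outside it (case-insensitive)."""
    return (ev.sender_domain.lower() == internal_domain
            and not ev.recipient.lower().endswith("@" + internal_domain))


def correlate(label_events, email_events, window=WINDOW, internal_domain=INTERNAL_DOMAIN):
    """Inner join on the user key; keep emails inside [StripTime, StripTime + window]; newest strip first."""
    external_by_user = {}
    for m in email_events:
        if is_external_send(m, internal_domain):
            external_by_user.setdefault(m.sender.lower(), []).append(m)   # case-normalised join key
    hits = []
    for s in filter(is_label_strip, label_events):
        for m in external_by_user.get(s.user_id.lower(), []):
            if s.time <= m.time <= s.time + window:                       # KQL between is inclusive
                hits.append({"StripTime": s.time, "EmailTime": m.time, "AccountUpn": s.user_id,
                             "ItemName": s.item_name, "OldLabel": s.old_label_id,
                             "RecipientEmailAddress": m.recipient, "Subject": m.subject,
                             "AttachmentCount": m.attachment_count})
    hits.sort(key=lambda h: h["StripTime"], reverse=True)
    return hits


def run_sample():
    """Constructed events covering one hit per strip condition and each miss condition."""
    def t(hour, minute):
        return datetime(2026, 5, 25, hour, minute, tzinfo=timezone.utc)

    labels = [
        LabelEvent(t(9, 0), "alice@int.zava-corp.com", "Q3-forecast.xlsx", "LabelRemoved", "lbl-confidential", ""),
        LabelEvent(t(9, 0), "bob@int.zava-corp.com", "memo.docx", "LabelApplied", "", "lbl-general"),  # not a strip
        LabelEvent(t(10, 0), "carol@int.zava-corp.com", "roadmap.pptx", "LabelChanged", "lbl-secret", ""),  # 2nd condition
    ]
    emails = [
        EmailEvent(t(8, 50), "alice@int.zava-corp.com", INTERNAL_DOMAIN, "partner@example.org", "early", 1),     # before strip
        EmailEvent(t(9, 12), "Alice@int.zava-corp.com", INTERNAL_DOMAIN, "partner@example.org", "forecast", 1),  # hit; UPN case differs
        EmailEvent(t(9, 5), "alice@int.zava-corp.com", INTERNAL_DOMAIN, "bob@int.zava-corp.com", "internal", 1),  # internal recipient
        EmailEvent(t(9, 45), "alice@int.zava-corp.com", INTERNAL_DOMAIN, "partner@example.org", "late", 0),      # outside 30 min
        EmailEvent(t(9, 10), "bob@int.zava-corp.com", INTERNAL_DOMAIN, "x@example.org", "no strip", 0),          # no strip event
        EmailEvent(t(10, 20), "carol@int.zava-corp.com", INTERNAL_DOMAIN, "y@example.net", "roadmap", 2),        # hit
    ]
    return correlate(labels, emails)


if __name__ == "__main__":
    for h in run_sample():
        print(h["StripTime"].isoformat(), h["AccountUpn"], h["ItemName"], "->", h["RecipientEmailAddress"])
```

Running it yields two rows, carol's first because ordering is by strip time descending; the other four emails are dropped for the reasons marked in the comments. The case-normalised join key is the one place this model is stricter than a naive join: without it, alice's hit disappears because "Alice@..." and "alice@..." are different strings to an exact-match join.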

Details


David Alonso

Released: May 25, 2026

Tables

MicrosoftPurviewInformationProtection
EmailEvents

Keywords

MicrosoftPurviewInformationProtection, EmailEvents, Security, Hunting, AdvancedHunting, UnifiedPortal

Operators

let, where, or, isnotempty, isempty, project, join, kind, on, between, order by, desc
