Query Details

XDR 3 Sensitive Label Leaving Tenant

Query

DataSecurityEvents
| where Timestamp > ago(7d)
| where isnotempty(SensitivityLabelId)
| where ActionType in ("FileUploadedToCloud","FileSharedExternally","FileSentInEmail")
| project Timestamp, AccountUpn, ActionType, ObjectId, SourceRelativeUrl, TargetFilePath,
          ApplicationNames, Workload, SensitivityLabelId,
          TargetUrlDomain, EmailSubject, NetworkMessageId
| order by Timestamp desc

Explanation

This query is designed to analyze data security events from the past week. It filters for events where a sensitivity label is present and the action involves uploading a file to the cloud, sharing a file externally, or sending a file via email. The query then selects specific details about these events, such as the timestamp, user account, action type, and various identifiers and URLs related to the file and its handling. Finally, it sorts the results in descending order based on the timestamp, so the most recent events appear first.
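An added triage variant of the query above (not part of the original page): it drops events whose destination domain is on an allowlist and rolls the remainder up per user and sensitivity label. The `InternalDomains` list is a constructed placeholder, and the example assumes `TargetUrlDomain` holds the destination domain when one is recorded.

```kql
// Added example, not the author's query. Uses only columns projected by the original.
// InternalDomains is a constructed placeholder; replace it with your tenant's own domains.
let InternalDomains = dynamic(["contoso.com", "contoso.sharepoint.com"]);
DataSecurityEvents
| where Timestamp > ago(7d)
| where isnotempty(SensitivityLabelId)
| where ActionType in ("FileUploadedToCloud", "FileSharedExternally", "FileSentInEmail")
// Keep rows with no destination domain instead of silently dropping them;
// !in~ is an exact, case-insensitive match, so subdomains must be listed explicitly.
| where isempty(TargetUrlDomain) or TargetUrlDomain !in~ (InternalDomains)
| summarize Events    = count(),
            Files     = dcount(ObjectId),
            Actions   = make_set(ActionType),
            Domains   = make_set(TargetUrlDomain, 20),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp)
    by AccountUpn, SensitivityLabelId
| order by Events desc
```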

Details


David Alonso

Released: May 25, 2026

Tables

DataSecurityEvents

Keywords

DataSecurityEvents, Timestamp, SensitivityLabelId, ActionType, AccountUpn, ObjectId, SourceRelativeUrl, TargetFilePath, ApplicationNames, Workload, TargetUrlDomain, EmailSubject, NetworkMessageId

Operators

where, isnotempty, in, project, order by
