Insider Risk_Sign In Risk Followed By Sensitive Data Access

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

This query correlates a risky user sign ins with access to sensitive data classified by data loss prevention capabilities (watchlist configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists

Attribute	Value
Type	Hunting Query
Solution	MicrosoftPurviewInsiderRiskManagement
ID	`45ec52c2-99e1-4de1-9adc-bae0f79d4e23`
Tactics	Exfiltration
Techniques	T1567
Required Connectors	AzureInformationProtection, AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
`InformationProtectionLogs_CL` 🔶	?	✓	?
`SigninLogs`	✓	✗	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries · Back to MicrosoftPurviewInsiderRiskManagement