X 2 Purview DLP X Office Activity Downloads
Query
// X-2 - Purview DLP match ⨯ OfficeActivity SharePoint download by same user (±30 min)
// Run in: security.microsoft.com -> Hunting -> Advanced hunting (UNIFIED PORTAL)
let dlpMatches =
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(1d)
| where isnotempty(ExecutionRuleName)
| project DlpTime=TimeGenerated, UserId, ItemName, PolicyName, ExecutionRuleName;
let spDownloads =
OfficeActivity
| where TimeGenerated > ago(1d)
| where Operation in ("FileDownloaded","FileSyncDownloadedFull","FileAccessed")
| project SpTime=TimeGenerated, UserId, OfficeObjectId, ClientIP, UserAgent;
dlpMatches
| join kind=inner spDownloads on UserId
| where SpTime between (DlpTime - 30m .. DlpTime + 30m)
| summarize Hits=count(),
DlpRules=make_set(ExecutionRuleName, 10),
Files=make_set(ItemName, 20),
SpObjects=make_set(OfficeObjectId, 20),
FirstSeen=min(DlpTime), LastSeen=max(DlpTime)
by UserId, ClientIP
| where Hits >= 5
| order by Hits descExplanation
This query is designed to identify users who have both triggered a Data Loss Prevention (DLP) rule and downloaded files from SharePoint within a 30-minute window. Here's a simplified breakdown:
-
Data Collection:
- The query first collects DLP matches from the
MicrosoftPurviewInformationProtectiontable, focusing on events from the last day where a DLP rule was executed. - It also gathers SharePoint download activities from the
OfficeActivitytable, again from the last day, specifically looking for file download or access operations.
- The query first collects DLP matches from the
-
Data Matching:
- It then joins these two datasets based on the
UserId, meaning it looks for instances where the same user appears in both datasets.
- It then joins these two datasets based on the
-
Time Correlation:
- The query filters the joined data to find cases where the SharePoint download activity occurred within 30 minutes before or after the DLP match.
-
Summarization:
- For each user, it counts the number of such matched events (
Hits). - It compiles lists of unique DLP rules triggered, file names involved, and SharePoint object IDs accessed.
- It also records the first and last time these events were seen for each user.
- For each user, it counts the number of such matched events (
-
Filtering and Ordering:
- It only keeps records where a user has at least 5 such matched events.
- Finally, it orders the results by the number of hits in descending order, highlighting users with the most frequent occurrences of this behavior.
In essence, this query helps identify users who might be involved in suspicious activities by correlating DLP rule triggers with SharePoint downloads in a short time frame.
Details

David Alonso
Released: May 25, 2026
Tables
MicrosoftPurviewInformationProtectionOfficeActivity
Keywords
MicrosoftPurviewInformationProtectionOfficeActivityUserIdItemNamePolicyNameExecutionRuleNameTimeGeneratedOperationOfficeObjectIdClientIPUserAgent
Operators
let|whereisnotemptyprojectinjoinonbetweensummarizecountmake_setminmaxbyorder bydesc