Users who connected from 2+ countries within 4 hours — possible account compromise or VPN misconfiguration.
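The multi-country rule above, as an added example that is not the dashboard's own code: sessions are grouped per user and scanned with a sliding 4-hour window, flagging any user whose sessions in one window come from two or more countries. The session records and country codes are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)

# Constructed sample sessions (user, UTC timestamp, country); not real data.
SESSIONS = [
    ("alice", "2024-05-01T08:00:00", "US"),
    ("alice", "2024-05-01T10:30:00", "DE"),  # 2.5h later, new country -> flag
    ("bob",   "2024-05-01T08:00:00", "US"),
    ("bob",   "2024-05-01T15:00:00", "FR"),  # 7h later -> outside the window
    ("carol", "2024-05-01T09:00:00", "GB"),
    ("carol", "2024-05-01T12:00:00", "GB"),  # same country -> no flag
]


def multi_country_users(sessions, window=WINDOW, min_countries=2):
    """Return {user: [(window_start, window_end, sorted countries), ...]}
    for every user with >= min_countries distinct countries inside any
    sliding window of length `window`. One entry per qualifying window end."""
    by_user = defaultdict(list)
    for user, ts, country in sessions:
        by_user[user].append((datetime.fromisoformat(ts), country))

    findings = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological order so the window can slide forward
        hits = []
        start = 0
        for end in range(len(rows)):
            # Drop leading sessions until rows[start..end] fit in the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            countries = {c for _, c in rows[start:end + 1]}
            if len(countries) >= min_countries:
                hits.append((rows[start][0], rows[end][0], sorted(countries)))
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, hits in multi_country_users(SESSIONS).items():
        for first, last, countries in hits:
            print(f"{user}: {countries} between {first} and {last}")
```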
Stale Devices — Owner Remediation
Devices with no heartbeat >24h, with their last known owner. Click Notify to copy a remediation email.
User Identity Directory
— users
Master list: Harmony session data joined with Entra ID display names & departments.
🔥 Critical Alerts — Last 24 hours
⚠️ Medium Alerts — Last 24 hours
✅ Devices Online — Harmony API, source of truth
🧊 Storage Auth Errors — SMB / NTLM spike detection
Total Event Volume
— events
Sources: ■ Harmony ■ Sentinel ■ Defender
Top 10 Notable Events
Today
Columns: User | Device | Event | Source | Time ET
Today's Focus Queue
— items
Tunnel Health — 24h
Counters: Online | Warning | Offline | Connects 24h | Disconnects 24h
Disconnect Timeline — 24h
[chart x-axis: -24h, -18h, -12h, -6h, Now]
Devices with Tunnel Churn
Top Users — Harmony Event Volume
Recent Admin / API Activity
api.activity.*
Azure Files — Total SMB connections
Private Endpoint — privatelink connections
Public Endpoint — file.core.windows.net
NetApp SMB — NetApp volume connections
Unique Users — Distinct Azure AD users
Unique Devices — Distinct endpoints
File Share Connection Table
— connections
Columns: Device | Azure AD User | Domain | Process Account | Remote Endpoint | Remote IP | Conns | First Seen | Last Seen | Status
Connections by Endpoint
Traffic Split
Sentinel KQL — Storage Access Query
// SMB (445) connections from managed devices to the file-share endpoints,
// enriched with the logged-on Azure AD user from DeviceInfo.
DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where RemotePort == 445
| where RemoteUrl has_any ("file.core.windows.net", "privatelink.file.core.windows.net", "NetAppQ-2420.martellore.com")
| join kind=leftouter (
    DeviceInfo
    // LoggedOnUsers is a JSON string; parse it before expanding the array.
    | mv-expand LoggedOnUsers = todynamic(LoggedOnUsers)
    | extend AzureADUser = tostring(LoggedOnUsers.UserName),
             Domain = tostring(LoggedOnUsers.DomainName)
    | summarize AzureADUser = any(AzureADUser), Domain = any(Domain) by DeviceId
) on DeviceId
| summarize
    ConnectionCount = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    ProcessAccount = any(InitiatingProcessAccountName)
    by DeviceName, AzureADUser, Domain, RemoteUrl, RemoteIP
| order by ConnectionCount desc
— days to BMA audit
BMA Deadline: October 2026 — Microsoft Purview Information Protection posture must be production-ready.
Two auto-label policies are currently in expired Simulation mode and require promotion to enforcement before the deadline.
Active finding: tyler.rhodes removed a Restricted label with no justification from a public IP.
Open Findings — Unresolved label events
Policies in Simulation — Not yet enforced
Labels Applied (7d) — Across all SharePoint / OD
Labels Removed (7d) — Requires justification audit
External Access Events — PublicEndpoint operations
Active Compliance Findings
— findings
Auto-Label Policy Status
Label Activity (7 days)
Sensitivity Label Audit Log
— events
Columns: Time (ET) | User | Operation | Label | Workload | Location | IP Address | Justification | Severity
Sentinel KQL — Purview Information Protection Queries
// Priority 1 — Restricted label removals on HR / Executive SharePoint
InformationProtectionEvents
| where TimeGenerated > ago(7d)
| where Operation == "SensitivityLabelRemoved"
| where SensitivityLabelId has_any ("Restricted", "Highly Confidential")
| project TimeGenerated, UserId, Operation, SensitivityLabelId,
          ObjectId, Workload, ClientIP
| order by TimeGenerated desc

// Priority 2 — Confidential label ops by user (volume baseline)
InformationProtectionEvents
| where TimeGenerated > ago(7d)
| where SensitivityLabelId has "Confidential"
| summarize EventCount = count(), LastOp = max(TimeGenerated)
    by UserId, Operation
| order by EventCount desc

// Priority 3 — External access via PublicEndpoint
InformationProtectionEvents
| where TimeGenerated > ago(7d)
| where AccessScope == "PublicEndpoint"
| project TimeGenerated, UserId, Operation,
          SensitivityLabelId, ClientIP, ObjectId
| order by TimeGenerated desc