How to get an alert when documents' or mails' sensitivity label is changed ?

Hi @Mohand Benhaddad ,

To get an alert when a sensitivity label is changed and monitor sensitivity label events/activities in Microsoft Purview, you can use Microsoft Sentinel.

If you use the Microsoft Purview Information Protection connector in Microsoft Sentinel, you can collect audit log data from Microsoft Purview and query for activities related to sensitivity labels: for example, SensitivityLabelRemoved, SensitivityLabelUpdated, SensitivityLabelPolicyMatched, and SensitivityLabelFileOpened.

Then you can create a rule to generate an alert when a sensitivity label is changed. For instance, you can create a rule that triggers an alert when the SensitivityLabelUpdated activity is detected in the audit log.

Here is a link to the Microsoft documentation that provides more information on the audit log record types and activities supported in Sentinel: https://docs.microsoft.com/azure/sentinel/microsoft-purview-record-types-activities

Note that in Microsoft Purview, the Smart Alerts feature is coming to public preview soon, and this will allow you to get built-in alerts based on risky behavior.

Alternatively, without using Microsoft Purview, you can create an alert policy based on user activity as described here, or check the Activity logs.

If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar information.