Read the article below or watch the video:
In Insider Risk Management, a sequence isn’t just one activity, like downloading a file. It’s a chain of related activities carried out by a single user, one after the other. These sequences help identify risky behaviour by showing how actions connect.
Imagine a user downloads a file named "Financial Report" from SharePoint. By itself, downloading isn’t alarming. But now, they rename the file to "My Vacation Plan." Then, they email it to their personal address and delete the original.
If you were only looking at the email attachment, you'd see "My Vacation Plan" and might not think twice. But IRM detects the entire sequence. It shows the file started as "Financial Report," was renamed, sent, and deleted. This context raises red flags for investigators.
Sequences give you the full story, not just isolated events. It’s about understanding the why behind actions, not just the what. The activities are NOT treated as isolated random events.
Select the Alert to review its risk factors:
On the All Risk Factors page of the IRM Alert, you can find the Sequences of Activity dashboard.
Select "View all sequence activity"
In the Activity Explorer you can see the sequences on the left.
Files exfiltrated and cleaned up. It also shows a Risk Score—in this case, it’s 100 out of 100.
For this sequence, we can see 72 events were detected. These include files downloaded from SharePoint, uploaded to the cloud, and then deleted. Of those, 26 events involve files with sensitive information.
You can select one of the events from the events grid to inspect the event's details.
The Activity Details Panel shows information such as Date and time, Operations, location details (in this case it’s SharePoint Site URL). Object ID provides a full path SharePoint path and file name.
The Result Status section breaks down all of the steps of the sequences.
Step 1 is SharePoint file download. It also says that there were 16 of such events within one hour.
Step 2 – user copied the downloaded file to Personal Cloud.
And in Step 3, the downloaded file was deleted.
The activities are displayed as two connected dots inside of the circle.
If you hover over the icon to see the date and time of the risky activity associated with this sequence. Here you can “connect the dots” when you are looking at the activities in this sequence.
You can use Sequence indicators as triggering events for the IRM Policy.
When you creating IRM Policy, note that Sequence indicators triggering events are only available for General Data Leaks (Data Leaks) or Data Leaks by Priority users templates.
In the “Triggering event” screen of the Policy Wizard scroll down to Sequences section to select which sequences will trigger this policy. As you can see, there are quite a few sequences to choose from. It’s a good idea to have all sequences selected.
Thresholds for sequences are much lower than those for single events, and for good reason—sequences are a strong indicator of potential insider risk.
You’ll often find users downloading existing files or templates from SharePoint, renaming them, uploading them to the cloud, and then deleting them. In many cases, workers are simply reusing templates, but these activities can trigger sequence indicators. To avoid generating too many false positives, you might need to revise your procedures or further customize your policies.
Additionally, if your SharePoint tenant isn’t properly configured, IRM policies may generate alerts stating that files are being uploaded to a personal cloud. To prevent this, make sure the company’s tenant is added as a trusted cloud app in Microsoft Defender for Cloud Apps. You should also verify that the company’s tenant domain is properly registered in Azure AD, as misconfigured domains can appear as external.
Comments