Automating label downgrade email notifications

Sure, we wanted to be alerted if any label that was Confidential or higher was downgraded.

Here is the query we are using, you just need to substitute your own label's and corresponding GUID's.

let labelsMap = parse_json('{'
'"<Label GUID>": "Public",'
'"<Label GUID>": "Internal",'
'"<Label GUID>": "Confidential",'
'"<Label GUID>": "Highly Confidential",'
'}');
MicrosoftPurviewInformationProtection
| where LabelEventType == "LabelDowngraded"
| extend NewSensitivityLabelName = iif(isnotempty(SensitivityLabelId), 
tostring(labelsMap[tostring(SensitivityLabelId)]), "")
| extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), 
tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
| where OldSensitivityLabelName contains "Confidential"
| extend Object = url_decode(ObjectId)
| extend FileName = extract(@'.*[\\\/](.*)$', 1, Object)
| project TimeGenerated, UserId, FileName, OldSensitivityLabelName, NewSensitivityLabelName, JustificationText