Learn about and configure insider risk management browser signal detection

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

In Microsoft Purview Insider Risk Management, browser signal detection is used for:

• The following templates:
  • Data theft by departing users
  • Data leaks
  • Risky browser usage (preview)
• Forensic evidence

Browsers and templates

Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in Microsoft Edge and Google Chrome browsers. With these signals, analysts and investigators can quickly act when any of the following risky activities are performed by in-scope policy users when using these browsers:

• Files copied to personal cloud storage
• Files printed to local or network devices
• Files transferred or copied to a network share
• Files copied to USB devices
• Browsing potentially risky websites

Signals for these events are detected in Microsoft Edge using built-in browser capabilities and using the Microsoft Compliance Extension add-on. In Google Chrome, customers use the Microsoft Compliance Extension for signal detection.

The following table summarizes identified risk activities and extension support for each browser:

Detected activities	Microsoft Edge	Google Chrome
Files copied to personal cloud storage	Native	Extension
Files printed to local or network devices	Native	Extension
Files transferred or copied to a network share	Extension	Extension
Files copied to USB devices	Extension	Extension
Browsing potentially risky websites	Extension	Extension

The following table summarizes activities by template:

Detected activities	Data theft by departing users	Data leaks	Risky browser usage
Files copied to personal cloud storage	Yes	Yes	No
Files printed to local or network devices	Yes	Yes	No
Files transferred or copied to a network share	Yes	Yes	No
Files copied to USB devices	Yes	Yes	No
Browsing potentially risky websites	No	No	Yes

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Forensic evidence

For forensic evidence, all types of browsing activities can be captured; you're not limited to the browsing indicators of the Risky browser usage template. You can specify the desktop apps and websites that you want to include or exclude. To capture browsing activity for forensic evidence, you must install the extensions as described in this topic, and you must also turn on at least one risky browsing indicator in the insider risk settings.

Common requirements

Before installing the Microsoft Edge add-on or Google Chrome extension, ensure that devices for in-scope policy users meet the following requirements:

• Latest Windows 10 x64 build is recommended, minimum Windows 10 x64 build 1809 for signal detection support. Browser signal detection isn't currently supported on non-Windows devices.
• Current Microsoft 365 subscription with insider risk management support.
• Devices must be onboarded to the Microsoft Purview compliance portal.

For specific browser configuration requirements, see the Microsoft Edge and Google Chrome sections later in this article.

Additional requirements

If you're using policies based on the Risky browser usage template, at least one Browsing indicator must be selected in Insider risk management > Settings > Policy indicators.

Configure browser signal detection for Microsoft Edge

Microsoft Edge browser requirements

• Meet the common requirements
• Latest Microsoft Edge x64, version (91.0.864.41 or higher)
• Latest Microsoft Compliance Extension add-on (1.0.0.44 or higher)
• Edge.exe is not configured as an unallowed browser

Option 1: Basic setup (recommended for testing with Edge)

Use this option to configure a single machine self-host for each device in your organization when testing browser signal detection.

1. Go to Microsoft Compliance Extension.
2. Install the extension.

Option 2: Intune setup for Edge

Use this option to configure the extension and requirements for your organization using Intune.

1. Sign-in to the Microsoft Intune admin center.
2. Go to Devices > Configuration Profiles.
3. Select Create Profile.
4. Select Windows 10 and later as the platform.
5. Select Settings catalog as the profile type.
6. Select Custom as the template name.
7. Select Create.
8. Enter a name and optional description on the Basics tab, and then select Next.
9. Select Add settings on the Configuration settings tab.
10. Select Administrative Templates > Microsoft Edge > Extensions.
11. Select Control which extensions are installed silently.
12. Change the toggle to Enabled.
13. Enter the following value for the extensions and app IDs and update URL: lcmcgbabdcbngcbcfabdncmoppkajglo**.**
14. Select Next.
15. Add or edit scope tags on the Scope tags tab as needed, and then select Next.
16. Add the required deployment users, devices, and groups on the Assignments tab, and then select Next.
17. Select Create.

Option 3: Group Policy setup for Edge

Use this option to configure the extension and requirements organization-wide using Group Policy.

Step 1: Import the latest Microsoft Edge Administrative Template (.admx) file.

Devices must be manageable using Group Policies and all Microsoft Edge Administrative Templates need to be imported into the Group Policy Central Store. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Step 2: Add the Microsoft Compliance Extension add-on to the Force Install list.

1. In the Group Policy Management Editor, go to your Organizational Unit (OU).
2. Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Microsoft Edge > Extensions. This path may vary depending on the configuration of your organization.
3. Select Configure which extensions are installed silently.
4. Right-click and select Edit.
5. Check the Enabled radio button.
6. Select Show.
7. For Value, add the following entry: lcmcgbabdcbngcbcfabdncmoppkajglo;https://edge.microsoft.com/extensionwebstorebase/v1/crx
8. Select OK, and then select Apply.

Configure browser signal detection for Google Chrome

Insider risk management browser signal detection support for Google Chrome is enabled through the Microsoft Compliance Extension. This extension also supports Endpoint DLP on Chrome. For more information about Endpoint DLP support, see Get started with the Microsoft Compliance Extension (preview).

Google Chrome browser requirements

• Meet common requirements
• Latest version of Google Chrome x64
• Latest Microsoft Compliance Extension version (2.0.0.183 or higher)
• Chrome.exe is not configured as an unallowed browser

Option 1: Basic setup (recommended for testing with Chrome)

Use this option to configure a single machine self-host for each device in your organization when testing browser signal detection.

1. Go to Microsoft Compliance Extension.
2. Install the extension.

Option 2: Intune setup for Chrome

Use this option to configure the extension and requirements for your organization using Intune.

1. Sign in to the Microsoft Intune admin center.
2. Go to Devices > Configuration Profiles.
3. Select Create Profile.
4. Select Windows 10 and later as the platform.
5. Select Settings catalog as the profile type.
6. Select Custom as the template name.
7. Select Create.
8. Enter a name and optional description on the Basics tab, and then select Next.
9. Select Add settings on the Configuration settings tab.
10. Select Administrative Templates > Google > Google Chrome > Extensions.
11. Select Configure the list of force-installed apps and extensions.
12. Change the toggle to Enabled.
13. Enter the following value for the extensions and app IDs and update URL: echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx
14. Select Next.
15. Add or edit scope tags on the Scope tags tab as needed, and then select Next.
16. Add the required deployment users, devices, and groups on the Assignments tab, and then select Next.
17. Select Create.

Option 3: Group Policy setup for Chrome

Use this option to configure the extension and requirements organization-wide using Group Policy.

Step 1: Import the Chrome Administrative Template file

Your devices must be manageable using Group Policy and all Chrome Administrative Templates need to be imported into the Group Policy Central Store. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Step 2: Add the Chrome extension to the Force Install list

1. In the Group Policy Management Editor, go to your organizational unit (OU).
2. Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Google > Google Chrome > Extensions. This path may vary depending on the configuration for your organization.
3. Select Configure the list of force installed extensions.
4. Right-click and select Edit.
5. Select the Enabled radio button.
6. Select Show.
7. For Value, add the following entry: echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx
8. Select OK, and then select Apply.

Test and verify insider risk management browser signal detections

1. Create an insider risk management policy with device indicators enabled.

2. To test signal detection for files copied to personal cloud storage, complete the following steps from a supported Windows device:

   • Open a file sharing website (Microsoft OneDrive, Google Drive, etc.) with the browser type that you've configured for signal detection.
   • With the browser, upload a non-executable file to the website.

3. To test signal detection for files printed to local or network devices, files transferred or copied to a network share, and files copied to USB devices, complete the following steps from a supported Windows device:

   • Open a non-executable file directly in the browser. The file must be opened directly through File Explorer or opened in a new browser tab for viewing rather than a webpage.
   • Print the file.
   • Save the file to a USB device.
   • Save the file to a network drive.

4. After your first insider risk management policy was created, you'll start to receive alerts from activity indicators after about 24 hours. Check the Alerts dashboard for insider risk management alerts for the tested activities.