Fine-tune exclusions in insider risk management by creating detection groups (preview)
Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
You can exclude items from being scored by insider risk management policies by using the Global exclusions setting. These types of exclusions apply to every trigger and indicator for all policies that you create within a tenant. By using detection groups, you can modify a built-in global exclusion to make it specific for your organization's needs.
You can also use detection groups to modify the built-in insider risk indicators to tailor detections for different sets of users at the policy level. For example, to reduce the number of false positives for email activities, you might want to create a variant of the Sending email with attachments to recipients outside the organization built-in indicator to only detect email sent to personal domains.
Process for creating and using detection groups
To use a detection group as part of a global exclusion, you create the detection group as described in this article, and then select it as part of the global exclusion.
Using a detection group to modify a built-in indicator includes the following steps:
- Create the detection group as described in this article. You'll select this detection group when you create the variant.
- Create the variant.
- Use the variant in a new or existing policy.
- Review alerts related to the activities specified in the variant.
Create a detection group
A detection group helps you scope a built-in indicator or a global exclusion down to focus on the high-value activities important to your organization.
Detection types for policy indicators
Every policy indicator includes certain detection types that are applicable to that indicator. For example, for the Sharing SharePoint files with people outside the organization indicator, one of the detection types is domains. When you share a SharePoint file, you choose a domain to share the file with. Not all indicators have the same detection types. For example, domains is a detection type of the Sharing SharePoint files with people outside the organization indicator, but it's not a detection type of the Creating or copying files to USB indicator since it's not applicable in that case.
Insider risk management currently supports seven detection types:
- Domains
- File paths
- File types
- Keywords
- Sensitive info types
- SharePoint sites
- Trainable classifiers
Tip
When you create a detection group, you can see all the applicable indicators for a particular detection by selecting the View applicable indicators link in the introductory text for the group type.
The following procedures show how to create a detection group for each group type.
Create a domains detection group
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select Domains.
- In the panel to the right, select New domain group.
- In the New domain group pane, add a name for the group (or accept the suggested name) and a description (optional).
- In the Add domains field, enter a domain, and then press Enter. Continue adding more domains in the same way or, if you have a long list of domains to add, you can import them as a CSV file by selecting Import domains from CSV file. The domains that you add are listed at the bottom of the pane. You can create up to 10 domain detection groups and each group can have up to 200 items.
Note
To specify multi-level subdomains for a root domain, select the Include multi-level subdomains checkbox, add a domain, and then press Enter to add the domain to the list. Any subdomains included within that domain will be included. Repeat the same process to add more domains, and then select Add domains when you're done.
Tip
You can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, use the wildcard entry '*.wingtiptoys.com' to match these subdomains (and any other subdomain at the same level).
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
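The following added example (not part of this article or of the Purview service) models the two domain-group matching rules just described, so you can sanity-check a domain list before building a group: a wildcard entry such as '*.wingtiptoys.com' covers one subdomain level, while the Include multi-level subdomains option covers subdomains at any depth under the entry. The recipient addresses, group names and the DomainGroup/matching_recipients helpers are constructed for illustration; the exact matching rules of the service, including how a wildcard behaves inside a multi-level group, are assumptions here.

```python
"""Constructed model of insider risk management domain-group matching (not product code)."""
from dataclasses import dataclass


@dataclass
class DomainGroup:
    name: str
    entries: list            # exact domains or '*.root' wildcard entries
    multi_level: bool = False  # models the "Include multi-level subdomains" checkbox


def _labels(domain: str) -> list:
    """Split 'A.B.C.' into lowercase labels, ignoring case and a trailing dot."""
    return domain.lower().strip(".").split(".")


def entry_matches(entry: str, domain: str, multi_level: bool) -> bool:
    """Return True if one group entry covers the given recipient domain."""
    d = _labels(domain)
    if entry.startswith("*."):
        # Wildcard (assumed): exactly one extra label in front of the root, e.g.
        # '*.wingtiptoys.com' matches sales.wingtiptoys.com but not eu.sales.wingtiptoys.com.
        root = _labels(entry[2:])
        return len(d) == len(root) + 1 and d[1:] == root
    e = _labels(entry)
    if d == e:
        return True
    # Multi-level (assumed): any depth of subdomain under the entry is included.
    return multi_level and len(d) > len(e) and d[-len(e):] == e


def matching_recipients(group: DomainGroup, recipients: list) -> list:
    """Return the addresses whose domain falls within the detection group."""
    hits = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1]
        if any(entry_matches(e, domain, group.multi_level) for e in group.entries):
            hits.append(addr)
    return hits


# Constructed sample groups and recipients.
PARTNER = DomainGroup("Partner subdomains", ["*.wingtiptoys.com"])
PARTNER_ALL = DomainGroup("Partner (multi-level)", ["wingtiptoys.com"], multi_level=True)
PERSONAL = DomainGroup("Free public domains (constructed subset)", ["gmail.com", "yahoo.com"])
SAMPLE_RECIPIENTS = [
    "alice@sales.wingtiptoys.com", "bob@eu.sales.wingtiptoys.com",
    "carol@wingtiptoys.com", "dave@gmail.com", "erin@contoso.com",
]

if __name__ == "__main__":
    for g in (PARTNER, PARTNER_ALL, PERSONAL):
        print(g.name, "->", matching_recipients(g, SAMPLE_RECIPIENTS))
```

The PERSONAL group shows the same mechanism the built-in Free public domains group described below relies on: only recipients at a free email provider are returned.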
How the Free public domains domain group detects exfiltration of business data to personal email domains
The Domains detection group includes a special domain group called Free public domains that consists of a list of free email providers (gmail.com or yahoo.com, for example) that can be used to create a personal email ID. This list is used to automatically highlight exfiltration of business data to personal email domains for the email insight on the User activity and Activity explorer tabs. The insight lists the number of emails sent to free public domains by an in-scope user. The list is also used for the algorithm that identifies email sent to self (sent to the in-scope user's personal email account). The email insight lists the number of emails sent to self.
You can use this built-in domain group like any other domain group to create a variant of a built-in indicator for your policies. This domain group is only applicable to the Sending email with attachments to recipients outside the organization indicator. At this time, you can't edit or delete the Free public domains domain group. Learn more about creating a variant of a built-in indicator.
Create a file paths detection group
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select File paths.
- In the panel to the right, select New file path group.
- In the New file path group pane, add a name for the group (or accept the suggested name) and a description (optional).
- Select Add file paths, select the file paths that you want to exclude from scoring, and then select Add. You can create up to 10 file path detection groups and each group can have up to 200 items.
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
Create a file types detection group
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select File types.
- In the panel to the right, select New file type group.
- In the New file type group pane, add a name for the group (or accept the suggested name) and a description (optional).
- In the Add file type field, enter a file extension, and then press Enter. Continue adding more file extensions the same way. The extensions that you add are listed at the bottom of the pane. You can create up to 10 file types detection groups and each group can have up to 200 items.
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
Create a keywords detection group
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select Keywords.
- In the panel to the right, select New keywords group.
- In the New keywords group pane, add a name for the group (or accept the suggested name) and a description (optional).
- In the Add keywords field, enter a keyword, and then press Enter. Repeat this process for each keyword you want to add. The keywords that you add are listed at the bottom of the pane. You can create up to 10 keywords detection groups and each group can have up to 200 items.
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
Create a sensitive info types detection group
Note
The exclusion list of sensitive info types takes precedence over the priority content list.
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select Sensitive info types.
- In the panel to the right, select New sensitive info type group.
- In the New sensitive info type group pane, add a name for the group (or accept the suggested name) and a description (optional).
- Select Add sensitive info types, select the sensitive info types that you want to exclude from scoring, and then select Add. You can create up to 10 sensitive info type groups and each group can have up to 200 items.
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
Create a SharePoint sites detection group
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select SharePoint sites.
- In the panel to the right, select New SharePoint site group.
- In the New SharePoint site group pane, add a name for the group (or accept the suggested name) and a description (optional).
- Select Add sites, select the SharePoint sites that you want to exclude from scoring, and then select Add. You can create up to 10 SharePoint sites detection groups and each group can have up to 200 items.
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
Create a trainable classifier detection group
- In insider risk management settings, select Detection groups (preview).
- In the panel to the right, under Type, select Trainable classifiers.
- In the panel to the right, select New trainable classifiers group.
- In the New trainable classifiers group pane, add a name for the group (or accept the suggested name) and a description (optional).
- Select Add trainable classifiers, select the trainable classifiers that you want to exclude from scoring, and then select Add. You can create up to 10 trainable classifier detection groups and each group can have up to 200 items.
- Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.