![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 19%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
9,736 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 28.000000000000004%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
In order to troubleshoot your issue, we need to consider a few factors:
- Data sources: For Insider Risk Management to work correctly, you need to have the right data sources in place. These include the Microsoft 365 audit log, Microsoft Defender for Endpoint, and HR connector. Make sure these are correctly set up.
- Policies: You need to have correctly configured Insider Risk Management policies in place. Make sure you have set up these policies properly and they are active.
- Licenses: You need to have the right licenses for the users you are trying to monitor. You mentioned that you have Microsoft Defender for Endpoint Licenses, but you also need Microsoft 365 E5 or Microsoft 365 E5 Compliance for Insider Risk Management.
- Processing time: It takes time for the system to process events and generate alerts. While you have set the reaction time to 1 day, it might take more time for the system to start generating alerts, especially if there are lots of events to process.