Learn about insider risk management forensic evidence

Important

Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.

Organizations set the right policies for themselves, including what risky events are highest priority for capturing forensic evidence and what data is most sensitive. Forensic evidence is off by default, policy creation requires dual authorization and usernames can be masked with pseudonymization (which is on by default for Insider Risk Management). Setting up policies and reviewing security alerts within Insider Risk Management leverages strong role-based access controls (RBAC), ensuring that the designated individuals in the organization are taking the right actions with additional auditing capabilities.

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Having visual context is crucial for security teams during forensic investigations to get better insights into potentially risky security-related user activities. With customizable event triggers and built-in user privacy protection controls, forensic evidence enables customizable visual activity capturing across devices to help your organization better mitigate, understand, and respond to potential data risks like unauthorized data exfiltration of sensitive data. You set the right policies for your organization, including what risky events are the highest priority for capturing forensic evidence, what data is most sensitive, and whether users are notified when forensic capturing is activated. Forensic evidence capturing is off by default and policy creation requires dual authorization.

Tip

Get started with Microsoft Copilot for Security to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Copilot for Security in Microsoft Purview.

Feature capabilities

  • Visual capturing allows organizations to capture clips of key security-related user activities, allowing for more secure or compliant visibility and meeting organizational needs.
  • Include or exclude desktop applications and/or websites to configure a recording policy that focuses on the applications and websites that present the most risk. This preserves storage space and user privacy. For example, exclude personal email and social media accounts.
  • Enhanced phishing protection (preview) allows organizations to capture clips related to Enhanced Phishing Protection in Microsoft Defender SmartScreen. For example, you can capture when a user enters the Microsoft password they used to sign into their Windows 11 device on a phishing site or application connecting to a phishing site. Learn more about Enhanced Phishing Protection in Microsoft Defender SmartScreen
  • Protected user privacy through multiple levels of approval for the activation of the capturing feature.
  • Customizable triggers and capturing options mean that security teams can set up forensic evidence to meet their needs, whether it be based on incidents (for example, Capture 5 min before and 10 min after a user has downloaded 'SecretResearchPlans.docx'), or based on continuous capturing needs.
  • User-centric policy targeting means that security and compliance teams can focus on activity by user, not device, for better contextual insights.
  • Strong role-based access controls (RBAC) mean that the ability to set up and review forensic clips is tightly controlled and only available to individuals in the organization with the right permissions.
  • Deep integration with current insider risk management features, making for easier onboarding and more familiar workflows for insider risk management administrators and a trusted single-platform approach.
  • Trial capacity (up to 20 GB) for captured clips, with quick access to capacity utilization and the ability to purchase additional capacity.

Device and configuration requirements

The following tables include the supported minimum requirements for utilizing insider risk management forensic evidence.

Supported platforms

Operating system SKU Processor
Windows 10 (including Windows 365) Enterprise 64-bit (Intel or AMD)
Windows 11 (including Windows 365) Enterprise 64-bit (Intel or AMD)

Physical devices

Hardware Minimum requirement
RAM Minimum of 8 GB (at least 2 GB should be available for client usage
CPU processor Intel i5 or above and AMD Ryzen 5 or above
Graphics card Compatible with DirectX 11 or later, with a WDDM 1.0 driver or later (currently only integrated graphics cards supported)
Disk space Minimum of 10 GB of disk storage
Display Minimum screen resolution of 1920 x 1080

Hyper-V and virtual machines

Hardware Minimum requirement
RAM Minimum of 16 GB (at least 2 GB should be available for client usage)
CPU processor Minimum of eight vCPU processors or equivalent
Disk space Minimum of 10 GB of disk storage
Display Minimum screen resolution of 1920 x 1080

Important

If the minimum requirements aren't met, users are likely to run into Microsoft Purview client issues and the quality of forensic captures may not be reliable.

Capturing options

Triggering events, global indicators, and policy indicators play an important role in all insider risk management policies, including forensic evidence policies. Triggering events are user actions that determine if users are brought into scope for evaluation in insider risk management policies. Global settings indicators are used to determine what activities are collected by insider risk management. Policy indicators are used to determine a risk score for an in-scope user.

Depending how your organization decides to configure forensic evidence, there are two capturing options:

  • Specific activities: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensic evidence policy and when the conditions for a policy indicator are detected for the user. For example, a user approved for forensic evidence capturing is brought in-scope to the forensic evidence policy and the user copies data to personal cloud storage services or portable storage devices. Capturing is scoped only to the configured time frame when the user is copying the data to the personal cloud storage service or portable storage device. Captures for this option will be available for review on the Forensic evidence tab on the Alerts dashboard.
  • All activities: This policy option captures any activity performed by users. For example, your organization has a time-sensitive need for capturing activities for an approved user that is actively involved in potentially risky activities that may lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy and the potentially risky activity may not be documented. Continuous capturing help prevents the potentially risky activity from being missed or going undetected. Captures for this option will be available for review on the Forensic evidence tab on the User activity reports (preview) dashboard.

Important

Forensic evidence clips are deleted 120 days after they're captured or at the end of the preview period, whichever is sooner. You can download or transfer forensic evidence clips before they're deleted.

Workflow

The overall workflow for detecting, investigating, and remediating alerts that contain clip capturing follows the same basic steps as other insider risk management policies. However, there are some notable differences for forensic evidence when configured in your organization:

  • Users subject to capturing must have explicit capturing requests and approvals: This is an extra process not included as a part of configuring other insider risk management policies. Users assigned to the Insider Risk Management or Insider Risk Management Admins role groups must submit a request to users assigned to the Insider Risk Management Approvers role group before any user in your organization is eligible for any clip capturing options. For example, this requirement helps support organizational scenarios where your insider risk management admins must get explicit approval from your designated legal or human resources personnel before capturing for any user is enabled.
  • Devices must be onboarded and have the Microsoft Purview client installed: Before forensic evidence can collect and store clips captured for eligible users, their devices must be onboarded to the Microsoft Purview compliance portal. Additionally, each device must have the Microsoft Purview Client installed. These prerequisites enable support for both online and offline device capturing.

Ready to get started?