Learn about and configure insider risk management browser signal detection
Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
In Microsoft Purview Insider Risk Management, browser signal detection is used for:
Risky browser usage template
Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in Microsoft Edge and Google Chrome browsers. With these signals, analysts and investigators can quickly act when any of the following risk activities are performed by in-scope policy users when using these browsers:
- Files copied to personal cloud storage
- Files printed to local or network devices
- Files transferred or copied to a network share
- Files copied to USB devices
- Browsing risky websites
- Browsing potentially risky websites
Signals for these events are detected in Microsoft Edge using built-in browser capabilities together with the Microsoft Compliance Extension add-on. In Google Chrome, the Microsoft Compliance Extension alone provides signal detection.
The following table summarizes identified risk activities and extension support for each browser:
| Detected activities | Microsoft Edge | Google Chrome |
|---|---|---|
| Files copied to personal cloud storage | Native | Extension |
| Files printed to local or network devices | Native | Extension |
| Files transferred or copied to a network share | Extension | Extension |
| Files copied to USB devices | Extension | Extension |
| Browsing risky websites | Extension | Extension |
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Forensic evidence
For forensic evidence, all types of browsing activities can be captured; you're not limited to the browsing indicators of the Risky browser usage template. You can specify the desktop apps and websites that you want to include or exclude. To capture browsing activity for forensic evidence, you must install the extensions as described in this topic, and you must also turn on at least one risky browsing indicator in the insider risk settings.
Common requirements
Before installing the Microsoft Edge add-on or Google Chrome extension, ensure that devices for in-scope policy users meet the following requirements:
- Latest Windows 10 x64 build is recommended, minimum Windows 10 x64 build 1809 for signal detection support. Browser signal detection isn't currently supported on non-Windows devices.
- Current Microsoft 365 subscription with insider risk management support.
- Devices must be onboarded to the Microsoft Purview compliance portal.
For specific browser configuration requirements, see the Microsoft Edge and Google Chrome sections later in this article.
Additional requirements
If you're using policies based on the Risky browser usage template, at least one Browsing indicator must be selected in Insider risk management > Settings > Policy indicators.
Configure browser signal detection for Microsoft Edge
Microsoft Edge browser requirements
- Meet the common requirements
- Latest Microsoft Edge x64 (version 91.0.864.41 or higher)
- Latest Microsoft Compliance Extension add-on (1.0.0.44 or higher)
- Edge.exe is not configured as an unallowed browser
Option 1: Basic setup (recommended for testing with Edge)
Use this option to configure each device individually (a single-machine, self-hosted setup) when testing browser signal detection.
For the basic setup option, complete the following steps:
- Navigate to Microsoft Compliance Extension.
- Install the extension.
Option 2: Intune setup for Edge
Use this option to configure the extension and requirements for your organization using Intune.
For the Intune setup option, complete the following steps:
- Sign in to the Microsoft Intune admin center using Administrator permissions.
- Navigate to Configuration Profiles.
- Select Create Profile.
- Choose Windows 10 as the platform.
- Choose Administrative Templates as Profile type and select Create.
- Select the Settings tab.
- Select Edge Version 77 and later.
- Search for Extensions which gives you an overview of all extension-related settings.
- Select the setting Control which extensions are installed silently.
- Select Enabled.
- Add the extension ID when prompted: lcmcgbabdcbngcbcfabdncmoppkajglo
- Select OK.
Option 3: Group Policy setup for Edge
Use this option to configure the extension and requirements organization-wide using Group Policy.
For the Group Policy setup option, complete the following steps:
Step 1: Import the latest Microsoft Edge Administrative Template (.admx) file.
Devices must be manageable using Group Policies and all Microsoft Edge Administrative Templates need to be imported into the Group Policy Central Store. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.
Step 2: Add the Microsoft Compliance Extension add-on to the Force Install list.
Complete the following steps to add the extension:
- In the Group Policy Management Editor, navigate to your Organizational Unit (OU).
- Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Microsoft Edge > Extensions. This path may vary depending on the configuration of your organization.
- Select Configure which extensions are installed silently.
- Right-click and select Edit.
- Check the Enabled radio button.
- Select Show.
- For Value, add the following entry: lcmcgbabdcbngcbcfabdncmoppkajglo;https://edge.microsoft.com/extensionwebstorebase/v1/crx
- Select OK, and then select Apply.
Configure browser signal detection for Google Chrome
Insider risk management browser signal detection support for Google Chrome is enabled through the Microsoft Compliance Extension. This extension also supports Endpoint DLP on Chrome. For more information about Endpoint DLP support, see Get started with the Microsoft Compliance Extension (preview).
Google Chrome browser requirements
- Meet common requirements
- Latest version of Google Chrome x64
- Latest Microsoft Compliance Extension version (2.0.0.183 or higher)
- Chrome.exe is not configured as an unallowed browser
Option 1: Basic setup (recommended for testing with Chrome)
Use this option to configure each device individually (a single-machine, self-hosted setup) when testing browser signal detection.
For the basic setup option, complete the following steps:
Step 1: Enable required Registry keys with PowerShell
Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
Important
These registry keys are required for the extension to function correctly. You must enable them before testing any signals.
Step 2: Install the Microsoft Compliance Extension
- Navigate to Microsoft Compliance Extension.
- Install the extension.
Option 2: Intune setup for Chrome
Use this option to configure the extension and requirements for your organization using Intune.
For the Intune setup option, complete the following steps:
Step 1: Enable required Registry key with Intune
- Create a PowerShell script with the following contents:
Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
- Sign in to the Microsoft Intune admin center.
- Navigate to Devices > Scripts and select Add.
- When prompted, browse to the location of the script you created.
- Select the following settings:
  - Run this script using the logged-on credentials: Yes
  - Enforce script signature check: No
  - Run script in 64-bit PowerShell Host: Yes
- Select the appropriate device groups and apply the policy.
Step 2: Configure Intune Force Install
Before adding the Microsoft DLP Chrome extension to the list of force installed extensions, you must install the Chrome Administrative Template (.admx) file for Intune management. For step-by-step guidance, see Manage Chrome Browser with Microsoft Intune. After installing the Administrative Template file, complete the following steps:
- Sign in to the Microsoft Intune admin center.
- Navigate to Configuration Profiles.
- Select Create Profile.
- Choose Windows 10 as the Platform.
- Choose Custom as the Profile type.
- Select the Settings tab.
- Select Add.
- Enter the following policy information:
  - OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
  - Data type: String
  - Value: <enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000;echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx"/>
- Select Create.
Option 3: Group Policy setup for Chrome
Use this option to configure the extension and requirements organization-wide using Group Policy.
For the Group Policy setup option, complete the following steps:
Step 1: Import the Chrome Administrative Template file
Your devices must be manageable using Group Policy and all Chrome Administrative Templates need to be imported into the Group Policy Central Store. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.
Step 2: Enable required Registry key with PowerShell
Create a PowerShell script with the following contents:
Get-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
- Open the Group Policy Management Console and navigate to your organizational unit (OU).
- Right-click and select Create a GPO in this domain and link it here. When prompted, assign a descriptive name to this Group Policy Object (GPO). For example, DLP Chrome Immediate PowerShell Script.
- After creating the GPO, right-click it and select Edit. This selection opens the Group Policy Object.
- Navigate to Computer configuration > Preferences > Control panel settings > Scheduled tasks.
- Right-click the blank area under Scheduled Tasks and select New > Immediate Task (at least Windows 7).
- Enter a task Name and Description.
- Choose the account that will run the immediate task. For example, NT Authority.
- Select Run with highest privileges.
- Configure the policy for Windows 10.
- On the Actions tab, choose Start a program.
- Enter the path to the PowerShell script you created above.
- Select Apply.
Step 3: Add the Chrome extension to the Force Install list
- In the Group Policy Management Editor, navigate to your organizational unit (OU).
- Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Google > Google Chrome > Extensions. This path may vary depending on the configuration for your organization.
- Select Configure the list of force installed extensions.
- Right-click and select Edit.
- Select the Enabled radio button.
- Select Show.
- For Value, add the following entry: echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx
- Select OK, and then select Apply.
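As an added verification example (not part of the Microsoft documentation), the following PowerShell script checks whether a device meets the Edge and Chrome requirements described above: Windows x64 build 1809 or later, the minimum Edge version, the force-installed extension IDs, and the DlpDisableBrowserCache registry value. The ExtensionInstallForcelist paths are the standard Edge and Chrome Group Policy registry locations; the msedge.exe path assumes a default 64-bit Edge install.

```powershell
# Added example: verify browser signal detection prerequisites on a Windows device.
$EdgeExtId   = 'lcmcgbabdcbngcbcfabdncmoppkajglo'   # Edge extension ID from this article
$ChromeExtId = 'echcggldkblhodogklpincgchnpgcdco'   # Chrome extension ID from this article
$MinEdge     = [version]'91.0.864.41'
$MinBuild    = 17763                                 # Windows 10 build 1809

function Test-ForceInstallList {
    param([string]$PolicyPath, [string]$ExtensionId)
    # ExtensionInstallForcelist stores one REG_SZ per entry, named "1", "2", ...,
    # each formatted as "<extension id>;<update url>".
    if (-not (Test-Path $PolicyPath)) { return $false }
    $entries = (Get-ItemProperty $PolicyPath).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($entries | Where-Object { $_ -like "$ExtensionId;*" })
}

$results = [ordered]@{}
$results['Windows x64']   = [Environment]::Is64BitOperatingSystem
$results['Build >= 1809'] = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber -ge $MinBuild

# Assumption: default 64-bit Edge install location.
$edgeExe = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
$results['Edge >= 91.0.864.41'] = (Test-Path $edgeExe) -and
    ([version](Get-Item $edgeExe).VersionInfo.ProductVersion -ge $MinEdge)

# Standard Group Policy registry locations for the force-install lists.
$results['Edge extension forced']   = Test-ForceInstallList `
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist' $EdgeExtId
$results['Chrome extension forced'] = Test-ForceInstallList `
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist' $ChromeExtId

# Registry value required by the Chrome setup steps in this article.
$dlpKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration'
$dlpVal = (Get-ItemProperty -Path $dlpKey -Name DlpDisableBrowserCache `
    -ErrorAction SilentlyContinue).DlpDisableBrowserCache
$results['DlpDisableBrowserCache = 0'] = ($dlpVal -eq 0)

$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Run it in an elevated PowerShell session on a test device after applying the Intune or Group Policy configuration; any line reporting MISSING points to the requirement that still needs attention.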
Test and verify insider risk management browser signal detections
Create an insider risk management policy with device indicators enabled.
To test signal detection for files copied to personal cloud storage, complete the following steps from a supported Windows device:
- Open a file sharing website (Microsoft OneDrive, Google Drive, etc.) with the browser type that you've configured for signal detection.
- With the browser, upload a non-executable file to the website.
To test signal detection for files printed to local or network devices, files transferred or copied to a network share, and files copied to USB devices, complete the following steps from a supported Windows device:
- Open a non-executable file directly in the browser. The file must be opened directly through File Explorer or opened in a new browser tab for viewing rather than a webpage.
- Print the file.
- Save the file to a USB device.
- Save the file to a network drive.
After your first insider risk management policy is created, you'll start to receive alerts from activity indicators after about 24 hours. Check the Alerts dashboard for insider risk management alerts for the tested activities.