Get started with insider risk management forensic evidence

Important

Forensic evidence is an opt-in add-on feature in Insider Risk Management that gives security teams visual insights into potential insider data security incidents, with user privacy built in. Forensic evidence includes customizable event triggers and built-in user privacy protection controls, enabling security teams to better investigate, understand and respond to potential insider data risks like unauthorized data exfiltration of sensitive data.

Organizations set the right policies for themselves, including what risky events are highest priority for capturing forensic evidence and what data is most sensitive. Forensic evidence is off by default, policy creation requires dual authorization and usernames can be masked with pseudonymization (which is on by default for Insider Risk Management). Setting up policies and reviewing security alerts within Insider Risk Management leverages strong role-based access controls (RBAC), ensuring that the designated individuals in the organization are taking the right actions with additional auditing capabilities.

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Configure forensic evidence

Configuring forensic evidence in your organization is similar to configuring other policies from insider risk management policy templates. In general, you'll follow the same basic configuration steps to set up forensic evidence, but there are a few areas that need feature-specific configuration actions before you get started with the basic configuration steps.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Step 1: Confirm your subscription and configure data storage access

Before you get started with forensic evidence, you should confirm your insider risk management subscription and any add-ons.

Additionally, you need to add the following domains to your firewall and proxy server allowlist to support forensic evidence capture storage for your organization:

Worldwide - Domain

- compliancedrive.microsoft.com
- *.events.data.microsoft.com
- officeclient.microsoft.com
- odc.officeapps.live.com
- hrd.svc.cloud.microsoft

GCC/GCC High - Domain

- *.compliancedrive.microsoft.us
- tb.events.data.microsoft.com
- officeclient.microsoft.com
- odc.officeapps.live.com
- hrd.svc.cloud.microsoft

DOD - Domain

- dod.compliancedrive.apps.mil
- pf.events.data.microsoft.com
- officeclient.microsoft.com
- odc.officeapps.live.com
- hrd.svc.cloud.microsoft

For more information on these endpoints, see Microsoft 365 endpoints.

Note

Captures and capture data are stored at these domains and are assigned only to your organization. No other Microsoft 365 organization has access to forensic evidence captures for your organization.

Forensic evidence data is stored in one region where your Exchange Online Protection (EOP) or exchange region is set.

Step 2: Configure supported devices

User devices eligible for forensic evidence capturing must be onboarded to the Microsoft Purview compliance portal and must have the Microsoft Purview Client installed.

Important

The Microsoft Purview Client automatically collects general diagnostic data related to device configuration and performance metrics. This includes data on critical errors, RAM consumption, process failures, and other data. This data helps us assess the client's health and identify any issues. For more details about how diagnostic data may be used, see the Use of Software with Online Services on the Microsoft Product Terms.

For a list of device and configuration requirements, see Learn about forensic evidence. To onboard supported devices, complete the steps outlined in the Onboard Windows 10 and Windows 11 devices into Microsoft 365 overview article.

Install the Microsoft Purview client

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Select Forensic Evidence in the left navigation, and then select Client installation.

4. Select Download installer package (x64 version) to download the installation package for Windows.

5. After downloading the installation package, use your preferred method to install the client on users' devices. These options may include manually installing the client on devices or tools to help automate the client installation:

   • Microsoft Intune: Microsoft Intune is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing.
   • Third-party device management solutions: If your organization is using third-party device management solutions, see the documentation for these tools to install the client.

Compliance portal

1. Sign in to the Compliance portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Go to Forensic evidence > Client installation.

4. Select Download installer package (x64 version) to download the installation package for Windows.

5. After downloading the installation package, use your preferred method to install the client on users' devices. These options may include manually installing the client on devices or tools to help automate the client installation:

   • Microsoft Intune: Microsoft Intune is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing.
   • Third-party device management solutions: If your organization is using third-party device management solutions, see the documentation for these tools to install the client.

Step 3: Configure settings

Forensic evidence has several configuration settings that provide flexibility for the types of security-related user activity captured, capturing parameters, bandwidth limits, and offline capturing options. Forensic evidence capturing enables you to create policies based on your requirements in just a few steps and adding users to a policy requires dual authorization.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Select Forensic evidence in the left navigation, and then select Forensic evidence settings.

4. Select Forensic evidence capturing to enable capturing support in your forensic evidence policies. If this is turned off later, this will remove all previously added users for forensic evidence policies.

   Important

   The Microsoft Purview Client used to capture activity on users' devices is licensed under the Use of Software with the Online Services on the Microsoft Product Terms. Note that customers are solely responsible for using the insider risk management solution, including the Microsoft Purview Client, in compliance with all applicable laws.

5. In the Capturing window section, define when to start and stop activity capturing. Available values are 10 seconds, 30 seconds, 1 minute, 3 minutes, or 5 minutes.

6. In the Upload bandwidth limit section, define the amount of capture data to upload into your data storage account per user, per day. Available values are 100 MB, 250 MB, 500 MB, 1 GB, or 2 GB.

7. In the Offline capturing cache limit section, define the maximum cache size to store on users' devices when offline capturing is enabled. Available values are 100 MB, 250 MB, 500 MB, 1 GB, or 2 GB.

8. Select Save.

Compliance portal

1. Sign in to the Microsoft Purview compliance portal using credentials for an admin account in your Microsoft 365 organization..

2. Go to the Insider Risk Management solution.

3. Go to Forensic evidence > Forensic evidence settings.

4. Select Forensic evidence capturing to enable capturing support in your forensic evidence policies. If this is turned off later, this will remove all previously added users for forensic evidence policies.

   Important

   The Microsoft Purview Client used to capture activity on users' devices is licensed under the Use of Software with the Online Services on the Microsoft Product Terms. Note that customers are solely responsible for using the insider risk management solution, including the Microsoft Purview Client, in compliance with all applicable laws.

5. In the Capturing window section, define when to start and stop activity capturing. Available values are 10 seconds, 30 seconds, 1 minute, 3 minutes, or 5 minutes.

6. In the Upload bandwidth limit section, define the amount of capture data to upload into your data storage account per user, per day. Available values are 100 MB, 250 MB, 500 MB, 1 GB, or 2 GB.

7. In the Offline capturing cache limit section, define the maximum cache size to store on users' devices when offline capturing is enabled. Available values are 100 MB, 250 MB, 500 MB, 1 GB, or 2 GB.

8. Select Save.

Step 4: Create a policy

Forensic evidence policies define the scope of security-related user activity to capture for configured devices. There are two options for capturing forensic evidence:

• Capture only specific activities (such as printing or exfiltrating files). With this option, you can choose the device activities that you want to capture and only the selected activities will be captured by the policy. You can also choose to capture activity for specific desktop apps and/or websites. This way you can focus on just the activities, apps, and websites that present risk.
• Capture all activities that approved users perform on their devices. This option is typically used for a specific period of time, for example, when a particular user is potentially involved in risky activity that may lead to a security incident. All forensic evidence indicators are automatically included if you select this option, including device indicators and Enhanced Phishing Protection indicators. To preserve capacity and user privacy, you can choose to exclude specific desktop apps and/or websites from the capture as described below.

After you create a policy, you'll include it in forensic evidence requests to control what activity to capture for users whose requests are approved.

Note

Continuous forensic policies (capturing all activities) take precedence over selective forensic evidence policies (capturing only specific activities).

Capture only specific activities

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Select Forensic evidence in the left navigation, and then select Forensic evidence policies.

4. Select Create forensic evidence policy.

5. On the Scope page, select Specific activities. This option only captures activities detected by policies that users are included in. These activities are defined by the indicators selected in forensic evidence policies. Captures for this option will be available for review on the Forensic evidence (preview) tab on the Alerts or Cases dashboard.

6. Select Next.

7. On the Name and description page, complete the following fields:

   • Name (required): Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
   • Description (optional): Enter a description for the forensic evidence policy.

8. Select Next.

9. On the Choose device activities to capture page:

   1. Select any device activities that you want to capture. Only the selected activities will be captured by the policy.

      Note

      If the indicators aren't selectable, you'll be prompted to turn them on.

   2. You can also choose to capture activity for particular desktop apps and/or websites in your policy by selecting the Opening a specific app or website check box under App and web browsing activities to capture.

   Important

   If you want to capture browsing activities (to include or exclude specific URLs in your forensic evidence policies), make sure to install the necessary browser extensions. You also need to turn on at least one browsing indicator. If you haven't already turned on one or more browsing indicators, you'll be prompted to do so if you choose to include or exclude desktop apps or websites. The triggering event for capturing browsing activities is a URL update in the URL bar that contains the specified URL.

   3. Select Next.

10. (Optional) If you chose to capture activity for particular desktop apps and websites, in the Add apps and websites you want to capture activity for page:

    1. To add a desktop app, select Add desktop apps, enter the name of an executable file (for example, teams.exe), and then select Add. Repeat this process for each desktop app that you want to add (up to 25 apps). To find the name of an executable file for the app, open the Task Manager, and then view the properties for the app. Here's a list of exe names for some of the common applications: Microsoft Edge (msedge.exe), Microsoft Excel (Excel.exe), the Snipping tool (SnippingTool.exe), Microsoft Teams (Teams.exe), Microsoft Word (WinWord.exe), and Microsoft Remote Desktop Connection (mstsc.exe).

    Note

    Sometimes, the exe names for an app might differ based on the device and the permissions with which the app was opened. For example, on a Windows 11 enterprise device, when Windows PowerShell is opened without administrator permissions, the exe name is WindowsTerminal.exe but when opened with administrator permissions, the exe name changes to powershell.exe. Make sure to include/exclude both exe names in such scenarios.

    2. To add a web app or website, select Add web apps and websites, enter a URL (for example, https://teams.microsoft.com), and then select Add. Repeat this process for each web app or website that you want to add. You can add up to 25 URLs with a character length of 100 for each URL.

    Tip

    If an app has a desktop and web version, be sure to add both the desktop executable and the web URL to make sure you capture activity for both.

    3. Select Next.

11. On the Review settings and finish page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Edit any of the policy values or select Submit to create and activate the policy.

12. After you've completed the policy configuration steps, continue to Step 5.

Compliance portal

1. Sign in to the Compliance portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Go to Forensic evidence > Forensic evidence policies.

4. Select Create forensic evidence policy.

5. On the Scope page, select Specific activities. This option only captures activities detected by policies that users are included in. These activities are defined by the indicators selected in forensic evidence policies. Captures for this option will be available for review on the Forensic evidence (preview) tab on the Alerts or Cases dashboard.

6. Select Next.

7. On the Name and description page, complete the following fields:

   • Name (required): Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
   • Description (optional): Enter a description for the forensic evidence policy.

8. Select Next.

9. On the Choose device activities to capture page:

   1. Select any device activities that you want to capture. Only the selected activities will be captured by the policy.

      Note

      If the indicators aren't selectable, you'll be prompted to turn them on.

   2. Select any activities under Enhanced Phishing Protection activities to capture (preview) that you want to capture. For example, you can capture when a user enters the Microsoft password they used to sign into their Windows 11 device on a phishing site or application connecting to a phishing site. Learn more about Enhanced Phishing Protection in Microsoft Defender SmartScreen.
   3. You can also choose to capture activity for particular desktop apps and/or websites in your policy by selecting the Opening a specific app or website check box under App and web browsing activities to capture.

   Important

   If you want to capture browsing activities (to include or exclude specific URLs in your forensic evidence policies), make sure to install the necessary browser extensions. You also need to turn on at least one browsing indicator. If you haven't already turned on one or more browsing indicators, you'll be prompted to do so if you choose to include or exclude desktop apps or websites. The triggering event for capturing browsing activities is a URL update in the URL bar that contains the specified URL.

   4. Select Next.

10. (Optional) If you chose to capture activity for particular desktop apps and websites, in the Add apps and websites you want to capture activity for page:

    1. To add a desktop app, select Add desktop apps, enter the name of an executable file (for example, teams.exe), and then select Add. Repeat this process for each desktop app that you want to add (up to 25 apps). To find the name of an executable file for the app, open the Task Manager, and then view the properties for the app. Here's a list of exe names for some of the common applications: Microsoft Edge (msedge.exe), Microsoft Excel (Excel.exe), the Snipping tool (SnippingTool.exe), Microsoft Teams (Teams.exe), Microsoft Word (WinWord.exe), and Microsoft Remote Desktop Connection (mstsc.exe).

    Note

    Sometimes, the exe names for an app might differ based on the device and the permissions with which the app was opened. For example, on a Windows 11 enterprise device, when Windows PowerShell is opened without administrator permissions, the exe name is WindowsTerminal.exe but when opened with administrator permissions, the exe name changes to powershell.exe. Make sure to include/exclude both exe names in such scenarios.

    2. To add a web app or website, select Add web apps and websites, enter a URL (for example, https://teams.microsoft.com), and then select Add. Repeat this process for each web app or website that you want to add. You can add up to 25 URLs with a character length of 100 for each URL.

    Tip

    If an app has a desktop and web version, be sure to add both the desktop executable and the web URL to make sure you capture activity for both.

    3. Select Next.

11. On the Review settings and finish page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Edit any of the policy values or select Submit to create and activate the policy.

12. After you've completed the policy configuration steps, continue to Step 5.

Capture all activities

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Select Forensic evidence in the left navigation, and then select Forensic evidence policies.

4. Select Create forensic evidence policy.

5. On the Scope page, select All activities. This option captures any activity performed by users. Captures for this option will be available for review on the Forensic evidence (preview) tab on the User activity reports (preview) dashboard.

6. Select Next.

7. On the Name and description page, complete the following fields:

   • Name (required): Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
   • Description (optional): Enter a description for the forensic evidence policy.

8. Select Next.

9. On the Choose device activities to capture page, if you want to exclude certain desktop apps and/or web apps or websites from the capture, under App and web browsing activities to capture, select the Exclude specific apps or websites check box.

10. Select Next.

11. If you chose to exclude particular desktop apps and websites from the capture, in the Exclude applications/URLs page:

    • To exclude a desktop app from the capture, select Exclude desktop apps, enter the name of an executable file (for example, teams.exe), and then select Add. Repeat this process for each desktop app that you want to exclude (up to 25 apps). To find the name of an executable file for an app, open the Task Manager, and then view the properties for the app.
    • To exclude a web app or website, select Exclude web apps and websites, enter a URL (for example, https://teams.microsoft.com), and then select Add. Repeat this process for each web app or website that you want to exclude. You can exclude up to 25 URLs with a character length of 100 for each URL.

    Tip

    If an app has a desktop and web version, be sure to add both the desktop executable and the web URL to make sure you exclude both.

12. On the Review settings and finish page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Edit any of the policy values or select Submit to create and activate the policy.

13. After you've completed the policy configuration steps, continue to Step 5.

Compliance portal

1. Sign in to the Compliance portal using credentials for an admin account in your Microsoft 365 organization.

2. Go to the Insider Risk Management solution.

3. Go to Forensic evidence (preview) > Forensic evidence policies.

4. Select Create forensic evidence policy.

5. On the Scope page, select All activities. This option captures any activity performed by users. Captures for this option will be available for review on the Forensic evidence (preview) tab on the User activity reports (preview) dashboard.

6. Select Next.

7. On the Name and description page, complete the following fields:

   • Name (required): Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
   • Description (optional): Enter a description for the forensic evidence policy.

8. Select Next.

9. On the Choose device activities to capture page, if you want to exclude certain desktop apps and/or web apps or websites from the capture, under App and web browsing activities to capture, select the Exclude specific apps or websites check box.

10. Select Next.

11. If you chose to exclude particular desktop apps and websites from the capture, in the Exclude applications/URLs page:

    • To exclude a desktop app from the capture, select Exclude desktop apps, enter the name of an executable file (for example, teams.exe), and then select Add. Repeat this process for each desktop app that you want to exclude (up to 25 apps). To find the name of an executable file for an app, open the Task Manager, and then view the properties for the app.
    • To exclude a web app or website, select Exclude web apps and websites, enter a URL (for example, https://teams.microsoft.com), and then select Add. Repeat this process for each web app or website that you want to exclude. You can exclude up to 25 URLs with a character length of 100 for each URL.

    Tip

    If an app has a desktop and web version, be sure to add both the desktop executable and the web URL to make sure you exclude both.

12. On the Review settings and finish page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Edit any of the policy values or select Submit to create and activate the policy.

13. After you've completed the policy configuration steps, continue to Step 5.

Step 5: Define and approve users for capturing

Before security-related user activities can be captured, admins must follow the dual authorization process in forensic evidence. This process mandates that enabling visual capturing for specific users is both defined and approved by applicable people in your organization.

You must request that forensic evidence capturing is enabled for specific users. When a request is submitted, approvers in your organization are notified in email and can approve or reject the request. If approved, the user will appear on the Approved users tab and will be eligible for capturing. See these links for more information:

• Request approval for forensic evidence capturing.
• Approve (or reject) requests for forensic evidence capturing.

Next steps

After you've configured your forensic evidence policy, it may take up to two hours for policy enforcement, given that the forensic evidence clients (installed at the endpoint devices) are online. When a clip is captured by the client, it may take up to one hour before the clip is available to review. For more information about managing forensic evidence and reviewing clip captures, see the Manage information risk management forensic evidence article.