Best practices for managing the volume of alerts in communication compliance
After configuring Microsoft Purview Communication Compliance, you may want to make adjustments to manage the volume of alerts that you receive. Use the list of best practices in this article to help you create policies that cover as many users as possible while reducing the number of non-actionable alerts.
Understand keyword list volumes
Many customers use custom keyword lists for compliance scenarios. Understanding the volume of policy matches for each keyword can help you tune your policies. Use the Sensitive information type per location report to analyze keyword lists to see which keywords trigger most matches. You can then investigate further to see if those keywords have high false-positive rates. You can also use the Message details reports to get data on keyword matches for a specific policy.
Use the data classification dashboard
It’s important to understand the volume of items classified by trainable classifiers and sensitive information types. You can use the Content explorer in the data classification dashboard to help you understand the volume that you can expect for your organization.
When you first start using trainable classifiers, you might not get enough matches, or you might get too many matches. The following table shows the volume level to expect for different types of trainable classifiers.
| Trainable classifier | Volume |
|---|---|
| Discrimination | Low |
| Targeted harassment | Low |
| Threat | Low |
| Adult images | Low |
| Customer complaints | Medium |
| Profanity | Medium |
| Racy images | Medium |
| Gory images | Medium |
| Gifts & entertainment | Medium |
| Money laundering | Medium |
| Regulatory collusion | Medium |
| Stock manipulation | Medium |
| Unauthorized disclosure | High |
Consider using the Adult images classifier instead of the Racy images classifier since the Adult images classifier detects a more explicit image. You can use the Content explorer page to help you understand the volume that you can expect for your organization for each of the trainable classifiers.
Filter email blasts
You can filter out email messages that are generic and intended for mass communication. For example, filter out spam, newsletters, and so on. Learn about the Email blast senders report
Filter out email signatures/disclaimers
Sensitive information types can be triggered from footers in emails, such as disclaimers. If many of your non-actionable alerts come from a specific set of sentences or phrases in an email signature or disclaimer, you can filter out the email signature or disclaimer.
Use sentiment evaluation
Messages in alerts include sentiment evaluation to help you quickly prioritize potentially riskier messages to address first. Using sentiment evaluation won't reduce your detection volumes but will make it easier to prioritize detections. Messages are flagged as Positive, Negative, or Neutral sentiment. For some organizations, messages with Positive sentiment may be determined to be a lower priority, allowing you to spend more time on other message alerts.
Report messages as misclassified
Reporting false positives as misclassified will help to improve Microsoft’s models and reduce the number of false positives that you see in the future.
Filter out specific senders by using a condition
If you have senders that consistently trigger detections (for example, through newsletters, automated mails, and so on), you can filter out these particular senders using the following conditional setting: Message is not received from any of these domains.
Use communication direction to target a particular set of users
If you’re detecting standards of business conduct scenarios and only care about communications from your employees (not from external users), consider using a policy that detects only outbound communications. If you make the entire organization in scope, you can ensure that all of the users in your organization are covered but exclude users from outside your organization.
Combine trainable classifiers
Consider combining two or more trainable classifiers together. For example, combine the Threat and Profanity classifiers or the Targeted harassment and Profanity classifiers to raise the threshold for messages captured.
Lower the percentage of reviewed communications
If you just want to sample a subset of all the messages that trigger alerts, specify a percentage of communications to review.