Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Investigating potentially risky user activities is an important first step in minimizing insider risks for your organization. These risks may be activities that generate alerts from insider risk management policies. They can also be risks from compliance-related activities that are detected by policies, but don't immediately create insider risk management alerts for users. You can investigate these types of activities by using the User activity reports (preview) or with the Alert dashboard.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
User activity reports allow you to examine potentially risky activities (for specific users and for a defined time period) without having to assign these activities, temporarily or explicitly, to an insider risk management policy. To create and view user activity reports, go to Insider Risk Management > Reports > User activity reports.
Insider risk management alerts are automatically generated by risk indicators that are defined in insider risk management policies. These alerts give compliance analysts and investigators an all-up view of the current risk status and allow your organization to triage and take actions for discovered potential risks. By default, policies generate a certain amount of low, medium, and high severity alerts, but you can increase or decrease the alert volume to suit your needs. Additionally, you can configure the alert threshold for policy indicators when creating a new policy with the policy creation tool.
Note
For any alerts that are generated, insider risk management generates a single aggregated alert per user. Any new insights for that user are added to the same alert.
Check out the Insider Risk Management Alerts Triage Experience video for an overview of how alerts provide details, context, and related content for risky activity and how to make your investigation process more effective.
Important
If your policies are scoped by one or more administrative units, you can only see alerts for the users you're scoped for. For example, if an administrative scope applies to just users in Germany, you can only see alerts for users in Germany. Unrestricted administrators can see all alerts for all users in the organization.
Restricted administrators can't access alerts for the users assigned to them through security groups or distribution groups added in administrative units. Such user alerts are visible only to unrestricted administrators. Microsoft recommends adding users directly to administrative units to ensure their alerts are also visible to restricted administrators with administrative units assigned.
The following graphic shows how alerts are generated in insider risk management.
Depending on the number and type of active insider risk management policies in your organization, reviewing a large queue of alerts can be challenging. To help you keep track of alerts, you can:
Select Add filter.
Select one or more of the following attributes:
| Attribute | Description |
|---|---|
| Activity that generated the alert | Displays the top potentially risky activity and policy match during the activity evaluation period that led to the alert being generated. This value can be updated over time. |
| Alert dismissal reason | The reason for dismissing the alert. |
| Assigned to | The admin that the alert is assigned to for triaging (if assigned). |
| Policy | The name of the policy. |
| Risk factors | The risk factors that help determine how risky a user's activity might be. The possible values are Cumulative exfiltration activities, Activities include priority content, Sequence activities, Activities include unallowed domains, Member of a priority user group, and Potential high impact user. |
| Severity | The user's risk severity level. The options are High, Medium, and Low. |
| Status | Status of the alert. The options are Confirmed, Dismissed, Needs review, and Resolved. |
| Time detected (UTC) | The start and end dates for when the alert was created. The filter searches for alerts between UTC 00:00 on the start date and UTC 00:00 on the end date. |
| Triggering event | The event that brought the user into scope of the policy. The triggering event can change over time. |
The attributes that you select are added to the filter bar.
Select an attribute in the filter bar, and then select a value to filter by. For example, select the Time detected (UTC) attribute, enter or select the dates in the Start date and End date fields, and then select Apply.
Tip
If you want to start over at any point, select Reset all on the filter bar.
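The Time detected (UTC) filter is bounded at UTC midnight on both dates, so an alert created exactly at 00:00 UTC on the end date falls outside the window. The following is an added example (not code from the Microsoft Learn page or the Purview product) that models those bounds over constructed alert records; the `Alert` class and `filter_time_detected` function are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import List, Tuple


@dataclass
class Alert:
    """Minimal stand-in for an alert row (hypothetical, constructed for this example)."""
    alert_id: str
    user: str
    detected: datetime  # must be timezone-aware


def time_detected_window(start: date, end: date) -> Tuple[datetime, datetime]:
    """Bounds as the page states them: UTC 00:00 on the start date (inclusive)
    up to UTC 00:00 on the end date (exclusive)."""
    if end < start:
        raise ValueError("end date must not precede start date")
    lo = datetime(start.year, start.month, start.day, tzinfo=timezone.utc)
    hi = datetime(end.year, end.month, end.day, tzinfo=timezone.utc)
    return lo, hi


def filter_time_detected(alerts: List[Alert], start: date, end: date) -> List[Alert]:
    """Keep alerts whose detection time lies in [start 00:00 UTC, end 00:00 UTC).
    Naive timestamps are rejected rather than silently assumed to be UTC."""
    lo, hi = time_detected_window(start, end)
    kept = []
    for a in alerts:
        if a.detected.tzinfo is None:
            raise ValueError(f"{a.alert_id}: timestamp has no timezone")
        t = a.detected.astimezone(timezone.utc)  # normalize before comparing
        if lo <= t < hi:
            kept.append(a)
    return kept


# Constructed sample alerts; the third is expressed in UTC+2 to show normalization.
SAMPLE = [
    Alert("a1", "user1@example.com", datetime(2024, 3, 10, 23, 59, 59, tzinfo=timezone.utc)),
    Alert("a2", "user2@example.com", datetime(2024, 3, 11, 0, 0, 0, tzinfo=timezone.utc)),
    Alert("a3", "user3@example.com", datetime(2024, 3, 11, 1, 30, tzinfo=timezone(timedelta(hours=2)))),
]


def sample_ids(start: date, end: date) -> List[str]:
    return [a.alert_id for a in filter_time_detected(SAMPLE, start, end)]
```

Note that selecting the same start and end date yields an empty window, because the end bound is exclusive.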
After applying the filters as described in the preceding procedure, select Save, enter a name for the filter set, and then select Save.
The filter set is added as a card. It includes a number that shows the count of alerts that meet the criteria in the filter set.
Note
You can save up to five filter sets. If you need to delete a filter set, select the ellipsis (three dots) in the upper-right corner of the card, and then select Delete.
To reapply a saved filter set, simply select the card for the filter set.
On the right side of the page, select Customize columns.
Select or clear the checkbox(es) for the columns you want to display or hide.
The column settings are saved across sessions and across browsers.
Use the Search control to search for a user principal name (UPN), an assigned admin name, or an Alert ID.
Navigate to Insider Risk Management > Reports > Alerts to view reports for generated alerts, alerts by region, alerts by triggering event, and more.
Investigating and acting on alerts in insider risk management includes the following steps:
Each of these steps is described in more detail in this section.
Select the appropriate tab for the portal you're using. Depending on your Microsoft 365 plan, the Microsoft Purview compliance portal is retired or will be retired soon.
To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
You can select Summarize with Copilot or the Copilot icon to quickly summarize an alert and to prioritize the alerts that need further investigation. You can summarize selected alerts without opening the alert or after viewing the details of the alert. When you summarize an alert with Microsoft Copilot in Microsoft Purview, a Copilot pane appears on the right side of the screen with an alert summary.
The alert summary includes all the essential details about the alert, such as the policy that was triggered, the activity that generated the alert, the triggering event, the user involved, their last working date (if applicable), any key user attributes, and the user's top risk factors. Copilot in Microsoft Purview consolidates information about the user from all their alerts and in-scope policies and emphasizes the user's top risk factors.
Suggested prompts are automatically listed to help further refine your summary and to help provide additional insights to the activities associated with the alert. Choose from the following suggested prompts:
Tip
You can also use the standalone version of Microsoft Security Copilot to investigate insider risk management, Microsoft Purview data loss prevention (DLP), and Microsoft Defender XDR alerts.
You can triage alerts by going to the Alert details page.
This section in the Alert details page contains general information about the user and alert. This information is available for context while reviewing detailed information about the detected risk management activity included in the alert for the user:
Note
When a user is detected as a potential high impact user, this information is highlighted in the alert header in the User details page. The user details also include a summary with the reasons the user has been detected as such. To learn more about setting policy indicators for potential high impact users, see Insider risk management settings.
Alerts generated from policies scoped to only activities that include priority content include the Only activity with priority content was scored for this alert notification in this section.
Tip
To get a quick overview of an alert, select Summarize on the alert details page. When you select Summarize, a Copilot pane appears on the right side of the page with an alert summary. The alert summary includes all the essential details about the alert, such as the policy that was triggered, the activity that generated the alert, the triggering event, the user involved, their last working date (if applicable), any key user attributes, and the user's top risk factors. Copilot in Microsoft Purview consolidates information about the user from all their alerts and in-scope policies and emphasizes the user's top risk factors. You can also summarize the alert from the Alerts queue without having to open the alert by using Copilot. Or use the standalone version of Microsoft Security Copilot to investigate insider risk management, Microsoft Purview data loss prevention (DLP), and Microsoft Defender XDR alerts.
This tab in the Alert details page opens the summary of risk factors for the user's alert activity. Risk factors can help you determine how risky this user's risk management activity is during your review. The risk factors include summaries for:
With these filters, you only see alerts with these risk factors, but the activity that generated an alert might not fall into any of these categories. For example, an alert containing sequence activities might have been generated simply because the user copied a file to a USB device.
This section on the All risk factors tab includes content associated with the risk activities for the alert and summarizes activity events by key areas. Selecting an activity link opens the Activity explorer and displays more details about the activity.
The User activity tab is one of the most powerful tools for internal risk analysis and investigation for alerts and cases in the insider risk management solution. This tab is structured to enable quick review of all activities for a user, including a historical timeline of all alerts, alert details, the current risk score for the user, and the sequence of risk events.
Case actions: Options for resolving the case are on the case action toolbar. When viewing in a case, you can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.
Risk activity chronology: The full chronology of all risk alerts associated with the case are listed, including all the details available in the corresponding alert bubble.
Filters and sorting (preview):
Time filters: By default, the last three months of potentially risky activities are displayed in the User activity chart. You can easily filter the chart view by selecting the 6 Months, 3 Months, or 1 Month tabs on the bubble chart.
Risk sequence: The chronological order of potentially risky activities is an important aspect of risk investigation and identifying these related activities is an important part of evaluating overall risk for your organization. Alert activities that are related are displayed with connecting lines to highlight that these activities are associated with a larger risk area. Sequences are also identified in this view by an icon positioned over the sequence activities relative to the risk score for the sequence. Hover over the icon to see the date and time of the risky activity associated with this sequence. This view of activities can help investigators literally 'connect the dots' for risk activities that could have been viewed as isolated or one-off events. Select the icon or any bubble in the sequence to display details for all the associated risk activities. Details include:
Risk alert activity and details: Potentially risky activities are visually displayed as colored bubbles in the User activity chart. Bubbles are created for different categories of risk. Select a bubble to display the details for each potentially risky activity. Details include:
Cumulative exfiltration activities: Select to view a visual chart of how activity is building over time for the user.
Risk activity legend: Across the bottom of the user activity chart, a color-coded legend helps you quickly determine risk category for each alert.
Note
Activity explorer is available in the alert management area for users with triggering events after this feature is available in your organization.
The Activity explorer provides risk investigators and analysts with a comprehensive analytics tool that provides detailed information about alerts. With the Activity explorer, reviewers can quickly review a timeline of detected potentially risky activity and identify and filter all risk activities associated with alerts.
When reviewing activities in the Activity explorer, investigators and analysts can select a specific activity and open the activity details pane. The pane displays detailed information about the activity that investigators and analysts can use during the alert triage process. Detailed information may provide context for the alert and assist with identifying the full scope of the risk activity that triggered the alert.
When selecting an activity's events from the activity timeline, the number of activities displayed in the explorer might not match the number of activity events listed in the timeline. Examples of why this difference may occur:
A sequence might contain one or more events that are excluded from risk scoring based on your settings configuration. For example, your organization might use the Global exclusions setting to exclude .png files from risk scoring since .png files aren't normally risky. But a .png file could be used to obfuscate a malicious activity. For this reason, if an event that's excluded from risk scoring is part of a sequence due to an obfuscation activity, the event is included in the sequence since it may be interesting in the context of the sequence.
The Activity explorer displays the following information for excluded events in sequences:
To filter alerts in the Activity explorer for column information, select Filters. You can filter alerts by one or more attributes listed in the details pane for the alert. Activity explorer also supports customizable columns to help investigators and analysts focus the dashboard on the information most important to them.
Use the Activity scope, Risk factor, and Review status filters to display and sort activities and insights for the following areas.
Activity scope: Filters all scored activities for the user.
Risk factor: Filters for risk factor activity applicable to all policies that assign risk scores. This includes all activity for all policies for in-scope users.
Review status: Filters activity review status.
If you create a filter and customize columns for the filter, you can save a view of your changes so that you or others can quickly filter for the same changes again later. When you save a view, you save both the filters and columns. When you load the view, it loads both saved filters and columns.
Tip
If you want to start over at any point, select Reset. To change columns that you've customized, select Reset columns.
Note
The maximum length for a view name is 40 characters and you can't use any special characters.
When you select a view this way, it resets all the existing filters and replaces them with the view that you selected.
Note
Insider risk management uses built-in alert throttling to help protect and optimize your risk investigation and review experience. This throttling guards against issues that might result in an overload of policy alerts, such as misconfigured data connectors or data loss prevention policies. As a result, there might be a delay in displaying new alerts for a user.
You can triage alerts into one of the following statuses:
Alert risk scores are automatically calculated from several risk activity indicators. These indicators include the type of risk activity, the number and frequency of its occurrences, the user's history of risk activity, and any added activity risks that may raise the seriousness of the potentially risky activity. The alert risk score drives the programmatic assignment of a risk severity level for each alert and can't be customized. If alerts remain untriaged and risk activities continue to accrue to the alert, the risk severity level can increase. Risk analysts and investigators can use alert risk severity to help triage alerts in accordance with your organization's risk policies and standards.
Alert risk severity levels are:
It may help save triage time for analysts and investigators to immediately dismiss multiple alerts at once. The Dismiss alerts command bar option allows you to select one or more alerts with a Needs review status on the dashboard and quickly dismiss these alerts as benign as appropriate in your triage process. You can select up to 400 alerts to dismiss at one time.
To see reports for alerts, go to the Reports page. Each report widget on the Reports page displays information for the last 30 days:
If you're an administrator, and you're a member of the Insider Risk Management, Insider Risk Management Analysts, or Insider Risk Management Investigators role group, you can assign ownership of an alert to yourself or to an insider risk management user with one of the same roles. After an alert is assigned, you can also reassign it to a user with any of the same roles. You can only assign an alert to one admin at a time.
Note
If your policies are scoped by one or more administrative units, ownership of an alert can only be given to insider risk management users with the appropriate role group permissions, and the user highlighted in the alert must be in scope of the admin unit. For example, if an administrative scope applies to just users in Germany, the insider risk management user can only see alerts for users in Germany. Unrestricted administrators can see all alerts for all users in the organization.
After an admin is assigned, you can search by admin.
Note
Admins contained within a Microsoft Entra security group are not supported for alert assignment. Admins must be directly assigned to one of the required roles.
If you're using a custom group, make sure that the custom group contains the Case management role. The Insider Risk Management Analysts and the Insider Risk Management Investigators role groups both contain the Case management role, but if you're using a custom group, you must explicitly add the Case management role to the group.
You can create a case for an alert if you want to further investigate potentially risky activity.
After the case is created, investigators and analysts can manage and act on the case. For more information, see the Insider risk management case article.
As insider risk management alerts age, their value to minimize potentially risky activity diminishes for most organizations. Conversely, active cases and associated artifacts (alerts, insights, activities) are always valuable to organizations and shouldn't have an automatic expiration date. This includes all future alerts and artifacts in an active status for any user associated with an active case.
To help minimize the number of older items that provide limited current value, the following retention and limits apply for insider risk management alerts, cases, and user reports:
| Item | Retention/Limit |
|---|---|
| Alerts with Needs review status | 120 days from alert creation, then automatically deleted |
| Active cases (and associated artifacts) | Indefinite retention, never expire |
| Resolved cases (and associated artifacts) | 120 days from case resolution, then automatically deleted |
| Maximum number of active cases | 100 |
| User activities reports | 120 days from report creation, then automatically deleted |
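The retention rules above interact: a Needs review alert normally expires 120 days after creation, but alerts for a user associated with an active case are retained with that case. The following is an added example (not code from the Microsoft Learn page or the Purview product) that applies these rules to constructed records; the record classes and the `expired_ids` function are assumptions made for illustration, and the page states no timer for alerts in statuses other than Needs review, so those are treated here as not auto-expiring.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

RETENTION = timedelta(days=120)  # retention period from the table
MAX_ACTIVE_CASES = 100           # active-case limit from the table


@dataclass
class Case:
    case_id: str
    user: str
    status: str                            # "active" or "resolved"
    resolved_at: Optional[datetime] = None


@dataclass
class Alert:
    alert_id: str
    user: str
    status: str                            # "Needs review", "Confirmed", "Dismissed", "Resolved"
    created: datetime


@dataclass
class UserReport:
    report_id: str
    created: datetime


def users_with_active_case(cases: List[Case]) -> Set[str]:
    return {c.user for c in cases if c.status == "active"}


def case_expiry(c: Case) -> Optional[datetime]:
    """Active cases never expire; resolved cases expire 120 days after resolution."""
    if c.status == "active":
        return None
    if c.resolved_at is None:
        raise ValueError(f"resolved case {c.case_id} has no resolution time")
    return c.resolved_at + RETENTION


def alert_expiry(a: Alert, active_users: Set[str]) -> Optional[datetime]:
    """Needs review alerts expire 120 days after creation, unless the user has an
    active case (its artifacts, including future alerts, are kept). Other
    statuses have no stated timer on the page, so they return None (assumption)."""
    if a.user in active_users:
        return None
    return a.created + RETENTION if a.status == "Needs review" else None


def expired_ids(now: datetime, cases: List[Case], alerts: List[Alert],
                reports: List[UserReport]) -> List[str]:
    """IDs of items whose retention period has elapsed at `now`."""
    active = users_with_active_case(cases)
    out = [c.case_id for c in cases if (e := case_expiry(c)) is not None and e <= now]
    out += [a.alert_id for a in alerts if (e := alert_expiry(a, active)) is not None and e <= now]
    out += [r.report_id for r in reports if r.created + RETENTION <= now]
    return out


def can_open_case(cases: List[Case]) -> bool:
    return sum(1 for c in cases if c.status == "active") < MAX_ACTIVE_CASES


# Constructed sample data evaluated at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CASES = [
    Case("case-1", "alice", "active"),
    Case("case-2", "bob", "resolved", datetime(2024, 1, 15, tzinfo=timezone.utc)),
    Case("case-3", "carol", "resolved", datetime(2024, 3, 1, tzinfo=timezone.utc)),
]
ALERTS = [
    Alert("alert-1", "alice", "Needs review", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    Alert("alert-2", "dave", "Needs review", datetime(2024, 1, 1, tzinfo=timezone.utc)),
    Alert("alert-3", "dave", "Needs review", datetime(2024, 5, 1, tzinfo=timezone.utc)),
]
REPORTS = [UserReport("report-1", datetime(2024, 2, 5, tzinfo=timezone.utc))]
```

Running `expired_ids(NOW, CASES, ALERTS, REPORTS)` on the sample keeps alert-1 because alice has an active case, even though it is older than alert-2, which is deleted.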
Reviewing, investigating, and acting on potentially risky insider alerts are important parts of minimizing insider risks in your organization. Quickly taking action to minimize the impact of these risks can save your organization time and money and help it avoid regulatory or legal ramifications. Learn about best practices for managing your insider risk management alert queue.