Fine-tune exclusions in insider risk management by creating detection groups and variants of built-in indicators (preview)

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Microsoft Purview Insider Risk Management offers dozens of ready-to-use indicators, but one set of detection rules rarely fits every user in an organization. The Intelligent detections setting in insider risk management lets you globally exclude certain activities from being scored by your policies, but those exclusions apply to every trigger and indicator in every policy in the tenant. With detection groups and variants, you can modify the built-in insider risk indicators and tailor detections for different sets of users. For example, to reduce false positives from email activity, you might create a variant of the Sending email with attachments to recipients outside the organization built-in indicator that detects only email sent to personal domains.

Overall process for creating a detection group and using it together with a built-in indicator variant

Creating a detection group and using it together with a variant includes four steps:

  1. Create a detection group as described in this article. You'll select this detection group when you create the variant.
  2. Create the variant.
  3. Use the variant in a new or existing policy.
  4. Review alerts related to the activities specified in the variant.

Create a detection group

To create a variant of a built-in indicator, start by creating a detection group. A detection group helps you scope a built-in indicator down to focus on the high-value activities important to your organization.

Every policy indicator supports the detection types that apply to it. For example, Domains is a detection type for the Sharing SharePoint files with people outside the organization indicator, because when you share a SharePoint file you choose a domain to share it with. Not all indicators support the same detection types: Domains isn't a detection type for the Creating or copying files to USB indicator, because a domain doesn't apply to that activity.

Insider risk management currently supports seven detection types:

  • Domains
  • File paths
  • File types
  • Keywords
  • Sensitive info types
  • SharePoint sites
  • Trainable classifiers

Tip

When you create a detection group, you can see all the applicable indicators for a particular detection by selecting the View applicable indicators link in the introductory text for the group type.

The following procedures show how to create a detection group for each group type.

Create a domains detection group

  1. In insider risk management settings, select Detection groups (preview).

  2. In the panel to the right, under Type, select Domains.

  3. In the panel to the right, select New domain group.

  4. In the New domain group pane, add a name for the group (or accept the suggested name) and a description (optional).

  5. In the Add domains field, enter a domain, and then press Enter. Continue adding more domains in the same way or, if you have a long list of domains to add, you can import them as a CSV file by selecting Import domains from CSV file. The domains that you add are listed at the bottom of the pane. You can create up to 10 domain detection groups and each group can have up to 200 items.

    Note

    To cover all subdomains of a root domain, select the Include multi-level subdomains checkbox, add the domain, and then press Enter to add it to the list. Every subdomain beneath that domain, at any depth, is then included. Repeat the same process to add more domains, and then select Add domains when you're done.

    Tip

    You can use wildcards to match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, use the wildcard entry '*.wingtiptoys.com' to match these subdomains (and any other subdomain at the same level). A wildcard entry covers only that one level; to include subdomains at every depth, use the Include multi-level subdomains checkbox instead.

  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
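The plain, wildcard and multi-level entry kinds described above are easy to confuse when you build a group, and the portal gives no preview of which recipient domains a group will cover. The following is an added example, not Microsoft's code and not the service's implementation: it models the three entry kinds as this page describes them (an assumed reading of the page's wording), runs constructed recipient domains through them, and applies the 200-item limit before you save. The DomainEntry class, the helper names and the sample domains are constructed for this example.

```python
"""Model of how a domains detection group scopes recipient domains.

Assumed rules, taken from this page's description of the portal:
  - a plain entry matches that exact domain only;
  - a '*.root' wildcard entry matches one label in front of root
    (sales.root), not deeper names (eu.sales.root);
  - an entry added with 'Include multi-level subdomains' matches the
    root and any depth of subdomain beneath it.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_GROUPS = 10           # limits stated on this page
MAX_ITEMS_PER_GROUP = 200


@dataclass(frozen=True)
class DomainEntry:
    pattern: str                 # e.g. 'wingtiptoys.com' or '*.wingtiptoys.com'
    multi_level: bool = False    # the 'Include multi-level subdomains' checkbox


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: case-fold, drop a trailing dot, split on '.'."""
    return name.strip().lower().rstrip(".").split(".")


def entry_matches(entry: DomainEntry, domain: str) -> bool:
    """True if `domain` falls inside `entry` under the assumed rules above."""
    target = _labels(domain)
    pat = _labels(entry.pattern)
    if pat[0] == "*":
        # Wildcard: exactly one label in front of the root, same level only.
        root = pat[1:]
        return len(target) == len(root) + 1 and target[1:] == root
    if entry.multi_level:
        # Root itself or any depth of subdomain beneath it (suffix match on labels).
        return len(target) >= len(pat) and target[-len(pat):] == pat
    return target == pat


def in_scope(group: list[DomainEntry], recipient_domains: list[str]) -> list[str]:
    """Recipient domains that a variant scoped to this group would score."""
    return [d for d in recipient_domains
            if any(entry_matches(e, d) for e in group)]


def validate_group(group: list[DomainEntry]) -> list[str]:
    """Checks worth running before pasting or importing a list into the portal."""
    problems: list[str] = []
    if len(group) > MAX_ITEMS_PER_GROUP:
        problems.append(f"{len(group)} items exceeds the {MAX_ITEMS_PER_GROUP}-item limit")
    seen: set[str] = set()
    for e in group:
        key = e.pattern.strip().lower()
        if key in seen:
            problems.append(f"duplicate entry: {e.pattern}")
        seen.add(key)
        if any(label == "" for label in _labels(e.pattern)):
            problems.append(f"malformed entry: {e.pattern!r}")
    return problems


# Constructed sample group for a 'personal domains' variant (not real data).
PERSONAL_DOMAINS = [
    DomainEntry("gmail.com"),
    DomainEntry("outlook.com"),
    DomainEntry("*.wingtiptoys.com"),                      # one level only
    DomainEntry("contoso-partner.example", multi_level=True),  # any depth
]

# Constructed recipient domains lifted from hypothetical mail events.
SAMPLE_RECIPIENTS = [
    "gmail.com",
    "mail.gmail.com",
    "sales.wingtiptoys.com",
    "eu.sales.wingtiptoys.com",
    "wingtiptoys.com",
    "hr.dev.contoso-partner.example",
    "notcontoso-partner.example",
]

if __name__ == "__main__":
    print("problems:", validate_group(PERSONAL_DOMAINS))
    for d in SAMPLE_RECIPIENTS:
        print(f"{d:35} scored={d in in_scope(PERSONAL_DOMAINS, [d])}")
```

Running the block shows that `mail.gmail.com`, `eu.sales.wingtiptoys.com` and the bare `wingtiptoys.com` stay out of scope while `hr.dev.contoso-partner.example` is scored, which is the practical difference between a wildcard entry and the multi-level checkbox.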

Create a file paths detection group

  1. In insider risk management settings, select Detection groups (preview).
  2. In the panel to the right, under Type, select File paths.
  3. In the panel to the right, select New file path group.
  4. In the New file path group pane, add a name for the group (or accept the suggested name) and a description (optional).
  5. Select Add file paths, select the file paths that you want to exclude from scoring, and then select Add. You can create up to 10 file path detection groups and each group can have up to 200 items.
  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.

Create a file types detection group

  1. In insider risk management settings, select Detection groups (preview).
  2. In the panel to the right, under Type, select File types.
  3. In the panel to the right, select New file type group.
  4. In the New file type group pane, add a name for the group (or accept the suggested name) and a description (optional).
  5. In the Add file type field, enter a file extension, and then press Enter. Continue adding more file extensions the same way. The extensions that you add are listed at the bottom of the pane. You can create up to 10 file types detection groups and each group can have up to 200 items.
  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.

Create a keywords detection group

  1. In insider risk management settings, select Detection groups (preview).
  2. In the panel to the right, under Type, select Keywords.
  3. In the panel to the right, select New keywords group.
  4. In the New keywords group pane, add a name for the group (or accept the suggested name) and a description (optional).
  5. In the Add keywords field, enter a keyword, and then press Enter. Repeat this process for each keyword you want to add. The keywords that you add are listed at the bottom of the pane. You can create up to 10 keywords detection groups and each group can have up to 200 items.
  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.

Create a sensitive info types detection group

Note

The exclusion list of sensitive info types takes precedence over the priority content list.

  1. In insider risk management settings, select Detection groups (preview).
  2. In the panel to the right, under Type, select Sensitive info types.
  3. In the panel to the right, select New sensitive info type group.
  4. In the New sensitive info type group pane, add a name for the group (or accept the suggested name) and a description (optional).
  5. Select Add sensitive info types, select the sensitive info types that you want to exclude from scoring, and then select Add. You can create up to 10 sensitive info type groups and each group can have up to 200 items.
  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.

Create a SharePoint sites detection group

  1. In insider risk management settings, select Detection groups (preview).
  2. In the panel to the right, under Type, select SharePoint sites.
  3. In the panel to the right, select New SharePoint site group.
  4. In the New SharePoint site group pane, add a name for the group (or accept the suggested name) and a description (optional).
  5. Select Add sites, select the SharePoint sites that you want to exclude from scoring, and then select Add. You can create up to 10 SharePoint sites detection groups and each group can have up to 200 items.
  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.

Create a trainable classifier detection group

  1. In insider risk management settings, select Detection groups (preview).
  2. In the panel to the right, under Type, select Trainable classifiers.
  3. In the panel to the right, select New trainable classifiers group.
  4. In the New trainable classifiers group pane, add a name for the group (or accept the suggested name) and a description (optional).
  5. Select Add trainable classifiers, select the trainable classifiers that you want to exclude from scoring, and then select Add. You can create up to 10 trainable classifier detection groups and each group can have up to 200 items.
  6. Select Save. You'll see a Next steps dialog box that advises you on the next step in the process, which includes using this detection group in a variant.
