Investigate insider risk alerts with Security Copilot and AI agents
Investigating insider risk alerts involves understanding patterns of user behavior and identifying actions that might put sensitive information or business integrity at risk. The Microsoft Purview insider risk triage agent, powered by Microsoft Security Copilot, helps automate this process. It reviews alerts, analyzes activity indicators, and prioritizes those with the highest potential risk so analysts can focus on what matters most.
Imagine you're reviewing alerts for employees uploading files to personal cloud storage or accessing sensitive data outside normal working hours. Some activity might be justified, but other cases could point to data exfiltration or policy violations. Instead of reviewing each alert manually, you can enable the insider risk triage agent to evaluate signals, assess policy risk, and highlight alerts that need immediate review. You can then use Security Copilot to summarize context, trace related activities, and guide your next steps.
Note
Insider Risk Management pseudonymizes usernames by default to protect user privacy. You can adjust pseudonymization settings in the Insider Risk Management settings page if your investigation procedures require identifiable data.
Understand how the insider risk triage agent works
The insider risk triage agent uses AI to analyze alerts generated by insider risk policies in Microsoft Purview. It examines multiple risk indicators, including data movement, communication patterns, and user context such as employment status or role changes. By analyzing these signals together, the agent determines which alerts pose the highest insider risk.
You can fine-tune how the agent interprets alerts by writing custom instructions in plain language. For example:
Focus on alerts where users shared confidential design documents externally after a resignation notice.
When configured, the agent can:
- Interpret your instructions and convert them into logical conditions
- Evaluate alerts against those conditions
- Apply your criteria automatically each time it runs
- Allow manual reruns or adjustments if needed
This reduces the time spent manually comparing user actions and keeps analysts in control of prioritization and decision-making.
Interpret triaged alerts in Microsoft Purview
After the agent runs, you can interpret results in the Alert triage agent (preview) view on the Alerts page. The agent organizes alerts into categories:
- Needs attention: Alerts that represent the highest insider risk and should be reviewed first
- Less urgent: Alerts that appear lower in severity or likelihood of policy violation
- Not categorized: Alerts that couldn't be evaluated, such as those triggered by unsupported policy types
Alerts are prioritized based on several factors:
- Risk indicators: User activity patterns, such as unusual downloads, external sharing, or access from unmanaged devices
- Policy type: The policy category that triggered the alert, such as data theft, security violation, or risky AI usage
- User context: Risk level from adaptive protection, recent HR signals, or role changes
This prioritization helps analysts focus on alerts most likely to involve insider-driven data exposure or policy abuse.
Tip
Alert severity can change over time as new activity signals are detected or additional user behavior is analyzed. If the triage agent runs again with updated data, it might reprioritize alerts automatically.
Run the insider risk triage agent
Before running the agent, confirm you have the correct roles and licensing:
- Roles: Insider Risk Administrator, Insider Risk Analyst, or Security Copilot Contributor
- Licensing: Microsoft Purview Insider Risk Management and provisioned Security Compute Units (SCUs) for the agent to run
- Configuration: Your tenant must be onboarded to Microsoft Security Copilot with the Purview plugin enabled
Agents run in the security context of the user who last saved the configuration, and that context must be renewed every 90 days. Because the agent's access is borrowed from that user, it stops running if the context expires or if that user's account or roles are removed, so assign the configuration to an account your team maintains.
You can set the agent to run automatically or manually:
- Automatically, on a schedule, to review new alerts within a selected timeframe
- Manually, on individual alerts or policies when deeper analysis is needed
The agent only triages alerts from active insider risk policies. Alerts from policies in simulation mode aren't included.
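The following is an added illustration, not Microsoft's agent code, of the triage model this page describes: a plain-language instruction is turned into logical conditions, each active-policy alert is scored on its risk indicators, policy type, and user context, and the result is sorted into the Needs attention, Less urgent, and Not categorized queues described under Interpret triaged alerts, with simulation-mode alerts skipped as stated above. The field names, scoring weights, thresholds, and sample alerts are all constructed for the example; the real agent's weighting is not documented here.

```python
"""Toy triage pass modelled on the insider risk triage agent's categories.
Everything below (weights, thresholds, sample alerts) is constructed for
illustration and is not the behaviour of Microsoft Purview or Security Copilot."""

from dataclasses import dataclass, field

# Policy types the page lists as examples; anything else is "Not categorized".
SUPPORTED_POLICY_TYPES = {"data theft", "security violation", "risky AI usage"}

# Constructed indicator and user-context vocabularies.
HIGH_RISK_INDICATORS = {"external sharing", "unmanaged device", "unusual download"}
HIGH_RISK_CONTEXT = {"resignation notice", "elevated adaptive protection level", "role change"}

# The page's example instruction, expressed as the conditions an agent might derive from it:
# "Focus on alerts where users shared confidential design documents externally
#  after a resignation notice."
INSTRUCTION_CONDITIONS = {
    "required_indicators": {"external sharing", "confidential label"},
    "required_user_context": {"resignation notice"},
}


@dataclass
class Alert:
    alert_id: str
    user: str                      # pseudonymized ID, as Insider Risk Management shows by default
    policy_type: str
    policy_active: bool            # False = policy in simulation mode, never triaged
    indicators: set[str] = field(default_factory=set)
    user_context: set[str] = field(default_factory=set)


def matches_instruction(alert: Alert, conditions: dict) -> bool:
    """True when every indicator and context term the instruction requires is present."""
    return (conditions["required_indicators"] <= alert.indicators
            and conditions["required_user_context"] <= alert.user_context)


def risk_score(alert: Alert) -> int:
    """One point per high-risk indicator or context signal, plus a bonus (constructed
    weight of 3) when the analyst's custom instruction matches."""
    score = len(alert.indicators & HIGH_RISK_INDICATORS)
    score += len(alert.user_context & HIGH_RISK_CONTEXT)
    if matches_instruction(alert, INSTRUCTION_CONDITIONS):
        score += 3
    return score


def categorize(alert: Alert, threshold: int = 3) -> str:
    """Map an alert to one of the three queues; the threshold is a constructed value."""
    if alert.policy_type not in SUPPORTED_POLICY_TYPES:
        return "Not categorized"
    return "Needs attention" if risk_score(alert) >= threshold else "Less urgent"


def triage(alerts: list[Alert]) -> dict[str, list[str]]:
    """Return {queue name: [alert IDs, highest score first]}.
    Alerts from simulation-mode policies are dropped before scoring."""
    queue = {"Needs attention": [], "Less urgent": [], "Not categorized": []}
    active = [a for a in alerts if a.policy_active]
    for a in sorted(active, key=risk_score, reverse=True):
        queue[categorize(a)].append(a.alert_id)
    return queue


# Constructed sample alerts (user IDs are made-up pseudonyms).
SAMPLE_ALERTS = [
    Alert("A1", "U-7f3a", "data theft", True,
          {"external sharing", "confidential label"}, {"resignation notice"}),
    Alert("A2", "U-19c2", "security violation", True, {"unusual download"}, set()),
    Alert("A3", "U-0b11", "unsupported policy", True, {"external sharing"}, set()),
    Alert("A4", "U-7f3a", "data theft", False,   # simulation mode: must be skipped
          {"external sharing", "unmanaged device", "unusual download"}, {"role change"}),
    Alert("A5", "U-c4d9", "risky AI usage", True,
          {"unmanaged device", "unusual download"}, {"elevated adaptive protection level"}),
]

if __name__ == "__main__":
    for name, ids in triage(SAMPLE_ALERTS).items():
        print(f"{name}: {ids}")
```

Running the block shows A1 first in Needs attention (it matches the custom instruction outright), A5 behind it on indicator and context signals alone, A2 in Less urgent, A3 in Not categorized because its policy type is unsupported, and A4 absent because its policy is still in simulation mode. Rerunning with new indicators or context, as the Tip above describes, simply re-scores and can move an alert between queues.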
Use Security Copilot to analyze triaged alerts
After the agent completes triage, you can open Security Copilot directly from an alert to review findings and receive guidance. Copilot provides AI-generated summaries that highlight activity, possible intent, and relationships between events. Treat these summaries as a starting point: confirm the activity they cite in the alert details and activity explorer before you act on them.
Security Copilot can help you:
- Explain why the alert was prioritized as high risk
- Identify sensitive data or user actions involved
- Correlate behavior across data, devices, and communication channels
- Suggest next steps, such as escalating or applying adaptive protection controls
You can ask Copilot questions such as:
- Summarize the user's recent activity that increased risk.
- Identify related alerts involving the same user or data source.
- Explain the behavioral indicators contributing to this alert.
After reviewing Copilot's summary, return to the triaged alert queue to take action on alerts that require further investigation.
Review and act on triaged alerts
Once alerts are triaged, review the prioritized queue to decide what to do next:
1. In the Microsoft Purview portal, go to Insider Risk Management > Alerts.
2. Select Alert triage agent (preview) view.
3. Review Needs attention alerts first.
4. Select an alert to open the Agent summary pane and review the agent's risk categorization and notes.
5. Use Summarize to generate an AI summary of the case for more context.
6. Select View details or take actions such as assigning ownership, escalating to a case, or applying adaptive protection.
You can also use tools like Activity explorer and the Data risk graph for a deeper look at user behavior. These tools help you visualize activity trends, identify repeated risk patterns, and explore how specific actions contributed to the alert.
You can rerun the agent on an alert if new activity or context becomes available.
Security Copilot helps analysts investigate insider risk alerts faster, connect behavioral patterns, and make consistent, evidence-based decisions.