Explore insider risk management cases

  • 9 minutes

Cases are the heart of Insider risk management. They enable organizations to deeply investigate and act on issues generated by risk indicators defined in their policies. Organizations manually create cases from alerts. They do so in situations where they must take further action to address a compliance-related issue for a user.

Note

You scope each case to a single user. You can add multiple alerts for the user to an existing case or to a new case.

After an organization's investigators and risk analysts investigate the details of a case, they can take action by:

  • Sending the user a notice.
  • Resolving the case as benign.
  • Sharing the case with an email recipient.
  • Escalating the case for an eDiscovery (Premium) investigation.

Additional viewing. For an overview of how Insider risk management investigates and manages cases, watch the following short video titled: Insider Risk Management Investigation and Escalation.

Cases dashboard

The Insider risk management Cases dashboard enables an organization's investigators and risk analysts to view and act on cases. Each report widget on the dashboard displays the following information for the last 30 days:

  • Active cases. The total number of active cases under investigation.
  • Cases over past 30 days. The total number of cases created, sorted by Active and Closed status.
  • Statistics. Average time of active cases, listed in hours, days, or months.

The case queue lists all active and closed cases for an organization. It also displays the current status of the following case attributes:

  • Case name. The name of the case. When an organization confirms an alert and creates the case, it assigns the case name.
  • Status. The status of the case, either Active or Closed.
  • User. The user for the case. If you enable the Anonymization for usernames setting when creating the case, the system displays anonymized information.
  • Time case opened. The time that passed since you opened the case.
  • Total policy alerts. The number of policy matches included in the case. This number may increase if you add new alerts to the case.
  • Case last updated. The time that passed since someone added a case note or changed the case state.
  • Last updated by. The name of the Insider risk management analyst or investigator who last updated the case.

Screenshot of the Insider risk management dashboard showing the Cases tab.

Investigators and risk analysts can use the Search control to search case names for specific text. They can also use the case filter to sort cases by the following attributes:

  • Status of the case.
  • Time the case opened, plus its start date and end date.
  • The date you last updated the case, plus its start date and end date.

Filter cases

Depending on the number and type of active Insider risk management policies in an organization, reviewing a large queue of cases can be challenging. Using case filters can help analysts and investigators sort cases by several attributes. To filter alerts on the Cases dashboard, select the Filter control. You can filter cases by one or more attributes:

  • Status. Select one or more status values to filter the case list. The options are Active and Closed.
  • Time case opened. Select the start and end dates for when you opened cases.
  • Last updated. Select the start and end dates for when you last updated cases.

Investigate a case

Deeper investigation into Insider risk management alerts is critical to taking proper corrective actions. Insider risk management cases are the central management tool to dive deeper into:

  • User risk activity history
  • Alert details
  • The sequence of risk events
  • The content and messages exposed to risks

Risk analysts and investigators also use cases to centralize review feedback and notes and to process case resolution. When they open a case, the case management tools become available. These tools enable analysts and investigators to dig into the details of cases.

Case overview

The Case overview tab summarizes the case details for risk analysts and investigators. It includes the following information in the area titled About this case:

  • Status. The current status of the case, either Active or Closed.
  • Case created on. The date and time you created the case.
  • User's risk score. The current calculated risk level of the user for the case. The system calculates this score every 24 hours and uses alert risk scores from all active alerts associated to the user.
  • Email. The email alias of the user for the case.
  • Organization or department. The user's assigned organization or department.
  • Manager name. The name of the user's manager.
  • Manager email. The email alias of the user's manager.

Screenshot of the Insider risk management dashboard showing the Case details page.

The Case overview tab also includes an Alerts section that includes the following information about policy match alerts associated with the case:

  • Policy matches. The name of the Insider risk management policy associated with the match alerts for user activity.
  • Status. Status of the alert.
  • Severity. Severity of the alert.
  • Time detected. The time that passed since the system generated the alert.

Alerts

The Alerts tab summarizes the current alerts included in the case. The system can add new alerts to an existing case. The system also adds them to the Alert queue as they get assigned to a case. The queue lists the following alert attributes:

  • Status
  • Severity
  • Time detected

Select an alert from the queue to display the Alert detail page. Use the search control to search alert names for specific text and use the alert filter to sort cases by the following attributes:

  • Status
  • Severity
  • Time detected, start date, and end date

Use the filter control to filter alerts by several attributes, including:

  • Status. Select one or more status values to filter the alert list. The options are Confirmed, Dismissed, Needs review, and Resolved.
  • Severity. Select one or more alert risk severity levels to filter the alert list. The options are High, Medium, and Low.
  • Time detected. Select the start and end dates for when the system created the alert.
  • Policy. Select one or more policies to filter the alerts generated by the selected policies.

User activity

The User activity tab enables risk analysts and investigators to review activity details. It also shows a visual representation of all the activities associated with risk alerts and cases. For example, as part of the alert triage process, analysts may need to review all the risk activities associated with the case for more details. In cases, risk investigators can review user activity details and the bubble chart to help understand the overall scope of the activities associated with the case.

Activity explorer

The Activity explorer tab allows risk analysts and investigators to review activity details associated with risk alerts. For example, as part of the case management actions, investigators and analysts may need to review all the risk activities associated with the case for more details. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts. The prior training unit examined Activity explorer in greater detail.

Content explorer

The Content explorer tab enables risk investigators to review copies of all individual files and email messages associated with risk alerts. For example, consider the scenario in which the system created an alert when a user downloaded hundreds of files from SharePoint Online. It did so because the activity triggered a policy alert. In this situation, the system captured all the downloaded files for the alert and copied them to the Insider risk management case from their original storage sources.

Content explorer is a powerful tool with basic and advanced search and filtering features. To learn more about using the Content explorer, see Insider risk management Content explorer.

Screenshot of the Insider risk management dashboard showing the Content explorer tab.

Case notes

The Case notes tab is where risk analysts and investigators share comments, feedback, and insights about their work for the case. Notes are permanent additions to a case. You can't edit or delete a note after you save it. When you create a case from an alert, the system automatically adds the comments you entered in the Confirm alert and create insider risk case dialog as a case note.

The Case notes dashboard displays notes by the user that created the note and the time that passed since the user saved the note. To search the case note text field for a specific keyword, use the Search button on the case dashboard and enter a specific keyword.

Contributors

The Contributors tab in the case is where risk analysts and investigators can add other reviewers to the case. By default, the system displays all users assigned to the Insider Risk Management Analysts or the Insider Risk Management Investigators roles as contributors for each active and closed case. Only users assigned the Insider Risk Management Investigators role have permission to view files and messages in the Content explorer.

You can grant temporary access to a case when you add a user as a contributor. Contributors have all case management control on the specific case, except:

  • Permission to confirm or dismiss alerts.
  • Permission to edit the contributors for cases.
  • Permission to view files and messages in the Content explorer.

Case actions

Risk investigators can take action on a case in one of several methods, depending on:

  • The severity of the case.
  • The history of risk of the user.
  • The organization's risk guidelines.

In some situations, an organization must escalate a case to a user or data investigation. By doing so, the organization can collaborate with other areas of its business and dive deeper into risk activities. Microsoft 365 tightly integrates Insider risk management with other Microsoft Purview solutions to help organizations with end-to-end resolution management.

Send email notice

In most cases, user actions that create insider risk alerts are inadvertent or accidental. Sending a reminder notice to the user through email is an effective method for documenting case review and action. It's also a way to remind users of corporate policies or point them to refresher training. Notice templates that you create generate notices for your Insider risk management infrastructure.

The system doesn't resolve a case as Closed when you send an email notice to a user. In some cases, an organization may want to leave a case open after sending a notice to a user. Doing so enables the organization to look for more risk activities without opening a new case. If an organization wants to resolve a case after sending a notice, it must select the Resolve case as a follow-on step after sending a notice.

Complete the following steps to send a notice to the user assigned to a case:

  1. In the Microsoft Purview compliance portal, select Insider risk management on the navigation pane.
  2. On the Insider risk management page, select the Cases tab.
  3. On the Cases tab, select a case. Then select the Send email notice button on the menu bar.
  4. In the Send e-mail notice dialog box, select the Choose a notice template dropdown control to select the notice template for the notice. This selection prefills the other fields on the notice.
  5. Review the notice fields and update as appropriate. The values entered here override the values on the template.
  6. Select Send to send the notice to the user. Or select Cancel to close the dialog without sending the notice to the user. The system adds all sent notices to the case notes queue on the Case notes dashboard.

Escalate for investigation

Escalate the case for user investigation in situations where an organization needs more legal review or the user's risk activity. This escalation opens a new Microsoft Purview eDiscovery (Premium) case in the organization's Microsoft 365 tenant. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to an organization's internal and external legal investigations. It also lets the company's legal team manage the entire legal hold notification workflow to communicate with custodians involved in a case. Escalating to an eDiscovery (Premium) case from an Insider risk management case helps the organization's legal team take appropriate action and manage content preservation. To learn more about eDiscovery (Premium) cases, see Overview of Microsoft Purview eDiscovery (Premium).

To escalate a case to a user investigation:

  1. In the Microsoft Purview compliance portal, select Insider risk management on the navigation pane.
  2. On the Insider risk management page, select the Cases tab.
  3. On the Cases tab, select a case. Then select the Escalate for investigation button on the menu bar.
  4. In the Escalate for investigation dialog box, enter a name for the new user investigation. If needed, enter notes about the case and select Escalate.
  5. Review the notice fields and update as appropriate. The values entered here override the values on the template.
  6. Select Confirm to create the user investigation case. Or, select Cancel to close the dialog without creating a new user investigation case.

After you escalate the Insider risk management case to a new user investigation case, investigators and risk analysis can review the new case by navigating to eDiscovery, and then the Advanced area in the Microsoft Purview compliance portal.

Resolve the case

After risk analysts and investigators complete their review and investigation, you can resolve a case to act on all the alerts currently included in the case. Resolving a case:

  • Adds a resolution classification.
  • Changes the case status to Closed.
  • Adds the resolution action reasons to the case notes queue on the Case notes dashboard.

You can resolve a case as either:

  • Benign. The classification for cases where you evaluate policy match alerts as low risk, nonserious, or false positive.
  • Confirmed policy violation. The classification for cases where you evaluate policy match alerts as risky, serious, or the result of malicious intent.

Complete the following steps to resolve a case:

  1. In the Microsoft Purview compliance portal, select Insider risk management on the navigation pane.
  2. On the Insider risk management page, select the Cases tab.
  3. On the Cases tab, select a case. Then select the Resolve case button on the menu bar.
  4. In the Resolve case dialog box, select the Resolve dropdown control to select the resolution classification for the case. The options are Benign or Confirmed policy violation.
  5. On the Resolve case dialog box, enter the reasons for the resolution classification in the Action taken text field.
  6. Select Resolve to close the case. Or select Cancel close the dialog without resolving the case.