Share via


Set up global exclusions for insider risk management policies

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Use the Global exclusions (preview) setting in Microsoft Purview Insider Risk Management to exclude items from being scored by insider risk management policies. For example, to reduce "noise" in your policies, you might want to exclude certain file types or domains from being scored for risk if those file types or domains don't present risk to your organization.

When you set up global exclusions, you might also want to take advantage of detection groups to tailor detections for different sets of users. Detection groups can help you reduce false positives for your policies.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Configure a domain exclusion

You can exclude specific domains related to user activities from being scored by your insider risk management polices. These activities include:

  • Email sent to external domains.
  • Files, folders, and sites shared with external domains.
  • Files uploaded to external domains (using the Microsoft Edge browser).

Allowed domains are ignored by your policies and won't generate alerts.

Set up a domain exclusion

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select Domains.

  5. In the Domains panel to the right, select one of the following tabs:

    • Individual domains. To add domains one at a time:

      1. Select Add domains, and then enter an exact domain in the Domain field or use a wildcard asterisk (*) to detect a subdomain (for example, *.contoso.com). Preceding the domain name with a wildcard detects a maximum of one subdomain (for example, support.contoso.com).

      2. To include all subdomains within the domain, select the Include multi-level subdomains checkbox.

        Note

        You can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, use the wildcard entry "*.wingtiptoys.com" to match these subdomains (and any other subdomain at the same level). To specify multi-level subdomains for a root domain, you must select the Include multi-level subdomains checkbox.

      3. Press Enter.

      4. Repeat this process for each domain that you want to add.

        Each domain that you enter is added to the Domain column and Yes or No is added to the Multi-level subdomains included list.

        Tip

        If you don't want to add domains one at a time, you can import a list of domains from a CSV file by selecting Import domains from CSV file on the previous page.

      5. Select Add domains.

    • Domain groups. To select a domain detection group that you already created:

      1. Select Add domain group.

      2. Select the appropriate domain group(s) from the list. The number of domains included in each domain group is listed in the Included domains column.

      3. Select Save.

Configure an email signature attachments exclusion

One of the main sources of 'noise' in insider risk management policies is images in email signatures, which are often detected as attachments in emails. If the Sending email with attachments to recipients outside the organization indicator is selected, the attachment is scored like any other email attachment sent outside the organization, even if the only thing in the attachment is the email signature. You can use the Ignore email signature attachments (preview) setting to exclude these attachments from scoring.

Turning this setting on significantly eliminates noise from email signature attachments, but won't completely eliminate all noise. This is because only the email signature attachment of the email sender (the person who initiates the email or replies to the email) is excluded from scoring. A signature attachment for anyone on the To, CC, or BCC line will still be scored. Also, if someone changes their email signature, the new signature has to be profiled, which can cause alert noise for a short period of time.

Configure an email signature attachments exclusion

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select Email signature attachments.

  5. In the Ignore email signature attachments (preview) panel to the right, turn the setting to On.

  6. Select Save.

Configure a file path exclusion

When you exclude file paths, user activities that map to specific indicators and that occur in those file path locations won't generate policy alerts. Examples include copying or moving files to a system folder or network share path. You can enter up to 500 file paths for exclusion.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select File paths.

  5. In the File paths panel to the right, select one of the following tabs:

    • Individual file paths. To add an individual file path, select Add file paths to exclude, enter an exact network share or device file path, and then select Add file paths to exclude. Repeat this process for each file path that you want to exclude. Examples:

      Example Description
      \ms.temp\LocalFolder\ or C:\temp Excludes files directly under the folder and all subfolders for every file path starting with the entered prefix.
      \public\local\ Excludes files from every file path containing the entered value.

      Matches with 'C:\Users\Public\local\', 'C:\Users\User1\Public\local', and '\ms.temp\Public\local'.

      C:\Users*\Desktop Matches with 'C:\Users\user1\Desktop' and 'C:\Users\user2\Desktop'.
      C:\Users*(2)\Desktop Wilcards with numbers are supported. Matches with 'C:\Users\user1\Desktop' and 'C:\Users\user2\Shared\Desktop'.

      Each file path that you enter is added to the File path column on the page.

      Note

      See Default file paths for file paths that are automatically excluded from generating policy alerts.

    • File path groups. To select a file path detection group that you have already created, select Add file path group, and then select the appropriate file path group(s). The number of file paths included in each group is listed in the Included file paths column.

  6. Select Save.

Default file paths

By default, several file paths are automatically excluded from generating policy alerts. Activities in these file paths are typically benign and could potentially increase the volume of non-actionable alerts. If needed, you can cancel the selection for these default file path exclusions to enable risk scoring for activities in these locations.

The default file path exclusions are:

  • \Users*\AppData
  • \Users*\AppData\Local
  • \Users*\AppData\Roaming
  • \Users*\AppData\Local\Temp

The wildcards in these paths denote that all folder levels between the \Users and \AppData are included in the exclusion. For example, activities in C:\Users\Test1\AppData\Local and C:\Users\Test2\AppData\Local, C:\Users\Test3\AppData\Local (and so on) would all be included and not scored for risk as part of the \Users*\AppData\Local exclusion selection.

Configure a file type exclusion

You can exclude specific file types from all insider risk management policy matching. For example, you might want to exclude all .wav files. Files with that extension will be ignored for risk scoring by all insider risk management policies.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select File types.

  5. In the File types panel to the right, select one of the following tabs:

    • Individual file types. To add file types one at a time, select Add file type, enter a file type, and then press Enter. Repeat this process for each file type that you want to add. Each file type that you enter is added to the page.

    • File type groups. To select a file type detection group that you have already created, select Add File type group, and then select the appropriate file type group(s) from the list.

  6. Select Save.

Configure a keyword exclusion

You can configure exclusions for keywords that appear in file names, file paths, or email message subject lines. This allows flexibility for organizations that need to reduce potential alert frequency due to flagging of benign terms. Such activities related to files or email subjects containing the keyword will be ignored by your insider risk management policies and won't generate alerts. You can exclude up to 500 keywords.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select Keywords.

  5. In the Keywords panel to the right, select one of the following tabs:

    • Individual keywords. To add keywords one at a time, enter a keyword in the Exclude these keywords field, and then press Enter. Repeat this process for each keyword that you want to add. To delete a keyword that you've added to the list, select the X next to the keyword.

      Tip

      If you want to exclude a keyword from scoring, but you want to score that keyword when it's used in combination with other keywords or a phrase, enter the keyword you want to exclude in the Exclude these keywords field, and then enter the word or words that are part of the phrase that you do want to score in the Exclude the above keywords only if these terms aren't also present field. For example, if you add the keyword "compliance" to the Exclude these keywords field, but enter the keyword "training" in the Exclude the above keywords only if these terms aren't also present field, the word "compliance" by itself is excluded from scoring, but the phrase "compliance training" is scored.

    • Keyword groups. To select a keyword detection group that you have already created, select Add keyword group, and then select the appropriate keyword group(s) from the list. The number of keywords included in each group is displayed under the Included keywords heading.

  6. Select Save.

Configure a sensitive info type (preview) exclusion

Excluded sensitive info types map to indicators and triggers involving file-related activities for Endpoint, SharePoint, Teams, OneDrive, and Exchange. These excluded types are treated as non-sensitive info types. If a file contains any sensitive info type identified in this section, the file will be risk scored but not shown as activities involving content related to sensitive info types. For a complete list of sensitive info types, see Sensitive information type entity definitions.

You can select the sensitive info types to be excluded from the list of all available (out-of-box and custom) types available in the organization. You can choose up to 500 sensitive info types.

Note

The exclusion list of sensitive info types takes precedence over the priority content list.

Configure a sensitive info type exclusion

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select Sensitive info types.

  5. In the Sensitive info types panel to the right, select one of the following tabs:

    • Individual sensitive info types. To add sensitive info types one at a time, select Add or edit sensitive info types to exclude, select the sensitive info types you want to exclude, and then select Add. You can also use the search box to search for a sensitive info type.

    • SIT groups. To select a sensitive info type detection group that you have already created, select Add sensitive info type group, and then select the appropriate group(s) from the list. The number of sensitive info types included in a sensitive info type group is displayed under the Included sensitive info types heading. Select Save when you're done.

Configure a Sharepoint site exclusion

You can configure SharePoint site exclusions to prevent activities that occur in SharePoint (and SharePoint sites associated with Teams channel sites) from generating policy alerts. For example, you might want to exclude sites or channels that contain non-sensitive files and data that can be shared with stakeholders or the public. You can enter up to 500 SharePoint site URL paths.

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select SharePoint sites.

  5. In the SharePoint sites panel to the right, select one of the following tabs:

    • Individual sites. To add SharePoint sites one at a time, select Add or edit sites to exclude, select the sites you want to exclude, and then select Edit. You can also use the search box to search for a site.

    • Site groups. To select a SharePoint site detection group that you have already created, select Add SharePoint site group, and then select the appropriate group(s) from the list. The number of sites included in a site group is displayed under the Included sites heading. Select Save when you're done.

Set up a trainable classifier (preview) exclusion

Excluded trainable classifiers map to indicators and triggers involving file-related activities for SharePoint, Teams, OneDrive, and Exchange. If any file contains any trainable classifier identified as an exclusion, the file will be risk scored but not shown as activity involving content related to trainable classifiers. For a complete list of pre-trained classifiers, see Trainable classifiers definitions.

You can select the trainable classifiers to be excluded from the list of all available (out-of-box and custom) types available in the organization. Insider risk management excludes some trainable classifiers by default, including Threat, Profanity, Targeted harassment, Offensive language, and Discrimination. You can choose up to 500 trainable classifiers.

Note

Optionally, you can choose trainable classifiers to be included in the priority content list.

Configure a trainable classifier exclusion

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.

  3. Under Insider risk settings, select Global exclusions (preview).

  4. In the Type panel to the right, select Trainable classifiers.

  5. In the Trainable classifiers panel to the right, select one of the following tabs:

    • Individual trainable classifier. To select trainable classifiers one at a time, select Add or edit trainable classifiers to exclude, select the appropriate trainable classifier(s) from the list, and then select Add. You can use the search box to search for a trainable classifier.

    • Trainable classifier groups. To select a trainable classifier detection group that you have already created, select Add trainable classifier group, and then select the appropriate group(s) from the list. The number of trainable classifiers included in a trainable classifier group is displayed under the Included trainable classifiers heading. Select Save when you're done.