Configure intelligent detections in insider risk management
Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Note
Global exclusions settings that were previously included in the Intelligent detections setting are now included in the Global exclusions (preview) setting.
You can use the Intelligent detections setting in Microsoft Purview Insider Risk Management to:
- Boost the score for unusual file download activities by entering a minimum number of daily events.
- Increase or decrease the volume and distribution of high, medium, and low alerts.
- Import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management templates.
- Specify unallowed domains to boost the risk score for potentially risky activity.
- Specify third-party domains to generate alerts for potentially risky download activity.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
File activity detection
You can use this section to specify the number of daily events required to boost the risk score for download activity that's considered unusual for a user. For example, suppose you enter "25", and a user who downloads 10 files per day on average over the previous 30 days is detected by a policy downloading 20 files on a single day. The score for that activity won't be boosted: although 20 downloads is unusual for that user, it's below the minimum of 25 files for that day.
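To make that gate concrete, the following Python model is added here for illustration (it is not Microsoft's scoring engine): a day's download count is treated as unusual when it exceeds the user's mean over the previous 30 days, and the score is boosted only when the count also reaches the configured minimum. The use of a simple mean as the baseline is an assumption.

```python
from statistics import mean

# Simplified model of the "File activity detection" threshold (an added
# illustration, not Microsoft's scoring engine). A day's download activity is
# boosted only when it is unusual for the user (above the user's mean over the
# previous 30 days, an assumed baseline) AND the day's count reaches
# min_daily_events.

WINDOW_DAYS = 30


def is_boosted(baseline_counts, todays_count, min_daily_events):
    """Return True when today's download count should get a boosted risk score."""
    if not baseline_counts:
        return False
    baseline = mean(baseline_counts)
    unusual = todays_count > baseline
    return unusual and todays_count >= min_daily_events


def boosted_days(daily_counts, min_daily_events, window=WINDOW_DAYS):
    """Evaluate each day after the first `window` days against its own trailing
    baseline; returns (day_index, count, baseline, boosted) tuples."""
    results = []
    for i in range(window, len(daily_counts)):
        history = daily_counts[i - window:i]
        baseline = round(mean(history), 1)
        boosted = is_boosted(history, daily_counts[i], min_daily_events)
        results.append((i, daily_counts[i], baseline, boosted))
    return results


# Constructed sample: 30 days averaging 10 downloads, then a 20-file day
# (unusual, but under a minimum of 25) and a 30-file day.
SAMPLE_HISTORY = [7, 13, 9, 11, 10] * 6 + [20, 30]

if __name__ == "__main__":
    for row in boosted_days(SAMPLE_HISTORY, min_daily_events=25):
        print(row)
```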
Alert volume
Potentially risky activities detected by insider risk policies are assigned a specific risk score, which in turn determines the alert severity (low, medium, high). By default, insider risk management generates a certain amount of low, medium, and high severity alerts, but you can increase or decrease the volume of a specific level of alerts to suit your needs.
To adjust the volume of alerts for all insider risk management policies, choose one of the following settings:
- Fewer alerts: You'll see all high-severity alerts, fewer medium-severity alerts, and no low-severity alerts. You could miss some true positives if you choose this setting level.
- Default volume: You'll see all high-severity alerts and a balanced amount of medium-severity and low-severity alerts.
- More alerts: You'll see all medium-severity and high-severity alerts and most low-severity alerts. This setting level might result in more false positives.
Microsoft Defender for Endpoint alert statuses
Important
To import security violation alerts, you must configure Microsoft Defender for Endpoint in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violations in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.
Depending on the types of signals you're interested in, you can choose to import alerts to insider risk management based on the Defender for Endpoint alert triage status. You can define one or more of the following alert triage statuses in the global settings to import:
- Unknown
- New
- In progress
- Resolved
Alerts from Defender for Endpoint are imported daily. Depending on the triage status you choose, you may see multiple user activities for the same alert as the triage status changes in Defender for Endpoint.
For example, if you select New, In progress, and Resolved for this setting, when a Microsoft Defender for Endpoint alert is generated and the status is New, an initial alert activity is imported for the user in insider risk management. When the Defender for Endpoint triage status changes to In progress, a second activity for this alert is imported. When the final Defender for Endpoint triage status of Resolved is set, a third activity for this alert is imported. This functionality allows investigators to follow the progression of the Defender for Endpoint alerts and choose the level of visibility that their investigation requires.
Domains
You can specify unallowed and third-party domains to boost your detections:
- Unallowed domains: When you specify an unallowed domain, risk management activity that takes place with that domain will have a higher risk score. For example, you might want to specify activities that involve sharing content with someone (such as sending email to someone with a gmail.com address) or activities that involve users downloading content to a device from an unallowed domain. You can add up to 500 unallowed domains.
- Third-party domains: If your organization uses third-party domains for business purposes (such as cloud storage), include them in the Third-party domains section to receive alerts for potentially risky activity related to the device indicator Use a browser to download content from a third-party site. You can add up to 500 third-party domains.
Tip
You can also specify domains to exclude from being scored by insider risk management policies.
Add an unallowed domain
To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.
Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.
Under Insider risk settings, select Intelligent detections.
Scroll down to the Unallowed domains section, and then select Add domains.
Enter a domain.
Tip
If you don't want to enter domains one at a time, you can import them as a CSV file by selecting Import domains from CSV file on the previous page.
If you want to include all subdomains within the domain you entered, select the Include multi-level subdomains checkbox.
Note
You can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, use the wildcard entry "*.wingtiptoys.com" to match these subdomains (and any other subdomain at the same level). To specify multi-level subdomains for a root domain, you must select the Include multi-level subdomains checkbox.
Press Enter. Repeat this process for each domain that you want to add.
Select Add domains.
Add a third-party domain
To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.
Select Settings in the upper-right corner of the page, and then select Insider Risk Management to go to the insider risk management settings.
Under Insider risk settings, select Intelligent detections.
Scroll down to the Third-party domains section, and then select Add domains.
Enter a domain.
Tip
If you don't want to enter domains one at a time, you can import them as a CSV file by selecting Import domains from CSV file on the previous page.
If you want to include all subdomains within the domain you entered, select the Include multi-level subdomains checkbox.
Note
You can use wildcards to help match variations of root domains or subdomains. For example, to specify sales.wingtiptoys.com and support.wingtiptoys.com, use the wildcard entry "*.wingtiptoys.com" to match these subdomains (and any other subdomain at the same level). To specify multi-level subdomains for a root domain, you must select the Include multi-level subdomains checkbox.
Press Enter. Repeat this process for each domain that you want to add.
Select Add domains.
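The wildcard and multi-level rules described in the notes for adding unallowed and third-party domains are easy to get wrong when reviewing a domain list, so here is a small Python matcher added for illustration (it is not Microsoft code). It assumes that a plain entry matches only the exact host unless Include multi-level subdomains is selected, and that the CSV import is one domain per row; the sample domain lists are constructed.

```python
import csv
import io
from dataclasses import dataclass

# Added illustration (not Microsoft code) of the wildcard and multi-level rules.
# Assumed: a plain entry matches only the exact host unless the
# "Include multi-level subdomains" checkbox is selected; CSV is one domain per row.

@dataclass(frozen=True)
class DomainEntry:
    pattern: str               # "wingtiptoys.com" or "*.wingtiptoys.com"
    multi_level: bool = False  # the "Include multi-level subdomains" checkbox

def _labels(name):
    return name.strip().lower().strip(".").split(".")

def entry_matches(entry, host):
    """True if `host` is covered by `entry` under the wildcard/multi-level rules."""
    host_labels, pat_labels = _labels(host), _labels(entry.pattern)
    if pat_labels[0] == "*":            # wildcard: needs at least one extra label
        root = pat_labels[1:]
        if not root:
            raise ValueError("a bare '*' is not a valid domain entry")
        extra = len(host_labels) - len(root)
        if extra < 1 or host_labels[-len(root):] != root:
            return False
        return extra == 1 or entry.multi_level   # deeper levels need the checkbox
    if host_labels == pat_labels:       # plain entry: exact host
        return True
    if not entry.multi_level or len(host_labels) <= len(pat_labels):
        return False
    return host_labels[-len(pat_labels):] == pat_labels

def load_entries_csv(text, multi_level=False):
    """Parse a one-domain-per-row CSV (assumed layout of 'Import domains from CSV file')."""
    rows = csv.reader(io.StringIO(text))
    return [DomainEntry(r[0].strip(), multi_level) for r in rows if r and r[0].strip()]

def classify(host, unallowed, third_party):
    """Which list a host falls under; unallowed is checked first because it raises the score."""
    if any(entry_matches(e, host) for e in unallowed):
        return "unallowed"
    if any(entry_matches(e, host) for e in third_party):
        return "third-party"
    return "unlisted"

# Constructed sample lists (not taken from the page)
UNALLOWED = load_entries_csv("gmail.com\n*.wingtiptoys.com\n")
THIRD_PARTY = [DomainEntry("cloudstorage.example", multi_level=True)]
```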