Best practices for managing your alert volume in insider risk management

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Reviewing, investigating, and acting on potentially risky insider alerts are important parts of minimizing insider risks in your organization. Quickly taking action to minimize the impact of these risks can potentially save time, money, and regulatory or legal ramifications for your organization. In this remediation process, the first step of reviewing alerts can seem like the most difficult task for many analysts and investigators.

This article provides best practices for managing the volume of alerts in your organization so that you don't have too many or too few alerts. For a general discussion of how alerts are generated and the tools for managing alerts, see Investigate insider risk activities.

Too few alerts to review

If you're receiving too few insider risk management alerts:

• Update your settings: Changes that you make to settings apply globally across all of your policies.

  • Enable more indicators: Selecting more indicators gives your policies a larger group of activities to detect.

    How to: Go to Settings > Policy indicators, and then enable all available and relevant indicators.

  • Adjust the Alert volume slider: Use this slider to see all medium and high severity alerts, and most low severity alerts. Note: Adjusting the slider may result in more false positives.

    How to: Go to Settings > Intelligent detections > Alert volume, and then move the slider to More alerts.

• Modify the policy: Identify the policy that isn’t generating enough alerts, and then consider the following actions:

  • Increase the user coverage in the policy: Policies with few users included in the scope are less likely to generate alerts. If applicable, consider increasing the number of users in scope for your policy.

    How to: Select a specific policy on the Policies page, select Edit policy, and then go to the Users and groups page to increase the number of in-scope users.

  • Lower the trigger thresholds: Policies based on the Data leaks and Risky Browser Usage (preview) templates allow you to customize some trigger thresholds. These thresholds define when you'll start to detect user activities. If you lower trigger thresholds, you lower the criteria for a user to start being evaluated for risky activity. Note: If a user doesn’t appear in the Users and groups page, it means that triggering event criteria hasn't been met yet.

    How to: Go to the specific policy on the Policies page, select Edit policy, go to the Trigger thresholds page, select the Use custom thresholds option, and then adjust your thresholds.

  • Add more indicators: Indicators are the activities a user must do to be considered risky. If you don’t have many indicators (activities considered to be risky) selected in your policy, alerts are less likely to be generated.

    How to: Go to the specific policy on the Policies page, select Edit policy, go to the Indicators page, and then select more indicators.

  • Lower indicator thresholds: After your users begin getting evaluated (have a triggering event), an alert will only be generated for those users if they do activities above a certain threshold that may indicate that their activity is risky. Lowering the indicator thresholds will lower the threshold that users must surpass to generate an alert.

    How to: Go to the specific policy on the Policies page, select Edit policy, go to the Indicator thresholds page, select the Customize thresholds option, and then set your thresholds. Learn about indicator threshold recommendations

Too many alerts to review

If you're receiving too many valid alerts or have too many stale low-risk alerts, consider taking the following actions:

• Enable analytics: Enabling analytics can help you quickly identify potential risk areas for your users and help determine the type and scope of insider risk management policies that you might want to configure.

  How to: Go to Settings > Analytics.

• Get real-time insights: You can also get real-time insights from analytics if you want to take advantage of threshold recommendations. These insights can help you efficiently adjust the selection of indicators and thresholds of activity occurrence so that you don’t receive too few or too many policy alerts.

  How to: See Use real-time analytics to help manage alert volume.

• Adjust your policies: Selecting and configuring the correct insider risk policy is the most basic method to address the type and volume of alerts. Starting with the appropriate policy template helps focus the types of risk activities and alerts you see. Other factors that may impact alert volume are the size of the in-scope user and groups and the content and channels that are prioritized. Consider adjusting policies to refine these areas to what is most important for your organization.

  How to: Select a specific policy on the Policies page, and then select Edit policy.

• Modify your insider risk settings: Insider risk settings include a wide variety of configuration options that can impact the volume and types of alerts you receive. Make sure to review and understand the following settings to filter out alert noise:

  • Policy indicators and indicator thresholds
  • Global exclusions
  • Detection groups
  • Variants of built-in indicators
  • Intelligent detections
  • Policy timeframes

• Enable inline alert customization: Enabling inline alert customization allows analysts and investigators to quickly edit policies when reviewing alerts. They can update thresholds for activity detection with Microsoft recommendations, configure custom thresholds, or choose to ignore the type of activity that created the alert. If this isn't enabled, then only users assigned to the Insider Risk Management role group can use inline alert customization.

  How to: Go to Settings > Inline alert customization.

• Bulk delete alerts, where applicable: It might help save triage time for your analysts and investigators to immediately dismiss multiple alerts in bulk. You can select up to 400 alerts to dismiss at one time.

Managing resource constraints in your organization

Modern workplace users often have a wide variety of responsibilities and demands on their time. There are several actions you can take to help address resource constraints:

• Focus analyst and investigator efforts on the highest risk alerts first: Depending on your policies, you may be capturing user activities and generating alerts with varying degrees of potential impact to your risk mitigation efforts. Filter alerts by severity and prioritize High severity alerts.
• Use Microsoft Copilot: You can use Microsoft Copilot in Microsoft Purview to summarize an alert without even opening it. This can speed up the triaging experience.
• Assign users as analysts and investigators: Having the right user assigned to the proper roles is an important part of the insider risk alert review process. Make sure you've assigned the appropriate users to the Insider Risk Management Analysts and Insider Risk Management Investigators role groups.
• Use automated insider risk features to help discover the highest risk activities:
  • Use insider risk management sequence detection and cumulative exfiltration detection to quickly discover harder to find risks in your organization.
  • Consider fine-tuning your risk score boosters, and use global exclusions, detection groups, and variants.
  • Fine tune minimum indicator threshold settings for your policies.

See also

Investigate insider risk management activities