Trình duyệt này không còn được hỗ trợ nữa.
Hãy nâng cấp lên Microsoft Edge để tận dụng các tính năng mới nhất, bản cập nhật bảo mật và hỗ trợ kỹ thuật.
Quan trọng
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
The insider risk management Content explorer allows users assigned the Insider Risk Management Investigators role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new risk activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. If needed, case data files might be exported as a portable document file (PDF) or in the original file format.
Mẹo
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
To examine the emails and files captured by the policies included in a specific case, navigate to the Insider risk management Cases page and select the row of the Case name in the list for the case you want to view details for. Then in the case details page, select the Content explorer tab to open the Content explorer.
Quan trọng
After an alert is confirmed to a case, Content explorer won't display any details for that case if the organization has not assigned a user to either the Insider Risk Management Investigators or Insider Risk Management role group.
Content explorer includes user activities related to Microsoft 365 service files, such as user activity on SharePoint, Exchange, and OneDrive for Business. For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it might take longer to create a snapshot. If content is still loading in Content explorer, you'll see a progress indicator that displays the completion percentage.
In some cases, data associated with a case might not be available as a snapshot for review in Content explorer. This situation might occur when case data has been deleted or moved, or when a temporary error occurs when processing case data. If this situation occurs, select View files in the warning bar to view the file names, file path, and reason for the failure for each file. If needed, this information can be exported to a .csv (comma-separated values) file.
If the content includes Information Rights Management permissions, these permissions are maintained for the copied content and users assigned the Insider Risk Management Investigators role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities aren't included in Content explorer.
Lưu ý
After a case is active for over 365 days, Content explorer isn't updated to reflect new activities. To update content explorer with new activities for a user in this scenario, resolve the case and open a new case for the user.
Mẹo
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
To make it easier for risk analysts and investigators to review captured data and messages and review the context to the case, several filtering and sorting tools are included in the Content explorer. For basic sorting, the Date and File class columns support sorting using the column titles in the content queue pane. Other queue columns are available to add to the view to provide different pivots on the files and messages.
To add or remove column headings for the content queue, use the Edit columns control and select from the following column options. These columns map to the common, email, and document property conditions supported in the Content explorer and listed later in this article.
| Column option | Description |
|---|---|
| Author | The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. |
| Bcc | Available for email messages, the users in the Bcc message field. |
| Cc | Available for email messages, the users in the Cc message field. |
| Compound path | Human readable path that describes the source of the item. |
| Conversation ID | Conversation ID from the message. |
| Conversation index | Conversation index from the message. |
| Created time | The time the file or email message was created. |
| Date (UTC) | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. Date is in Coordinated Universal Time (UTC). |
| Dominant theme | Dominant theme as calculated for analytics. |
| Email set ID | Group ID for all messages in the same email set. |
| Family ID | Family ID groups together all items; for email, this column includes the message and all attachments; for documents, this column includes the document and any embedded items. |
| File class | For content from SharePoint and OneDrive: Document; for content from Exchange: Email or Attachment. |
| File ID | Document identifier unique within the case. |
| File type icon | The extension of a file; for example, docx, one, pptx, or xlsx. This field is the same property as the FileExtension site property. |
| ID | The GUID identifier for the file. |
| Immutable ID | Immutable ID as stored in Office 365. |
| Inclusive type | Inclusive type calculated for analytics: 0 - not inclusive; 1 - inclusive; 2 - inclusive minus; 3 - inclusive copy. |
| Last modified | The date that a document was last changed. |
| Marked as representative | One document from each set of exact duplicates is marked as representatives. |
| Message kind | The type of email message to search for. Possible values: contacts, docs, email, external data, faxes, im, journals, meetings, microsoft teams (returns items from chats, meetings, and calls in Microsoft Teams), notes, posts, RSS feeds, tasks, voicemail |
| Participants | List of all participants of a message; for example, Sender, To, Cc, Bcc. |
| Pivot ID | The ID of a pivot. |
| Received | The date that an email message was received by a recipient. This field is the same property as the Received email property. |
| Recipients | All recipient fields in an email message. These fields are To, Cc, and Bcc. |
| Representative ID | Numeric identifier of each set of exact duplicates. |
| Sender | The sender of an email message. |
| Sender/Author | For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator. |
| Sensitive info types | The sensitive info types identified in content. |
| Sensitivity labels | The sensitivity labels applied to the content. |
| Sent | The date that an email message was sent by the sender. This field is the same property as the Sent email property. |
| Size | For both email and documents, the size of the item (in bytes). |
| Subject | The text in the subject line of an email message. |
| Subject/Title | For email, the text in the subject line of a message. For documents, the title of the document. As previously explained, the Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the OR operator. |
| Themes list | Themes list as calculated for analytics. |
| Title | The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document. |
| To | The recipient of an email message in the To field. |
You can use one or more filters to narrow the scope of a search and return a more refined set of results. To set a filter, select Filters at the top of the content queue. Many filters include additional filtering options to help narrow the results returned by the filter. For example, the Date filter includes controls to configure a Start date and Ending date for the Date filter. Select one or more filter items from the following categories:
| Filter | Description |
|---|---|
| Date (UTC) | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. |
| Sender/Author | For email, the person who sent a message. For documents, the person cited in the Author field from Office documents. You can type more than one name, separated by commas. |
| Source | The location of the document in your organization. For example, a specific SharePoint site location. |
| Subject/Title | For email, the text in the subject line of a message. For documents, the title of the document. The Title property in documents is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the OR operator. |
| Filter | Description |
|---|---|
| Bcc | The Bcc field of an email message. |
| Cc | The Cc field of an email message. |
| Has attachment | Indicates whether a message has an attachment. Values are listed as true or false. |
| Is email attachment | If the document is an attachment, the value is listed as Yes. |
| Is embedded document | If the document is embedded in the email message, the value is listed as Yes. |
| Is inline attachment | If the document is an inline attachment in the email message, the value is listed as Yes. |
| Participants | All the people fields in an email message. These fields are From, To, Cc, and Bcc. |
| Received | The date that an email message was received by a recipient. |
| Recipient domains | List of all domains of recipients of a message. |
| Recipients | The email message recipients. |
| Sender | Sender (From) field for message types. Format is DisplayName <SmtpAddress>. |
| Sender domain | Domain of the sender. |
| To | The To field of an email message. |
| Unique in email set | False if there's a duplicate of the attachment in its email set. |
| Filters | Description |
|---|---|
| Compliance labels | Compliance labels applied in Microsoft 365. |
| Created time (UTC) | The date and time the file or email message was created. The date and time are in Coordinated Universal Time (UTC). |
| Last modified date (UTC) | The date that a document was last changed. The date and time are in Coordinated Universal Time (UTC). |
| File extension | The extension type of the file. |
| User activity events | Activity for items related to specific user activity in a case. For example, when you select a link to 'Explore Content' for an activity in the User Activity page of a case, this filter is used to display items related to that activity. |
| Work product | The type of work product for the document. For example, annotations or tags in the document. |
Đào tạo
Mô-đun
Investigate threats with Content search in Microsoft Purview - Training
Investigate threats with Content search in Microsoft Purview.
Chứng chỉ
Được Microsoft chứng nhận: Liên kết Người quản trị Bảo vệ Thông tin và Tuân thủ - Certifications
Minh họa các nguyên tắc cơ bản về bảo mật dữ liệu, quản lý vòng đời, bảo mật thông tin và tuân thủ để bảo vệ triển khai Microsoft 365.