Microsoft Purview Insider Risk Management – detection and investigation experience

Coming soon to public preview, the enhancements for the Insider Risk Management solution in the Microsoft Purview compliance portal will improve the experience for admins, analysts, and investigators.

When this will happen:

Rollout will begin in mid-February and is expected to be complete by mid-March.

How this will affect your organization:

Microsoft Purview Insider Risk Management correlates various signals to identify potentially malicious or inadvertent insider risks that may lead to a data security incident, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

With this update, the following preview features will become available:

  • File type exclusion in email attachments: Admins can already configure file type exclusions in Insider Risk Management policies, but today those exclusions do not apply to email attachments. With this update, the file type exclusion will also cover email attachments, which reduces noisy signals from file types the organization has already chosen to ignore.
  • Sequence detection starting with downloads from third-party sites: Admins can configure the new sequence feature to detect risky user actions that begin with downloading data from a configured third-party domain. This gives security teams visibility into activity that starts in their multi-cloud environments and may lead to a data security incident.
  • File archiving as obfuscation: Admins can configure policies, and use sequence detection, to detect file archiving actions that may be used to obfuscate data exfiltration. This surfaces a series of connected activities (for example, archiving a file and then moving the archive out of the organization) that might otherwise evade exfiltration detection.
  • Improved alert filtering: Analysts and investigators can filter out any activity that was already reviewed in a past alert for a user so they can focus their review on new activities that might lead to a data security incident.
  • Visualization of cumulative exfiltration trends: When investigating an alert, admins can leverage the activity scatter plot to visualize a historical timeline of activity types, risk scores, and the sequence of events. To help organizations better visualize the growth of data exfiltration over time, this new trend chart will show a user’s cumulative data exfiltration activity as it relates to other key signals like resignation date.
  • Enhancements to the unusual activity booster detection: Today, admins can enable the risk score booster “Activity is above user’s usual activity for that day.” With this update, the model behind that booster is improved so that it better detects when a user’s activity is unusual compared with their historical norms. If an admin has opted in to this booster in settings, the organization might see fewer activities tagged with it, because the model is more selective.
  • Deduplicate signals of 13 activity types: A single user activity can generate duplicate signals, which inflates risk scores and creates noisy alerts. With this update, duplicate signals for 13 activity types will be de-duplicated to reduce the noise without losing risk context.
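To make the detection features above concrete, the following is an illustrative model, added to this page and not Microsoft's implementation, of how sequence detection starting at a third-party download, archiving as an obfuscation step, file type exclusion for email attachments, signal deduplication and past-alert filtering could work over an activity log. The Activity schema, the policy settings (the excluded file types, the third-party domains, the 24-hour sequence window, the one-minute deduplication window) and the sample events are all constructed assumptions; Purview's actual scoring and correlation are not public.

```python
"""Illustrative model of Insider Risk Management detection concepts.

Example code added to this page; it is NOT Purview's own logic. The schema,
thresholds, policy values and sample events below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Activity:
    user: str          # pseudonymized user id (assumed format)
    ts: datetime
    kind: str          # download | archive | upload | email_attachment
    path: str          # file name, or archive name for "archive"
    site: str = ""     # domain for download/upload, recipient domain for email
    source: str = ""   # for "archive": the file that was placed in the archive


# Hypothetical policy settings, modelled on the portal options the post names.
EXCLUDED_FILE_TYPES = {".png", ".ico"}                        # "Exclude file types"
THIRD_PARTY_SITES = {"files.example.net", "share.example.org"}  # "Configure third-party sites"
ARCHIVING_IS_OBFUSCATION = True                               # "archiving files on a device"
SEQUENCE_WINDOW = timedelta(hours=24)                         # assumed correlation window
EXFIL_KINDS = {"upload", "email_attachment"}


def is_excluded(a: Activity, apply_to_email: bool = True) -> bool:
    """File type exclusion. Before the update it did not cover email attachments;
    apply_to_email=False reproduces that older behaviour."""
    if a.kind == "email_attachment" and not apply_to_email:
        return False
    return PurePosixPath(a.path).suffix.lower() in EXCLUDED_FILE_TYPES


def dedupe(activities):
    """Collapse duplicate signals: same user, kind, file and site within one minute
    (an assumed window). The first occurrence is kept, so risk context survives."""
    seen, out = set(), []
    for a in sorted(activities, key=lambda x: x.ts):
        key = (a.user, a.kind, a.path, a.site, a.ts.replace(second=0, microsecond=0))
        if key not in seen:
            seen.add(key)
            out.append(a)
    return out


def detect_sequences(activities):
    """Find download-from-third-party-site -> [archive] -> exfiltration chains per user.
    An archive step is followed only when ARCHIVING_IS_OBFUSCATION is set, and the
    archive's name is then tracked as an alias of the downloaded data."""
    findings, by_user = [], {}
    for a in activities:
        if not is_excluded(a):
            by_user.setdefault(a.user, []).append(a)
    for user, acts in by_user.items():
        acts.sort(key=lambda x: x.ts)
        for i, start in enumerate(acts):
            if start.kind != "download" or start.site not in THIRD_PARTY_SITES:
                continue
            tracked = {start.path}      # names the downloaded data travels under
            steps = [start]
            for nxt in acts[i + 1:]:
                if nxt.ts - start.ts > SEQUENCE_WINDOW:
                    break
                if ARCHIVING_IS_OBFUSCATION and nxt.kind == "archive" and nxt.source in tracked:
                    tracked.add(nxt.path)
                    steps.append(nxt)
                elif nxt.kind in EXFIL_KINDS and nxt.path in tracked:
                    steps.append(nxt)
                    findings.append({"user": user, "steps": steps,
                                     "obfuscated": any(s.kind == "archive" for s in steps)})
                    break
    return findings


def unreviewed(activities, reviewed):
    """Alert filtering: drop activities already reviewed in a past alert for the user."""
    return [a for a in activities if a not in reviewed]


T0 = datetime(2024, 2, 20, 9, 0)
EVENTS = [  # constructed sample activity log, not real telemetry
    Activity("u-4f2a", T0, "download", "roadmap.docx", "files.example.net"),
    Activity("u-4f2a", T0 + timedelta(seconds=20), "download", "roadmap.docx",
             "files.example.net"),                                   # duplicate signal
    Activity("u-4f2a", T0 + timedelta(hours=1), "archive", "q3.zip", source="roadmap.docx"),
    Activity("u-4f2a", T0 + timedelta(hours=2), "upload", "q3.zip", "share.example.org"),
    Activity("u-4f2a", T0 + timedelta(hours=3), "email_attachment", "logo.png", "example.com"),
    Activity("u-9c10", T0, "download", "notes.txt", "intranet.corp.example"),
    Activity("u-9c10", T0 + timedelta(hours=1), "upload", "notes.txt", "share.example.org"),
]

if __name__ == "__main__":
    for f in detect_sequences(dedupe(EVENTS)):
        chain = " -> ".join(f"{s.kind}:{s.path}" for s in f["steps"])
        print(f"{f['user']} obfuscated={f['obfuscated']} {chain}")
```

Run against the raw events, the duplicate download signal starts a second identical sequence for the same user, which is exactly the kind of noisy alert the deduplication change removes; running after dedupe yields one finding. The `.png` email attachment is dropped by the exclusion only because `apply_to_email` defaults to the new behaviour, and the internal download by the second user never qualifies as a sequence start because its domain is not in the configured third-party list.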

What you need to do to prepare:

To begin using these preview features, select the appropriate configuration options within insider risk settings and policies, or choose the relevant filtering and visualization options within user activity review.

From Insider Risk Management > Settings, you can configure the following policy options:


  • Exclude file types in Insider Risk Management policies. Note: If file type exclusion is already configured for your organization, these settings will now also apply to email attachments.
  • Configure third-party sites; this enables admins to select sequences for data leaks or data theft policies where the first step is downloading from a third-party site.
  • Include “archiving files on a device” as an indicator of obfuscation; this enables admins to include file archiving as an obfuscation activity for sequence detection.

For the alert review enhancements, if Insider Risk Management is enabled in your tenant, admins will see an option on the alert page to filter out activity that was already reviewed in a past alert for the user. Additionally, on the user activity page of an alert or a case, Insider Risk Management analysts and investigators can click the cumulative exfiltration event on the timeline to open the new trend chart visualization.

The signal deduplication and the unusual activity booster enhancements roll out automatically and do not require any admin action.

Get started with Insider Risk Management in the Microsoft Purview compliance portal.

Learn more: Learn about insider risk management  

