Review data with the insider risk management content explorer

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

The insider risk management Content explorer allows users assigned the Insider Risk Management Investigators role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new risk activity. For all alerts that are confirmed to a case, copies of data and message files are archived as a snapshot in time of the items, while maintaining the original files and messages in the storage sources. If needed, case data files may be exported as a portable document file (PDF) or in the original file format.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Use the Content explorer to view details for a specific case

To examine the emails and files captured by the policies included in a specific case, navigate to the Insider risk management Cases page and select the row of the Case name in the list for the case you want to view details for. Then in the case details page, select the Content explorer tab to open the Content explorer.

Important

After an alert is confirmed to a case, Content explorer won't display any details for that case if the organization has not assigned a user to either the Insider Risk Management Investigators or Insider Risk Management role group.

Content explorer includes user activities related to Microsoft 365 service files, such as user activity on SharePoint, Exchange, and OneDrive for Business. For new cases, it usually takes about an hour for content to populate in Content explorer. For cases with large amounts of content, it may take longer to create a snapshot. If content is still loading in Content explorer, you'll see a progress indicator that displays the completion percentage.

In some cases, data associated with a case may not be available as a snapshot for review in Content explorer. This situation may occur when case data has been deleted or moved, or when a temporary error occurs when processing case data. If this situation occurs, select View files in the warning bar to view the file names, file path, and reason for the failure for each file. If needed, this information can be exported to a .csv (comma-separated values) file.

If the content includes Information Rights Management permissions, these permissions are maintained for the copied content and users assigned the Insider Risk Management Investigators role will need these permissions and rights if they need to open and view the files. Each file and message are automatically assigned a unique file ID in the insider risk management case for management purposes. Documents associated with device indicator activities aren't included in Content explorer.

Note

After a case is active for over 365 days, Content explorer isn't updated to reflect new activities. To update content explorer with new activities for a user in this scenario, resolve the case and open a new case for the user.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

Column options

To make it easier for risk analysts and investigators to review captured data and messages and review the context to the case, several filtering and sorting tools are included in the Content explorer. For basic sorting, the Date and File class columns support sorting using the column titles in the content queue pane. Other queue columns are available to add to the view to provide different pivots on the files and messages.

To add or remove column headings for the content queue, use the Edit columns control and select from the following column options. These columns map to the common, email, and document property conditions supported in the Content explorer and listed later in this article.

Column option Description
Author The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author.
Bcc Available for email messages, the users in the Bcc message field.
Cc Available for email messages, the users in the Cc message field.
Compound path Human readable path that describes the source of the item.
Conversation ID Conversation ID from the message.
Conversation index Conversation index from the message.
Created time The time the file or email message was created.
Date (UTC) For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. Date is in Coordinated Universal Time (UTC).
Dominant theme Dominant theme as calculated for analytics.
Email set ID Group ID for all messages in the same email set.
Family ID Family ID groups together all items; for email, this column includes the message and all attachments; for documents, this column includes the document and any embedded items.
File class For content from SharePoint and OneDrive: Document; for content from Exchange: Email or Attachment.
File ID Document identifier unique within the case.
File type icon The extension of a file; for example, docx, one, pptx, or xlsx. This field is the same property as the FileExtension site property.
ID The GUID identifier for the file.
Immutable ID Immutable ID as stored in Office 365.
Inclusive type Inclusive type calculated for analytics: 0 - not inclusive; 1 - inclusive; 2 - inclusive minus; 3 - inclusive copy.
Last modified The date that a document was last changed.
Marked as representative One document from each set of exact duplicates is marked as representatives.
Message kind The type of email message to search for. Possible values: contacts, docs, email, external data, faxes, im, journals, meetings, microsoft teams (returns items from chats, meetings, and calls in Microsoft Teams), notes, posts, RSS feeds, tasks, voicemail
Participants List of all participants of a message; for example, Sender, To, Cc, Bcc.
Pivot ID The ID of a pivot.
Received The date that an email message was received by a recipient. This field is the same property as the Received email property.
Recipients All recipient fields in an email message. These fields are To, Cc, and Bcc.
Representative ID Numeric identifier of each set of exact duplicates.
Sender The sender of an email message.
Sender/Author For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator.
Sensitive info types The sensitive info types identified in content.
Sensitivity labels The sensitivity labels applied to the content.
Sent The date that an email message was sent by the sender. This field is the same property as the Sent email property.
Size For both email and documents, the size of the item (in bytes).
Subject The text in the subject line of an email message.
Subject/Title For email, the text in the subject line of a message. For documents, the title of the document. As previously explained, the Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the OR operator.
Themes list Themes list as calculated for analytics.
Title The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document.
To The recipient of an email message in the To field.

Filtering

You can use one or more filters to narrow the scope of a search and return a more refined set of results. To set a filter, select Filters at the top of the content queue. Many filters include additional filtering options to help narrow the results returned by the filter. For example, the Date filter includes controls to configure a Start date and Ending date for the Date filter. Select one or more filter items from the following categories:

Common filters

Filter Description
Date (UTC) For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified.
Sender/Author For email, the person who sent a message. For documents, the person cited in the Author field from Office documents. You can type more than one name, separated by commas.
Source The location of the document in your organization. For example, a specific SharePoint site location.
Subject/Title For email, the text in the subject line of a message. For documents, the title of the document. The Title property in documents is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the OR operator.

Email filters

Filter Description
Bcc The Bcc field of an email message.
Cc The Cc field of an email message.
Has attachment Indicates whether a message has an attachment. Values are listed as true or false.
Is email attachment If the document is an attachment, the value is listed as Yes.
Is embedded document If the document is embedded in the email message, the value is listed as Yes.
Is inline attachment If the document is an inline attachment in the email message, the value is listed as Yes.
Participants All the people fields in an email message. These fields are From, To, Cc, and Bcc.
Received The date that an email message was received by a recipient.
Recipient domains List of all domains of recipients of a message.
Recipients The email message recipients.
Sender Sender (From) field for message types. Format is DisplayName <SmtpAddress>.
Sender domain Domain of the sender.
To The To field of an email message.
Unique in email set False if there's a duplicate of the attachment in its email set.

Document filters

Filters Description
Compliance labels Compliance labels applied in Microsoft 365.
Created time (UTC) The date and time the file or email message was created. The date and time are in Coordinated Universal Time (UTC).
Last modified date (UTC) The date that a document was last changed. The date and time are in Coordinated Universal Time (UTC).
File extension The extension type of the file.
User activity events Activity for items related to specific user activity in a case. For example, when you select a link to 'Explore Content' for an activity in the User Activity page of a case, this filter is used to display items related to that activity.
Work product The type of work product for the document. For example, annotations or tags in the document.