Use reports in insider risk management

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Use reports in Microsoft Purview Insider Risk Management to understand the landscape of your insider risk program. Reports provide deeper insights and summary information for all areas relating to insider risk, including alerts, cases, user activity, and analytics generated from qualifying risk activities across Microsoft services to help identify insights into potential areas of risk.

The following reports are available by navigating to Insider Risk Management > Reports in the Microsoft Purview portal:

  • Alerts (preview): View trends for generated alerts, actions taken on alerts over time, and alerts by policy.
  • Analytics: View a summary of anonymized user activities detected in your organization.
  • Cases (preview): View trends for created cases, actions taken on cases over time, and cases status by policy and region.
  • User activity: Review recent user activity, regardless of whether the user is included in a policy or alert.

Work with reports

To view Insider Risk Management reports, you must be a member of the applicable role or role group. The permissions required to view reports for alerts and cases differ from the permissions required to view reports for analytics. If your organization is using administrative units, access may vary for these reports. For more information, see:

Customize charts

For each report area, predefined report filter controls and a date selector are available to help you quickly scope insights to specific criteria or date ranges. Select a filter at the top of the page for each area to quickly scope all the reports in the area to a filter setting. For reporting dates, select a specific month or select Last 3 months to view all data for the report area.

You may also want to pick and choose which reports to display by default in each report area. To customize the reports shown in each area, select Customize view. On the Customize view flyout pane, you can choose which reports to display and which reports to hide in each area.

Chart details

To dive deeper into the results contained in a report, select View details for the report. In the details view, you can scope the information using filters and change your view by dates or policies. To export data contained in a report, select Export to download either an image of the report chart or a .csv file with the report values.

Alert reports (preview)

Investigating potentially risky user activities is an important first step in minimizing insider risks for your organization. These risks may be activities that generate alerts from insider risk management policies. Alert reports provide insights into alert volumes, progress of managing alerts, common alert sources, and time spent triaging. You can quickly filter all alert reports by All alerts, Confirmed alerts, and Dismissed alerts.

| Report type | Report | Description |
|---|---|---|
| Summary | Alerts generated | Displays the number of low, medium, and high severity alerts generated during the specified date range. |
| Summary | Alerts acted on | Displays the number of alerts confirmed to a case or dismissed during the specified date range. |
| Summary | Dismissal reasons | Displays... |
| Demographics | Top countries/regions with alerts | Displays the number of alerts generated for users based on what country or region they’re in. Not specified means their country or region isn’t specified in Microsoft Entra ID. |
| Demographics | Alerts generated by department | Displays the number of alerts generated for users based on what department they’re in. Not specified means their department isn’t specified in Microsoft Entra ID. |
| Insights | Alerts by top triggering event | Displays the number of alerts based on top triggering events detected during the specified date range. |
| Insights | Alerts by top activity that generated the alert | Displays the number of alerts based on top activities detected during the specified date range. |
| Productivity | Alert status by assignment | Displays the number of alerts assigned to specific admins, broken down by alert status. |
| Productivity | Average days alerts are in Needs Review | Displays the average number of days that alerts remained in a Needs review status during the specified date range. |

Analytics reports

After the first analytics scan is complete for your organization, members of the Insider Risk Management Admins role group will automatically receive an email notification and can view the initial insights and recommendations for potentially risky activities by your users. Daily scans continue unless you turn off analytics for your organization. Email notifications to admins are provided for each of the three in-scope categories for analytics (data leaks, theft, and exfiltration) after the first instance of potentially risky activity in your organization. Email notifications aren't sent to admins for follow-up risk management activity detection resulting from the daily scans.

Note

If the Analytics setting is disabled and then re-enabled, automatic email notifications are reset and email notifications are sent to members of the Insider Risk Management Admins role group for new scanning insights.

To view potential risks for your organization, go to Insider Risk Management > Reports > Analytics.

Note

If the scan for your organization isn't complete, you see a message that the scan is still active.

For completed analyses, you'll see the potential risks discovered in your organization and insights and recommendations to address these risks. Identified risks and specific insights are included in reports grouped by area, the total number of users (all types of Microsoft Entra accounts, including user, guest, system, and so on) with identified risks, the percentage of these users with potentially risky activities, and a recommended insider risk policy to help mitigate these risks. The reports include:

  • Data leaks insights: For all users that may include accidental oversharing of information outside your organization or data leaks by users with malicious intent.
  • Data theft insights: For departing users or users with deleted Microsoft Entra accounts that may include risky sharing of information outside your organization or data theft by users with malicious intent.
  • Top exfiltration insights: For all users that may include sharing data outside of your organization.

[Figure: Insider risk management analytics overview report.]

To display more information for an insight, select View details to display the details pane for the insight. The details pane includes the complete insight results, an insider risk policy recommendation, and Create policy to quickly help you create the recommended policy. Selecting Create policy takes you to the policy workflow and automatically selects the recommended policy template related to the insight. For example, if the analytics insight is for Data Theft activity, the Data Theft policy template is pre-selected in the policy workflow for you.

[Figure: Insider risk management analytics details report.]

Case reports (preview)

Cases allow you to deeply investigate and act on issues generated by risk indicators defined in your policies. Cases are manually created from alerts in situations where further action is needed to address a compliance-related issue for a user. Cases reports provide trend information for cases to help you track the type of cases, the current status of cases, cases by region or assignment, and more. You can quickly filter all cases reports by All cases, Confirmed cases, and Benign cases.

| Report type | Report | Description |
|---|---|---|
| Summary | Cases created | Displays the number of cases generated during the specified date range. |
| Summary | Actioned cases | Displays the number of cases with activity during the specified date range. |
| Demographics | Top countries/regions with cases | Displays the number of cases generated for users based on what country or region they’re in. Not specified means their country or region isn’t specified in Microsoft Entra ID. |
| Demographics | Top departments with cases | Displays the number of cases generated for users based on what department they’re in. Not specified means their country or region isn’t specified in Microsoft Entra ID. |
| Productivity | Case status by assignment | Displays the number of cases assigned to specific admins, broken down by alert status. |
| Productivity | Average days with active status | Displays the average number of days that cases remained in an Active status during the specified date range. |

User activity reports

User activity reports allow you to examine potentially risky activities (for specific users and for a defined time period) without having to assign these activities, temporarily or explicitly, to an insider risk management policy. In most insider risk management scenarios, users are explicitly defined in policies, and they may have policy alerts (depending on triggering events) and risk scores associated with the activities. But in some scenarios, you may want to examine the activities for users that aren't explicitly defined in a policy. These may be users about whom you've received a tip regarding potentially risky activities, or users that typically don't need to be assigned to an insider risk management policy.

After you've configured indicators on the insider risk management Settings page, user activity is detected for potentially risky activity associated with the selected indicators. This configuration means that all detected activity for users is available for review, regardless of whether it has a triggering event or creates an alert. Reports are created on a per-user basis and can include all activities for a custom 90-day period. Multiple reports for the same user aren't supported.

After examining potentially risky activities, investigators can dismiss an individual user's activities as benign. They can also share or email a link to the report with other investigators, or choose to assign users (temporarily or explicitly) to an insider risk management policy. Users must be assigned to the Insider Risk Management Investigators role group to view the User activity reports page.

[Figure: Insider risk management user activity report overview.]

Create a user activity report

To create a user activity report, complete the following steps:

  1. Navigate to Insider Risk Management > Reports > User activity.
  2. Select Create user activity report.
  3. Select a date for the Start date.
  4. Select a date for the End date.
  5. In the Users field, search for one or more users by name or user principal name.
  6. Select Create report.

User activity data is available for reporting approximately 48 hours after the activity occurred. For example, to review user activity data for December 1, you'll need to make sure at least 48 hours have elapsed before creating the report (you'd create a report on December 3 at the earliest).

New reports typically take up to 10 hours before they're ready for review. When the report is ready, Report ready appears in the Status column on the User activity report page.
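
The timing and scoping limits described above can be combined into a pre-flight check for a batch of report requests before anyone enters them in the portal. This is an added example, not Microsoft code or a Purview API; the function names, the sample UPNs, and the reading of the "custom 90-day period" as a maximum window length are assumptions.

```python
from datetime import date, datetime, timedelta

DATA_LATENCY = timedelta(hours=48)  # page: data is reportable ~48 hours after the activity
READY_WITHIN = timedelta(hours=10)  # page: new reports typically take up to 10 hours
MAX_WINDOW_DAYS = 90                # assumption: "custom 90-day period" read as a 90-day cap


def earliest_creation_date(last_activity_day: date) -> date:
    """First calendar day on which a report covers last_activity_day (Dec 1 -> Dec 3)."""
    return last_activity_day + timedelta(days=DATA_LATENCY.days)


def plan_reports(requests, now: datetime, users_with_report=()):
    """Check (upn, start, end) requests in order; return one plan dict per request."""
    taken = {u.lower() for u in users_with_report}
    plans = []
    for upn, start, end in requests:
        problems = []
        if start > end:
            problems.append("start date is after end date")
        elif (end - start).days + 1 > MAX_WINDOW_DAYS:
            problems.append(f"window exceeds {MAX_WINDOW_DAYS} days")
        if upn.lower() in taken:
            problems.append("user already has a report; multiple reports per user aren't supported")
        # Wait until the end date's activity has had 48 hours to become reportable.
        create_on = max(now.date(), earliest_creation_date(end))
        created_at = now if create_on == now.date() else datetime.combine(create_on, datetime.min.time())
        plans.append({
            "user": upn,
            "ok": not problems,
            "problems": problems,
            "create_on": create_on,
            "ready_by": created_at + READY_WITHIN,  # upper bound on "Report ready"
        })
        taken.add(upn.lower())
    return plans


# Constructed sample requests (hypothetical UPNs and dates).
SAMPLE = [
    ("adele@contoso.example", date(2024, 11, 1), date(2024, 12, 1)),
    ("adele@contoso.example", date(2024, 11, 15), date(2024, 12, 1)),
    ("megan@contoso.example", date(2024, 6, 1), date(2024, 12, 1)),
]

if __name__ == "__main__":
    for plan in plan_reports(SAMPLE, datetime(2024, 12, 2, 9, 0)):
        print(plan)
```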

View a user activity report

Select the user to view the detailed report:

[Figure: Insider risk management user activity report]

The User activity report for the selected user contains the User activity, Activity explorer, and Forensic evidence tabs:

  • User activity: Use this chart view to investigate potentially risky activities and view potentially related activities that occur in sequences. This tab is structured to enable quick review of a case, including a historical timeline of all activities, activity details, the current risk score for the user in the case, the sequence of risk events, and filtering controls to help with investigative efforts. To learn more, see User activity.
  • Activity explorer: This tab provides risk investigators with a comprehensive analytics tool that provides detailed information about activities. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all potentially risky activities associated with alerts. To learn more, see Activity explorer.
  • Forensic evidence: This tab allows risk investigators to review visual captures associated with risk activities included in cases from forensic evidence detection.