Learn about insider risk management settings

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Before getting started with insider risk management policies, it's important to understand and choose the insider risk management settings that best meet the compliance needs for your organization. Insider risk management settings apply to all insider risk management policies, regardless of the template you choose when creating a policy.

Note

Use Settings at the top of any insider risk management page to make settings changes.

The following table describes each insider risk management setting and provides a link to learn more about the setting.

Setting Description
Privacy Choose whether to display usernames or anonymized versions of usernames for all current and past policy matches for alerts and cases.
Policy indicators Each insider risk management policy template is based on specific indicators that correspond to specific triggers and risk activities. All global indicators are disabled by default; you must select one or more indicators to configure an insider risk management policy. Indicator level settings help you control how the number of occurrences of risk events in your organization affect the risk score.
Detection groups Use the Detection groups setting to create variants of built-in indicators if you want to tailor detections for different sets of users. Creating detection groups helps to reduce false positives.
Global exclusions Use the Global exclusions setting to specify global exclusions that won't be scored by your insider risk management policies.
Policy timeframes The Policy timeframes setting allows you to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates.
Intelligent detections Use the Intelligent detections setting to boost the score for unusual download activity, control alert volume, import and filter Microsoft Defender for Endpoint alerts, and specify unallowed and third-party domains for risk scoring.
Export alerts Insider risk management alert information is exportable to security information and event management (SIEM) and security orchestration automated response (SOAR) solutions by using the Office 365 Management Activity API schema. You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information.
Data sharing Use the Data sharing setting to do either of the following: 1) Export insider risk management alert information to SIEM solutions by using the Office 365 Management Activity API schema; 2) Share insider risk management user risk levels with Microsoft Defender and DLP alerts.
Priority user groups Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. Prioritizing the examination and scoring of the activities of these users can help alert you to potential risks that may have higher consequences for your organization. Use the Priority user groups setting to define the users in your organization that need closer inspection and more sensitive risk scoring.
Priority physical assets (preview) Identifying access to priority physical assets and correlating access activity to user events is an important component of your compliance infrastructure. These physical assets represent priority locations in your organization, such as company buildings, data centers, or server rooms. Insider risk activities may be associated with users working unusual hours, attempting to access these unauthorized sensitive or secure areas, and requests for access to high-level areas without legitimate needs.
Power Automate flows (preview) Microsoft Power Automate is a workflow service that automates actions across applications and services. By using flows from templates or created manually, you can automate common tasks associated with these applications and services. When you enable Power Automate flows for insider risk management, you can automate important tasks for cases and users. You can configure Power Automate flows to retrieve user, alert, and case information and share this information with stakeholders and other applications, as well as automate actions in insider risk management, such as posting to case notes. Power Automate flows are applicable for cases and any user in scope for a policy.
Microsoft Teams (preview) You can enable Microsoft Teams support so that compliance analysts and investigators can use Teams to collaborate on insider risk management cases. Use Teams to:
- Coordinate and review response activities for cases in private Teams channels
- Securely share and store files and evidence related to individual cases
- Detect and review response activities by analysts and investigators
Analytics Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring.
Admin notifications Use the Admin notifications setting to automatically send an email notification to selectable insider risk management role groups. You can:
- Send a notification email when the first alert is generated for a new policy
- Send a daily email when new high-severity alerts are generated
- Send a weekly email summarizing policies that have unresolved warnings
Inline alert customization Inline alert customization allows you to quickly tune an insider risk management policy directly from the Alerts dashboard while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.