

Take action with Data Security Posture Management (preview) recommendations

Recommendations in Data Security Posture Management (DSPM) (preview) are generated directly from the processed data, the current state of unprotected sensitive assets in your organization, and the user activities that put those assets at risk. Specific recommendations allow you to take action and quickly create data loss prevention (DLP) and insider risk management policies to help you mitigate data security risks. DSPM (preview) recommendations can also help you identify coverage gaps in existing insider risk management and DLP policies.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

Using recommendations

To display and review recommendations, navigate to Data Security Posture Management > Overview or Data Security Posture Management > Recommendations.

  • From the Overview page, you can review the top two data security recommendations or select View all recommendations for a complete listing of all recommendations.
  • From the Recommendations page, you can directly review a complete listing of all recommendations.

Recommendations are generated from the last 30 days of user activity and the state of unprotected sensitive assets. As processing continues, the list of recommendations is automatically updated and the recommendations older than 30 days are removed.

Each recommendation provides a short description of the risky activity or state of the unprotected sensitive asset and includes a recommended policy to configure to help mitigate ongoing and future data security risks. Metrics for the number of activities, the associated type of protection, and the number of users involved are displayed for the recommendation.

Select View recommendation to take action and to create a new policy to help mitigate the data security risks associated with the recommendation.

Creating policies from recommendations

After selecting View recommendation for a specific recommendation, you can create one or more policies in data loss prevention (DLP) and/or insider risk management to help mitigate the data security risks associated with the recommendation.

For example, if you have a recommendation to prevent users from copying sensitive files to network shares, the recommendation may be to create both an insider risk management policy to detect when certain users perform risky activities containing sensitive data and a DLP policy to prevent those same users from sharing the data with others.

To create policies from a recommendation, complete the following steps:

  1. Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned DSPM (preview) permissions.
  2. Select the Data Security Posture Management solution card and then select Recommendations in the left nav.
  3. Select a recommendation, then select View recommendation.
  4. On the recommendation flyout pane, choose the option to create either one type of policy or multiple policies. If more than one policy applies to the recommendation, the option to create multiple policies is selected by default.
  5. Each policy type has a dedicated section for configuring the policy options:
  6. For the Insider Risk Management policy section options, configure the following policy options:
    1. Policy name: Enter a unique policy name or accept the suggested policy name.
    2. User scope: Select Include all users and groups (recommended for best coverage) or I want to choose specific users and groups. If you chose to include specific users or groups, enter the user and group names in the picker field.
    3. Settings we filled in for you: The settings for the policy are automatically scoped to the type of activity and unprotected data asset insights associated with the recommendation. These include using specific policy templates, triggering events, and indicators. If the suggested settings need changes, select Customize > Insider risk policy to create the policy in the insider risk management policy wizard.
  7. For the Data Loss Prevention policy section options, configure the following policy options:
    1. Policy name: Enter a unique policy name.
    2. Mode: Select Simulation or On.
    3. Settings we filled in for you: The settings for the policy are automatically scoped to the type of activity and unprotected data asset insights associated with the recommendation. These include using specific sensitive information types, enforcement actions, triggering events, and data locations. If the suggested settings need changes, select Customize > DLP policy to create the policy in the DLP policy wizard.
  8. If the suggested policy options meet your needs, select Create policy. This creates one or more policies in the applicable solutions.

It takes a few minutes to create each policy. The new policies are listed on the Policies tab in the applicable solutions. Once the policy is active, it could take at least 24 hours for the triggering event to occur and for user activity to be scored before the first alert is generated. If administrator notifications are turned on, you get an email when this alert occurs.

You can triage the alert and confirm it to a case for further investigation or dismiss it as normal behavior. After you review a few alerts, fine-tune your policy to control how many alerts are generated, what activities are detected, and more. Additional recommendations may be generated for this type of activity that can help you with policy updates.

Updating policies in other solutions

To update policies created from recommendations, use the policy management tools in each solution. The tools in the solutions allow you to fully customize policies beyond the quick policy settings included with recommendations.

Verifying the configuration of existing policies

If your organization already has insider risk management or DLP policies configured, recommendations in DSPM (preview) are a great way to help you identify and correct any gaps in your current policy configurations. Instead of using the policy creation options directly in the recommendation, you may choose to use the insights associated with the recommendation to update or refine an existing insider risk management or DLP policy.
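
When checking existing DLP policies against a recommendation, it helps to know which policies are actually enforcing. The following is an added example, not part of the original documentation: it uses the Security & Compliance PowerShell cmdlets `Get-DlpCompliancePolicy` and `Get-DlpComplianceRule` to list each DLP policy with its mode and rule count. It assumes that the portal's Simulation mode corresponds to the `TestWithNotifications` and `TestWithoutNotifications` mode values, and the report column names are chosen here for illustration.

```powershell
# Added example: inventory DLP policies and flag the ones that are not enforcing.
# Requires the ExchangeOnlineManagement module and an account that can read DLP policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Assumption: the portal's "Simulation" mode maps to the Test* mode values.
$notEnforcing = 'TestWithNotifications', 'TestWithoutNotifications', 'Disable'

# Fetch all rules once, then group them by their parent policy below.
$rules = Get-DlpComplianceRule

$report = foreach ($policy in Get-DlpCompliancePolicy) {
    $policyRules = @($rules | Where-Object { $_.ParentPolicyName -eq $policy.Name })
    $activeRules = @($policyRules | Where-Object { -not $_.Disabled })

    # A policy is a coverage gap if it is not in enforcing mode,
    # or if it is enabled but has no active rule to evaluate.
    $gap = ''
    if ([string]$policy.Mode -in $notEnforcing) {
        $gap = 'Not enforcing'
    }
    elseif ($activeRules.Count -eq 0) {
        $gap = 'No active rules'
    }

    [pscustomobject]@{
        Policy      = $policy.Name
        Mode        = [string]$policy.Mode
        Workload    = $policy.Workload
        Rules       = $policyRules.Count
        ActiveRules = $activeRules.Count
        Gap         = $gap
    }
}

# Policies with a gap sort to the top.
$report | Sort-Object Gap -Descending | Format-Table -AutoSize
```

Policies left in a non-enforcing mode after their evaluation period are worth comparing with the activity described in the recommendation before creating a new policy for the same scenario.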