Forum Discussion
Confusion around Purview Definitions and Risk Scoring
We're in the early days of implementation and have done the 'Quick setup' of Insider Risk Management, which created our Adaptive Protection policy for IRM, two IRM DLP policies (Endpoint and Teams/Exchange) and the Conditional Access policy.
My question is around 'Triggering events', Indicators and Insider Risk Levels.
To my understanding, a triggering event is the event that decides when the policy will start assigning risk scores to user activity, which will then allow us to give users risk levels. We have the option to set this triggering event either to the DLP policies or to when a user performs an exfiltration activity/sequence. The DLP policies only match activity when a user has a defined risk level and attempts to perform a specific activity, i.e. sharing M365 content with people outside the organisation.
I'm not sure if I'm thinking about this backwards, but if I set my Adaptive Protection policy to only start assigning risk scores to user activity when they match a DLP policy, how can they trigger a DLP policy if they won't be assigned a risk level until that scoring begins to happen? Should I be setting my triggering events to "User performs an exfiltration activity" instead of "User matches a DLP policy"?
1 Reply
I think the confusion comes from the fact that DLP can play three different roles in Insider Risk Management and Adaptive Protection.
- DLP as a triggering event – This is what you're referring to. The DLP policy doesn't require the user to already have an Insider Risk level. It behaves like a normal DLP policy. The only documented requirement is that it generates High severity alerts. When a user matches that DLP policy, it triggers the IRM policy and risk scoring begins.
https://learn.microsoft.com/en-us/purview/insider-risk-management-policies#notification-messages
- DLP as an indicator – Once the IRM policy has been triggered, DLP events can also be configured as Indicators that contribute to the user's risk score, alongside exfiltration activities, unusual file access, etc.
- Adaptive Protection DLP – This is a separate integration where the user's IRM risk level (Low/Medium/High) is used to dynamically change DLP enforcement. https://learn.microsoft.com/en-us/purview/dlp-adaptive-protection-learn
So there isn't actually a circular dependency. The DLP policy used as the trigger doesn't depend on an existing risk level—it is what starts the IRM evaluation. The resulting risk level can later influence Adaptive Protection, and subsequent DLP events can contribute to the user's risk score if DLP is enabled as an indicator.
If your goal is proactive detection of risky behavior before a DLP violation occurs, then using "User performs an exfiltration activity" as the trigger is likely the better fit. If you only want to start IRM investigations after a significant DLP event has occurred, then "User matches a DLP policy" is the appropriate trigger.
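The one hard requirement the reply names for "User matches a DLP policy" is that the DLP rule reports at High severity. That is easy to get wrong when rules are created by hand, so here is a way to verify it from Security & Compliance PowerShell. This is an added example, not code from the original thread or from Microsoft; the policy and rule names, the admin UPN, the sensitive information type and the `Insider Risk*` name filter are placeholders you would replace with your tenant's values.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and an account with the Compliance Administrator role (assumptions).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder UPN

# --- 1. A DLP policy/rule shaped to act as an IRM triggering event ---------------
# Names and the sensitive information type are placeholders. The rule fires on
# sharing with people outside the organisation and reports at High severity,
# which is the documented precondition for it to trigger the IRM policy.
$policyName = 'IRM trigger - external sharing'
$ruleName   = 'External share of credit card data'

New-DlpCompliancePolicy -Name $policyName `
    -SharePointLocation All -OneDriveLocation All -Mode Enable

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -ReportSeverityLevel High

# --- 2. Audit: which DLP rules actually qualify as an IRM trigger? -------------
# The Quick setup names its policies per tenant; this wildcard is an assumption.
$policyFilter = 'Insider Risk*'

$rules = Get-DlpCompliancePolicy |
    Where-Object { $_.Name -like $policyFilter -or $_.Name -eq $policyName } |
    ForEach-Object { Get-DlpComplianceRule -Policy $_.Name }

$report = foreach ($r in $rules) {
    [pscustomobject]@{
        Policy       = $r.ParentPolicyName
        Rule         = $r.Name
        Severity     = $r.ReportSeverityLevel
        Disabled     = $r.Disabled
        # Only an enabled rule reporting High severity can start IRM risk scoring.
        TriggerReady = ($r.ReportSeverityLevel -eq 'High' -and -not $r.Disabled)
    }
}
$report | Format-Table -AutoSize

# --- 3. Remediation for any rule that came back TriggerReady = False -----------
foreach ($row in ($report | Where-Object { -not $_.TriggerReady -and -not $_.Disabled })) {
    Set-DlpComplianceRule -Identity $row.Rule -ReportSeverityLevel High
}
```

Run step 2 on its own first if you only want the audit; step 3 raises every enabled rule in the filtered policies to High severity, so review the table before letting it change anything. Note that raising severity also changes how those rules surface in the DLP alerts queue, which is the visible side effect of making a rule IRM-trigger capable.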