Microsoft Tech Community
Detecting and investigating security risks with new capabilities from Insider Risk Management
Published Oct 12 2022 09:00 AM 10.6K Views

Over the years that Microsoft Security has been working to help organizations address insider risks, we’ve often been asked the question, “How do I start building a program that works for my organization?”. Building an insider risk program – or a data protection strategy that explicitly addresses insider risks – can be challenging, especially as both security and compliance leaders want to make sure they have an approach that works for the needs of their organizations.

This month, Microsoft released the “Building a Holistic Insider Risk Management Program” report. As part of our research, we asked security and compliance decision makers what was most important to them as they developed an effective insider risk management program. Specifically, we were interested in learning how organizations approached managing insider risk “holistically”: how they included people, processes, training, and tools as part of their approach for addressing insider risks end-to-end. From our interviews and survey responses, we found that companies who approach insider risk with a holistic program share five characteristics:

  1. Prioritize employee trust, productivity and privacy controls
  2. Attain buy-in and involvement across the organization
  3. Focus on employee training and education
  4. Use positive deterrents, like employee morale programs
  5. Manage insider risk through an integrated set of tools

We believe technology is only part of the solution to addressing insider risks in your environment, and that people, processes and education play an equally important role. Protecting user privacy and ensuring that the right security actions are being taken by the right designated individuals is also critical. Best practices for building a holistic insider risk management program include empowering your people, making user privacy a priority, collaborating across leadership to build a program, and addressing data protection and insider risk management from multiple lenses. View more from our report here.


We know security teams and CISOs are looking for their data protection and insider risk management tools to go further to protect their sensitive data, surface potential insider risks better and to provide more concrete context for security investigations.


Insider Risk Management is the Microsoft Purview solution designed to help organizations identify and manage insider risks. The solution correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations, based on policies built by customers to meet their needs. Built with privacy by design, usernames are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.


“For an insider risk program to be effective, it is important that organizations take into consideration user privacy as part of the technologies they evaluate. Taking a privacy by design approach, Insider Risk Management solution from Microsoft is an opt-in solution that incorporates username pseudonymization by default and strong role-based access controls to deliver user-level privacy,” stated Ryan O’Leary, Research Director, Privacy and Legal Technology at IDC.


In our last blog, we announced new enhancements to analytics, quicker policy creation capabilities, new file path / keyword / site URL exclusions to reduce false positives, and a new policy type to help detect risky browsing usage that may lead to a security incident like accessing malware or hacking websites.


We are continually listening to customers, and we know they are asking for even more help to detect, prioritize and investigate risks, in order to better protect their data and keep their assets secure.

Today we are excited to roll out additional features in our Insider Risk Management solution in public preview:

  1. Enhancements to triage and detection capabilities
  2. Information type and trainable classifier exclusions
  3. Integration between Insider Risk Management and Communication Compliance
  4. HR data connector capabilities
  5. Forensic evidence capabilities
  6. Insights for risky actions by potential high impact users
  7. Improved analytics assessment insights with anomaly detection

We are also excited to announce that security and compliance user activity reports are now Generally Available.


Enhancements to triage and detection capabilities
User actions like the downloading of confidential data, or printing a number of important documents, might not be a potential data risk on their own, but a series of actions could indicate potential data security risks. This is why we have sequence detection available in Insider Risk Management: to identify and surface sequential events that might lead to a possible security incident, like when a user downloads a confidential file, exfiltrates it, then deletes it.

Security teams are now able to customize a security trigger in the “data leaks” policy to surface when a user performs a sequence, enabling them to respond to user actions that might be considered riskier. The “data leaks” policy template is used by Insider Risk Management admins and security teams to identify when there are potential user actions or sequences that might lead to an inadvertent or malicious data leak. With greater support for sequences, security teams can better respond to user actions that pose a greater risk and lead to a data security incident.

Insider Risk Management also now allows security teams to create policies with sequences without any other required underlying policy indicator selections. It’s easier than ever to get started with creating a policy, with the new quick policy creation capabilities announced in our last blog; we are taking this further by enabling security teams to create potential data leak or data theft policies by using sequence detection, without having to set up the additional policy indicators in advance.




In Insider Risk Management, risky user actions that take place on the device can be detected using device indicators. Now, admins can configure policies to detect exfiltration from a remote desktop protocol (RDP) device. This expands the amount of security coverage that security admins have over their managed devices.

We are also excited to announce capabilities to help you fine-tune your policies. Rather than having to go to the policy configuration wizard to modify a policy, designated admins, investigators and analysts can now fine-tune security policies directly from the alert review experience. While reviewing an alert in the Insider Risk Management dashboard, admins can tune and customize a policy to better address their top needs, including adjusting policy thresholds to surface fewer false positives.


[Figure: Inline alert customization]


Furthermore, we are now expanding the “Downloading files from SharePoint” indicator into four distinct indicators:

  • Downloading content from SharePoint
  • Downloading content from OneDrive
  • Syncing content from SharePoint
  • Syncing content from OneDrive

Alongside this expansion of the “Downloading files from SharePoint” indicator, we are introducing de-dupe logic for Copy to USB, Copy to network share, and SharePoint and OneDrive for Business sync. Rather than counting the number of events generated, these indicators now count the number of unique files involved, so that repeated events for the same file are not mistaken for activity on many files. Counting unique files instead of raw events gives security teams a more precise picture of the user actions of interest.
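To make the two detection ideas above concrete (the download → exfiltrate → delete sequence described under sequence detection, and counting unique files rather than raw events), here is an added Python example. It is illustrative code written for this article, not Insider Risk Management's own logic; the activity log, indicator names and the 24-hour window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (assumed shape, not data from the post).
# Each tuple: (pseudonymized user, ISO-8601 timestamp, indicator, file name).
SAMPLE_EVENTS = [
    ("user-7f3a", "2022-10-11T09:00:00", "SharePoint.Download", "Q4-plan.xlsx"),
    ("user-7f3a", "2022-10-11T09:00:01", "SharePoint.Download", "Q4-plan.xlsx"),  # duplicate event, same file
    ("user-7f3a", "2022-10-11T09:05:00", "Endpoint.CopyToUSB", "Q4-plan.xlsx"),
    ("user-7f3a", "2022-10-11T09:05:02", "Endpoint.CopyToUSB", "Q4-plan.xlsx"),   # duplicate event, same file
    ("user-7f3a", "2022-10-11T09:30:00", "Endpoint.DeleteFile", "Q4-plan.xlsx"),
    ("user-2c19", "2022-10-11T10:00:00", "SharePoint.Download", "lunch-menu.docx"),
    ("user-2c19", "2022-10-11T10:01:00", "Endpoint.DeleteFile", "lunch-menu.docx"),  # no exfiltration step
    ("user-9b04", "2022-10-11T11:00:00", "Endpoint.CopyToUSB", "a.pdf"),
    ("user-9b04", "2022-10-11T11:00:00", "Endpoint.CopyToUSB", "b.pdf"),
    ("user-5e21", "2022-10-08T08:00:00", "SharePoint.Download", "roadmap.pptx"),
    ("user-5e21", "2022-10-08T08:10:00", "Endpoint.CopyToUSB", "roadmap.pptx"),
    ("user-5e21", "2022-10-11T08:00:00", "Endpoint.DeleteFile", "roadmap.pptx"),  # delete 3 days later, outside window
]

# Assumed indicator names grouped by the role they play in the sequence.
DOWNLOAD_ACTIONS = {"SharePoint.Download", "OneDrive.Download"}
EXFIL_ACTIONS = {"Endpoint.CopyToUSB", "Endpoint.CopyToNetworkShare"}
DELETE_ACTIONS = {"Endpoint.DeleteFile"}


def unique_file_counts(events):
    """Return {(user, indicator): (raw_event_count, unique_file_count)}.

    Two events for the same file count as one unique file, which is the
    de-dupe behaviour the article describes for USB, network share and sync.
    """
    raw = defaultdict(int)
    files = defaultdict(set)
    for user, _ts, action, fname in events:
        raw[(user, action)] += 1
        files[(user, action)].add(fname)
    return {key: (raw[key], len(files[key])) for key in raw}


def detect_sequences(events, window=timedelta(hours=24)):
    """Find download -> exfiltrate -> delete on the same file by the same user.

    Steps must occur in that order and the whole chain must fit inside
    `window`; duplicate events for a stage are ignored. Returns a list of hits.
    """
    per_key = defaultdict(list)
    for user, ts, action, fname in events:
        per_key[(user, fname)].append((datetime.fromisoformat(ts), action))

    hits = []
    for (user, fname), evs in per_key.items():
        evs.sort()
        stage, chain = 0, []  # stage 0: want download, 1: want exfil, 2: want delete
        for ts, action in evs:
            if stage == 0 and action in DOWNLOAD_ACTIONS:
                chain, stage = [ts], 1
            elif stage == 1 and action in EXFIL_ACTIONS:
                chain.append(ts)
                stage = 2
            elif stage == 2 and action in DELETE_ACTIONS:
                chain.append(ts)
                if chain[-1] - chain[0] <= window:
                    hits.append({"user": user, "file": fname,
                                 "start": chain[0].isoformat(), "end": chain[-1].isoformat()})
                stage, chain = 0, []
    return hits


if __name__ == "__main__":
    for key, (raw, uniq) in sorted(unique_file_counts(SAMPLE_EVENTS).items()):
        print(f"{key[0]} {key[1]}: {raw} events, {uniq} unique files")
    for hit in detect_sequences(SAMPLE_EVENTS):
        print("sequence:", hit)
```

Note the two ways a chain is rejected: user-2c19 never exfiltrates, so the delete alone is not a sequence, and user-5e21 completes the chain but only after three days, outside the window. The unique-file counts show user-7f3a's two duplicate download events collapsing to one file while user-9b04's two USB copies remain two files.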


One of the key fundamentals to data protection is understanding what data is the most important to your organization. For a pharmaceutical company this might be research and development on new drugs; for a healthcare provider, it might be your patient data. Making sure this content is protected is of utmost importance, and potential leakage or exfiltration of this data should be considered a top priority. We are announcing new priority content-only scoring, to help security admins better detect and respond to potential user actions that put the highest priority data at risk.




Organizations using Insider Risk Management can set up policies to surface potential security risks based on anomalous exfiltration actions that take place over time and across exfiltration activity types, based on the average exfiltration patterns across their organization. For example, an alert may be surfaced when a user is sharing or sending data outside of the organization at a higher rate than the average user. We call this cumulative exfiltration anomaly detection, and now, Insider Risk Management can take this further, with the ability to detect aggregate exfiltration anomalies as compared with users in similar groups or roles.


For example, if a user in your organization is in a sales role and communicates regularly with customers and partners outside of your organization, their externally facing activity will likely be much higher than the organizational average. Compared with others in sales roles, however, their activity might look very similar. These similar user groups are defined by grouping together users who access the same SharePoint Online destinations, who are in the same team and who have similar job titles as configured in Azure AD.
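The sales example above is the case where an organization-wide baseline and a peer-group baseline disagree. The following Python is an added illustration written for this article, not the product's algorithm: it scores each user's external-sharing count against a leave-one-out organization average and against the average of users with the same job title (one of the three peer-grouping signals the post lists; SharePoint destinations and team membership are omitted here). The user list, the 2x multiplier and the minimum count are constructed assumptions.

```python
from collections import defaultdict

# Constructed weekly external-share counts (assumed data, not from the post).
# Each tuple: (pseudonymized user, job title from the directory, external shares).
SAMPLE_USERS = [
    ("user-a1", "Sales Representative", 40),
    ("user-a2", "Sales Representative", 35),
    ("user-a3", "Sales Representative", 45),
    ("user-b1", "Software Engineer", 2),
    ("user-b2", "Software Engineer", 1),
    ("user-b3", "Software Engineer", 3),
    ("user-b4", "Software Engineer", 2),
    ("user-b5", "Software Engineer", 1),
    ("user-b6", "Software Engineer", 30),   # an engineer sharing externally at a sales-like rate
    ("user-c1", "Accountant", 4),
    ("user-c2", "Accountant", 5),
    ("user-c3", "Accountant", 6),
    ("user-c4", "Accountant", 4),
    ("user-c5", "Accountant", 5),
    ("user-d1", "Legal Counsel", 20),       # no peers with the same title
]


def leave_one_out_mean(total, n, own):
    """Average of the group excluding the user being scored, or None if alone.

    Excluding the user stops a heavy sharer from inflating their own baseline.
    """
    if n <= 1:
        return None
    return (total - own) / (n - 1)


def score_users(users, multiplier=2.0, min_count=10):
    """Flag users whose count exceeds `multiplier` x baseline.

    Returns {user: {"org_baseline", "peer_baseline", "org_flag", "peer_flag"}}.
    Counts below `min_count` are never flagged, so tiny absolute numbers do
    not trip the ratio test against a near-zero baseline.
    """
    org_total = sum(c for _, _, c in users)
    org_n = len(users)
    by_title = defaultdict(lambda: [0, 0])  # title -> [total, n]
    for _, title, c in users:
        by_title[title][0] += c
        by_title[title][1] += 1

    def flagged(count, baseline):
        return baseline is not None and count >= min_count and count > multiplier * baseline

    result = {}
    for user, title, c in users:
        org_base = leave_one_out_mean(org_total, org_n, c)
        peer_total, peer_n = by_title[title]
        peer_base = leave_one_out_mean(peer_total, peer_n, c)
        result[user] = {
            "org_baseline": org_base,
            "peer_baseline": peer_base,
            "org_flag": flagged(c, org_base),
            "peer_flag": flagged(c, peer_base),
        }
    return result


if __name__ == "__main__":
    for user, info in score_users(SAMPLE_USERS).items():
        if info["org_flag"] or info["peer_flag"]:
            print(user, "org_flag" if info["org_flag"] else "", "peer_flag" if info["peer_flag"] else "")
```

Against the organization-wide baseline, all three sales users and the engineer user-b6 are flagged; against peers with the same title, only user-b6 is, which is the false-positive reduction the peer-group comparison is meant to deliver. user-d1 has no peers, so the peer baseline is None and the user is judged on the organization baseline alone.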


Information type and trainable classifier exclusions
Managing insider risk is about keeping your most confidential and important data safe and secure. It also means taking steps to make sure the detection and security alerts surfaced are those most important to your organization while managing any potential “noise” that might be created within the system.


To help organizations better prioritize alerts and the types of content being flagged, we now have the ability to exclude Sensitive Information Types and trainable classifiers from your detections. This means that actions related to file activities on the endpoint, SharePoint, Microsoft Teams, OneDrive or Exchange will not generate alerts if the excluded sensitive information type or trainable classifier is matched with the content of the activity performed by the user.


[Figure: New exclusions]


Integration of Insider Risk Management and Communication Compliance
Customers who own Insider Risk Management, through Microsoft 365 E5, E5 Compliance or Insider Risk Management, also own Communication Compliance, the Microsoft solution to help organizations detect explicit regulatory compliance violations, like the inappropriate sharing of sensitive or confidential information.

Admins are now able to use Communication Compliance risk signals within Insider Risk Management policies. Users who are sending inappropriate messages over work channels, such as threatening or harassing messages, could potentially become a risk to your organization. Leveraging these risk signals in Insider Risk Management policies, security teams can detect risky actions that may lead to a security incident. Like Insider Risk Management, Communication Compliance has privacy built in, with user pseudonymization on by default and strong role-based access controls in place, allowing organizations to build the right policies to meet their needs. You can see more about the recent product releases from Communication Compliance here.


HR data connector capabilities

Data security risks often surface when an employee’s work status changes. Understanding when an employee has turned in their resignation or has had a negative performance review can help to detect potential insider risks.


Insider Risk Management supports importing user and log data from third-party risk management and Human Resources platforms. The Microsoft 365 Human Resources data connector allows organizations to pull in HR data from CSV files, including user termination or exit dates. Admins can configure the Microsoft 365 HR data connector to upload this data where it can be used as indicators in Insider Risk Management.


Now, it’s even easier to upload HR data using Power Automate templates and define the triggers, like new HR files being made available. Admins can streamline this process with the confidential information storage capabilities in Azure Key Vault, or process automation capabilities in Azure Automation using runbooks. Along with HR data, admins can also leverage Power Automate templates to upload healthcare data through the healthcare data connector.


Forensic evidence capabilities
We hear from customers how valuable context is during a security investigation. Within Insider Risk Management, the activity explorer is designed to help security teams get better context from user actions across a specific timespan, with sequences to help understand what activities took place when. The content explorer helps security teams understand what specific content was impacted, like which files were downloaded or exfiltrated, to help evaluate the nature and impact of users’ actions. Many of our customers, particularly those in heavily regulated industries such as financial services or government, need additional ways to meet their regulatory compliance needs and to further support their security investigations.

Now, with forensic evidence, an opt-in add-in to Insider Risk Management, security teams can get visual insights into potentially risky user actions that might lead to a data security incident, all while protecting user privacy. With customizable event triggers and built-in user privacy protection controls, the visual capturing capabilities from forensic evidence help security teams better investigate, understand and respond to potential data security incidents like unauthorized exfiltration of sensitive data. The benefit to customers is having more context available to support security investigations, which can drive accuracy and timely resolution as well as help in determining whether security and compliance incidents stem from willful or inadvertent actions, a stolen device, malware infections or other security related risks.

Forensic evidence is off by default, policy creation requires dual authorization, and usernames can be masked with default pseudonymization. Organizations use forensic evidence by determining and setting the right policies for themselves, including what risky events are highest priority and what data is most sensitive. Existing Insider Risk Management customers can try it during our public preview period.


Prioritization for actions by potential high impact users
When setting policies and determining which user actions are higher risk and may lead to a data security incident, different user accounts might require a different approach due to their account permissions or potential impact to the organization. An organizational leader, C-suite officer or someone in the legal department may have access to more sensitive or confidential content than an employee in the field, for example. Understanding what the potential impact is for different users can help analysts and investigators prioritize alerts and potential security incidents.

Insider Risk Management will now be able to help security admins prioritize alerts for potential high-impact users with our new risk booster score capabilities. Once this new risk booster score is turned on in Settings, machine learning algorithms identify users with potentially higher impact, and alerts for those users are given a higher priority in the dashboard. A potential high-impact user is determined by how frequently they access higher sensitivity content, like sensitive information types, labels, or priority content, compared with others in the organization, and by whether they are a leader in the organization, based on their role designation or level of influence as configured in Azure AD.




Improved analytics assessment insights with anomaly detection
For organizations just getting started on their Insider Risk Management journey, or those looking to understand data risks within their environment, an analytics assessment is an easy way to start. Within 48 hours of turning on analytics, assessment results will provide aggregated and anonymized insights into how your data is being accessed, shared, or exfiltrated. The results from analytics can help in establishing a data risk baseline for your organization and can be used to help you build or fine-tune your Insider Risk Management or data loss protection policies.


[Figure: Anomaly in Analytics]

We are excited to announce that the results of an analytics assessment will now include anomaly detection, allowing security teams and admins to better understand when anomalous or unusual user activity is taking place in your organization. This can help inform your policies related to exfiltration anomaly detection.


Lastly, we are excited to announce that security and compliance user activity reports are now generally available. These new reports allow security teams to investigate potential security incidents like data theft or exfiltration without explicitly adding a user to a policy, giving them the ability to better respond to security incidents in real time.

Get Started
These new features in Microsoft Purview Insider Risk Management have already rolled out or will start rolling out to customer tenants in the next month. These solutions are also generally available across government clouds, supported in Government Community Cloud (GCC), GCC-High, and US Department of Defense tenants.

Insider Risk Management is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you are an organization using Microsoft 365 E3 and would like to experience Insider Risk and other Purview solutions for yourself, check out our E5 Purview trial.

If you own Insider Risk Management and are interested in learning more about it, or in leveraging Insider Risk Management to understand your environment, build policies for your organization or investigate potential risky user actions, check out the resources available on our “Become an Insider Risk Management Ninja” resource page.


-Talhah Mir, Principal Product Manager, Microsoft Purview Insider Risk Management

Last update: Oct 12 2022 09:04 AM