Microsoft Purview - Paint By Numbers Series (Part 6e) - Insider Risk Management - Cases
Published May 25 2022 01:45 PM
Microsoft

paint_by_numbers_splash_picture.jpg

Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

 

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

Target Audience

The Insider Risk Management section of this blog series is geared toward Security and Compliance officers who need to monitor users' behavior as it relates to compliance data.

 

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Insider Risk Management (IRM).

It is presumed that you already have data to search inside your tenant.

We will only step through a basic eDiscovery case (see the Use Case section).

This part of the blog will only cover the case (investigation) aspect of IRM.

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Overview of Advanced eDiscovery (AeD)
  • Reports and Analytics available in Advanced eDiscovery (AeD)

It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

 

It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.

 

As it relates to Insider Risk Management we will not be covering:

  • Permissions
  • Settings
  • Policies
  • Alerts
  • Users
  • Notifications
  • Creation of Advanced eDiscovery Cases from IRM

Use Case

There are many use cases related to accessing and sharing of sensitive data.  One example is: a user is accessing and sharing sensitive data on a regular basis, and management needs to know if there are any spikes in access or sharing of that information that might correlate with negative HR reports, resignations, etc.

 

Overview of Document

Here you will manage an investigation (case) inside IRM.  These are the parts of the case we will navigate; details for each are covered in Part 1 – Cases below.

 

  • Case Overview
  • Alerts
  • User activity
  • Activity explorer
  • Case notes
  • Contributors
  • Case Actions

 

Definitions

  • Data Theft – Data taken/stolen by departing users near their resignation or termination date.
  • Data Leakage – Data leaks can range from accidental oversharing of information outside your organization to data theft with malicious intent.
  • Indicators – Indicators included in insider risk management policies are used to determine a risk score for an in-scope user. These policy indicators are only activated after a triggering event occurs for a user.
  • Thresholds – Each indicator uses default thresholds that influence an activity's risk score, which in turn determines whether an alert's severity is low, medium, or high. The threshold is based on the number of events recorded for an activity per day.
  • Triggers – Triggering events determine when a policy will begin to assign risk scores to a user's activity.
  • Anonymization – Masking a user's name and account information to prevent bias from investigators.
  • Telemetry – Data from the M365 Audit log (e.g. deletions, changes, label modifications, uploads, etc.).
  • Risk Score – Insider Risk Management uses a scoring system to track how low or high the risk of an activity is: 100/100 is the highest risk possible and 0/100 is the lowest risk possible.

 

Notes

None

 

Pre-requisites

If you have performed parts 1-3 of this blog series, then you have everything you need to run this part.  If you have not done those parts of the blog, you will need to populate your test environment with test data for the steps to follow.

 

You must have enabled at least 1 Insider Risk Management license.

 

It is recommended you have completed Part 3a DLP for Endpoint, or at the least, that you have on-boarded a minimum of one Windows 10/11 device to test the collection of Endpoint DLP policies into Insider Risk management (IRM).

 

You should have had Insider Risk Management (IRM) licensing enabled for at least 1 week in order to collect as much telemetry as possible, and you should have run Sensitivity and DLP testing during that week, again, to add telemetry information to your IRM console.

 

You should have done steps 6-6d in this series.
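IRM's risk scores are built from the same activity that lands in the M365 unified audit log, so a quick check that the audit log actually holds a week of events for your test user tells you whether there is anything for the cases in this part to show. The following Security & Compliance PowerShell snippet is an added example and is not code from the original post or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed, that your account is permitted to search the audit log, that `testuser@contoso.com` is a placeholder for your own test account, and that the operation names in `$ops` are a constructed sample of common audit activities rather than a definitive list of what IRM consumes.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement module.
# Connects to Security & Compliance PowerShell and pulls the last week of audit events
# for one test user, grouped per day and operation, to confirm telemetry exists
# before walking through IRM cases.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in; the account needs audit log search rights

$testUser = 'testuser@contoso.com'   # placeholder: replace with your own test account
$start    = (Get-Date).AddDays(-7)   # the 1-week telemetry window from the prerequisites
$end      = Get-Date

# Constructed sample of audit operations; not an exhaustive list of IRM indicators
$ops = @('FileDeleted', 'FileDownloaded', 'FileUploaded', 'SensitivityLabelApplied', 'SharingSet')

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -UserIds $testUser -Operations $ops -ResultSize 5000

if (-not $records) {
    Write-Warning "No audit records found for $testUser in the last 7 days; IRM will have little telemetry to score."
    return
}

# IRM thresholds are expressed as events per activity per day, so a per-day count by
# operation shows whether your test activity is likely to clear a daily threshold.
$records |
    Group-Object { '{0:yyyy-MM-dd} {1}' -f $_.CreationDate, $_.Operations } |
    Sort-Object Name |
    Select-Object @{ n = 'DayAndOperation'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

If the table is empty for the days on which you ran your Sensitivity and DLP tests, wait for audit ingestion to catch up before expecting alerts or case content in IRM.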

 

Part 1 – Cases

There are several parts to a case, and we will walk through all of them here.  However, on a daily basis, an IRM investigator will spend most of their time in the following:

  • Alerts
  • User Activity
  • Content Explorer
  • Case Actions

 

Let us proceed to the Overview and walk through each part of an IRM case.

 

  1. In the top ribbon, click on Cases.

James_Havens_0-1653510850554.png

 

 

  2. You will see all your cases listed below.

James_Havens_1-1653510871536.png

 

 

  3. If you click on one of your cases, it will take you to the details on it.  I will click on “HR Case 12345”.

James_Havens_2-1653510888571.png

 

 

  4. In the case section we will look at the following tabs and actions:
  • Case Overview
  • User Activity
  • Case Actions

 

  5. We will also note the following tabs in this case:
  • Activity Explorer – this is in the Alerts section above.
  • Content Explorer – this is covered below.
  • Case Notes – These are the analysts' and investigators' notes related to the case.
  • Contributors – This is where risk analysts and investigators can add other reviewers to the case.

 

  6. Proceed to the Case Overview.

 

Part 1a – Case Overview

In the Case Overview tab, you will see a dashboard with information about the case, the alerts, the content detected, etc.

 

  1. Click on the tab labeled Case Overview.

James_Havens_3-1653510924675.png

 

 

  2. In the top section labeled About this Case, you will find the general information about this case and the related user.

James_Havens_4-1653510943676.png

 

 

  3. In the middle section labeled Alerts, you’ll see the list of all the Alerts associated with this case.

James_Havens_5-1653510952978.png

 

 

  4. In the bottom section labeled Content Detected,

James_Havens_6-1653510980407.png

 

 

  5. You are now done with this Overview tab.

 

 

Part 1b – Alerts

This tab shows the alerts related to the case.  Selecting an alert will take you to the specific details around that alert.  See part 6d (Insider Risk Management – Alerts) for more details on how to navigate the alerts.

 

 

  1. Select the Alerts tab.  You will see a dashboard with information about the case, the alerts, the content detected, etc.  Look it over and familiarize yourself with it, and then move to the next step.

James_Havens_0-1653511077460.png

 

 

  2. Select one of the alerts.

James_Havens_1-1653511088873.png

 

 

  3. You will be taken to the Alerts screen.  See part 6d (Insider Risk Management – Alerts) for more details on how to navigate the alerts.

 

  4. Once you are done exploring the alerts, you can move to the User Activity tab.

Part 1c – User Activity

 

  1. Click on Activity Explorer tab at the top.

James_Havens_2-1653511108912.png

 

 

  2. On the left-hand side you can filter the activity by Risk Category or Activity Type.

James_Havens_3-1653511123449.png

 

 

  3. On the right-hand side you will see a graphical representation of what has happened over the period selected.

James_Havens_4-1653511150779.png

 

 

  4. We are done with this section.  You can proceed to the next section.

Part 1d – Content Explorer

Content Explorer allows the investigator to look inside the files to see the context of why the file/email was flagged for an Insider Risk Management investigation.

 

  1. Click on Content Explorer.

 

  2. On the left-hand side, you will see a list of all the files/emails collected as part of the IRM case.

James_Havens_6-1653511224407.png

 

 

  3. Once you’ve clicked on a file/email in the panel on the left side, you can view the contents of the file to determine if the alert was justified or needs to be escalated to a Premium eDiscovery case.  You can run searches inside the file to find any Sensitive Information Types (SITs) that might have caused the IRM alert.

James_Havens_7-1653511245774.png

 

 

  4. You are now done with the Content Explorer section of the case and can proceed to the next section.

 

 

Part 1e – Case Notes

You can add case notes to the Insider Risk Management case.  This is optional.

 

  1. Click on the Case Notes tab.

 

  2. Click Add Case Notes.

James_Havens_8-1653511333264.png

 

 

  3. Enter whatever notes you feel are relevant to this IRM case.

James_Havens_9-1653511347099.png

 

  4. Click Save.

 

  5. You are now done with the Case Notes tab.

 

Part 1f – Contributors

Contributors are individuals who need to look at an Insider Risk Management case.  This is optional.

 

 

  1. To add a contributor, click Add contributor.

James_Havens_10-1653511376938.png

 

 

  2. In the pop-up on the left-hand side, you can type in the name of the individual you want to add to the case.  In my example, I’ve added Pradeep Gupta.

James_Havens_11-1653511388773.png

 

  3. Once you have the user(s) you want to add, click Save.

 

  4. You are now done with the Contributors tab.

 

 

 

Part 1g – Case Actions

 

  1. In the Case Actions dropdown, you will find several options:
    • Send email notice – allows you to notify individuals that a case has been opened.  An example would be emailing a user’s manager to make them aware of a possible problem.
    • Escalate for investigation – allows you to bundle up the information gathered in the IRM case and hand it over to a Premium eDiscovery case.
    • Automate – allows you to leverage Power Automate workflows as part of the case.
    • Share – allows you to share the case with individuals within the organization, such as HR officers.
    • View Microsoft team – Insider Risk Management allows you to create a Microsoft Team to handle your daily communication around the case.
    • Manage pseudonymize – allows you to turn anonymization on or off.

James_Havens_0-1653511430009.png

 

 

  2. Most of these are self-explanatory.  We will not be performing any of these actions at this time, but feel free to explore them on your own.  Once you are done with your exploration, move on to the next section.

Appendix and Links

 

Learn about insider risk management - Microsoft 365 Compliance | Microsoft Docs

 

Investigate insider risk management activities - Microsoft 365 Compliance | Microsoft Docs

 

Insider risk management cases - Microsoft 365 Compliance | Microsoft Docs

 

Insider risk management policies - Microsoft 365 Compliance | Microsoft Docs

 

Insider risk management notice templates - Microsoft 365 Compliance | Microsoft Docs

 

Insider risk management settings - Microsoft 365 Compliance | Microsoft Docs

 

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

 

Version history: Last update Nov 03 2022 10:21 AM