Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link:
Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Insider Risk Management section of this blog series is geared toward Security and Compliance officers who need to monitor users' behavior when it comes to compliance data.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Insider Risk Management (IRM).
It is presumed that you already have data to search inside your tenant.
We will only step through a basic eDiscovery case (see the Use Case section).
This part of the blog will only cover the case (investigation) aspect of IRM.
This document does not cover any other aspect of Microsoft E5 Compliance, including:
It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Sensitive Information Type (SIT) or a SIT you have created for your testing.
As it relates to Insider Risk Management we will not be covering:
There are many use cases related to accessing and sharing of sensitive data. One example: a user is accessing and sharing sensitive data on a regular basis, and management needs to know if there are any spikes in access or sharing of that information that might correlate with negative HR reports, resignations, etc.
Here you will manage an investigation (case) inside of IRM. Here are the parts of the case we will navigate. Details for each will be covered in Part 1 – Cases below.
None
If you have performed parts 1-3 of this blog series, then you have everything you need to run this. If you have not done those parts of the blog, you will need to populate your test environment with test data for the steps to follow.
You must have enabled at least 1 Insider Risk Management license.
It is recommended that you have completed Part 3a DLP for Endpoint, or at the least, that you have on-boarded a minimum of one Windows 10/11 device to test the collection of Endpoint DLP policy signals into Insider Risk Management (IRM).
You should have had Insider Risk Management (IRM) licensing loaded for at least 1 week in order to collect as much telemetry as possible, and you should have run Sensitivity and DLP testing during that 1 week, again, to add telemetry information to your IRM console.
You should have done steps 6-6d in this series.
There are several parts to a case, and we will walk through all of them here. However, on a daily basis, an IRM investigator will spend most of their time in the following:
Let us proceed to the Overview and walk through each part of an IRM case.
2. You will see all your cases listed below.
In the Case Overview tab, you will see a dashboard with information about the case: the alerts, the content detected, etc.
This tab shows the alerts related to the case. This will take you to the specific details around any given alert. See part 6d (Insider Risk Management – Alerts) for more details on how to navigate the alerts.
3. On the right-hand side you will see a graphical representation of what has happened over the period selected.
4. We are done with this section. You can proceed to the next section.
Content Explorer allows the investigator to look inside the files to see the context of why the file/email was flagged for an Insider Risk Management investigation.
You can add case notes to the Insider Risk Management case. This is optional.
Contributors are individuals who would need to look at an Insider Risk Management case. This is optional.
Learn about insider risk management - Microsoft 365 Compliance | Microsoft Docs
Investigate insider risk management activities - Microsoft 365 Compliance | Microsoft Docs
Insider risk management cases - Microsoft 365 Compliance | Microsoft Docs
Insider risk management policies - Microsoft 365 Compliance | Microsoft Docs
Insider risk management notice templates - Microsoft 365 Compliance | Microsoft Docs
Insider risk management settings - Microsoft 365 Compliance | Microsoft Docs
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.