Risk Management Settings

Overview

The following global settings apply regardless of which policies are deployed via the Risk Management setting.

Privacy: Choose whether to display usernames or anonymized versions of usernames for all current and past policy matches for alerts and cases.

Indicators: Each insider risk management policy template is based on specific indicators that correspond to specific triggers and risk activities. All global indicators are disabled by default; you must select one or more indicators to configure an insider risk management policy. Indicator level settings help you control how the number of occurrences of risk events in your organization affects the risk score.

Detection groups: Use the Detection groups setting to create variants of built-in indicators if you want to tailor detections for different sets of users. Creating detection groups helps to reduce false positives.

Global exclusions: Use the Global exclusions setting to specify global exclusions that won't be scored by your insider risk management policies.

Policy timeframes: The Policy timeframes setting allows you to define past and future review periods that are triggered after policy matches, based on events and activities for the insider risk management policy templates.

Intelligent detections: Use the Intelligent detections setting to boost the score for unusual download activity, control alert volume, import and filter Microsoft Defender for Endpoint alerts, and specify unallowed and third-party domains for risk scoring.

Export alerts: Insider risk management alert information is exportable to security information and event management (SIEM) and security orchestration, automation and response (SOAR) solutions by using the Office 365 Management Activity API schema. You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information.

Data sharing: Use the Data sharing setting to do either of the following: 1) Export insider risk management alert information to SIEM solutions by using the Office 365 Management Activity API schema; 2) Share insider risk management user risk levels with Microsoft Defender and DLP alerts.
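The export path described above works by polling the Office 365 Management Activity API content feed and forwarding the matching audit records to the SIEM. The following Python is an added example, not code from the page or from Microsoft: it walks the paginated content list (following NextPageUri), fetches each content blob, keeps only records whose RecordType matches a placeholder insider risk value, and drops records the feed redelivers. The RecordType value, the operation names, and the page/blob data are constructed assumptions; the HTTP calls are injected as functions so the block runs offline.

```python
import json

# Placeholder for the RecordType that marks insider risk management records in the
# Management Activity API common schema; look up the real value in the schema
# reference. Constructed for this example only.
INSIDER_RISK_RECORD_TYPE = 99


def iter_content_uris(list_page, first_uri):
    """Yield contentUri values, following NextPageUri until the feed is exhausted.

    list_page(uri) -> (items, next_uri) mirrors a GET on the content-list endpoint,
    where next_uri comes from the NextPageUri response header (None at the end).
    """
    uri = first_uri
    while uri:
        items, uri = list_page(uri)
        for item in items:
            yield item["contentUri"]


def collect_alerts(list_page, fetch_blob, first_uri, seen_ids):
    """Fetch every blob, keep insider risk records, dedupe by Id, normalize for SIEM."""
    events = []
    for content_uri in iter_content_uris(list_page, first_uri):
        for record in fetch_blob(content_uri):          # a blob is a JSON array of records
            if record.get("RecordType") != INSIDER_RISK_RECORD_TYPE:
                continue
            if record["Id"] in seen_ids:                 # the feed may redeliver content
                continue
            seen_ids.add(record["Id"])
            events.append({"time": record["CreationTime"], "id": record["Id"],
                           "operation": record["Operation"], "user": record.get("UserId")})
    return events


# Constructed sample feed standing in for the live API (two pages, two blobs).
PAGES = {"page1": ([{"contentUri": "blob-a"}], "page2"),
         "page2": ([{"contentUri": "blob-b"}], None)}
_IR = INSIDER_RISK_RECORD_TYPE
BLOBS = {
    "blob-a": [{"Id": "1", "RecordType": _IR, "CreationTime": "2024-01-01T00:00:00",
                "Operation": "SampleAlertCreated", "UserId": "a@example.com"},
               {"Id": "2", "RecordType": 1, "CreationTime": "2024-01-01T00:01:00",
                "Operation": "UnrelatedAudit"}],
    "blob-b": [{"Id": "1", "RecordType": _IR, "CreationTime": "2024-01-01T00:00:00",
                "Operation": "SampleAlertCreated", "UserId": "a@example.com"},   # redelivered
               {"Id": "3", "RecordType": _IR, "CreationTime": "2024-01-01T00:02:00",
                "Operation": "SampleAlertUpdated", "UserId": "b@example.com"}],
}


def sample_export():
    """Run the collector over the constructed feed; returns SIEM-ready event dicts."""
    return collect_alerts(lambda u: PAGES[u], lambda u: BLOBS[u], "page1", set())


if __name__ == "__main__":
    for event in sample_export():
        print(json.dumps(event))   # one JSON line per event for SIEM ingestion
```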

Priority user groups: Users in your organization may have different levels of risk depending on their position, level of access to sensitive information, or risk history. Prioritizing the examination and scoring of the activities of these users can help alert you to potential risks that may have higher consequences for your organization. Use the Priority user groups setting to define the users in your organization that need closer inspection and more sensitive risk scoring.

Priority physical assets: Identifying access to priority physical assets and correlating access activity to user events is an important component of your compliance infrastructure. These physical assets represent priority locations in your organization, such as company buildings, data centers, or server rooms. Insider risk activities may be associated with users working unusual hours, attempting to access sensitive or secure areas without authorization, or requesting access to high-level areas without a legitimate need.

Power Automate flows: Microsoft Power Automate is a workflow service that automates actions across applications and services. By using flows from templates or created manually, you can automate common tasks associated with these applications and services. When you enable Power Automate flows for insider risk management, you can automate important tasks for cases and users. You can configure Power Automate flows to retrieve user, alert, and case information and share this information with stakeholders and other applications, as well as automate actions in insider risk management, such as posting to case notes. Power Automate flows are applicable for cases and any user in scope for a policy.

Microsoft Teams: You can enable Microsoft Teams support so that compliance analysts and investigators can use Teams to collaborate on insider risk management cases. Use Teams to:
- Coordinate and review response activities for cases in private Teams channels
- Securely share and store files and evidence related to individual cases
- Detect and review response activities by analysts and investigators

Analytics: Insider risk analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring.

Admin notifications: Use the Admin notifications setting to automatically send an email notification to selectable insider risk management role groups. You can:
- Send a notification email when the first alert is generated for a new policy
- Send a daily email when new high-severity alerts are generated
- Send a weekly email summarizing policies that have unresolved warnings

Inline alert customization: Inline alert customization allows you to quickly tune an insider risk management policy directly from the Alerts dashboard while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.