Insider risk management policies

Insider risk management policies determine which users are in-scope and which types of risk indicators are configured for alerts. You can quickly create a policy that applies to all users in your organization or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores and the level and frequency of alerts. Additionally, risk score boosters and anomaly detections help identify user activity that is of higher importance or more unusual. Policy windows allow you to define the time frame in which the policy applies to alert activities and are used to determine the duration of the policy once activated.

Policy dashboard

The Policy dashboard allows you to quickly see the policies in your organization and the current status of alerts associated with each policy.

  • Policy name: The name assigned to the policy in the policy wizard.
  • Active alerts: The number of active alerts for each policy.
  • Confirmed alerts: The total number of alerts that resulted in cases from the policy in the last 365 days.
  • Actions taken on alerts: The total number of alerts that were confirmed or dismissed for the last 365 days.
  • Policy effectiveness: The percentage determined by total confirmed alerts divided by total actions taken on alerts (which is the sum of alerts that were confirmed or dismissed over the past year).
  • Active: The status of the case, either Yes or No.

Insider risk management policy dashboard

Policy templates

Insider risk management templates are pre-defined policy conditions that define the types of risk indicators and risk scoring model used by the policy. Each policy must have a template assigned in the policy creation wizard before the policy is created. Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, you'll choose from one of the following policy templates:

Data theft by departing users

When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses indicators for risk scoring and focuses detection and alerts to this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. This template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.

Important

When using this template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.

General data leaks

Protecting data and preventing data leaks is a constant challenge for most organizations, particularly with the rapid growth of new data created by users, devices, and services. Users are empowered to create, store, and share information across services and devices, which makes managing data leaks increasingly complex and difficult. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent. In conjunction with an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files, and copying data to personal cloud messaging and storage services.

When using a Data leaks template, you must assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Whenever a high severity alert generated by a DLP policy rule is added to the Office 365 audit log, insider risk policies created with this template automatically examine the high severity DLP alert. If the alert contains an in-scope user defined in the insider risk policy, the alert is processed by the insider risk policy as a new alert and assigned an insider risk severity and risk score. This policy allows you to evaluate this alert in context with other activities included in the case.

Data leaks policy guidelines

When creating or modifying DLP policies for use with insider risk management policies, consider the following guidelines:

  • Prioritize data exfiltration events and be selective when assigning Incident reports settings to High when configuring rules in your DLP policies. For example, emailing sensitive documents to a known competitor should be a High alert level exfiltration event. Over-assigning the High level in the Incident reports settings in other DLP policy rules can increase the noise in the insider risk management alert workflow and make it more difficult for your data investigators and analysts to properly evaluate these alerts. For example, assigning High alert levels to access denial activities in DLP policies makes it more challenging to evaluate truly risky user behavior and activities.

  • Make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies. Only users defined as in-scope for insider risk management policies using the Data leaks template will have high severity DLP policy alerts processed. Additionally, only users defined as in-scope in a rule for a high severity DLP alert will be examined by the insider risk management policy for consideration. It is important that you don't unknowingly configure in-scope users in both your DLP and insider risk policies in a conflicting manner.

    For example, if your DLP policy rules are scoped to only users on the Sales Team and the insider risk policy created from the Data leaks template has defined all users as in-scope, the insider risk policy will only actually process high severity DLP alerts for the users on the Sales Team. The insider risk policy won't receive any high priority DLP alerts for users to process that aren't defined in the DLP rules in this example. Conversely, if your insider risk management policy created from Data leaks templates is scoped to only users on the Sales Team and the assigned DLP policy is scoped to all users, the insider risk policy will only process high severity DLP alerts for members of the Sales Team. The insider risk management policy will ignore high severity DLP alerts for all users not on the Sales Team.

  • Make sure the Incident reports rule setting in the DLP policy used for this insider risk management template is configured for High severity level alerts. The High severity level is the triggering event; insider risk management alerts won't be generated from rules in DLP policies with the Incident reports field set to Low or Medium.

    DLP policy alert setting

    Note

    When creating a new DLP policy using the built-in templates, you'll need to select the Create or customize advanced DLP rules option to configure the Incident reports setting for the High severity level.

Each insider risk management policy created from the Data leaks template can only have one DLP policy assigned. Consider creating a dedicated DLP policy that combines the different activities you want to detect and act as triggering events for insider risk policies that use the Data leaks template.

See the Create, test, and tune a DLP policy article for step-by-step guidance to configure DLP policies for your organization.
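The two scoping examples in the guidelines above, modelled as a small Python filter (an added example, not Microsoft's code or an actual API): an insider risk policy built from a Data leaks template only ingests alerts whose Incident reports severity is High, raised by a rule of its one assigned DLP policy, for a user who is in scope of both that rule and the insider risk policy. The policy names, user names and the "Sales Team" group are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Added example (not Microsoft code): a model of how an insider risk policy
# built from a Data leaks template consumes DLP alerts. All names are constructed.

ALL_USERS = None  # stands for the "All users and mail-enabled groups" scope


@dataclass(frozen=True)
class DlpAlert:
    user: str
    rule: str
    severity: str  # the rule's Incident reports setting: "Low", "Medium" or "High"


@dataclass
class DlpPolicy:
    name: str
    # rule name -> users the rule is scoped to (ALL_USERS for everyone)
    rule_scope: Dict[str, Optional[Set[str]]]


@dataclass
class InsiderRiskPolicy:
    name: str
    template: str
    users: Optional[Set[str]]               # ALL_USERS or an explicit in-scope set
    dlp_policy: Optional[DlpPolicy] = None  # a Data leaks policy gets exactly one


def in_scope(scope: Optional[Set[str]], user: str) -> bool:
    return scope is ALL_USERS or user in scope


def process_dlp_alerts(policy: InsiderRiskPolicy, alerts: List[DlpAlert]
                       ) -> Tuple[List[DlpAlert], List[Tuple[DlpAlert, str]]]:
    """Split DLP alerts into those the insider risk policy ingests and those it
    ignores (with the reason), following the Data leaks policy guidelines."""
    if policy.template not in ("General data leaks", "Data leaks by priority users"):
        raise ValueError("only Data leaks templates are triggered by DLP alerts")
    if policy.dlp_policy is None:
        raise ValueError("a Data leaks policy needs one assigned DLP policy")
    ingested: List[DlpAlert] = []
    ignored: List[Tuple[DlpAlert, str]] = []
    for alert in alerts:
        if alert.severity != "High":
            ignored.append((alert, "Incident reports severity is Low/Medium, not High"))
        elif alert.rule not in policy.dlp_policy.rule_scope:
            ignored.append((alert, "alert came from a rule outside the assigned DLP policy"))
        elif not in_scope(policy.dlp_policy.rule_scope[alert.rule], alert.user):
            # A DLP rule only fires for its own in-scope users, so an alert for
            # anyone else never reaches the insider risk policy.
            ignored.append((alert, "user is not in scope of the DLP rule"))
        elif not in_scope(policy.users, alert.user):
            ignored.append((alert, "user is not in scope of the insider risk policy"))
        else:
            ingested.append(alert)
    return ingested, ignored


def summarize(policy: InsiderRiskPolicy, alerts: List[DlpAlert]) -> Dict[str, str]:
    """Map 'user: rule' to 'ingested' or to the reason the alert was ignored."""
    ingested, ignored = process_dlp_alerts(policy, alerts)
    result = {f"{a.user}: {a.rule}": "ingested" for a in ingested}
    result.update({f"{a.user}: {a.rule}": why for a, why in ignored})
    return result


SALES_TEAM = {"alice@contoso.com", "bob@contoso.com"}  # constructed sample group
ALERTS = [  # constructed sample alerts as they would appear in the audit log
    DlpAlert("alice@contoso.com", "Block sensitive mail to competitors", "High"),
    DlpAlert("alice@contoso.com", "Warn on external share", "Medium"),
    DlpAlert("carol@contoso.com", "Block sensitive mail to competitors", "High"),
    DlpAlert("bob@contoso.com", "Rule from some other DLP policy", "High"),
]


def scenario_dlp_scoped_to_sales() -> Dict[str, str]:
    """DLP rule scoped to the Sales Team, insider risk policy scoped to all users."""
    dlp = DlpPolicy("Sales DLP", {"Block sensitive mail to competitors": SALES_TEAM})
    irm = InsiderRiskPolicy("Leaks - all users", "General data leaks", ALL_USERS, dlp)
    return summarize(irm, ALERTS)


def scenario_irm_scoped_to_sales() -> Dict[str, str]:
    """Insider risk policy scoped to the Sales Team, DLP rule scoped to all users."""
    dlp = DlpPolicy("Org DLP", {"Block sensitive mail to competitors": ALL_USERS})
    irm = InsiderRiskPolicy("Leaks - sales", "General data leaks", SALES_TEAM, dlp)
    return summarize(irm, ALERTS)
```

In both scenarios only alice's High alert is ingested; carol's High alert is dropped either because the DLP rule never covered her or because the insider risk policy does not, and the Medium alert and the alert from an unassigned policy are dropped regardless of scope.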

Data leaks by priority users (preview)

Protecting data and preventing data leaks for users in your organization may depend on their position, level of access to sensitive information, or risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. In conjunction with an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious activity and results in an increased likelihood of insider risk alerts and alerts with higher severity levels. Priority users are defined in priority user groups configured in the insider risk management settings area.

As with the General data leaks template, you must assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Follow the Data leaks policy guidelines above when creating a policy using this template. Additionally, you will need to assign priority user groups created in Insider risk management > Settings > Priority user groups to the policy.

Data leaks by disgruntled users (preview)

When users experience employment stressors, they may become disgruntled, which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with disgruntlement is identified. Examples include performance improvement notifications, poor performance reviews, or changes to job level status. Data leaks for disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services near employment stressor events.

When using this template, you must also configure a Microsoft 365 HR connector to periodically import performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.

General security policy violations (preview)

In many organizations, users have permissions to install software on their devices or to modify device settings to help with their tasks. Either inadvertently or with malicious intent, users may install malware or disable important security features that help protect information on their device or on your network resources. This policy template uses security alerts from Microsoft Defender for Endpoint to start scoring these activities and focus detection and alerts to this risk area. Use this template to provide insights for security policy violations in scenarios when users may have a history of security policy violations that may be an indicator of insider risk.

You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.

Security policy violations by departing users (preview)

Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. Policy indicators are activated after users have a resignation or termination date imported from the Microsoft 365 HR Connector as a triggering event.

When using this template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.

You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.

Security policy violations by priority users (preview)

Protecting against security violations for users in your organization may depend on their position, level of access to sensitive information, or risk history. Because security violations by priority users may have an outsized impact on your organization's critical areas, this policy template starts scoring on these indicators and uses Microsoft Defender for Endpoint alerts to provide insights into security-related activities for these users. These may include the priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.

You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint. Additionally, you will need to assign priority user groups created in Insider risk management > Settings > Priority user groups to the policy.

Security policy violations by disgruntled users (preview)

Users that experience employment stressors may be at a higher risk for inadvertent or malicious security policy violations. These stressors may include the user being placed on a performance improvement plan, poor performance review status, or being demoted from their current position. This policy template starts risk scoring based on these indicators and on activities associated with these events for these users.

When using this template, you must also configure a Microsoft 365 HR connector to periodically import performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the Import data with the HR connector article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.

You'll also need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.

Offensive language in email

Important

Starting October 16, 2020, you will no longer be able to create policies using this template. Any active policies that use this template will work until they're permanently removed in January 2021. We are deprecating the Offensive Language built-in classifier that supports this template because it has been producing a high number of false positives. To address risk issues for offensive language, we recommend using Microsoft 365 communication compliance policies. For more information about built-in classifiers, see Getting started with trainable classifiers.

Detecting and taking action to prevent offensive and abusive behavior is a critical component of preventing risk. Built-in classifiers in Microsoft 365 scan sent email messages from Exchange Online mailboxes in your organization for different types of compliance issues. These classifiers use a combination of artificial intelligence and keywords to identify language in email likely to violate anti-harassment policies. Use this template to quickly create a policy that uses these classifiers to automatically detect email message content that may be considered abusive or offensive. Insider risk management uses classifiers that scan sent email messages for English language terms and sentiment for offensive language.

Policy template prerequisites and triggering events

Depending on the template you choose for an insider risk management policy, the triggering events and policy prerequisites vary. Triggering events are prerequisites that determine if a user is active for an insider risk management policy. If a user is added to an insider risk management policy but does not have a triggering event, the user activity is not evaluated by the policy unless they are manually added in the Users dashboard. Policy prerequisites are required items so that the policy receives the signals or activities necessary to evaluate risk.

The following table lists the triggering events and prerequisites for policies created from each insider risk management policy template:

  • Data theft by departing users
    Triggering events: Resignation or termination date indicator from HR connector
    Prerequisites: Microsoft 365 HR connector configured for termination and resignation date indicators
  • General data leaks
    Triggering events: Data leak policy activity that creates a High severity alert
    Prerequisites: DLP policy configured for High severity alerts
  • Data leaks by priority users
    Triggering events: Data leak policy activity that creates a High severity alert
    Prerequisites: DLP policy configured for High severity alerts; Priority user groups configured in insider risk settings
  • Data leaks by disgruntled users
    Triggering events: Performance improvement, poor performance, or job level change indicators from HR connector
    Prerequisites: Microsoft 365 HR connector configured for disgruntlement indicators
  • General security policy violations
    Triggering events: Defensive evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint
    Prerequisites: Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured
  • Security policy violations by departing users
    Triggering events: Resignation or termination date indicators from HR connector
    Prerequisites: Microsoft 365 HR connector configured for termination and resignation date indicators; Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured
  • Security policy violations by priority users
    Triggering events: Defensive evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint
    Prerequisites: Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured; Priority user groups configured in insider risk settings
  • Security policy violations by disgruntled users
    Triggering events: Performance improvement, poor performance, or job level change indicators from HR connector
    Prerequisites: Microsoft 365 HR connector configured for disgruntlement indicators; Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with Microsoft 365 compliance center configured
  • Offensive language in email
    Triggering events: Profanity, threats, or harassing language in email messages
    Prerequisites: Active Exchange Online subscription

Prioritize content in policies

Insider risk management policies support specifying a higher priority for content depending on where it is stored or how it is classified. Specifying content as a priority increases the risk score for any associated activity, which in turn increases the chance of generating a high severity alert. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority in the policy.

For example, your organization has a dedicated SharePoint site for a highly confidential project. Data leaks for information in this SharePoint site could compromise the project and would have a significant impact on its success. By prioritizing this SharePoint site in a Data leaks policy, risk scores for qualifying activities are automatically increased. This prioritization increases the likelihood that these activities generate an insider risk alert and raises the severity level for the alert.

When you create an insider risk management policy in the policy wizard, you can choose from the following priorities:

  • SharePoint sites: Any activity associated with all file types in the defined SharePoint sites is assigned a higher risk score.
  • Sensitive information types: Any activity associated with content that contains sensitive information types is assigned a higher risk score.
  • Sensitivity labels: Any activity associated with content that has specific sensitivity labels applied is assigned a higher risk score.

Create a new policy

To create a new insider risk management policy, you'll use the policy wizard in Insider risk management solution in the Microsoft 365 compliance center.

Complete the following steps to create a new policy:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.

  2. Select Create policy to open the policy wizard.

  3. On the New insider risk policy page, complete the following fields:

    • Name (required): Enter a friendly name for the policy.
    • Description (optional): Enter a description for the policy.
    • Choose policy template (required): Select one of the policy templates to define the types of risk indicators that are monitored by the policy.

    Important

    Most policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see Get started with insider risk management.

  4. Select Next to continue.

  5. On the Users page, select Add user or group or Choose Priority user groups to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select All users and mail-enabled groups checkbox if applicable (if you haven't selected a priority user-based template). Select Next to continue.

  6. On the Specify what content to prioritize (optional) page, you can assign the sources to prioritize for increased risk scores. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:

    • SharePoint sites: Select Add SharePoint site and select the SharePoint organizations you want to prioritize. For example, "group1@contoso.sharepoint.com/sites/group1".
    • Sensitive info type: Select Add sensitive info type and select the sensitivity types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number".
    • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret".
  7. Select Next to continue.

  8. On the Select policy indicators page, you'll see the indicators that you've defined as available on the Insider risk settings > Indicators page. If you selected a Data leaks template at the beginning of the wizard, you must select a DLP policy from the DLP policy dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the Use default thresholds recommended by Microsoft option and enter the threshold values for each selected indicator. If you've selected at least one Office or Device indicator, select the Risk score boosters as appropriate. Risk score boosters are only applicable for selected indicators.

    Important

    If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies on the Insider risk management > Settings > Policy indicators page.

  9. Select Next to continue.

  10. On the Policy timeframes page, you'll see the activation window conditions for the policy that are configured on the Insider risk settings > Policy timeframes page.

  11. Select Next to continue.

  12. On the Review page, review the settings you've chosen for the policy. Select Edit to change any of the policy values or select Submit to create and activate the policy.

Update a policy

To update an existing insider risk management policy, you'll use the policy wizard in Insider risk management solution in the Microsoft 365 compliance center.

Complete the following steps to manage an existing policy:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.

  2. On the policy dashboard, select the policy you want to manage.

  3. On the policy details page, select Edit policy.

  4. In the policy wizard, you cannot edit the following fields:

    • Name: The friendly name for the policy.
    • Choose policy template: The template used to define the types of risk indicators monitored by the policy.
  5. Enter a new description for the policy in the Description field.

  6. Select Next to continue.

  7. On the Users page, select Add user or group or Choose Priority user groups to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select All users and mail-enabled groups checkbox if applicable (if you haven't selected a priority user-based template). Select Next to continue.

  8. On the Specify what content to prioritize (optional) page, you can assign the sources to prioritize for increased risk scores. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:

    • SharePoint sites: Select Add SharePoint site and select the SharePoint organizations you want to prioritize. For example, "group1@contoso.sharepoint.com/sites/group1".
    • Sensitive info type: Select Add sensitive info type and select the sensitivity types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number".
    • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret".
  9. Select Next to continue.

  10. On the Select policy indicators page, you'll see the indicators that you've defined as available on the Insider risk settings > Indicators page. If you selected a Data leaks template at the beginning of the wizard, you must select a DLP policy from the DLP policy dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable the Use default thresholds recommended by Microsoft option and enter the threshold values for each selected indicator. If you've selected at least one Office or Device indicator, select the Risk score boosters as appropriate. Risk score boosters are only applicable for selected indicators.

    Important

    If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies on the Insider risk management > Settings > Policy indicators page.

  11. Select Next to continue.

  12. On the Policy timeframes page, you'll see the activation window conditions for the policy that are configured on the Insider risk settings > Policy timeframes page.

  13. Select Next to continue.

  14. On the Review page, review the settings you've updated for the policy. Select Edit to change any of the policy values or select Submit to update and activate the policy.

Delete a policy

Note

Deleting a policy does not delete active or archived alerts generated from the policy.

To delete an existing insider risk management policy, complete the following steps:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.
  2. On the policy dashboard, select the policy you want to delete.
  3. Select Delete on the dashboard toolbar.
  4. On the Delete dialog, select Yes to delete the policy, or select Cancel to close the dialog.