Get started with insider risk management

Use insider risk management policies to identify risky activities and management tools to act on risk alerts in your organization. Complete the following steps to set up prerequisites and configure an insider risk management policy.

Important

The Microsoft 365 insider risk management solution provides a tenant-level option to help customers facilitate internal governance at the user level. Tenant-level administrators can set up permissions to provide access to this solution for members of your organization and set up data connectors in the Microsoft 365 compliance center to import relevant data to support user-level identification of potentially risky activity. Customers acknowledge that insights related to an individual user's behavior, character, or performance materially related to employment can be calculated by the administrator and made available to others in the organization. In addition, customers acknowledge that they must conduct their own full investigation related to the individual user's behavior, character, or performance materially related to employment, and not just rely on insights from the insider risk management service. Customers are solely responsible for using the Microsoft 365 insider risk management service, and any associated feature or service, in compliance with all applicable laws, including laws relating to individual user identification and any remediation actions.

For more information about how insider risk policies can help you manage risk in your organization, see Insider risk management in Microsoft 365.

Subscriptions and licensing

Before you get started with insider risk management, you should confirm your Microsoft 365 subscription and any add-ons. To access and use insider risk management, your organization must have one of the following subscriptions or add-ons:

  • Microsoft 365 E5 subscription (paid or trial version)
  • Microsoft 365 E3 subscription + the Microsoft 365 E5 Compliance add-on
  • Microsoft 365 E3 subscription + the Microsoft 365 E5 Insider Risk Management add-on
  • Microsoft 365 A5 subscription (paid or trial version)
  • Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on
  • Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on
  • Microsoft 365 G5 subscription (paid or trial version)
  • Microsoft 365 G3 subscription + the Microsoft 365 G5 Compliance add-on
  • Microsoft 365 G3 subscription + the Microsoft 365 G5 Insider Risk Management add-on
  • Office 365 E3 subscription + Enterprise Mobility and Security E3 + the Microsoft 365 E5 Compliance add-on

Users included in insider risk management policies must be assigned one of the licenses above.

If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try insider risk management, you can add Microsoft 365 to your existing subscription or sign up for a trial of Microsoft 365 Enterprise E5.

Step 1: Enable permissions for insider risk management

Important

After configuring your role groups, it may take up to 30 minutes for the role group permissions to apply to assigned users across your organization.

There are four role groups used to configure permissions to manage insider risk management features. To continue with these configuration steps, your tenant administrators must first assign you to the Insider Risk Management or Insider Risk Management Admin role group. To access and manage insider risk management features after initial configuration, users must be a member of at least one insider risk management role group.

Depending on the structure of your compliance management team, you have options to assign users to specific role groups to manage different sets of insider risk management features. To view the Permissions tab in the Office 365 Security & Compliance Center and manage role groups, you need to be assigned to the Organization Management role group or be assigned the Role Management role. Choose from these role group options when configuring insider risk management:

Role groups and their role permissions:

  • Insider Risk Management: Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, investigators, and auditors, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles and associated permissions. This configuration is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.
  • Insider Risk Management Admin: Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can enable and view analytics insights and create, read, update, and delete insider risk management policies, global settings, and role group assignments.
  • Insider Risk Management Analysts: Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access and view all insider risk management alerts, cases, analytics insights, and notice templates. They cannot access the insider risk Content explorer.
  • Insider Risk Management Investigators: Use this group to assign permissions to users that will act as insider risk data investigators. Users in this role group can access all insider risk management alerts, cases, notice templates, and the Content explorer for all cases.
  • Insider Risk Management Auditors: Use this group to assign permissions to users that will audit insider risk management activities. Users in this role group can access the insider risk audit log.

Note

These role groups are currently not supported on Privileged Identity Management (PIM). To learn more about PIM, see Assign Azure AD roles in Privileged Identity Management.

Add users to an insider risk management role group

Complete the following steps to add users to an insider risk management role group:

  1. Sign in to https://protection.office.com/permissions using credentials for an admin account in your Microsoft 365 organization.

  2. In the Security & Compliance Center, go to Permissions. Select the link to view and manage roles in Office 365.

  3. Select the insider risk management role group you want to add users to, then select Edit role group.

  4. Select Choose members from the left navigation pane, then select Edit.

  5. Select Add and then select the checkbox for all users you want to add to the role group.

  6. Select Add, then select Done.

  7. Select Save to add the users to the role group. Select Close to complete the steps.

Step 2: Enable the Microsoft 365 audit log

Insider risk management uses Microsoft 365 audit logs for user insights and activities identified in policies and analytics insights. The Microsoft 365 audit logs are a summary of all activities within your organization, and insider risk management policies may use these activities for generating policy insights.

For step-by-step instructions to turn on auditing, see Turn audit log search on or off. After you turn on auditing, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this action once. For more information about using the Microsoft 365 audit log, see Search the audit log.

Step 3: Enable and view insider risk analytics insights (optional)

Insider risk management analytics enables you to conduct an evaluation of potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher user risk and help determine the type and scope of insider risk management policies you may consider configuring. This evaluation may also help you determine needs for additional licensing or future optimization of existing policies. Analytics scan results may take up to 48 hours before insights are available as reports for review. To learn more about analytics insights, see Insider risk management settings: Analytics (preview) and check out the Insider Risk Management Analytics video to help understand how analytics can help accelerate the identification of potential insider risks and help you to quickly take action.

To enable insider risk analytics, you must be a member of the Insider Risk Management, Insider Risk Management Admin, or Microsoft 365 Global admin role group.

Complete the following steps to enable insider risk analytics:

  1. In the Microsoft 365 compliance center, go to Insider risk management.
  2. Select Run scan on the Scan for insider risks in your organization card on the insider risk management Overview tab. This action turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to Insider risk settings > Analytics (preview) and enabling Scan your tenant's user activity to identify potential insider risks.
  3. On the Analytics details pane, select Run scan to start the scan for your organization. Analytics scan results may take up to 24 hours before insights are available as reports for review.

After reviewing the analytics insights, choose the insider risk policies and configure the associated prerequisites that best meet your organization's insider risk mitigation strategy.

Step 4: Configure prerequisites for policies

Most insider risk management policies have prerequisites that must be configured for policy indicators to generate relevant activity alerts. Configure the appropriate prerequisites depending on the policies you plan to configure for your organization.

Configure Microsoft 365 HR connector

Insider risk management supports importing user and log data from third-party risk management and human resources platforms. The Microsoft 365 Human Resources (HR) data connector allows you to pull in human resources data from CSV files, including user termination dates, last employment dates, performance improvement plan notifications, performance review actions, and job level change status. This data helps drive alert indicators in insider risk management policies and is an important part of configuring full risk management coverage in your organization. If you configure more than one HR connector for your organization, insider risk management will automatically pull indicators from all HR connectors.

The Microsoft 365 HR connector is required when using the following policy templates:

  • Departing user data theft
  • Security policy violations by departing users
  • Security policy violations by disgruntled users
  • Data leaks by disgruntled users

See the Set up a connector to import HR data article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization. After you've configured the HR connector, return to these configuration steps.

Configure Data Loss Prevention (DLP) policies

Insider risk management supports using DLP policies to help identify the intentional or accidental exposure of sensitive information to unwanted parties for High severity level DLP alerts. When configuring an insider risk management policy with any of the Data leaks templates, you must assign a specific DLP policy to the policy.

DLP policies help identify users to activate risk scoring in insider risk management for High severity DLP alerts for sensitive information and are an important part of configuring full risk management coverage in your organization. For more information about insider risk management and DLP policy integration and planning considerations, see Insider risk management policies.

Important

Make sure you've completed the following:

  • You understand and properly configure the in-scope users in both the DLP and insider risk management policies to produce the policy coverage you expect.
  • Make sure the Incident reports setting in the DLP policy used with these insider risk management templates is configured for High severity level alerts. Insider risk management alerts won't be generated from DLP policies with the Incident reports field set to Low or Medium.

A DLP policy is required when using the following policy templates:

  • General data leaks
  • Data leaks by priority users

See the Create, test, and tune a DLP policy article for step-by-step guidance to configure DLP policies for your organization. After you've configured a DLP policy, return to these configuration steps.

Configure priority user groups

Insider risk management includes support for assigning priority user groups to policies to help identify unique risk activities for users with critical positions, high levels of data and network access, or a past history of risk behavior. Creating a priority user group and assigning users to the group helps scope policies to the unique circumstances presented by these users.

A priority user group is required when using the following policy templates:

  • Security policy violations by priority users
  • Data leaks by priority users

See the Getting started with insider risk management settings article for step-by-step guidance to create a priority user group. After you've configured a priority user group, return to these configuration steps.

Configure Physical badging connector (optional)

Insider risk management supports importing user and log data from physical control and access platforms. The Physical badging connector allows you to pull in access data from JSON files, including user IDs, access point IDs, access times and dates, and access status. This data helps drive alert indicators in insider risk management policies and is an important part of configuring full risk management coverage in your organization. If you configure more than one Physical badging connector for your organization, insider risk management automatically pulls indicators from all Physical badging connectors. Information from the Physical badging connector supplements other insider risk signals when using all insider risk policy templates.

Important

For insider risk management policies to use and correlate signal data related to departing and terminated users with event data from your physical control and access platforms, you must also configure the Microsoft 365 HR connector. If you enable the Physical badging connector without enabling the Microsoft 365 HR connector, insider risk management policies will only process events for unauthorized physical access for users in your organization.

See the Set up a connector to import physical badging data article for step-by-step guidance to configure the Physical badging connector for your organization. After you've configured the connector, return to these configuration steps.
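The HR connector and Physical badging connector sections above describe two data sources that only become useful together: badging events can be tied to departing or terminated users only when HR data is also present, otherwise only unauthorized access events are processed. The following added Python example (not Microsoft's code, and not the real connector schemas) shows that correlation on constructed HR CSV rows and badging JSON records; the column and field names EmailAddress, TerminationDate, UserId, AssetId, AccessTime and AccessStatus are assumptions.

```python
"""Added example (not Microsoft's code): correlate constructed Physical badging
JSON records with constructed HR connector CSV rows. Column and field names are
assumptions, not the real connector schemas."""
import csv
import io
import json
from datetime import date, datetime

# Constructed HR export. An empty TerminationDate means the user is not departing.
HR_CSV = """EmailAddress,TerminationDate
alice@contoso.com,2024-03-15
bob@contoso.com,
carol@contoso.com,2024-04-01
"""

# Constructed badging export: who badged where, when, and whether access succeeded.
BADGING_JSON = """[
  {"UserId": "alice@contoso.com", "AssetId": "DC-EAST-DOOR-1",
   "AccessTime": "2024-03-20T22:14:00", "AccessStatus": "Success"},
  {"UserId": "bob@contoso.com", "AssetId": "LOBBY",
   "AccessTime": "2024-03-20T08:02:00", "AccessStatus": "Success"},
  {"UserId": "carol@contoso.com", "AssetId": "SERVER-ROOM",
   "AccessTime": "2024-03-30T19:45:00", "AccessStatus": "Failed"},
  {"UserId": "carol@contoso.com", "AssetId": "SERVER-ROOM",
   "AccessTime": "2024-03-28T10:00:00", "AccessStatus": "Success"}
]"""


def load_hr(csv_text):
    """Return {email: termination date or None} from the HR CSV text."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        term = row["TerminationDate"].strip()
        users[row["EmailAddress"].strip().lower()] = (
            date.fromisoformat(term) if term else None
        )
    return users


def load_badging(json_text):
    """Parse badging records and turn AccessTime into a datetime."""
    events = []
    for rec in json.loads(json_text):
        events.append({**rec, "AccessTime": datetime.fromisoformat(rec["AccessTime"])})
    return events


def correlate(hr_users, events):
    """Flag badging events worth an analyst's attention.

    - Any non-successful access is flagged on its own; this is all that can be
      detected when no HR data is available, as the page's note describes.
    - Any access dated after the user's HR termination date is flagged as
      post-termination access; this needs the HR data.
    """
    findings = []
    for ev in events:
        user = ev["UserId"].strip().lower()
        reasons = []
        if ev["AccessStatus"] != "Success":
            reasons.append("unauthorized physical access attempt")
        term = hr_users.get(user)
        if term is not None and ev["AccessTime"].date() > term:
            reasons.append(f"access after termination date {term.isoformat()}")
        if reasons:
            findings.append({
                "user": user,
                "asset": ev["AssetId"],
                "time": ev["AccessTime"].isoformat(),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    badging = load_badging(BADGING_JSON)
    print("With HR data:")
    for finding in correlate(load_hr(HR_CSV), badging):
        print(" ", finding)
    print("Badging only (no HR connector):")
    for finding in correlate({}, badging):
        print(" ", finding)
```

Running it with the HR rows flags alice's successful badge-in five days after her termination date as well as carol's failed attempt; running it with an empty HR mapping flags only the failed attempt.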

Configure Microsoft Defender for Endpoint (optional)

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To have better visibility of security violations in your organization, you can import and filter Defender for Endpoint alerts for activities used in policies created from insider risk management security violation policy templates.

If you create security violation policies, you'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information about requirements, see the Minimum requirements for Microsoft Defender for Endpoints article.

See the Configure advanced features in Defender for Endpoint article for step-by-step guidance to configure Defender for Endpoint for insider risk management integration. After you've configured Microsoft Defender for Endpoint, return to these configuration steps.

Step 5: Configure insider risk settings

Insider risk settings apply to all insider risk management policies, regardless of the template you chose when creating a policy. Settings are configured using the Insider risk settings control located at the top of all insider risk management tabs. These settings control privacy, indicators, monitoring windows, and intelligent detections.

Before configuring a policy, define the following insider risk settings:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select Insider risk settings from the top-right corner of any page.

  2. On the Privacy page, select a privacy setting for displaying usernames for policy alerts.

  3. On the Indicators page, select the alert indicators you want to apply to all insider risk policies.

    Important

    In order to receive alerts for risky activity defined in your policies, you must select one or more indicators. If indicators aren't configured in Settings, the indicators won't be selectable in insider risk policies.

  4. On the Policy timeframes page, select the policy timeframes to go into effect for a user when they trigger a match for an insider risk policy.

  5. On the Intelligent detections page, configure the following settings for insider risk policies:

  6. On the Export alerts page, enable export of insider risk alert information using the Office 365 Management APIs if needed.

  7. On the Priority user groups page, create a priority user group and add users if not created in Step 3.

  8. On the Power Automate flows page, configure a flow from insider risk flow templates or create a new flow. See the Getting started with insider risk management settings article for step-by-step guidance.

  9. On the Priority assets page, configure priority assets to use data from your physical control and access platform imported by the Physical badging connector. See the Getting started with insider risk management settings article for step-by-step guidance.

  10. On the Microsoft Teams page, enable Microsoft Teams integration with insider risk management to automatically create a team for case or user collaboration. See the Getting started with insider risk management settings article for step-by-step guidance.

  11. Select Save to enable these settings for your insider risk policies.

Step 6: Create an insider risk management policy

Insider risk management policies include assigned users and define which types of risk indicators are configured for alerts. Before activities can trigger alerts, a policy must be configured. Use the policy wizard to create new insider risk management policies.

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.

  2. Select Create policy to open the policy wizard.

  3. On the Policy template page, choose a policy category and then select the template for the new policy. These templates are made up of conditions and indicators that define the risk activities you want to detect and investigate. Review the template prerequisites, triggering events, and detected activities to confirm this policy template fits your needs.

    Important

    Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see Step 4 above.

  4. Select Next to continue.

  5. On the Name and description page, complete the following fields:

    • Name (required): Enter a friendly name for the policy. This name cannot be changed after the policy is created.
    • Description (optional): Enter a description for the policy.
  6. Select Next to continue.

  7. On the Users and groups page, select Include all users and groups or Include specific users and groups to define which users or groups are included in the policy, or, if you've chosen a priority user-based template, select Add or edit priority user groups. Selecting Include all users and groups will look for triggering events for all users and groups in your organization to start assigning risk scores for the policy. Selecting Include specific users and groups allows you to define which users and groups to assign to the policy.

  8. Select Next to continue.

  9. On the Content to prioritize page, you can (if needed) assign the sources to prioritize, which increases the chance of generating a high severity alert for these sources. Select one of the following choices:

    • I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content. Selecting this option will enable detail pages in the wizard to configure these channels.
    • I don't want to specify priority content right now (you'll be able to do this after the policy is created). Selecting this option will skip the channel detail pages in the wizard.
  10. Select Next to continue.

  11. If you selected I want to specify SharePoint sites, sensitivity labels, and/or sensitive information types as priority content in the previous step, you'll see the detail pages for SharePoint sites, Sensitive info types, and Sensitivity labels. Use these detail pages to define the SharePoint sites, sensitive info types, and sensitivity labels to prioritize in the policy.

    • SharePoint sites: Select Add SharePoint site and select the SharePoint sites you have access to and want to prioritize. For example, "group1@contoso.sharepoint.com/sites/group1".
    • Sensitive info types: Select Add sensitive info type and select the sensitive info types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number".
    • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret".
  12. Select Next to continue.

  13. On the Indicators and triggering events page, you'll see the indicators that you've defined as available on the Insider risk settings > Indicators page. If you selected a Data leaks template at the beginning of the wizard, you must select a DLP policy from the DLP policy dropdown list to enable triggering indicators for the policy, or select the built-in triggering event.

    Important

    If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies. You can use the Turn on indicators button in the wizard or select indicators on the Insider risk management > Settings > Policy indicators page.

    Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable Use default thresholds recommended by Microsoft and enter the threshold values for each selected indicator.

    • If you've selected at least one Office or Device indicator, select the Risk score boosters as appropriate. Risk score boosters are only applicable for selected indicators.
    • If you've selected a Data theft or Data leaks policy template, select one or more Sequence detection methods and a Cumulative exfiltration detection method to apply to the policy.
  14. Select Next to continue.

  15. On the Indicator thresholds page, select the option to use default indicator thresholds or to specify custom thresholds for individual indicators. For each indicator, choose the appropriate level to generate the desired level of activity alerts.

  16. Select Next to continue.

  17. On the Review page, review the settings you've chosen for the policy and any suggestions or warnings for your selections. Select Edit to change any of the policy values or select Submit to create and activate the policy.

Next steps

After you've completed these steps to create your first insider risk management policy, you'll start to receive alerts from activity indicators after about 24 hours. Configure additional policies as needed using the guidance in Step 4 of this article or the steps in Create a new insider risk policy.

To learn more about investigating insider risk alerts and the Alerts dashboard, see Insider risk management alerts.