Insider risk management cases

Cases are the heart of insider risk management and allow you to deeply investigate and act on issues generated by risk indicators defined in your policies. Cases are manually created from alerts in situations where further action is needed to address a compliance-related issue for a user. Each case is scoped to a single user and multiple alerts for the user can be added to an existing case or to a new case.

After investigating the details of a case, you can take action by:

  • sending the user a notice
  • resolving the case as benign
  • sharing the case with your ServiceNow instance or with an email recipient
  • escalating the case for an Advanced eDiscovery investigation

Cases dashboard

The insider risk management Cases dashboard allows you to view and act on cases. Each report widget on the dashboard displays information for the last 30 days.

  • Active cases: The total number of active cases under investigation.
  • Cases over past 30 days: The total number of cases created, sorted by Active and Closed status.
  • Statistics: Average time of active cases, listed in hours, days, or months.

The case queue lists all active and closed cases for your organization, in addition to the current status of the following case attributes:

  • Case name: The name of the case, defined when an alert is confirmed and the case is created.
  • Status: The status of the case, either Active or Closed.
  • User: The user for the case. If anonymization for usernames is enabled, anonymized information is displayed.
  • Time case opened: The time that has passed since the case was opened.
  • Total policy alerts: The number of policy matches included in the case. This number may increase if new alerts are added to the case.
  • Last updated: The time that has passed since there has been an added case note or change in the case state.
  • Last updated by: The name of the insider risk management analyst or investigator that last updated the case.

Insider risk management case dashboard

Use the Search control to search case names for specific text and use the case filter to sort cases by the following attributes:

  • Status
  • Time case opened, start date, and end date
  • Last updated, start date, and end date
Filter cases

Depending on the number and type of active insider risk management policies in your organization, reviewing a large queue of cases can be challenging. Using case filters can help analysts and investigators sort cases by several attributes. To filter cases on the Cases dashboard, select the Filter control. You can filter cases by one or more attributes:

  • Status: Select one or more status values to filter the case list. The options are Active and Closed.
  • Time case opened: Select the start and end dates for when the case was opened.
  • Last updated: Select the start and end dates for when the case was updated.

Investigate a case

Deeper investigation into insider risk management alerts is critical to taking proper corrective actions. Insider risk management cases are the central management tool to dive deeper into user risk activity history and alert details, and to explore the content and messages exposed to risks. Risk analysts and investigators also use cases to centralize review feedback and notes and to process case resolution.

Selecting a case opens the case management tools and allows analysts and investigators to dig into the details of cases.

Case overview

The Case overview tab summarizes the alert activity and risk level history for the case.

  • The Alerts widget shows the policy matches for the case, including the status of the alert, the alert risk severity, and when the alert was detected.
  • The Risk level history chart displays the user risk level over the last 30 days. The line chart allows analysts and investigators to quickly see the trend in overall user risk over time.
  • The Risk activity content widget summarizes the types of data and content contained in alerts added to the case. This widget gives an all-up view of the entire data and content set at risk in the case.

The Case details pane is available on all case management tabs and summarizes the case details for risk analysts and investigators. It includes the following areas:

  • Case name: The name of the case, prefixed with an autogenerated case sequence number and the name of the risk associated with the policy template that the first confirmed alert matches.
  • Case status: The current status of the case, either Active or Closed.
  • User's risk score: The current calculated risk level of the user for the case. This score is calculated every 24 hours and uses the alert risk scores from all active alerts associated to the user.
  • Alerts confirmed: List of alerts for the user confirmed for the case.
  • Related content: List of content, sorted by content sources and types. For example, for case alert content in SharePoint Online, you may see folder or file names listed that are associated with the risk activity for alerts in the case.

Insider risk management case details

Alerts

The Alerts tab summarizes the current alerts included in the case. New alerts may be added to an existing case and they will be added to the Alert queue as they are assigned. The following alert attributes are listed in the queue:

  • Status
  • Severity
  • Time detected

Select an alert from the queue to display the Alert detail page.

Use the search control to search alert names for specific text and use the alert filter to sort alerts by the following attributes:

  • Status
  • Severity
  • Time detected, start date, and end date

Use the filter control to filter alerts by several attributes, including:

  • Status: Select one or more status values to filter the alert list. The options are Confirmed, Dismissed, Needs review, and Resolved.
  • Severity: Select one or more alert risk severity levels to filter the alert list. The options are High, Medium, and Low.
  • Time detected: Select the start and end dates for when the alert was created.
  • Policy: Select one or more policies to filter the alerts generated by the selected policies.

User activity

The User activity tab is one of the most powerful tools for internal risk analysis and investigation for cases in the insider risk management solution. This tab is structured to enable quick review of a case, including a historical timeline of all alerts, all alert details, the current risk score for the user in the case, and controls to take effective action to contain the risks in the case.

Insider risk management user activity

  1. Date and window time filters: By default, the last six months of alerts confirmed in the case are displayed in the User activity chart. You can easily filter the chart view with either the slider controls at both ends of the chart window, or by defining specific start and end dates in the chart filter control.
  2. Risk alert activity and details: Risk activities are visually displayed as colored bubbles in the User activity chart. Bubbles are created for different categories of risk and bubble size is proportional to the number of risk activities for the category. Select a bubble to display the details for each risk activity. Details include:
    • Date of the risk activity.
    • The risk activity category. For example, Email(s) with attachments sent outside the organization or File(s) downloaded from SharePoint Online.
    • Risk score for the alert. This score is the numerical score for the alert risk severity level.
    • Number of events associated with the alert. Links to each file or email associated with the risk activity are also available.
  3. Risk activity legend: Across the bottom of the User activity chart, a color-coded legend helps you quickly determine the risk category for each alert.
  4. Risk activity chronology: The full chronology of all risk alerts associated with the case is listed, including all the details available in the corresponding alert bubble.
  5. Case actions: Options for resolving the case are on the case action toolbar. You can resolve a case, send an email notice to the user, or escalate the case for a data or user investigation.

Activity explorer (preview)

Important

The Activity explorer tab is available in the case management area for users with triggering events after this feature is available in your organization.

The Activity explorer tab allows risk analysts and investigators to review activity details associated with risk alerts. For example, as part of the case management actions, investigators and analysts may need to review all the risk activities associated with the case for more details. With the Activity explorer, reviewers can quickly review a timeline of detected risky activity and identify and filter all risk activities associated with alerts.

For more information about the Activity explorer, see the Insider risk management alerts article.

Content Explorer

The Content Explorer tab allows risk analysts and investigators to review copies of all individual files and email messages associated with risk alerts. For example, if an alert is created when a user downloads hundreds of files from SharePoint Online and the activity triggers a policy alert, all the downloaded files for the alert are captured and copied to the insider risk management case from original storage sources.

The Content Explorer is a powerful tool with basic and advanced search and filtering features. To learn more about using the Content Explorer, see Insider risk management Content Explorer.

Insider risk management case Content Explorer

Case notes

The Case notes tab in the case is where risk analysts and investigators share comments, feedback, and insights about their work for the case. Notes are permanent additions to a case and cannot be edited or deleted after the note is saved. When a case is created from an alert, the comments entered in the Confirm alert and create insider risk case dialog are automatically added as a case note.

The case notes dashboard displays notes by the user that created the note and the time that has passed since the note was saved. To search the case note text field for a specific keyword, use the Search button on the case dashboard and enter a specific keyword.

To add a note to a case:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab.
  2. Select a case, then select the Case notes tab.
  3. Select Add case note.
  4. On the Add case note dialog, type your note for the case. Select Save to add the note to the case or select Cancel to close without saving the note to the case.

Contributors

The Contributors tab in the case is where risk analysts and investigators can add other reviewers to the case. By default, all users assigned the Insider Risk Management Analysts and Insider Risk Management Investigators roles are listed as contributors for each active and closed case. Only users assigned the Insider Risk Management Investigators role have permission to view files and messages in the Content Explorer.

Temporary access to a case can be granted by adding a user as a contributor. Contributors have all case management control on the specific case except:

  • Permission to confirm or dismiss alerts
  • Permission to edit the contributors for cases
  • Permission to view files and messages in the Content Explorer

To add a contributor to a case:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab.
  2. Select a case, then select the Contributors tab.
  3. Select Add contributor.
  4. On the Add contributor dialog, start typing the name of the user you want to add and then select the user from the suggested user list. This list is generated from the Azure Active Directory of your tenant subscription.
  5. Select Add to add the user as a contributor or select Cancel to close the dialog without adding the user as a contributor.

Case actions

Risk analysts and investigators can take action on a case in one of several methods, depending on the severity of the case, the history of risk of the user, and the risk guidelines of your organization. In some situations, you may need to escalate a case to a user or data investigation to collaborate with other areas of your organization and to dive deeper into risk activities. Insider risk management is tightly integrated with other Microsoft 365 compliance solutions to help you with end-to-end resolution management.

Send email notice

In most cases, user actions that create insider risk alerts are inadvertent or accidental. Sending a reminder notice to the user via email is an effective method for documenting case review and action, and is a method to remind users of corporate policies or point them to refresher training. Notices are generated from notice templates that you create for your insider risk management infrastructure.

It's important to remember that sending an email notice to a user does not resolve the case as Closed. In some cases, you may want to leave a case open after sending a notice to a user to look for more risk activities without opening a new case. If you want to resolve a case after sending a notice, you must select Resolve case as a follow-on step after sending the notice.

To send a notice to the user assigned to a case:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab.
  2. Select a case, then select the Send email notice button on the case action toolbar.
  3. On the Send e-mail notice dialog, select the Choose a notice template dropdown control to select the notice template for the notice. This selection pre-fills the other fields on the notice.
  4. Review the notice fields and update as appropriate. The values entered here will override the values on the template.
  5. Select Send to send the notice to the user or select Cancel to close the dialog without sending the notice to the user. All sent notices are added to the case notes queue on the Case notes dashboard.

Escalate for investigation

Escalate the case for user investigation in situations where additional legal review is needed for the user's risk activity. This escalation opens a new Advanced eDiscovery case in your Microsoft 365 organization. Advanced eDiscovery provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external legal investigations. It also lets your legal team manage the entire legal hold notification workflow to communicate with custodians involved in a case. Assigning a reviewer as a custodian in an Advanced eDiscovery case created from an insider risk management case helps your legal team take appropriate action and manage content preservation. To learn more about Advanced eDiscovery cases, see Overview of Advanced eDiscovery in Microsoft 365.

To escalate a case to a user investigation:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab.
  2. Select a case, then select the Escalate for investigation button on the case action toolbar.
  3. On the Escalate for investigation dialog, enter a name for the new user investigation. If needed, enter notes about the case and select Escalate.
  4. Review the notice fields and update as appropriate. The values entered here will override the values on the template.
  5. Select Confirm to create the user investigation case or select Cancel to close the dialog without creating a new user investigation case.

After the insider risk management case has been escalated to a new user investigation case, you can review the new case in the eDiscovery > Advanced area in the Microsoft 365 compliance center.

Run automated tasks with Power Automate flows for the case

Using recommended Power Automate flows, risk investigators and analysts can quickly take action to:

  • Request information from HR or business about a user in an insider risk case
  • Notify manager when a user has an insider risk alert
  • Add calendar reminder to follow up on an insider risk case
  • Create a record for an insider risk management case in ServiceNow

To run, manage, or create Power Automate flows for an insider risk management case:

  1. Select Automate on the case action toolbar.
  2. Choose the Power Automate flow to run, then select Run flow.
  3. After the flow has completed, select Done.

To learn more about Power Automate flows for insider risk management, see Getting started with insider risk management settings.

View or create a Microsoft Teams team for the case

When Microsoft Teams integration for insider risk management is enabled in settings, a Microsoft Teams team is automatically created every time an alert is confirmed and a case is created. Risk investigators and analysts can quickly open Microsoft Teams and navigate directly to the team for a case by selecting View Microsoft Teams team on the case action toolbar.

For cases opened before enabling Microsoft Teams integration, risk investigators and analysts can create a new Microsoft Teams team for a case by selecting Create Microsoft Teams team on the case action toolbar.

When a case is resolved, the associated Microsoft Teams team will be automatically archived (hidden and turned to read-only).

To learn more about Microsoft Teams for insider risk management, see Getting started with insider risk management settings.

Share the case

Sharing an insider risk management case allows risk investigators and analysts to easily collaborate with other compliance stakeholders in your organization. You can quickly share a link to an insider risk management case with external stakeholders from the case management area. To access the insider risk management case from the link, stakeholders must be included in any of the insider risk management role groups.

Note

Thank you for your feedback and support during the preview of the ServiceNow connector. We've decided to end the preview of ServiceNow connector and discontinue support in insider risk management on November 30, 2020. We are actively evaluating alternative methods to provide customers with ServiceNow integration in insider risk management.

The following sharing options are available:

  • ServiceNow: After configuring the Microsoft 365 ServiceNow connector for your Microsoft 365 organization, you can easily share a link to the case, open an incident, or request a change with your ServiceNow organization. To share the case with ServiceNow, select Share > ServiceNow from the case action. ServiceNow integration with insider risk management includes the following case information and actions:
    • Task name: The name for the new ServiceNow task.
    • Task description: The description for the new ServiceNow task. This editable description field automatically includes a link to the insider risk management case.
    • Task type: The task type for the new ServiceNow task, either Incident or Change request.
    • Priority: The priority for the new ServiceNow task, either Planning, Low, Moderate, High, or Critical.
    • Due date: The requested date for completing the ServiceNow task.

Insider risk management sharing with ServiceNow

  • Email: Shares a link to the insider risk management case in an email. You can choose any locally configured email client with this sharing option. To share the case link with email, select Share > Email from the case action toolbar.
  • Copy link: Copies a link to the insider risk management case to your clipboard. To copy the case link to your clipboard, select Share > Copy link from the case action toolbar.

Resolve the case

After risk analysts and investigators have completed their review and investigation, a case can be resolved to act on all the alerts currently included in the case. Resolving a case adds a resolution classification, changes the case status to Closed, and the resolution action reasons are automatically added to the case notes queue on the Case notes dashboard. Cases are resolved as either:

  • Benign: The classification for cases where policy match alerts are evaluated as low risk, non-serious, or false positive.
  • Confirmed policy violation: The classification for cases where policy match alerts are evaluated as risky, serious, or the result of malicious intent.

To resolve a case:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Cases tab.
  2. Select a case, then select the Resolve case button on the case action toolbar.
  3. On the Resolve case dialog, select the Resolve as dropdown control to select the resolution classification for the case. The options are Benign or Confirmed policy violation.
  4. On the Resolve case dialog, enter the reasons for the resolution classification in the Action taken text field.
  5. Select Resolve to close the case or select Cancel to close the dialog without resolving the case.