Insider risk management policies

Insider risk management policies determine which users are in scope and which types of risk indicators are configured for alerts. You can quickly create a policy that applies to all users in your organization, or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores and the level and frequency of alerts. Additionally, risk score boosters and anomaly detections help identify user activity that is of higher importance or more unusual. Policy windows let you define the time frame in which the policy applies to alert activities and are used to determine the duration of the policy once it is activated.

Policy dashboard

The Policy dashboard lets you quickly see the policies in your organization and the current status of the alerts associated with each policy.

  • Policy name: The name assigned to the policy in the policy wizard.
  • Active alerts: The number of active alerts for each policy.
  • Confirmed alerts: The total number of alerts that resulted in cases from the policy in the last 365 days.
  • Actions taken on alerts: The total number of alerts that were confirmed or dismissed in the last 365 days.
  • Policy effectiveness: The percentage obtained by dividing total confirmed alerts by total actions taken on alerts (the sum of alerts that were confirmed or dismissed over the past year).
  • Active: The status of the policy, either Yes or No.

[Image: Insider risk management policy dashboard]

Policy templates

Insider risk management templates are predefined policy conditions that define the types of risk indicators and the risk scoring model used by the policy. Each policy must have a template assigned in the policy creation wizard before the policy is created. Insider risk management supports up to five policies for each policy template. When you create a new insider risk policy with the policy wizard, you choose from one of the following policy templates:

Data theft by departing users

When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses those indicators for risk scoring and focuses detection and alerts on this risk area. Data theft by departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their resignation and employment end dates. This template starts scoring risk indicators for these activities and how they correlate with the user's employment status.

Important

When using this template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the Import data with the HR connector article for step-by-step guidance on configuring the Microsoft 365 HR connector for your organization.

General data leaks

Protecting data and preventing data leaks is a constant challenge for most organizations, particularly with the rapid growth of new data created by users, devices, and services. Users are empowered to create, store, and share information across services and devices, which makes managing data leaks increasingly complex and difficult. Data leaks can include accidental oversharing of information outside your organization or data theft with malicious intent. In conjunction with an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious SharePoint Online data downloads, file and folder sharing, printing files, and copying data to personal cloud messaging and storage services.

When using a Data leaks template, you must assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Whenever a high severity alert generated by a DLP policy rule is added to the Office 365 audit log, insider risk policies created with this template automatically examine that high severity DLP alert. If the alert involves an in-scope user defined in the insider risk policy, the alert is processed by the insider risk policy as a new alert and assigned an insider risk severity and risk score. This lets you evaluate the alert in context with the other activities included in the case.

Data leaks policy guidelines

When creating or modifying DLP policies for use with insider risk management policies, consider the following guidelines:

  • Prioritize data exfiltration events and be selective when setting Incident reports to High in the rules of your DLP policies. For example, emailing sensitive documents to a known competitor should be a High alert level exfiltration event. Over-assigning the High level in the Incident reports settings of other DLP policy rules increases the noise in the insider risk management alert workflow and makes it harder for your data investigators and analysts to properly evaluate these alerts. For example, assigning High alert levels to access denial activities in DLP policies makes it more challenging to evaluate truly risky user behavior and activities.

  • Make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies. Only users defined as in-scope for insider risk management policies using the Data leaks template will have their high severity DLP policy alerts processed. Additionally, only users in scope of the rule that produced a high severity DLP alert will be examined by the insider risk management policy for consideration. It is important that you don't unknowingly configure the in-scope users of your DLP and insider risk policies in a conflicting manner.

    For example, if your DLP policy rules are scoped only to users on the Sales Team, and the insider risk policy created from the Data leaks template has defined all users as in-scope, the insider risk policy will only actually process high severity DLP alerts for users on the Sales Team. In this example the insider risk policy won't receive any high severity DLP alerts to process for users who aren't covered by the DLP rules. Conversely, if your insider risk management policy created from the Data leaks template is scoped only to users on the Sales Team and the assigned DLP policy is scoped to all users, the insider risk policy will only process high severity DLP alerts for members of the Sales Team. The insider risk management policy will ignore high severity DLP alerts for all users not on the Sales Team.

  • Make sure the Incident reports rule setting in the DLP policy used for this insider risk management template is configured for High severity level alerts. The High severity level is the triggering event; insider risk management alerts won't be generated from rules in DLP policies whose Incident reports field is set to Low or Medium.

    [Image: DLP policy alert settings]

    Note

    When creating a new DLP policy using the built-in templates, you need to select the Create or customize advanced DLP rules option to configure the Incident reports setting for the High severity level.

Each insider risk management policy created from the Data leaks template can have only one DLP policy assigned. Consider creating a dedicated DLP policy that combines the different activities you want to detect and act as triggering events for insider risk policies that use the Data leaks template.

See the Create, test, and tune a DLP policy article for step-by-step guidance on configuring DLP policies for your organization.
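The two scoping examples above (DLP rules scoped to the Sales Team while the insider risk policy covers all users, and the reverse) together with the High severity rule can be checked against sample alerts with the following Python model. It is an added example written for this page, not Microsoft code, and it deliberately simplifies the service: the DlpAlert record, the ALL_USERS sentinel, the function names, the users, rule names and alert records are all constructed for illustration, and the real policy evaluates far more than severity and scope. What the model does show is that the users who can ever receive a triggering event are the intersection of the two scopes, and it flags users you added to the insider risk policy that the DLP policy never covers.

```python
"""Model of how a Data leaks insider risk policy picks up DLP triggering events.

Simplified model written for this page; it is not Microsoft's code. The
DlpAlert record, ALL_USERS sentinel, sample users, rule names and alerts are
assumptions made for illustration only.
"""
from dataclasses import dataclass

# Sentinel standing in for the "All users and mail-enabled groups" choice.
ALL_USERS = "ALL_USERS"

# Only High severity DLP alerts are triggering events for the Data leaks template.
TRIGGERING_SEVERITY = "High"


@dataclass(frozen=True)
class DlpAlert:
    """One DLP policy alert as it might land in the audit log (constructed)."""
    user: str        # user whose activity matched the DLP rule
    rule: str        # DLP rule that fired
    severity: str    # Incident reports setting of that rule: Low, Medium or High
    activity: str    # the matched activity


def in_scope(scope, user):
    """True if `user` is covered by `scope` (a set of users or ALL_USERS)."""
    return scope == ALL_USERS or user in scope


def effective_scope(dlp_scope, irm_scope):
    """Users whose High severity DLP alerts can actually reach the insider risk policy.

    Both policies must cover the user, so the result is the intersection of
    the two scopes; ALL_USERS on one side simply defers to the other side.
    """
    if dlp_scope == ALL_USERS:
        return irm_scope
    if irm_scope == ALL_USERS:
        return dlp_scope
    return dlp_scope & irm_scope


def uncovered_insider_risk_users(dlp_scope, irm_scope):
    """Users listed in the insider risk policy that the DLP policy never covers.

    These users can be added to the policy but will never get a triggering
    event from DLP, which is the conflict the guidelines warn about. Returns
    an empty set when either side is ALL_USERS, since then no user is excluded.
    """
    if irm_scope == ALL_USERS or dlp_scope == ALL_USERS:
        return set()
    return irm_scope - dlp_scope


def triggering_events(alerts, dlp_scope, irm_scope):
    """Filter DLP alerts down to those the insider risk policy would process.

    An alert for a user outside the DLP scope would not exist in practice;
    filtering on dlp_scope here models that the rule never fired for them.
    """
    return [
        a for a in alerts
        if a.severity == TRIGGERING_SEVERITY
        and in_scope(dlp_scope, a.user)
        and in_scope(irm_scope, a.user)
    ]


# Constructed sample data: alice and carol are on the Sales Team, bob is not.
SALES_TEAM = {"alice@contoso.com", "carol@contoso.com"}
SAMPLE_ALERTS = [
    DlpAlert("alice@contoso.com", "Sensitive docs emailed to competitor", "High", "EmailSent"),
    DlpAlert("bob@contoso.com", "Sensitive docs emailed to competitor", "High", "EmailSent"),
    DlpAlert("alice@contoso.com", "Access denied on labeled file", "Low", "FileAccessDenied"),
    DlpAlert("carol@contoso.com", "Bulk download from SharePoint", "Medium", "FileDownloaded"),
]


def scenario_dlp_scoped_to_sales():
    """First example on the page: DLP rules scoped to Sales, insider risk policy on all users."""
    return triggering_events(SAMPLE_ALERTS, dlp_scope=SALES_TEAM, irm_scope=ALL_USERS)


def scenario_irm_scoped_to_sales():
    """Second example on the page: insider risk policy scoped to Sales, DLP policy on all users."""
    return triggering_events(SAMPLE_ALERTS, dlp_scope=ALL_USERS, irm_scope=SALES_TEAM)


if __name__ == "__main__":
    for name, fn in [("DLP scoped to Sales", scenario_dlp_scoped_to_sales),
                     ("Insider risk scoped to Sales", scenario_irm_scoped_to_sales)]:
        hits = fn()
        print(f"{name}: {len(hits)} triggering event(s)")
        for a in hits:
            print(f"  {a.user}  {a.rule}  [{a.severity}]")
    gap = uncovered_insider_risk_users(dlp_scope=SALES_TEAM,
                                       irm_scope={"alice@contoso.com", "bob@contoso.com"})
    print("In the insider risk policy but never covered by DLP:", sorted(gap))
```

In both scenarios only alice's High alert survives: bob is excluded by whichever policy is scoped to Sales, and the Low and Medium alerts are dropped regardless of scope. Running uncovered_insider_risk_users before activating a policy is the cheap check that catches a user list which can never produce a triggering event.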

Data leaks by priority users (preview)

Protecting data and preventing data leaks for users in your organization may depend on their position, their level of access to sensitive information, or their risk history. Data leaks can include accidental oversharing of highly sensitive information outside your organization or data theft with malicious intent. In conjunction with an assigned Data Loss Prevention (DLP) policy, this template starts scoring real-time detections of suspicious activity, which results in a greater likelihood of insider risk alerts and of alerts with higher severity levels. Priority users are defined in priority user groups configured in the insider risk management settings area.

As with the General data leaks template, you must assign a DLP policy to trigger indicators in the insider risk policy for high severity alerts in your organization. Follow the Data leaks policy guidelines above when creating a policy using this template. Additionally, you need to assign priority user groups created in Insider risk management > Settings > Priority user groups to the policy.

Data leaks by disgruntled users (preview)

When users experience employment stressors, they may become disgruntled, which may increase the chance of insider risk activity. This template starts scoring user activity when an indicator associated with disgruntlement is identified. Examples include performance improvement notifications, poor performance reviews, or changes to job level status. Data leaks by disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services near employment stressor events.

When using this template, you must also configure a Microsoft 365 HR connector to periodically import performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the Import data with the HR connector article for step-by-step guidance on configuring the Microsoft 365 HR connector for your organization.

General security policy violations (preview)

In many organizations, users have permissions to install software on their devices or to modify device settings to help with their tasks. Either inadvertently or with malicious intent, users may install malware or disable important security features that help protect information on their device or on your network resources. This policy template uses security alerts from Microsoft Defender for Endpoint to start scoring these activities and focuses detection and alerts on this risk area. Use this template to gain insight into security policy violations in scenarios where users may have a history of security policy violations that may be an indicator of insider risk.

You need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint integration with insider risk management in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.

Security policy violations by departing users (preview)

Departing users, whether leaving on positive or negative terms, may pose a higher risk of security policy violations. To help protect against inadvertent or malicious security violations by departing users, this policy template uses Defender for Endpoint alerts to provide insight into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. Policy indicators are activated after a resignation or termination date for the user has been imported from the Microsoft 365 HR connector as a triggering event.

When using this template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the Import data with the HR connector article for step-by-step guidance on configuring the Microsoft 365 HR connector for your organization.

You need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint integration with insider risk management in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.

Security policy violations by priority users (preview)

Protecting against security violations by users in your organization may depend on their position, their level of access to sensitive information, or their risk history. Because security violations by priority users may have an outsized impact on your organization's critical areas, this policy template starts scoring on these indicators and uses Microsoft Defender for Endpoint alerts to provide insight into security-related activities for these users. These may include priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.

You need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint integration with insider risk management in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint. Additionally, you need to assign priority user groups created in Insider risk management > Settings > Priority user groups to the policy.

Security policy violations by disgruntled users (preview)

Users who experience employment stressors may be at a higher risk of inadvertent or malicious security policy violations. These stressors may include the user being placed on a performance improvement plan, poor performance review status, or being demoted from their current position. This policy template starts risk scoring based on these indicators and the activities associated with these events for these users.

When using this template, you must also configure a Microsoft 365 HR connector to periodically import performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the Import data with the HR connector article for step-by-step guidance on configuring the Microsoft 365 HR connector for your organization.

You also need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint integration with insider risk management in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see Configure advanced features in Defender for Endpoint.

Policy template prerequisites and triggering events

Depending on the template you choose for an insider risk management policy, the triggering events and policy prerequisites vary. Triggering events are prerequisites that determine whether a user becomes active for an insider risk management policy. If a user is added to an insider risk management policy but does not have a triggering event, the user's activity is not evaluated by the policy unless they are manually added in the Users dashboard. Policy prerequisites are the items required for the policy to receive the signals or activities necessary to evaluate risk.

The following list gives the triggering events and prerequisites for policies created from each insider risk management policy template:

  • Data theft by departing users
    Triggering events: Resignation or termination date indicator from HR connector
    Prerequisites: Microsoft 365 HR connector configured for termination and resignation date indicators
  • General data leaks
    Triggering events: Data leak policy activity that creates a High severity alert
    Prerequisites: DLP policy configured for High severity alerts
  • Data leaks by priority users
    Triggering events: Data leak policy activity that creates a High severity alert
    Prerequisites: DLP policy configured for High severity alerts; priority user groups configured in insider risk settings
  • Data leaks by disgruntled users
    Triggering events: Performance improvement, poor performance, or job level change indicators from HR connector
    Prerequisites: Microsoft 365 HR connector configured for disgruntlement indicators
  • General security policy violations
    Triggering events: Defensive evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint
    Prerequisites: Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft 365 compliance center configured
  • Security policy violations by departing users
    Triggering events: Resignation or termination date indicators from HR connector
    Prerequisites: Microsoft 365 HR connector configured for termination and resignation date indicators; active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft 365 compliance center configured
  • Security policy violations by priority users
    Triggering events: Defensive evasion of security controls or unwanted software detected by Microsoft Defender for Endpoint
    Prerequisites: Active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft 365 compliance center configured; priority user groups configured in insider risk settings
  • Security policy violations by disgruntled users
    Triggering events: Performance improvement, poor performance, or job level change indicators from HR connector
    Prerequisites: Microsoft 365 HR connector configured for disgruntlement indicators; active Microsoft Defender for Endpoint subscription; Microsoft Defender for Endpoint integration with the Microsoft 365 compliance center configured

Prioritize content in policies

Insider risk management policies support specifying a higher priority for content depending on where it is stored or how it is classified. Specifying content as a priority increases the risk score for any associated activity, which in turn increases the chance of generating a high severity alert. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority in the policy.

For example, your organization has a dedicated SharePoint site for a highly confidential project. A leak of information from this SharePoint site could compromise the project and would have a significant impact on its success. By prioritizing this SharePoint site in a Data leaks policy, risk scores for qualifying activities are automatically increased. This prioritization increases the likelihood that these activities generate an insider risk alert and raises the severity level of the alert.

When you create an insider risk management policy in the policy wizard, you can choose from the following priorities:

  • SharePoint sites: Any activity associated with any file type in the defined SharePoint sites is assigned a higher risk score.
  • Sensitive information types: Any activity associated with content that contains sensitive information types is assigned a higher risk score.
  • Sensitivity labels: Any activity associated with content that has specific sensitivity labels applied is assigned a higher risk score.

Create a new policy

To create a new insider risk management policy, you use the policy wizard in the Insider risk management solution in the Microsoft 365 compliance center.

Complete the following steps to create a new policy:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.

  2. Select Create policy to open the policy wizard.

  3. On the New insider risk policy page, complete the following fields:

    • Name (required): Enter a friendly name for the policy.
    • Description (optional): Enter a description for the policy.
    • Choose policy template (required): Select one of the policy templates to define the types of risk indicators that are monitored by the policy.

    Important

    Most policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see Get started with insider risk management.

  4. Select Next to continue.

  5. On the Users page, select Add user or group or Choose priority user groups to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select the All users and mail-enabled groups checkbox if applicable (that is, if you haven't selected a priority user-based template). Select Next to continue.

  6. On the Specify what content to prioritize (optional) page, you can assign the sources to prioritize for increased risk scores. Note that some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:

    • SharePoint sites: Select Add SharePoint site and select the SharePoint sites you want to prioritize. For example, "group1@contoso.sharepoint.com/sites/group1".
    • Sensitive info types: Select Add sensitive info type and select the sensitive info types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number".
    • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret".
  7. Select Next to continue.

  8. On the Select policy indicators page, you'll see the indicators that you've defined as available on the Insider risk settings > Indicators page. If you selected a Data leaks template at the beginning of the wizard, you must select a DLP policy from the DLP policy dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable Use default thresholds recommended by Microsoft and enter the threshold values for each selected indicator. If you've selected at least one Office or Device indicator, select the Risk score boosters as appropriate. Risk score boosters apply only to the selected indicators.

    Important

    If the indicators on this page can't be selected, you need to select the indicators you want to enable for all policies on the Insider risk management > Settings > Policy indicators page.

  9. Select Next to continue.

  10. On the Policy timeframes page, you'll see the activation window conditions for the policy that are set on the Insider risk settings > Policy timeframes page.

  11. Select Next to continue.

  12. On the Review page, review the settings you've chosen for the policy. Select Edit to change any of the policy values, or select Submit to create and activate the policy.

Update a policy

To update an existing insider risk management policy, you'll use the policy wizard in the Insider risk management solution in the Microsoft 365 compliance center.

Complete the following steps to manage an existing policy:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.

  2. On the policy dashboard, select the policy you want to manage.

  3. On the policy details page, select Edit policy.

  4. In the policy wizard, you cannot edit the following fields:

    • Name: The friendly name for the policy.
    • Choose policy template: The template used to define the types of risk indicators monitored by the policy.
  5. Enter a new description for the policy in the Description field.

  6. Select Next to continue.

  7. On the Users page, select Add user or group or Choose priority user groups to define which users or priority user groups are included in the policy, depending on the policy template you've selected. Select the All users and mail-enabled groups checkbox if applicable (if you haven't selected a priority user-based template). Select Next to continue.

  8. On the Specify what content to prioritize (optional) page, you can assign the sources to prioritize for increased risk scores. However, some activities won't generate an alert at all unless the related content contains built-in or custom sensitive info types or was specified as a priority on this page:

    • SharePoint sites: Select Add SharePoint site and select the SharePoint organizations you want to prioritize. For example, "group1@contoso.sharepoint.com/sites/group1".
    • Sensitive info type: Select Add sensitive info type and select the sensitivity types you want to prioritize. For example, "U.S. Bank Account Number" and "Credit Card Number".
    • Sensitivity labels: Select Add sensitivity label and select the labels you want to prioritize. For example, "Confidential" and "Secret".
  9. Select Next to continue.

  10. On the Select policy indicators page, you'll see the indicators that you've defined as available on the Insider risk settings > Indicators page. If you selected a Data leaks template at the beginning of the wizard, you must select a DLP policy from the DLP policy dropdown list to enable triggering indicators for the policy. Select the indicators you want to apply to the policy. If you prefer not to use the default policy threshold settings for these indicators, disable Use default thresholds recommended by Microsoft and enter the threshold values for each selected indicator. If you've selected at least one Office or Device indicator, select the Risk score boosters as appropriate. Risk score boosters are only applicable for selected indicators.

    Important

    If indicators on this page can't be selected, you'll need to select the indicators you want to enable for all policies on the Insider risk management > Settings > Policy indicators page.

  11. Select Next to continue.

  12. On the Policy timeframes page, you'll see the activation window conditions for the policy that are defined on the Insider risk settings > Policy timeframes page.

  13. Select Next to continue.

  14. On the Review page, review the settings you've updated for the policy. Select Edit to change any of the policy values or select Submit to update and activate the policy.
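
As an added illustration (not code from this page or from Microsoft), the following constructed Python model shows how the wizard choices in the create and update procedures above interact: an activity is scored only if its indicator is selected, falls inside the policy timeframe, and meets the default or custom threshold; risk score boosters count only for selected indicators; prioritized SharePoint sites, sensitive info types, and sensitivity labels raise the score; and some activities (here a hypothetical "priority-gated" indicator) produce no alert at all without priority content. The indicator names, threshold values, score weights, the gated set, and the sample users are all assumptions chosen to make those rules visible; the page does not describe Microsoft's actual scoring.

```python
"""Constructed model of how insider risk policy wizard choices combine.

This is an illustrative evaluator written for this page, not Microsoft's
scoring engine. Indicator names, thresholds and score weights are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed default thresholds (events per activation window) for each indicator.
DEFAULT_THRESHOLDS: Dict[str, int] = {
    "sharepoint_download": 50,
    "usb_copy": 10,
    "email_external": 20,
}

# Assumed: indicators that alert only when the content is priority content.
# The page says some activities need sensitive info types or priority content
# to alert at all but does not list them, so this set is invented.
PRIORITY_GATED: Set[str] = {"sharepoint_download"}


@dataclass
class Activity:
    """One aggregated user activity observed for a policy (constructed)."""
    user: str
    indicator: str
    events: int                        # event count attributed to the indicator
    day: int                           # days since policy activation
    site: str = ""
    sensitive_info_types: Set[str] = field(default_factory=set)
    labels: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    indicators: Set[str]                                # "Select policy indicators" step
    window_days: int                                    # "Policy timeframes" step
    custom_thresholds: Optional[Dict[str, int]] = None  # None = Microsoft defaults
    boosters: Set[str] = field(default_factory=set)     # only count for selected indicators
    priority_sites: Set[str] = field(default_factory=set)
    priority_sits: Set[str] = field(default_factory=set)
    priority_labels: Set[str] = field(default_factory=set)

    def threshold(self, indicator: str) -> int:
        """Custom threshold when 'use default thresholds' is disabled, else default."""
        if self.custom_thresholds and indicator in self.custom_thresholds:
            return self.custom_thresholds[indicator]
        return DEFAULT_THRESHOLDS[indicator]

    def is_priority(self, a: Activity) -> bool:
        """True when the activity touches any prioritized site, info type or label."""
        return bool(
            a.site in self.priority_sites
            or a.sensitive_info_types & self.priority_sits
            or a.labels & self.priority_labels
        )


def score_activity(policy: Policy, a: Activity) -> int:
    """Return an assumed risk score for the activity, or 0 when it cannot alert."""
    if a.indicator not in policy.indicators:
        return 0                       # indicator not selected: never scored
    if a.day > policy.window_days:
        return 0                       # outside the activation window
    threshold = policy.threshold(a.indicator)
    if a.events < threshold:
        return 0                       # below the default or custom threshold
    priority = policy.is_priority(a)
    if a.indicator in PRIORITY_GATED and not priority:
        return 0                       # gated activity without priority content
    score = 10 * (a.events // threshold)   # assumed base scoring
    if priority:
        score *= 2                     # priority content raises the score (assumed factor)
    if a.indicator in policy.boosters:
        score += 25                    # booster counts only for a selected indicator
    return score


def evaluate(policy: Policy, activities: List[Activity]) -> Dict[str, int]:
    """Aggregate scores per user; users with no score would not raise an alert."""
    totals: Dict[str, int] = {}
    for a in activities:
        s = score_activity(policy, a)
        if s:
            totals[a.user] = totals.get(a.user, 0) + s
    return totals


# Constructed sample policy and activities.
SAMPLE_POLICY = Policy(
    indicators={"sharepoint_download", "usb_copy"},
    window_days=30,
    custom_thresholds={"usb_copy": 5},          # default thresholds disabled for usb_copy
    boosters={"usb_copy", "email_external"},    # email_external is not selected: ignored
    priority_sites={"contoso.sharepoint.com/sites/group1"},
    priority_sits={"Credit Card Number"},
    priority_labels={"Confidential"},
)

SAMPLE_ACTIVITIES = [
    Activity("alice", "sharepoint_download", 120, day=3,
             site="contoso.sharepoint.com/sites/group1"),            # priority site
    Activity("bob", "sharepoint_download", 120, day=3,
             site="contoso.sharepoint.com/sites/public"),            # gated, no priority
    Activity("carol", "usb_copy", 7, day=2, labels={"Confidential"}),  # booster applies
    Activity("dave", "email_external", 40, day=1),                     # indicator not selected
    Activity("erin", "usb_copy", 7, day=45),                           # outside 30-day window
]

if __name__ == "__main__":
    for user, s in sorted(evaluate(SAMPLE_POLICY, SAMPLE_ACTIVITIES).items()):
        print(f"{user}: {s}")
```

Running the sample scores only alice and carol: bob's downloads are above threshold but the gated indicator has no priority content, dave's indicator was never selected in the policy, and erin's activity falls outside the policy timeframe. The same structure is useful when tuning thresholds, since lowering a threshold or adding a priority source can be checked against a handful of representative activities before the policy is submitted.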

Delete a policy

Note

Deleting a policy does not delete active or archived alerts generated from the policy.

To delete an existing insider risk management policy, complete the following steps:

  1. In the Microsoft 365 compliance center, go to Insider risk management and select the Policies tab.
  2. On the policy dashboard, select the policy you want to delete.
  3. Select Delete on the dashboard toolbar.
  4. On the Delete dialog, select Yes to delete the policy, or select Cancel to close the dialog.