Updated September 6, 2023: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to public preview, Microsoft Purview Insider Risk Management will be rolling out multiple features including bring your own detections, granular exclusion, saved views in activity explorer, and static alert and case IDs.
This message is associated with Microsoft 365 Roadmap ID 117609, 122278, 124777, and 124779.
[When this will happen:]
Preview: Rollout will begin in late October 2023 (previously mid-July) and is expected to be complete by late November 2023 (previously late August).
[How this will affect your organization:]
The following preview capabilities will soon be available within the Insider Risk Management solution in the Microsoft Purview compliance portal:
Bring your own detections will allow admins to bring in user activity indicators from homegrown, SIEM/UEBA platforms, or other line of business applications. By combining these custom detections with Insider Risk Management native signals, organizations can gain a more comprehensive understanding of potential insider risks across different environments. For example, admins can bring in events from Salesforce and use the signals as custom indicators in insider risk management policies.
Granular exclusion allows admins to create variants of built-in insider risk indicators according to organizational preferences to help tailor the detection of risks that may lead to a potential security incident. For example, admins can configure a variant of the “sending email with attachments to recipients outside the organization” indicator, to detect emails sent from marketing teams to external recipients other than a whitelist of marketing domains. In that way, admins can reduce the number of false positives.
Saved views in activity explorer enable Insider Risk Management analysts to use a configured combination of filters and columns with one click. This can help analysts efficiently work through recurring activities without manually setting up filters and columns every time.
Static alert and case IDs help admins track and communicate the investigation progress with their colleagues more easily.
[What you need to do to prepare:]
To bring your own detections to Insider Risk Management, admins can configure a data connector for insider risk indicators at Microsoft Purview compliance portal > data connectors.
To use granular exclusions, admins can configure the exclusion conditions at Insider risk settings > policy indicators and select indicators to create variants of detections.
No action is needed to enable other features.
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Get started with Insider Risk Management in the Microsoft Purview compliance portal.
Learn more: Learn about insider risk management