From the course: Microsoft Information Security Administrator Associate (SC-401) Cert Prep by Microsoft Press


Enable and configure insider risk levels for Adaptive Protection

Insider Risk Management has an optional feature called Forensic Evidence Collection, which can be extremely useful in deep investigations. It basically lets the IRM solution reach out to an endpoint through the Defender for Endpoint client and grab a copy of a file or a screenshot of whatever a user was doing. However, because this is potentially quite invasive, it's disabled by default and wrapped with extra controls, namely the approval workflow with the approval role, which we've discussed earlier in this lesson. So why do we need forensic evidence? Suppose an employee likely stole a document by copying it to USB or emailing it to themselves. The IRM alert tells you the file name and maybe some metadata, but you might want to see the actual contents of that file to assess the damage. So was it a client list, or source code, or something benign? With forensic evidence collection, an investigator can request, "Please retrieve this file from the user's device." If approved, the system will pull…