From the course: Microsoft Information Security Administrator Associate (SC-401) Cert Prep by Microsoft Press

Investigate insider risk activities by using the Microsoft Purview portal

The Insider Risk Management, or IRM, system in Purview is like an early warning system for potential insider threats. Instead of looking at one event at a time, like DLP does, IRM correlates multiple signals over time. So, for example, an employee who is downloading lots of confidential files and has given notice to leave the company and maybe sent some data to personal e-mail. When those patterns meet certain criteria defined in IRM policies, an alert is raised.

So some key points about IRM alerts. When an IRM alert first appears, it will not show the user's actual name. It will show something anonymized, like user 47, until it's decided that a true investigation is needed. The alert includes a risk level, and it also indicates which IRM policy was triggered, so it could be data theft by a departing employee, and provides a brief description of what kind of events were observed. So user 47 downloaded 300 files and copied data to USB while marked as leaving.

So the IRM procedure is that…