new module in irm alerts

Author: riswinto

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/insider-risk-cases.md

@@ -0,0 +1,107 @@
+Cases in Microsoft Purview Insider Risk Management allow investigators to track user risk over time, review associated alerts, and take action based on the severity and context of the activity. Each case focuses on a single user and can include one or more alerts. Cases are created manually when an alert requires deeper review or coordination with other teams.
+
+Use the **Cases** dashboard to view all active and closed cases, assign ownership, and manage follow-up actions such as escalation, communication, and resolution.
+
+## Respond to alerts
+
+Not all alerts require a case. You can take action directly from the **Alerts** queue by confirming or dismissing alerts as part of your triage process:
+
+- **Dismiss** an alert if it's a false positive or doesn't require further review.
+- **Confirm** an alert to indicate a policy violation and optionally create a case for deeper investigation.
+
+Creating a case is recommended when an alert involves serious risk, multiple incidents, or needs collaboration across teams. Once a case is created, you can take further action such as sending notices, escalating, or resolving with a classification.
+
+## Create and manage cases
+
+Cases are created from alerts when an incident needs further review or response. Once created, cases can be updated with new alerts and managed through their lifecycle. You can:
+
+- Assign or reassign ownership
+- Send an email notice to the user
+- Escalate to Microsoft Purview eDiscovery (Premium)
+- Run Power Automate flows
+- Create or view a connected Microsoft Teams team
+- Resolve the case with a classification of Benign or Confirmed policy violation
+
+You can assign a case to any user with one of these roles: **Insider Risk Management**, **Analyst**, or **Investigator**.
+
+:::image type="content" source="../media/insider-risk-case-details.png" alt-text="Screenshot showing how to create a case in Insider Risk Management." lightbox="../media/insider-risk-case-details.png":::
+
+## Use the Cases dashboard
+
+The Cases dashboard lists each case and includes key details:
+
+- Case name and ID
+- Assigned user (anonymized if enabled)
+- Status: **Active** or **Closed**
+- Number of alerts
+- Time opened and last updated
+- Last updated by
+
+You can search by case ID or keywords, and use filters to narrow by status, date opened, or last updated.
+
+To customize the view, select **Customize columns**. To save filters for future use, apply filters and select **Save this view**.
+
+:::image type="content" source="../media/insider-risk-case-details.png" alt-text="Screenshot showing the Cases dashboard in Insider Risk Management." lightbox="../media/insider-risk-case-details.png":::
+
+## Investigate a case
+
+Selecting a case opens a detailed investigation view with multiple tabs:
+
+- **Case overview**: User identity, department, risk score, associated alerts
+- **Alerts**: Status, severity, and alert ID for each included alert
+- **User activity**: Timeline of scored risk activity from the alert or broader user history
+- **Activity explorer (preview)**: Detailed timeline and metadata for each associated event
+
+   **User activity** shows the overall timeline of user risk behavior, while A**ctivity explorer** focuses on event-level details within the case scope.
+
+- **Forensic evidence**: Screen captures from activity that triggered the alert
+- **Content explorer**: Copies of files and email messages associated with risk alerts
+- **Case notes:** Permanent, timestamped notes added by analysts
+- **Contributors**: Users added to the case for collaboration
+
+   :::image type="content" source="../media/insider-risk-case-details.png" alt-text="Screenshot showing details of a case investigation." lightbox="../media/insider-risk-case-details.png":::
+
+> [!NOTE]
+> Contributors can view the case and add notes, but they can't edit contributor lists or confirm/dismiss alerts.
+
+## Take action on a case
+
+The case toolbar includes actions for responding to the alert:
+
+### Send email notice
+
+Send a message to the user to reinforce policies or training. Notices are based on templates and are recorded in the **Case notes** tab.
+
+> [!TIP]
+> Sending a notice doesn't close the case. To resolve it, you must select **Resolve case** separately.
+
+### Escalate for investigation
+
+Use this option to escalate the case to a Microsoft Purview eDiscovery (Premium) case for deeper investigation and legal hold workflows.
+
+### Run Power Automate flows
+
+Trigger flows for common tasks such as:
+
+- Notifying a manager
+- Creating a record in ServiceNow
+- Requesting details from HR
+
+### Create or view Teams team
+
+If Teams integration is enabled in Insider Risk Management settings, a team is created automatically when a case is opened. Teams are archived when a case is resolved. To enable Teams integration:
+
+1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Select **Settings** > **Insider Risk Management** > **Microsoft Teams**.
+1. Select the toggle to enable integration with Microsoft Teams.
+
+   :::image type="content" source="../media/insider-risk-teams-integration.png" alt-text="Screenshot showing where to enable Teams integration in Microsoft Purview Insider Risk Management." lightbox=" ../media/insider-risk-teams-integration.png":::
+
+## Resolve a case
+
+When investigation is complete, resolve the case as:
+
+- **Benign**: Behavior is low-risk, accidental, or false positive
+- **Confirmed policy violation**: Behavior is intentional or a serious violation
+
+Enter a reason for the resolution. Resolution actions are recorded in Case notes, and the case status is updated to Closed.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/investigate-alerts-defender.md

@@ -0,0 +1,94 @@
+**Microsoft Defender Extended Detection and Response (XDR)** helps expand investigation capabilities for insider risk by integrating alerts from Microsoft Purview Insider Risk Management with other Microsoft security data. This combined view gives security operations center (SOC) analysts the context they need to assess user behavior, correlate risk signals, and take action across Microsoft 365 workloads.
+
+Use this view to correlate insider risk alerts with data from other services like Microsoft Defender for Endpoint, Microsoft Entra ID, and Microsoft Purview Data Loss Prevention.
+
+## Access insider risk alerts in Defender XDR
+
+To review alerts in the [Microsoft Defender portal](https://security.microsoft.com/):
+
+1. Go to **Investigation & response** > **Incidents & alerts** > **Incidents**.
+1. Use the **Service source** filter to select **Microsoft Purview Insider Risk Management**
+
+   :::image type="content" source="../media/defender-insider-risk-incidents.png" alt-text="Screenshot showing the Incidents page being filtered to show Microsoft Purview Insider Risk Management incidents." lightbox="../media/defender-insider-risk-incidents.png":::
+
+This filter shows alerts from Insider Risk Management and highlights when those alerts are grouped into incidents with alerts from other Microsoft tools.
+
+## Understand the investigation view
+
+When insider risk alerts appear in the Defender portal, they might be:
+
+- Part of a unified **incident** that includes multiple alert types
+- Listed individually in the **alert queue** for review
+- Linked to other activity such as endpoint behavior or identity signals
+
+Selecting an alert or incident provides details such as severity, classification, and alert mappings. You can also view the user entity page for a risk summary and associated activity.
+
+## Review alert status and classification sync
+
+Alert status and classification automatically sync between Microsoft Purview and Microsoft Defender:
+
+| Microsoft Defender status | Insider Risk Management status |
+|-----|-----|
+| New, In progress | Needs review |
+| Resolved | Dismissed or Confirmed (based on classification) |
+
+How classification types align:
+
+| Microsoft Defender classification | Insider Risk Management classification |
+|-----|-----|
+| True positive | Confirmed |
+| Information, expected activity   | Dismissed |
+| False positive | Dismissed |
+
+Updates to status, classification, and alert details reflect across both portals within about 30 minutes.
+
+## Investigate insider risk activity with advanced hunting
+
+Defender's **Advanced hunting** feature allows deeper investigation of insider risk activity using Kusto Query Language (KQL). Insider risk alerts and behavior logs are available in the following tables:
+
+- `AlertInfo`: Alert metadata from multiple sources
+- `AlertEvidence`: Linked entities such as files or users
+- `DataSecurityBehaviors`: Policy-triggering behavioral patterns
+- `DataSecurityEvents`: Detailed events from policy violations
+
+These tables support cross-tool investigation. For example, you might query:
+
+```kusto
+DataSecurityEvents
+| where FileName endswith ".zip"
+| where ActionType == "FileUploaded"
+```
+
+You must be assigned the **Insider Risk Management Analyst** or **Investigator** role in Microsoft Purview to access this data.
+
+## Requirements and setup
+
+Before alerts appear in the Microsoft Defender portal:
+
+The setting **Share user risk details with other security solutions** must be enabled in the Microsoft Purview portal. To enable this setting:
+
+1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Select **Settings** > **Insider Risk Management** > **Data sharing**.
+1. Enable **Share user risk details with other security solutions**.
+
+   :::image type="content" source="../media/enable-data-sharing-insider-risk-settings.png" alt-text="Screenshot showing where to enable data sharing in Microsoft Purview Insider Risk Management." lightbox=" ../media/enable-data-sharing-insider-risk-settings.png":::
+
+Users must have roles in both Microsoft Purview and Microsoft Defender:
+
+- **Defender**: _Security Operator_ or _Security Reader_
+- **Purview**: _Insider Risk Management_, _Analyst_, or _Investigator_
+
+Licensing for both solutions is also required. See Microsoft documentation for details.
+
+## Limitations
+
+Not all insider risk data is available in Defender:
+
+- Alerts created from custom detections
+- Risky AI usage events
+- Non-Microsoft app events
+- Exfiltration via email
+- Events that occurred before an alert was generated
+- Excluded events based on policy settings
+
+Viewing insider risk alerts in Microsoft Defender XDR helps bring together security signals across Microsoft 365. This integration supports broader investigations, faster triage, and more comprehensive incident response.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/summary.md

@@ -0,0 +1,47 @@
+### YamlMime:Module
+uid: learn.wwl.purview-insider-risk-investigate-alerts
+metadata:
+  title: Prepare for Microsoft Purview Insider Risk Management
+  description: "Prepare for Microsoft Purview Insider Risk Management."
+  ms.date: 1/3/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: module
+  ms.service: purview
+  hidden: false
+title: Prepare for Microsoft Purview Insider Risk Management
+summary: Discover strategies for planning and configuring Microsoft Purview Insider Risk Management to meet organizational needs and protect privacy.
+abstract: |
+  After completing this module, you'll be able to:
+  - Collaborate with stakeholders to prepare for insider risk management.
+  - Understand what's needed to meet prerequisites for implementation.
+  - Configure settings to align with compliance and privacy needs.
+  - Explore how connecting tools and data sources enhances risk management.
+prerequisites: |
+  - Understanding of insider risk concepts.
+  - Familiarity with organizational compliance and privacy practices.
+iconUrl: /training/achievements/generic-badge.svg
+levels:
+- intermediate
+roles:
+- auditor
+- administrator
+- risk-practitioner
+products:
+- microsoft-purview
+- m365
+subjects:
+- information-protection-governance
+- security
+units:
+- learn.wwl.purview-insider-risk-investigate-alerts.introduction
+- learn.wwl.purview-insider-risk-investigate-alerts.plan-insider-risk-management
+- learn.wwl.purview-insider-risk-investigate-alerts.insider-risk-management-prerequisites
+- learn.wwl.purview-insider-risk-investigate-alerts.configure-insider-risk-settings
+- learn.wwl.purview-insider-risk-investigate-alerts.insider-risk-management-integrations
+- learn.wwl.purview-insider-risk-investigate-alerts.knowledge-check
+- learn.wwl.purview-insider-risk-investigate-alerts.summary
+
+
+badge:
+  uid: learn.wwl.purview-insider-risk-investigate-alerts.badge

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/index.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.investigate-alerts-defender
+title: Manage and take action on insider risk cases
+metadata:
+  title: Manage and take action on insider risk cases
+  description: "Manage and take action on insider risk cases."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/insider-risk-cases.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/insider-risk-cases.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: "Introduction."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 1
+content: |
+  [!include[](includes/introduction.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/introduction.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.investigate-alerts-defender
+title: Investigate insider risk alerts in Microsoft Defender XDR
+metadata:
+  title: Investigate insider risk alerts in Microsoft Defender XDR
+  description: "Investigate insider risk alerts in Microsoft Defender XDR."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/investigate-alerts-defender.md)]