new module content

Author: riswinto

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/all-risk-factors.yml renamed to learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/all-risk-factors-tab.yml

@@ -1,5 +1,5 @@
 ### YamlMime:ModuleUnit
-uid: learn.wwl.purview-insider-risk-investigate-alerts.all-risk-factors
+uid: learn.wwl.purview-insider-risk-investigate-alerts.all-risk-factors-tab
 title: Analyze alert context with the All risk factors tab
 metadata:
   title: Analyze alert context with the All risk factors tab
@@ -12,4 +12,4 @@ azureSandbox: false
 labModal: false
 durationInMinutes: 5
 content: |
-  [!include[](includes/all-risk-factors.md)]
+  [!include[](includes/all-risk-factors-tab.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/all-risk-factors.md renamed to learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/all-risk-factors-tab.md

@@ -52,7 +52,7 @@ Selecting a case opens a detailed investigation view with multiple tabs:
 - **User activity**: Timeline of scored risk activity from the alert or broader user history
 - **Activity explorer (preview)**: Detailed timeline and metadata for each associated event
 
-   **User activity** shows the overall timeline of user risk behavior, while A**ctivity explorer** focuses on event-level details within the case scope.
+   **User activity** shows the overall timeline of user risk behavior, while **Activity explorer** focuses on event-level details within the case scope.
 
 - **Forensic evidence**: Screen captures from activity that triggered the alert
 - **Content explorer**: Copies of files and email messages associated with risk alerts
@@ -91,7 +91,7 @@ Trigger flows for common tasks such as:
 
 If Teams integration is enabled in Insider Risk Management settings, a team is created automatically when a case is opened. Teams are archived when a case is resolved. To enable Teams integration:
 
-1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true).
 1. Select **Settings** > **Insider Risk Management** > **Microsoft Teams**.
 1. Select the toggle to enable integration with Microsoft Teams.
 

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/insider-risk-cases.md

@@ -0,0 +1,11 @@
+Identifying insider risks is only the beginning. Organizations also need a clear and consistent approach to investigating alerts and understanding the full context of user behavior. Without a structured process, high-risk activity might go unnoticed, low-risk alerts might receive too much attention, and investigators can struggle to determine the right response.
+
+This module focuses on helping you analyze and respond to alerts in Microsoft Purview Insider Risk Management. You'll learn how to:
+
+- Review and triage alerts using the Alerts dashboard
+- Understand the factors that influence alert generation and risk scoring
+- Use tools like Activity explorer, User activity, and All risk factors to investigate user behavior
+- Work with insider risk cases to organize related alerts and take follow-up actions
+- Extend your investigation into Microsoft Defender XDR and use advanced hunting for deeper insight
+
+By the end of this module, you'll understand how to investigate insider risk alerts in a way that's efficient, accurate, and aligned with your organization's risk policies.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/introduction.md

@@ -4,7 +4,7 @@ Use this view to correlate insider risk alerts with data from other services lik
 
 ## Access insider risk alerts in Defender XDR
 
-To review alerts in the [Microsoft Defender portal](https://security.microsoft.com/):
+To review alerts in the [Microsoft Defender portal](https://security.microsoft.com/?azure-portal=true):
 
 1. Go to **Investigation & response** > **Incidents & alerts** > **Incidents**.
 1. Use the **Service source** filter to select **Microsoft Purview Insider Risk Management**
@@ -67,7 +67,7 @@ Before alerts appear in the Microsoft Defender portal:
 
 The setting **Share user risk details with other security solutions** must be enabled in the Microsoft Purview portal. To enable this setting:
 
-1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/).
+1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true).
 1. Select **Settings** > **Insider Risk Management** > **Data sharing**.
 1. Enable **Share user risk details with other security solutions**.
 

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/investigate-alerts-defender.md

@@ -0,0 +1,18 @@
+Investigating insider risk requires more than reviewing a single alert. It demands tools and workflows that provide insight into user behavior, risk indicators, and broader patterns of activity.
+
+In this module, you learned how Microsoft Purview Insider Risk Management supports that process by:
+
+- Providing the Alerts dashboard for structured triage and prioritization
+- Offering context through the All risk factors tab, Activity explorer, and User activity views
+- Enabling deeper review and coordinated response through cases
+- Connecting alert data to Microsoft Defender XDR for broader investigation
+- Supporting advanced queries with hunting tools for detailed behavioral analysis
+
+Together, these tools help analysts and investigators move from initial detection to informed response. With this approach, organizations can respond more effectively to insider risks and reduce the time it takes to identify and act on meaningful threats.
+
+## Resources
+
+- [Investigate insider risk management activities](/purview/insider-risk-management-activities?azure-portal=true)
+- [Best practices for managing your alert volume in insider risk management](/purview/insider-risk-management-best-practices-alert-tuning?azure-portal=true)
+- [Take action on insider risk management cases](/purview/insider-risk-management-cases?azure-portal=true)
+- [Investigate insider risk threats in the Microsoft Defender portal](/defender-xdr/irm-investigate-alerts-defender?azure-portal=true)

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/summary.md

@@ -1,30 +1,31 @@
 ### YamlMime:Module
 uid: learn.wwl.purview-insider-risk-investigate-alerts
 metadata:
-  title: Prepare for Microsoft Purview Insider Risk Management
-  description: "Prepare for Microsoft Purview Insider Risk Management."
-  ms.date: 1/3/2025
+  title: Investigate insider risk alerts and related activity
+  description: "Investigate insider risk alerts and related activity."
+  ms.date: 04/15/2025
   author: wwlpublish
   ms.author: riswinto
   ms.topic: module
   ms.service: purview
   hidden: false
-title: Prepare for Microsoft Purview Insider Risk Management
-summary: Discover strategies for planning and configuring Microsoft Purview Insider Risk Management to meet organizational needs and protect privacy.
+title: Investigate insider risk alerts and related activity
+summary: Investigate insider risk alerts and manage related cases in Microsoft Purview to assess user behavior, take appropriate action, and coordinate deeper reviews across teams.
 abstract: |
   After completing this module, you'll be able to:
-  - Collaborate with stakeholders to prepare for insider risk management.
-  - Understand what's needed to meet prerequisites for implementation.
-  - Configure settings to align with compliance and privacy needs.
-  - Explore how connecting tools and data sources enhances risk management.
+  - Understand how alerts are generated and prioritized in Insider Risk Management.
+  - Tune policies and thresholds to manage alert volume effectively.
+  - Use the Alerts dashboard and alert details to triage and respond to risky activity.
+  - Investigate behavior using tabs like All risk factors, Activity explorer, and User activity.
+  - Integrate with Microsoft Defender XDR for broader threat investigation.
+  - Create, manage, and resolve Insider Risk Management cases.
 prerequisites: |
-  - Understanding of insider risk concepts.
-  - Familiarity with organizational compliance and privacy practices.
+  - Familiarity with Microsoft Purview Insider Risk Management policies and indicators
+  - Basic understanding of Microsoft 365 compliance and security tools
 iconUrl: /training/achievements/generic-badge.svg
 levels:
 - intermediate
 roles:
-- auditor
 - administrator
 - risk-practitioner
 products:
@@ -35,13 +36,15 @@ subjects:
 - security
 units:
 - learn.wwl.purview-insider-risk-investigate-alerts.introduction
-- learn.wwl.purview-insider-risk-investigate-alerts.plan-insider-risk-management
-- learn.wwl.purview-insider-risk-investigate-alerts.insider-risk-management-prerequisites
-- learn.wwl.purview-insider-risk-investigate-alerts.configure-insider-risk-settings
-- learn.wwl.purview-insider-risk-investigate-alerts.insider-risk-management-integrations
+- learn.wwl.purview-insider-risk-investigate-alerts.understand-insider-risk-alerts
+- learn.wwl.purview-insider-risk-investigate-alerts.manage-alert-volume
+- learn.wwl.purview-insider-risk-investigate-alerts.investigate-triage-alerts
+- learn.wwl.purview-insider-risk-investigate-alerts.all-risk-factors-tab
+- learn.wwl.purview-insider-risk-investigate-alerts.activity-explorer-tab
+- learn.wwl.purview-insider-risk-investigate-alerts.user-activity-tab
+- learn.wwl.purview-insider-risk-investigate-alerts.investigate-alerts-defender
+- learn.wwl.purview-insider-risk-investigate-alerts.insider-risk-cases
 - learn.wwl.purview-insider-risk-investigate-alerts.knowledge-check
 - learn.wwl.purview-insider-risk-investigate-alerts.summary
-
-
 badge:
   uid: learn.wwl.purview-insider-risk-investigate-alerts.badge

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/index.yml

@@ -1,5 +1,5 @@
 ### YamlMime:ModuleUnit
-uid: learn.wwl.purview-insider-risk-investigate-alerts.investigate-alerts-defender
+uid: learn.wwl.purview-insider-risk-investigate-alerts.insider-risk-cases
 title: Manage and take action on insider risk cases
 metadata:
   title: Manage and take action on insider risk cases

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/insider-risk-cases.yml

@@ -0,0 +1,75 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.knowledge-check
+title: Module assessment
+metadata:
+  title: Module assessment
+  description: "Knowledge check."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "Where do you go in Microsoft Purview Insider Risk Management to view all alerts generated by policies?"
+    choices:
+    - content: "Cases dashboard"
+      isCorrect: false
+      explanation: "Incorrect: The Cases dashboard is for reviewing ongoing investigations, not initial alert triage."
+    - content: "Activity explorer"
+      isCorrect: false
+      explanation: "Incorrect: Activity explorer shows event-level behavior but doesn't show all alerts."
+    - content: "Alerts dashboard"
+      isCorrect: true
+      explanation: "Correct: The Alerts dashboard is the centralized queue for reviewing all policy-triggered alerts."
+
+  - content: "How does the scatter plot in the User activity tab help investigators?"
+    choices:
+    - content: "It maps user behavior to Microsoft Entra ID roles."
+      isCorrect: false
+      explanation: "Incorrect: The scatter plot shows risk-scored events, not Microsoft Entra ID data."
+    - content: "It visualizes risk-scored events over time to identify sequences and patterns."
+      isCorrect: true
+      explanation: "Correct: The scatter plot helps surface trends and clusters of risky behavior."
+    - content: "It provides direct access to Copilot summaries for each activity."
+      isCorrect: false
+      explanation: "Incorrect: Copilot summaries appear in the alert view, not the scatter plot."
+
+  - content: "What is a recommended next step if an alert involves multiple serious activities across different services?"
+    choices:
+    - content: "Dismiss the alert to avoid duplication."
+      isCorrect: false
+      explanation: "Incorrect: Dismissing could miss an opportunity for deeper investigation."
+    - content: "Create a case to manage follow-up actions and collaboration."
+      isCorrect: true
+      explanation: "Correct: Creating a case is best for managing serious or multi-layered incidents."
+    - content: "Delete the alert to reduce dashboard clutter."
+      isCorrect: false
+      explanation: "Incorrect: Alerts can't be manually deleted this way."
+
+  - content: "What role do cases play in insider risk investigations?"
+    choices:
+    - content: "They track licensing for each alert."
+      isCorrect: false
+      explanation: "Incorrect: Licensing is configured elsewhere and is unrelated to individual cases."
+    - content: "They allow grouping and managing alert investigations for a specific user."
+      isCorrect: true
+      explanation: "Correct: Cases are created per user and help manage multiple alerts and related activity."
+    - content: "They store Power Automate logs for compliance tracking."
+      isCorrect: false
+      explanation: "Incorrect: Cases support automation but aren't used for Power Automate auditing."
+
+  - content: "Which role is required to use Advanced hunting for insider risk events?"
+    choices:
+    - content: "Microsoft 365 Compliance Administrator"
+      isCorrect: false
+      explanation: "Incorrect: This role doesn't grant access to insider risk data in Defender."
+    - content: "Insider Risk Management Analyst or Investigator"
+      isCorrect: true
+      explanation: "Correct: Only users with these roles can access insider risk data in Advanced hunting."
+    - content: "Security Operator"
+      isCorrect: false
+      explanation: "Incorrect: Security roles in Defender don't grant access to Purview risk event data."