investigate module

Author: riswinto

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/activity-explorer-tab.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.activity-explorer-tab
+title: Investigate activity details with the Activity explorer tab
+metadata:
+  title: Investigate activity details with the Activity explorer tab
+  description: "Investigate activity details with the Activity explorer tab."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/activity-explorer-tab.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/all-risk-factors.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.all-risk-factors
+title: Analyze alert context with the All risk factors tab
+metadata:
+  title: Analyze alert context with the All risk factors tab
+  description: "Analyze alert context with the All risk factors tab."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/all-risk-factors.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/activity-explorer-tab.md

@@ -0,0 +1,71 @@
+The **Activity explorer** tab in Microsoft Purview Insider Risk Management helps analysts investigate the full context of potentially risky behavior. This tab shows a timeline of user activity that contributes to the alert, with detailed metadata to support investigation, filtering, and review.
+
+Use this tab to confirm what triggered the alert and identify patterns or supporting evidence that indicate whether further action is needed.
+
+:::image type="content" source="../media/activity-explorer-tab.png" alt-text="Screenshot showing the Activity explorer tab in Microsoft Purview Insider Risk Management." lightbox="../media/activity-explorer-tab.png":::
+
+## Review activity details
+
+Each row in the Activity explorer represents an event associated with the alert or broader user activity. Columns show details such as:
+
+- Date and time of the event
+- Activity type (for example, file download or risky prompt)
+- File name and location
+- Associated sensitivity label, if present
+- Risk score and related risk factors
+
+You can select an item to open the activity details pane and review:
+
+- Event metadata, such as file path or recipient
+- Assigned risk score
+- Indicators that contributed to the risk level
+
+This level of detail supports deeper investigation of user behavior.
+
+## Filter activity for investigation
+
+To help focus your review, use filters at the top of the page to narrow the activity list. You can filter by:
+
+- **Activity scope**: Show all scored activity for the user or only activity associated with this specific alert
+- **Risk factor**: Focus on specific indicators like sequences, cumulative exfiltration, unallowed domains, or priority content
+- **Review status**: Hide previously reviewed items to focus on new activity
+
+Filtering helps streamline triage and identify which events require the most attention.
+
+## Customize the view
+
+Customizing the view helps you focus on relevant attributes during triage. To match your investigation workflow, you can:
+
+- Select or remove columns using **Customize columns**
+- Sort the view by date or risk score
+- Save custom filter and column views for reuse
+
+These options help personalize the workspace so investigators can focus on what matters most.
+
+## Understand activity count discrepancies
+
+The number of activities shown in Activity explorer might not always match the number of raw event logs. Common reasons include:
+
+- **Cumulative exfiltration detection**: Similar activities are deduplicated and scored as a single risk event
+- **Policy changes**: If policy settings change after events occur, prior events might be excluded
+- **Excluded items in sequences**: Files excluded from risk scoring might still appear if they're part of a larger sequence
+
+These factors explain why sequences or exfiltration activity counts might differ between views.
+
+## Investigate excluded items in sequences
+
+Even when a file type is excluded from scoring, it might still show up in a sequence if it contributes to broader risk. For example, a .png file normally excluded from policy might appear in a sequence if it was used during an obfuscation attempt.
+
+In these cases:
+
+- A score of 0 appears for the excluded event
+- Excluded events are marked as **Excluded** in the activity details
+- A link is available to filter and view all excluded events
+
+This helps you understand the full context of a user's behavior, even when individual events aren't scored directly.
+
+## Save views for future use
+
+If you create a useful filter and column setup, you can select **Save this view** to reuse it later. Saved views include both filters and column selections, allowing consistent triage workflows across analysts or alert types.
+
+Select **Views** to load saved views at any time. Views can be personal or shared depending on how your team manages investigations.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/all-risk-factors.md

@@ -0,0 +1,38 @@
+The **All risk factors** tab in Microsoft Purview Insider Risk Management provides a summary of potentially risky activity associated with an alert. This view helps investigators understand why an alert might be significant by showing which risk signals are present, even if those signals weren’t the direct cause of the alert.
+
+Use this tab to evaluate the broader context of a user's behavior and decide whether to investigate further, dismiss the alert, or take action.
+
+:::image type="content" source="../media/all-risk-factors-tab.png" alt-text="Screenshot showing the All risk factors tab in Microsoft Purview Insider Risk Management." lightbox="../media/all-risk-factors-tab.png":::
+
+## Risk factors shown in this tab
+
+The All risk factors tab surfaces several types of behavior that might increase a user's overall risk level:
+
+- **Top exfiltration activities**: Lists the most frequent exfiltration actions, such as archiving or uploading files.
+- **Cumulative exfiltration**: Shows whether repeated actions build over time to indicate rising risk.
+- **Sequences of activities**: Highlights related activities that form a recognizable risk sequence.
+- **Priority content**: Indicates whether the user interacted with files marked as sensitive or business-critical.
+- **Unallowed domains**: Flags any file or data transfers to domains that aren't permitted by policy.
+- **Unusual behavior or high-impact user status**: Detects abnormal patterns or identifies users whose role or access level contributes to elevated risk.
+
+Not all alerts are directly caused by these factors, but the tab helps you assess what else might be happening that could influence the user’s risk level.
+
+> [!TIP]
+> Risk signals shown on this tab might not be the reason the alert was triggered. Always check the activity listed in the alert summary before deciding how to respond.
+
+## Use the Content detected section
+
+The **Content detected** section on this tab shows specific items involved in each risk activity. Selecting a listed item allows you to:
+
+- View metadata such as file name, type, location, and sensitivity label if present
+- Open the **Activity explorer** to see how that item fits into a broader timeline of activity
+
+:::image type="content" source="../media/all-risk-factors-content-detected.png" alt-text="Screenshot showing the Content detected section of the All risk factors tab in Microsoft Purview Insider Risk Management." lightbox="../media/all-risk-factors-content-detected.png":::
+
+This view helps you validate whether the behavior was risky and supports more informed decisions.
+
+## Important behavior to understand
+
+- **Risk factor summaries don't always match the trigger.** An alert might be triggered by access to priority content, but the tab could instead highlight unrelated risky browsing activity or sequences that increase concern.
+- **Sequences can include excluded events.** Even if a file type is excluded from scoring, it can still appear in a sequence if it contributes to broader risky behavior. For example, a .png file might normally be excluded but still appears if used during an obfuscation attempt.
+- **Use the Content detected section to investigate further.** This section links to Activity explorer, where you can view detailed events and associated content. It serves as a key entry point for deeper review.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/introduction.md

@@ -2,18 +2,24 @@ The Alert dashboard in Microsoft Purview Insider Risk Management helps investiga
 
 ## Overview of the Alert dashboard
 
-The Alert dashboard provides a centralized view of all alerts generated by insider risk policies. Each alert is tied to a single user and includes:
+The Alerts dashboard provides a centralized queue of all alerts generated by Insider Risk Management policies. Each row in the dashboard represents an individual alert and includes key fields to support triage and prioritization at a glance:
 
-- **Alert summary**: Displays the risk severity level, alert score, activity that triggered the alert, and triggering event.
-- **User details and history**: Shows general user information and past alerts, including unresolved or repeated risk patterns.
-- **Tabs for deeper analysis**: Includes tabs for **All risk factors**, **User activity**, and **Activity explorer** to review specific behavior in detail.
+- **ID**: A unique identifier for each alert.
+- **Copilot icon**: Indicates whether Copilot is available to summarize the alert.
+- **Users**: The individual associated with the potentially risky activity.
+- **Policy**: The Insider Risk Management policy that generated the alert.
+- **Status**: Shows if the alert is new, confirmed, dismissed, or resolved.
+- **Spotlight**: Highlights high-priority alerts that meet specific risk criteria.
+- **Alert severity**: Automatically calculated risk level—Low, Medium, or High.
+- **Time detected**: Indicates when the alert was generated.
+- **Assigned to**: Shows who, if anyone, is currently assigned to investigate the alert.
+- **Case**: Lists any case associated with the alert.
 
-Alerts are automatically categorized by severity (low, medium, high) and can be filtered by status, policy, risk factor, or other criteria. Each new insight related to a user is added to their existing alert instead of generating a new one.
+:::image type="content" source="../media/insider-risk-alerts-dashboard.png" alt-text="Screenshot showing the Alerts dashboard in Insider Risk Management." lightbox=" ../media/insider-risk-alerts-dashboard.png":::
 
-> [!NOTE]
-> Only unrestricted administrators or users with proper role assignments can view alerts, depending on how administrative units are scoped.
+You can use filters, saved views, and column customization to focus on the alerts that matter most. Selecting an alert opens the Alert details page, where you can investigate activity, view user history, and take action such as dismissing or escalating the alert.
 
-## Filtering and customizing views
+### Filtering and customizing views
 
 When working with a high volume of alerts, filtering and customizing your view can improve efficiency:
 
@@ -22,8 +28,32 @@ When working with a high volume of alerts, filtering and customizing your view c
 - **Customize columns** to show or hide fields like policy name, time detected, or alert status.
 - **Search by keyword** such as user principal name (UPN), alert ID, or assigned admin.
 
+:::image type="content" source="../media/insider-risk-filter-alerts.png" alt-text="Screenshot highlighting the filters on the Alerts dashboard." lightbox=" ../media/insider-risk-filter-alerts.png":::
+
+### Spotlight high-priority alerts
+
+Insider Risk Management includes a **Spotlight** feature that automatically highlights high-priority alerts in the alert queue. This helps analysts focus on the most critical cases first. Spotlight uses rule-based logic to evaluate alerts based on activity type, tags, and risk scoring patterns observed across organizations. Spotlighted alerts appear visually distinct in the alert list and support faster triage decisions.
+
+> [!TIP]
+> Spotlight is especially useful in environments with high alert volume. It brings attention to alerts that might require immediate review.
+
 These tools help reduce investigation time and support consistency across teams.
 
+## Review individual alerts
+
+After identifying an alert of interest in the dashboard, you can select it to open the Alert details page. This view provides a deeper investigation workspace with information about the triggering activity, user context, and risk factors. From here, analysts and investigators can assess whether the alert warrants further action.
+
+- **Alert summary**: Displays the risk severity level, alert score, activity that triggered the alert, and triggering event.
+- **User details and history**: Shows general user information and past alerts, including unresolved or repeated risk patterns.
+- **Tabs for deeper analysis**: Includes tabs for **All risk factors**, **User activity**, and **Activity explorer** to review specific behavior in detail.
+
+:::image type="content" source="../media/insider-risk-alert-details.png" alt-text="Screenshot showing alert details in Insider Risk Management." lightbox=" ../media/insider-risk-alert-details.png":::
+
+Alerts are automatically categorized by severity (low, medium, high) and can be filtered by status, policy, risk factor, or other criteria. Each new insight related to a user is added to their existing alert instead of generating a new one.
+
+> [!NOTE]
+> Only unrestricted administrators or users with proper role assignments can view alerts, depending on how administrative units are scoped.
+
 ## Triage and take action on alerts
 
 Once you've identified an alert that needs review, you can triage and take action directly from the Alert details page:
@@ -52,6 +82,8 @@ Copilot can also suggest questions to help refine your summary, such as:
 - List all sequential activities involving this user.
 - Did the user engage in any unusual behavior?
 
+   :::image type="content" source="../media/insider-risk-security-copilot.png" alt-text="Screenshot showing embedded Security Copilot in Insider Risk Management." lightbox=" ../media/insider-risk-security-copilot.png":::
+
 These insights make it easier to prioritize the most important alerts and dismiss those that don't require follow-up.
 
 ## Retention and alert limits

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/investigate-triage-alerts.md

@@ -0,0 +1,61 @@
+## Investigate ongoing risk with the User activity tab
+
+The **User activity** tab in Microsoft Purview Insider Risk Management shows a visual timeline of potentially risky behavior over time. This view helps investigators assess whether a user’s activity is ongoing, escalating, or part of a broader pattern.
+
+Use this tab to evaluate risk across multiple alerts and understand how individual actions fit into a larger risk profile.
+
+:::image type="content" source="../media/user-activity-tab.png" alt-text="Screenshot showing the User activity tab in Microsoft Purview Insider Risk Management." lightbox="../media/user-activity-tab.png":::
+
+## Identify patterns over time
+
+This view uses colored bubbles to show activity categories and risk scores across a timeline. Bubbles represent distinct risk events. Select any bubble to open a details pane that includes:
+
+- Date of the event
+- Risk category (for example, Exfiltration or Obfuscation)
+- Risk score
+- Number of associated files or emails, with links for review
+
+This visual layout makes it easier to spot repeated behaviors or concerning trends.
+
+## Understand risk sequences
+
+Sequences are shown with connecting lines between bubbles. These indicate related events that are part of a broader risk pattern. When a sequence is selected, the details pane includes:
+
+- Name and date range of the sequence
+- Combined risk score
+- Total number of events and links to associated content
+
+This view helps connect the dots between activities that might seem low-risk individually but are more significant together.
+
+## Use the scatter plot to visualize risk patterns
+
+The User activity tab includes a **color-coded scatter plot** that shows potentially risky activity over time. Each bubble represents a scored event. The vertical position indicates the risk score, and the horizontal position shows when the event occurred.
+
+Use this visual timeline to:
+
+- See when risk activity happened and how it changed over time
+- Spot clusters or gaps in activity
+- Identify risk sequences, shown with connecting lines and icons
+
+## Filter and sort user activity
+
+To focus your analysis, use the filters and sorting options at the top of the page:
+
+- **Risk category**: Filter for sequences or high-risk events
+- **Activity type**: Narrow to specific behaviors, such as AI usage or deletion
+- **Date range**: View activity over 1, 3, or 6 months
+- **Sort by**: Organize the timeline by risk score or event date
+- **Review status**: Filter out activity that has already been reviewed
+
+These filters make it easier to review large amounts of user activity.
+
+## Interpret the full user timeline
+
+The User activity tab provides a complete view of risk-assigned behavior:
+
+- Shows events that span multiple alerts
+- Displays cumulative exfiltration risk as a visual trend line
+- Highlights sequences that include excluded file types if relevant to the risk pattern
+- Uses a color-coded legend to categorize risk events
+
+This comprehensive view supports better decision-making during investigations and case reviews.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/user-activity-tab.md

@@ -10,6 +10,6 @@ metadata:
   ms.topic: unit
 azureSandbox: false
 labModal: false
-durationInMinutes: 6
+durationInMinutes: 10
 content: |
   [!include[](includes/investigate-triage-alerts.md)]