new module on irm alerts

Author: riswinto

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/investigate-triage-alerts.md

@@ -0,0 +1,68 @@
+The Alert dashboard in Microsoft Purview Insider Risk Management helps investigators and analysts view, prioritize, and take action on potentially risky user activity. Each alert is based on policy-defined conditions and provides a summary of the user's actions, associated risks, and relevant context. Effective alert triage ensures that high-risk behavior is addressed quickly, while low-risk activity can be dismissed to reduce noise.
+
+## Overview of the Alert dashboard
+
+The Alert dashboard provides a centralized view of all alerts generated by insider risk policies. Each alert is tied to a single user and includes:
+
+- **Alert summary**: Displays the risk severity level, alert score, activity that triggered the alert, and triggering event.
+- **User details and history**: Shows general user information and past alerts, including unresolved or repeated risk patterns.
+- **Tabs for deeper analysis**: Includes tabs for **All risk factors**, **User activity**, and **Activity explorer** to review specific behavior in detail.
+
+Alerts are automatically categorized by severity (low, medium, high) and can be filtered by status, policy, risk factor, or other criteria. Each new insight related to a user is added to their existing alert instead of generating a new one.
+
+> [!NOTE]
+> Only unrestricted administrators or users with proper role assignments can view alerts, depending on how administrative units are scoped.
+
+## Filtering and customizing views
+
+When working with a high volume of alerts, filtering and customizing your view can improve efficiency:
+
+- **Add filters** to narrow results by attributes like risk factor, severity, policy, assigned analyst, or triggering event.
+- **Save custom filter views** to quickly return to commonly used alert queues.
+- **Customize columns** to show or hide fields like policy name, time detected, or alert status.
+- **Search by keyword** such as user principal name (UPN), alert ID, or assigned admin.
+
+These tools help reduce investigation time and support consistency across teams.
+
+## Triage and take action on alerts
+
+Once you've identified an alert that needs review, you can triage and take action directly from the Alert details page:
+
+- **Dismiss** the alert if it was triggered by expected or non-risky behavior.
+- **Confirm and create a case** to escalate the alert for deeper investigation.
+- **Assign** the alert to another analyst or investigator.
+
+Each alert is assigned a risk severity score based on multiple factors, including frequency of activity, user history, and the presence of risk indicators. If an alert remains untriaged and more risky behavior occurs, its severity level might increase.
+
+> [!TIP]
+> You can select and dismiss multiple low-priority alerts in bulk using the command bar. Up to 400 alerts can be dismissed at once.
+
+## Use Copilot to accelerate triage
+
+If enabled, Security Copilot embedded in Microsoft Purview can summarize an alert to help you triage faster. Without opening the alert, you can select **Summarize with Copilot** to generate an overview that includes:
+
+- Policy name and triggering event
+- Activity that generated the alert
+- Key user attributes
+- Top risk factors
+
+Copilot can also suggest questions to help refine your summary, such as:
+
+- What actions did the user perform in the last 10 days?
+- List all sequential activities involving this user.
+- Did the user engage in any unusual behavior?
+
+These insights make it easier to prioritize the most important alerts and dismiss those that don't require follow-up.
+
+## Retention and alert limits
+
+Alerts in a "Needs review" state are retained for 120 days. After this period, they're automatically deleted unless linked to an active case. Active and unresolved cases are retained indefinitely. Organizations can have up to 100 active cases at any given time.
+
+The Alert dashboard is the central hub for reviewing and triaging insider risk alerts in Microsoft Purview. It allows investigators to:
+
+- Quickly assess risk severity and context
+- Filter and organize large volumes of alerts
+- Use Copilot to streamline triage
+- Assign, dismiss, or escalate alerts as needed
+
+By combining automated insights with manual review tools, the Alert dashboard supports efficient, accurate investigation workflows aligned with your organization's risk management goals.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/manage-alert-volume.md

@@ -0,0 +1,37 @@
+Balancing alert volume is an important part of maintaining an efficient insider risk program. If your policies generate too few alerts, you might miss meaningful signals. If they generate too many, investigators might become overwhelmed, making it harder to focus on high-risk activity. Microsoft Purview Insider Risk Management includes several tools and settings to help you fine-tune alert volume and ensure your environment supports consistent, focused investigations.
+
+## When you're receiving too few alerts
+
+Receiving fewer alerts than expected might indicate that your policies are too narrow or that thresholds are set too high. To increase alert volume:
+
+- **Enable more risk indicators** in the **Policy indicators** settings. This expands the types of activities that policies detect.
+- **Include more users** in policy scope by editing the **Users and groups** section of the policy.
+- **Lower trigger thresholds** to start evaluating users earlier based on specific events, such as resignation or access to sensitive content.
+- **Lower indicator thresholds** to generate alerts based on less frequent or less severe activity.
+- **Adjust the alert volume slider** under **Settings > Intelligent detections**. Moving the slider toward "More alerts" increases overall alert generation, including medium- and low-severity alerts.
+
+> [!TIP]
+> Policies based on certain templates, like _Data leaks_ and _Risky browser usage_, allow custom thresholds that can be lowered to help generate more alerts.
+
+## When you're receiving too many alerts
+
+High alert volume can overwhelm analysts and reduce the effectiveness of your investigation process. To reduce alert volume:
+
+- **Enable analytics** in **Settings > Analytics** to identify high-risk areas and adjust your approach accordingly.
+- **Use real-time insights** to update thresholds and indicator selections based on recommended values.
+- **Refine policy scope and content** by narrowing the list of in-scope users or prioritizing only the most sensitive files and communication channels.
+- **Enable inline alert customization** to allow analysts to adjust thresholds during triage.
+- **Dismiss multiple low-priority alerts in bulk** to reduce noise in the alert queue.
+
+## Configuration options for alert management
+
+Beyond basic tuning, Microsoft Purview provides several configuration options to help manage alert volume more effectively:
+
+- **Use appropriate policy templates** to target specific risk scenarios.
+- **Configure global exclusions** to prevent benign activity from triggering alerts.
+- **Define detection groups** to apply different policies to different user populations.
+- **Create indicator variants** to refine detection logic.
+- **Adjust policy timeframes** to control how far back activity is evaluated.
+- **Assign appropriate roles** to ensure only qualified users can make sensitive configuration changes.
+
+Effective alert volume management requires both upfront planning and ongoing tuning. Use built-in analytics and threshold recommendations to maintain a manageable signal-to-noise ratio. When alert volume is tuned effectively, your investigation process becomes more focused, efficient, and aligned with organizational risk priorities.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/understand-insider-risk-alerts.md

@@ -0,0 +1,32 @@
+Alerts in Microsoft Purview Insider Risk Management aren't generated randomly. They follow a defined sequence of actions that begins with policy settings and ends with a triggered alert. Understanding how alerts are generated is critical to reviewing and interpreting them accurately during investigations. This understanding allows investigators to identify relevant activity, determine why it was evaluated, and assess whether it meets the defined risk criteria.
+
+## Why alert generation matters
+
+Knowing how an alert was generated helps investigators:
+
+- Identify what triggered the alert
+- Understand which activities were evaluated
+- Determine appropriate next steps
+- Align alert evaluation with policy criteria
+
+This context supports more consistent triage decisions and helps reduce time spent on irrelevant or low-risk activity.
+
+## Alert generation process
+
+Alerts are generated through a five-step process:
+
+:::image type="content" source="../media/insider-risk-management-alert-generation-chart.png" alt-text="Diagram illustrating the process of how alerts are generated in Insider Risk Management." lightbox=" ../media/insider-risk-management-alert-generation-chart.png":::
+
+1. **Settings configured**: Organizations configure policy settings to align with their insider risk management strategy. This includes defining which risk indicators to monitor, identifying sensitive domains, and setting privacy preferences.
+
+1. **Policy created**: Policies define whose activity to evaluate, what activity to detect, and which events should trigger active monitoring. For example, a policy might monitor users in finance for data exfiltration after a resignation is submitted.
+
+1. **Triggering event occurs**: A triggering event activates the policy for a specific user. This could include events such as a resignation date being set or a risky website being accessed. It might also include detection of exfiltration behavior.
+
+1. **User activity evaluated and scored**: The system begins monitoring the user's actions. Activities are assigned risk scores based on the type of activity, configured thresholds, and the user’s history.
+
+1. **Alert generated**: An alert is generated if the user's risk score exceeds the policy-defined threshold.
+
+This process ensures that alerts are based on defined conditions and relevant context. Not all activity results in an alert. For example, a user downloading files might not trigger an alert unless other risk factors are present.
+
+Each alert is the result of a defined policy, a triggering event, and risk-based evaluation of user activity. Understanding how alerts are generated helps investigators assess their relevance and determine whether further action is needed. This insight supports more accurate, timely, and consistent handling of insider risk alerts.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/index.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.investigate-triage-alerts
+title: Investigate and triage insider risk alerts in Microsoft Purview
+metadata:
+  title: Investigate and triage insider risk alerts in Microsoft Purview
+  description: "Investigate and triage insider risk alerts in Microsoft Purview."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/investigate-triage-alerts.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/investigate-triage-alerts.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.manage-alert-volume
+title: Manage alert volume in insider risk management
+metadata:
+  title: Manage alert volume in insider risk management
+  description: "Manage alert volume in insider risk management."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/manage-alert-volume.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/manage-alert-volume.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.understand-insider-risk-alerts
+title: Understand insider risk alerts and investigations
+metadata:
+  title: Understand insider risk alerts and investigations
+  description: "Understand insider risk alerts and investigations."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/understand-insider-risk-alerts.md)]