Merge pull request #50012 from riswinto/NEW-purview-insider-risk-investigate-alerts

New purview insider risk investigate alerts

Author: JillGrant615

learn-pr/paths/purview-implement-insider-risk-management/index.yml

@@ -3,7 +3,7 @@ uid: learn.wwl.purview-implement-insider-risk-management
 metadata:
   title: 'Implement and manage Microsoft Purview Insider Risk Management (SC-401)'
   description: 'Implement Microsoft Purview Insider Risk Management to detect, investigate, and respond to internal risks while protecting data, ensuring compliance, and maintaining employee trust.'
-  ms.date: 03/24/2025
+  ms.date: 04/15/2025
   author: wwlpublish
   ms.author: riswinto
   ms.topic: learning-path
@@ -28,6 +28,7 @@ modules:
 - learn.wwl.purview-explore-insider-risk-management
 - learn.wwl.purview-prepare-insider-risk-management
 - learn.wwl.purview-create-manage-insider-risk-policy
+- learn.wwl.purview-insider-risk-investigate-alerts
 - learn-m365.m365-compliance-irm-adaptive-protection
 trophy:
   uid: learn.wwl.purview-implement-insider-risk-management.trophy

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/activity-explorer-tab.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.activity-explorer-tab
+title: Investigate activity details with the Activity explorer tab
+metadata:
+  title: Investigate activity details with the Activity explorer tab
+  description: "Investigate activity details with the Activity explorer tab."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/activity-explorer-tab.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/all-risk-factors-tab.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-insider-risk-investigate-alerts.all-risk-factors-tab
+title: Analyze alert context with the All risk factors tab
+metadata:
+  title: Analyze alert context with the All risk factors tab
+  description: "Analyze alert context with the All risk factors tab."
+  ms.date: 04/15/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/all-risk-factors-tab.md)]

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/activity-explorer-tab.md

@@ -0,0 +1,71 @@
+The **Activity explorer** tab in Microsoft Purview Insider Risk Management helps analysts investigate the full context of potentially risky behavior. This tab shows a timeline of user activity that contributes to the alert, with detailed metadata to support investigation, filtering, and review.
+
+Use this tab to confirm what triggered the alert and identify patterns or supporting evidence that indicate whether further action is needed.
+
+:::image type="content" source="../media/activity-explorer-tab.png" alt-text="Screenshot showing the Activity explorer tab in Microsoft Purview Insider Risk Management." lightbox="../media/activity-explorer-tab.png":::
+
+## Review activity details
+
+Each row in the Activity explorer represents an event associated with the alert or broader user activity. Columns show details such as:
+
+- Date and time of the event
+- Activity type (for example, file download or risky prompt)
+- File name and location
+- Associated sensitivity label, if present
+- Risk score and related risk factors
+
+You can select an item to open the activity details pane and review:
+
+- Event metadata, such as file path or recipient
+- Assigned risk score
+- Indicators that contributed to the risk level
+
+This level of detail supports deeper investigation of user behavior.
+
+## Filter activity for investigation
+
+To help focus your review, use filters at the top of the page to narrow the activity list. You can filter by:
+
+- **Activity scope**: Show all scored activity for the user or only activity associated with this specific alert
+- **Risk factor**: Focus on specific indicators like sequences, cumulative exfiltration, unallowed domains, or priority content
+- **Review status**: Hide previously reviewed items to focus on new activity
+
+Filtering helps streamline triage and identify which events require the most attention.
+
+## Customize the view
+
+Customizing the view helps you focus on relevant attributes during triage. To match your investigation workflow, you can:
+
+- Select or remove columns using **Customize columns**
+- Sort the view by date or risk score
+- Save custom filter and column views for reuse
+
+These options help personalize the workspace so investigators can focus on what matters most.
+
+## Understand activity count discrepancies
+
+The number of activities shown in Activity explorer might not always match the number of raw event logs. Common reasons include:
+
+- **Cumulative exfiltration detection**: Similar activities are deduplicated and scored as a single risk event
+- **Policy changes**: If policy settings change after events occur, prior events might be excluded
+- **Excluded items in sequences**: Files excluded from risk scoring might still appear if they're part of a larger sequence
+
+These factors explain why sequences or exfiltration activity counts might differ between views.
+
+## Investigate excluded items in sequences
+
+Even when a file type is excluded from scoring, it might still show up in a sequence if it contributes to broader risk. For example, a .png file normally excluded from policy might appear in a sequence if it was used during an obfuscation attempt.
+
+In these cases:
+
+- A score of 0 appears for the excluded event
+- Excluded events are marked as **Excluded** in the activity details
+- A link is available to filter and view all excluded events
+
+This helps you understand the full context of a user's behavior, even when individual events aren't scored directly.
+
+## Save views for future use
+
+If you create a useful filter and column setup, you can select **Save this view** to reuse it later. Saved views include both filters and column selections, allowing consistent triage workflows across analysts or alert types.
+
+Select **Views** to load saved views at any time. Views can be personal or shared depending on how your team manages investigations.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/all-risk-factors-tab.md

@@ -0,0 +1,38 @@
+The **All risk factors** tab in Microsoft Purview Insider Risk Management provides a summary of potentially risky activity associated with an alert. This view helps investigators understand why an alert might be significant by showing which risk signals are present, even if those signals weren’t the direct cause of the alert.
+
+Use this tab to evaluate the broader context of a user's behavior and decide whether to investigate further, dismiss the alert, or take action.
+
+:::image type="content" source="../media/all-risk-factors-tab.png" alt-text="Screenshot showing the All risk factors tab in Microsoft Purview Insider Risk Management." lightbox="../media/all-risk-factors-tab.png":::
+
+## Risk factors shown in this tab
+
+The All risk factors tab surfaces several types of behavior that might increase a user's overall risk level:
+
+- **Top exfiltration activities**: Lists the most frequent exfiltration actions, such as archiving or uploading files.
+- **Cumulative exfiltration**: Shows whether repeated actions build over time to indicate rising risk.
+- **Sequences of activities**: Highlights related activities that form a recognizable risk sequence.
+- **Priority content**: Indicates whether the user interacted with files marked as sensitive or business-critical.
+- **Unallowed domains**: Flags any file or data transfers to domains that aren't permitted by policy.
+- **Unusual behavior or high-impact user status**: Detects abnormal patterns or identifies users whose role or access level contributes to elevated risk.
+
+Not all alerts are directly caused by these factors, but the tab helps you assess what else might be happening that could influence the user’s risk level.
+
+> [!TIP]
+> Risk signals shown on this tab might not be the reason the alert was triggered. Always check the activity listed in the alert summary before deciding how to respond.
+
+## Use the Content detected section
+
+The **Content detected** section on this tab shows specific items involved in each risk activity. Selecting a listed item allows you to:
+
+- View metadata such as file name, type, location, and sensitivity label if present
+- Open the **Activity explorer** to see how that item fits into a broader timeline of activity
+
+:::image type="content" source="../media/all-risk-factors-content-detected.png" alt-text="Screenshot showing the Content detected section of the All risk factors tab in Microsoft Purview Insider Risk Management." lightbox="../media/all-risk-factors-content-detected.png":::
+
+This view helps you validate whether the behavior was risky and supports more informed decisions.
+
+## Important behavior to understand
+
+- **Risk factor summaries don't always match the trigger.** An alert might be triggered by access to priority content, but the tab could instead highlight unrelated risky browsing activity or sequences that increase concern.
+- **Sequences can include excluded events.** Even if a file type is excluded from scoring, it can still appear in a sequence if it contributes to broader risky behavior. For example, a .png file might normally be excluded but still appears if used during an obfuscation attempt.
+- **Use the Content detected section to investigate further.** This section links to Activity explorer, where you can view detailed events and associated content. It serves as a key entry point for deeper review.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/insider-risk-cases.md

@@ -0,0 +1,107 @@
+Cases in Microsoft Purview Insider Risk Management allow investigators to track user risk over time, review associated alerts, and take action based on the severity and context of the activity. Each case focuses on a single user and can include one or more alerts. Cases are created manually when an alert requires deeper review or coordination with other teams.
+
+Use the **Cases** dashboard to view all active and closed cases, assign ownership, and manage follow-up actions such as escalation, communication, and resolution.
+
+## Respond to alerts
+
+Not all alerts require a case. You can take action directly from the **Alerts** queue by confirming or dismissing alerts as part of your triage process:
+
+- **Dismiss** an alert if it's a false positive or doesn't require further review.
+- **Confirm** an alert to indicate a policy violation and optionally create a case for deeper investigation.
+
+Creating a case is recommended when an alert involves serious risk, multiple incidents, or needs collaboration across teams. Once a case is created, you can take further action such as sending notices, escalating, or resolving with a classification.
+
+## Create and manage cases
+
+Cases are created from alerts when an incident needs further review or response. Once created, cases can be updated with new alerts and managed through their lifecycle. You can:
+
+- Assign or reassign ownership
+- Send an email notice to the user
+- Escalate to Microsoft Purview eDiscovery (Premium)
+- Run Power Automate flows
+- Create or view a connected Microsoft Teams team
+- Resolve the case with a classification of Benign or Confirmed policy violation
+
+You can assign a case to any user with one of these roles: **Insider Risk Management**, **Analyst**, or **Investigator**.
+
+:::image type="content" source="../media/insider-risk-case-details.png" alt-text="Screenshot showing how to create a case in Insider Risk Management." lightbox="../media/insider-risk-case-details.png":::
+
+## Use the Cases dashboard
+
+The Cases dashboard lists each case and includes key details:
+
+- Case name and ID
+- Assigned user (anonymized if enabled)
+- Status: **Active** or **Closed**
+- Number of alerts
+- Time opened and last updated
+- Last updated by
+
+You can search by case ID or keywords, and use filters to narrow by status, date opened, or last updated.
+
+To customize the view, select **Customize columns**. To save filters for future use, apply filters and select **Save this view**.
+
+:::image type="content" source="../media/insider-risk-case-details.png" alt-text="Screenshot showing the Cases dashboard in Insider Risk Management." lightbox="../media/insider-risk-case-details.png":::
+
+## Investigate a case
+
+Selecting a case opens a detailed investigation view with multiple tabs:
+
+- **Case overview**: User identity, department, risk score, associated alerts
+- **Alerts**: Status, severity, and alert ID for each included alert
+- **User activity**: Timeline of scored risk activity from the alert or broader user history
+- **Activity explorer (preview)**: Detailed timeline and metadata for each associated event
+
+   **User activity** shows the overall timeline of user risk behavior, while **Activity explorer** focuses on event-level details within the case scope.
+
+- **Forensic evidence**: Screen captures from activity that triggered the alert
+- **Content explorer**: Copies of files and email messages associated with risk alerts
+- **Case notes:** Permanent, timestamped notes added by analysts
+- **Contributors**: Users added to the case for collaboration
+
+   :::image type="content" source="../media/insider-risk-case-details.png" alt-text="Screenshot showing details of a case investigation." lightbox="../media/insider-risk-case-details.png":::
+
+> [!NOTE]
+> Contributors can view the case and add notes, but they can't edit contributor lists or confirm/dismiss alerts.
+
+## Take action on a case
+
+The case toolbar includes actions for responding to the alert:
+
+### Send email notice
+
+Send a message to the user to reinforce policies or training. Notices are based on templates and are recorded in the **Case notes** tab.
+
+> [!TIP]
+> Sending a notice doesn't close the case. To resolve it, you must select **Resolve case** separately.
+
+### Escalate for investigation
+
+Use this option to escalate the case to a Microsoft Purview eDiscovery (Premium) case for deeper investigation and legal hold workflows.
+
+### Run Power Automate flows
+
+Trigger flows for common tasks such as:
+
+- Notifying a manager
+- Creating a record in ServiceNow
+- Requesting details from HR
+
+### Create or view Teams team
+
+If Teams integration is enabled in Insider Risk Management settings, a team is created automatically when a case is opened. Teams are archived when a case is resolved. To enable Teams integration:
+
+1. Go to the [Microsoft Purview portal](https://purview.microsoft.com/?azure-portal=true).
+1. Select **Settings** > **Insider Risk Management** > **Microsoft Teams**.
+1. Select the toggle to enable integration with Microsoft Teams.
+
+   :::image type="content" source="../media/insider-risk-teams-integration.png" alt-text="Screenshot showing where to enable Teams integration in Microsoft Purview Insider Risk Management." lightbox=" ../media/insider-risk-teams-integration.png":::
+
+## Resolve a case
+
+When investigation is complete, resolve the case as:
+
+- **Benign**: Behavior is low-risk, accidental, or false positive
+- **Confirmed policy violation**: Behavior is intentional or a serious violation
+
+Enter a reason for the resolution. Resolution actions are recorded in Case notes, and the case status is updated to Closed.

learn-pr/wwl-sci/purview-insider-risk-investigate-alerts/includes/introduction.md

@@ -0,0 +1,11 @@
+Identifying insider risks is only the beginning. Organizations also need a clear and consistent approach to investigating alerts and understanding the full context of user behavior. Without a structured process, high-risk activity might go unnoticed, low-risk alerts might receive too much attention, and investigators can struggle to determine the right response.
+
+This module focuses on helping you analyze and respond to alerts in Microsoft Purview Insider Risk Management. You'll learn how to:
+
+- Review and triage alerts using the Alerts dashboard
+- Understand the factors that influence alert generation and risk scoring
+- Use tools like Activity explorer, User activity, and All risk factors to investigate user behavior
+- Work with insider risk cases to organize related alerts and take follow-up actions
+- Extend your investigation into Microsoft Defender XDR and use advanced hunting for deeper insight
+
+By the end of this module, you'll understand how to investigate insider risk alerts in a way that's efficient, accurate, and aligned with your organization's risk policies.