We’re introducing several enhancements (in preview) to Insider risk management features to improve your experience with alert review, cumulative exfiltration activities, user activity in a case, and export alerts. This message is associated with Microsoft 365 Roadmap IDs: 85578, 85579, 85580, and 85581.
Microsoft 365 Compliance center: Insider risk management – Enhanced alert review experience
Enhancements to the alert overview experience to better explain why an alert was created and to improve the ability to review the riskiest activity in an alert.
Microsoft 365 Compliance center: Insider risk management – Enhancements to Cumulative exfiltration activities
Enhancements to the cumulative exfiltration activity presentation to update how we explain the user’s activity compared to the rest of the organization. Enhancements to assign higher risk scores when cumulative exfiltration activity involves content with Microsoft Information Protection labels that have been configured as priority content in a policy.
Microsoft 365 Compliance center: Insider risk management – Enhancements to User Activity experience
Within the user activity tab in a case, we have made enhancements to improve the activity review experience.
Microsoft 365 Compliance center: Insider risk management – Enhancements to Export Alerts
For the Export alerts feature, we have increased the frequency with which alerts are sent to the Office 365 Management Activity API to every hour (previously every 12 hours), so more up-to-date alert information is available to you.
- Microsoft 365 suite
When this will happen
Rollout will begin mid-September and be completed by mid-October.
How this will affect your organization
The following enhancements will soon be available in preview:
Alert review experience
When you click an alert, you will now see a full-page summary that includes additional information about the alert:
- The triggering event for the user that prompted the policy to start assigning risk scores to the user’s activity.
- The activity that led to the alert being generated.
- A summary of whether the alert contains sequences, cumulative exfiltration activity, activity with events containing unallowed domains, activity with events containing priority content, or activity that is considered unusual for the user.
Cumulative exfiltration activities
Cumulative exfiltration activities will be updated to show when a user is in the “top x% in organization” for exfiltration activities. Additionally, cumulative exfiltration activities involving content with Microsoft Information Protection labels that have been selected as priority content in a policy will lead to higher risk scores.
User activity in cases
You will have the ability to filter out all activity with a risk score of less than 15 that is not part of a sequence to focus review on the riskiest activity. Additionally, you will be able to filter activity to only view sequences in the timeline for a cleaner view.
Export alerts
We are increasing the frequency with which alerts are sent to the Office 365 Management Activity API so that more up-to-date alert information is available to you. If you have turned on Export alerts in settings, alerts will now be exported every hour (previously every 12 hours).
Note: This will not change the number or volume of alerts in the system, only the frequency with which existing alerts are updated. For example, if you confirm an alert, you will see its status updated to “Confirmed” in the exported data within one hour instead of 12 hours.
What you need to do to prepare
Access the Insider risk management solution from the Microsoft 365 compliance center.
Review the following documentation
- Triage alerts: Investigate insider risk management activities
- Cumulative exfiltration activities: Insider risk management policies
- User activity: Insider risk management cases
- Export alerts: Insider risk management setting
Message ID: MC281912
Published: 30 August 2021
Updated: 30 August 2021