We’re rolling out several features to general availability to enhance your Insider Risk Management policies and workflows. This message is associated with Microsoft 365 Roadmap ID 88997, 88998, 88999, 89000, 89001, 89002.
When this will happen
Rollout will begin in late April and is expected to be complete by mid-May.
How this will affect your organization
The following features and settings will soon be generally available as options within the Insider Risk Management solution in the Microsoft 365 compliance center:
- Enhanced support for domains: enables support for enhanced classification of unallowed, allowed, and third-party domains leveraging wildcards. This helps improve classification of detections.
- Export alerts: We are increasing the frequency in which alerts are sent to the Office 365 Management Activity API so you can have more updated alert information available. If you have turned on “Export Alerts” in settings, then alerts will now be exported every hour (previously 12 hours). Note: This will not impact the number or volume of alerts in the system, but rather the frequency with which existing alerts are updated. For example, if you have an alert and confirm that alert, you will see the status of the alert updated to “Confirmed” in one hour as opposed to 12 hours.
- Integration with Microsoft Teams: Compliance analysts and investigators can use Microsoft Teams to coordinate and review response activities for cases in private Teams, securely share and store files and evidence related to individual cases, and track and review response activities. Once enabled, a dedicated Microsoft Teams team is created every time an alert is confirmed and a case is created. For existing cases, analysts and investigators can choose to create a new Microsoft Teams team when working in a case if needed. Once you resolve the associated case, the team is automatically archived.
- Define priority user groups: Define users in your organization that need closer inspection based on factors such as their position, level of access to sensitive information, or risk history.
- Data leaks by priority users: Once created, priority user groups can be included in certain policy templates from the Policies page, such as detecting data leaks by users included in the defined group.
- Native triggers (new signals, indicator selection, customization, Activity explorer): You can now choose to assign selected indicators as triggering events for a policy. This flexibility and customization helps scope the policy to only the activities covered by the indicators. Also, you will be able to customize thresholds for each triggering event.
- Triage and investigation improvements: To enhance triage and investigation, we’re including historical insights for Exchange Online, and will also ingest triggering events into Activity explorer to assist in the triage process. Furthermore, we are introducing filtering and sorting capabilities across the triage experience to help reduce time-to-action.
What you need to do to prepare
Insider Risk Management in Microsoft 365 correlates various signals from the chip to the cloud to identify potential malicious or inadvertent insider risks, such as IP theft, security and policy violations, and more. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Access the Insider Risk Management solution in the Microsoft 365 compliance center:
- Microsoft 365 compliance center for Worldwide and GCC cloud environments
- Microsoft 365 compliance center for GCC-H cloud environments
- Microsoft 365 compliance center for DoD cloud environments
To enable Microsoft Teams for Insider Risk Management:
- In the Microsoft 365 compliance center, go to Insider risk management > Insider risk settings
- Select the Microsoft Teams tab
- Enable Microsoft Teams integration
- Select Save to configure and exit
- Export alerts
- Integration with Microsoft Teams
- Priority user groups
- Data leaks by priority users
- Triggering events
- Triage alerts
- Investigate a case
- Microsoft 365 Docs > Manage insider risks > Insider risk management in Microsoft 365
- Multi-tenant management: Service Health and Message Center
Message ID: MC349520
Published: 30 March 2022
Updated: 30 March 2022