Microsoft this week announced some policy enhancements to the Insider Risk Management service for Microsoft 365 that soon will be arriving at the preview level.
The enhancements, which include previews of new policy indicators and new templates, will be arriving at Microsoft 365 tenancies “in the coming days and weeks,” the announcement indicated. New API integrations also are coming.
Insider Risk Management, which uses machine learning to detect data leaks, intellectual property theft, insider trading, compliance violations and fraud, was commercially released in February. Using it requires having Microsoft 365 E5 licensing.
Some of the capabilities of Insider Risk Management also may depend on using other Microsoft services. Typically mentioned in that context are Microsoft’s Advanced eDiscovery service, the Microsoft 365 HR Connector and the Microsoft 365 Data Loss Protection service.
New Policy Indicator Previews
At preview in Insider Risk Management are some additional “policy indicators” that can be added to so-called “policy templates” specifying what to check. Here are the new policy indicators, at preview, that can be added:
- Sharing files/folders/sites from SharePoint Online to domains marked “unallowed”
- Downloading content from Teams
- Emailing outside the organization to domains marked “unallowed”
New Template Previews
Microsoft also added some new templates in Insider Risk Management. The following new templates are at the preview stage:
- Data leaks by priority users
- Data leaks by disgruntled users
- General security policy violations
- Security policy violations by departing users
- Security policy violations by priority users
- Security policy violations by disgruntled users
On the final point, organizations can use the HR Connector with the Insider Risk Management service to “use additional HR insights that might indicate disgruntlement.”
It’s also now possible to customize the templates that Microsoft provides with the Insider Risk Management service. Customization can be done by adjusting the threshold numbers for the indicators within the templates.
New API Additions
The alerts that come from the Insider Risk Management service are being added to the Office 365 Management Activity API. These alerts indicate things like the “severity and status” of a possible incident.
With this API integration, users of security information and event management (SIEM) solutions, such as Microsoft’s own Azure Sentinel product, can receive Insider Risk Management alerts, allowing actions to be taken. Alternatively, these alerts can be linked to Microsoft’s Insider Risk Management service, permitting “further investigation.”
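The policy indicators listed above, the threshold customization described under the template previews, and the alert fields (severity and status) that the Management Activity API exposes can be tied together with a small detection routine. The following is an added example written for this article, not Microsoft’s code or its data schema: the event field names, operation names, domains, thresholds and the severity rule are all assumptions constructed for illustration. It counts per-user events for each indicator over a set of constructed activity records, raises an alert when a count reaches the indicator’s configurable threshold, and serializes each alert as a JSON line of the kind a SIEM could ingest.

```python
"""Threshold-based insider-risk indicators over constructed activity events.

Added illustration only; this is not Microsoft's implementation or schema.
Event fields, operation names, domains, thresholds and severities are assumptions.
"""
import json
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Domains the organization has marked "unallowed" (constructed sample values).
UNALLOWED_DOMAINS = {"example-competitor.test", "freefilehost.test"}

# Events per user before an indicator raises an alert. Adjusting these numbers is
# the kind of template customization described in the article (values assumed).
DEFAULT_THRESHOLDS: Dict[str, int] = {
    "sharepoint_share_unallowed": 3,
    "teams_download": 20,
    "email_external_unallowed": 5,
    "edge_download_unallowed": 2,
}

# Constructed sample events; "target" is a recipient address, a URL or a file name.
SAMPLE_EVENTS: List[dict] = [
    {"user": "alice", "operation": "SharePointShare", "target": "contact@example-competitor.test"},
    {"user": "alice", "operation": "SharePointShare", "target": "contact@example-competitor.test"},
    {"user": "alice", "operation": "SharePointShare", "target": "anon@freefilehost.test"},
    {"user": "alice", "operation": "SharePointShare", "target": "partner@partner.test"},
    {"user": "alice", "operation": "EdgeDownload", "target": "https://freefilehost.test/tools.zip"},
    {"user": "bob", "operation": "TeamsDownload", "target": "Q3-forecast.xlsx"},
    {"user": "bob", "operation": "TeamsDownload", "target": "roadmap.pptx"},
    {"user": "carol", "operation": "EmailSend", "target": "friend@partner.test"},
] + [
    # Ten constructed outbound mails from bob to an unallowed domain.
    {"user": "bob", "operation": "EmailSend", "target": f"drop{i}@freefilehost.test"}
    for i in range(10)
]


def domain_of(target: str) -> str:
    """Extract a lower-cased domain from an e-mail address or a URL."""
    if "@" in target:
        return target.rsplit("@", 1)[1].lower()
    parsed = urlparse(target)
    return (parsed.netloc or target).lower()


def classify(event: dict) -> Optional[str]:
    """Map one activity event to an indicator name, or None if it matches none."""
    op = event["operation"]
    target = event.get("target", "")
    if op == "SharePointShare" and domain_of(target) in UNALLOWED_DOMAINS:
        return "sharepoint_share_unallowed"
    if op == "TeamsDownload":
        return "teams_download"
    if op == "EmailSend" and domain_of(target) in UNALLOWED_DOMAINS:
        return "email_external_unallowed"
    if op == "EdgeDownload" and domain_of(target) in UNALLOWED_DOMAINS:
        return "edge_download_unallowed"
    return None


def evaluate(events: List[dict], thresholds: Optional[Dict[str, int]] = None) -> List[dict]:
    """Count indicator hits per user and emit an alert for each count at or above threshold.

    Severity rule (assumed): "high" at twice the threshold, otherwise "medium".
    """
    thresholds = thresholds or DEFAULT_THRESHOLDS
    counts: Counter = Counter()
    for ev in events:
        indicator = classify(ev)
        if indicator:
            counts[(ev["user"], indicator)] += 1
    alerts = []
    for (user, indicator), n in sorted(counts.items()):
        limit = thresholds[indicator]
        if n >= limit:
            alerts.append({
                "user": user,
                "indicator": indicator,
                "count": n,
                "threshold": limit,
                "severity": "high" if n >= 2 * limit else "medium",
                "status": "active",
            })
    return alerts


def to_siem_record(alert: dict) -> str:
    """Serialize an alert as one JSON line for a log-forwarding pipeline."""
    return json.dumps(alert, sort_keys=True)


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(to_siem_record(alert))
```

With the constructed data, alice’s three shares to unallowed domains meet the default threshold and produce a medium-severity alert, bob’s ten external mails reach twice the threshold and produce a high-severity one, and bob’s two Teams downloads stay below the default of 20 until the threshold is lowered; passing a different `thresholds` dictionary to `evaluate` shows how tuning a template changes which users surface.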
In addition, Microsoft indicated that the Insider Risk Management service is “integrating with ServiceNow APIs,” using that company’s trouble-ticketing solution. The integration will permit “Insider Risk Management case managers to directly create ServiceNow tickets for incident managers,” the announcement explained.
Microsoft claimed that its signals intelligence, artificial intelligence and “deep learning” capabilities in the agentless Insider Risk Management service represent an easier approach than trying to use separate user activity monitoring and user entity behavior analytics solutions.
The signals come from Windows 10 and Microsoft Edge use, such as when files are copied, printed or transferred to a network file share. It’s also possible to check when Edge is used to “download content from an unallowed domain” or a “third-party site.” The service also will track the renaming of files on a device.
When Insider Risk Management is used with Microsoft Defender Advanced Threat Protection, it’s possible to get “insights into whether someone is trying to evade security controls.” Such actions might include “disabling multifactor authentication or installing unwanted software,” Microsoft suggested.