
Control 1.12: Insider Risk Detection and Response - Portal Walkthrough

This playbook provides portal configuration guidance for Control 1.12.


Prerequisites

  • Microsoft 365 E5 or E5 Insider Risk Management add-on
  • Insider Risk Management roles assigned
  • HR data connector configured (recommended)
  • Investigation team trained
  • Privacy settings reviewed with Legal

Step 1: Enable Insider Risk Management

Portal Path: Microsoft Purview > Insider risk management > Settings

  1. Sign in to the Microsoft Purview portal
  2. Go to Insider risk management
  3. Complete the initial setup wizard:
     • Accept the terms and conditions
     • Configure basic settings
  4. Open Settings for the detailed options covered in the following steps

Step 2: Configure Analytics

Portal Path: Insider risk management > Settings > Analytics

  1. Go to Settings > Analytics
  2. Turn on insider risk analytics
  3. Allow 24-48 hours for the initial scan to complete
  4. Review the analytics dashboard for:
     • Potential data leaks
     • Security policy violations
     • Risky user activity patterns

Analytics reports aggregated, anonymized insights only; use it to size and prioritize the policies in Step 3, not to investigate individual users.

Step 3: Create Insider Risk Policies

Portal Path: Insider risk management > Policies > + Create policy

Policy 1: Data Theft by Departing Users

  1. Click + Create policy
  2. Template: Data theft by departing users
  3. Policy name: FSI-DepartingUser-DataTheft
  4. Users and groups: All users, or the priority user groups created in Step 4
  5. Priority content:
     • SharePoint sites (sensitive sites)
     • Sensitivity labels (Confidential, MNPI)
     • Sensitive info types (financial SITs)
  6. Triggering event: HR connector (resignation or termination date) or Microsoft Entra ID account deletion
  7. Indicators:
     • Downloading content from SharePoint
     • Sending email with attachments to recipients outside the organization
     • Uploading files to cloud storage
     • Printing documents
     • Copying files to USB devices
  8. Click Create policy

Indicators can only be selected in a policy after they are turned on globally under Settings > Policy indicators, and the endpoint indicators (printing, USB, uploads from the device) only produce signals for devices onboarded to Microsoft Purview. Without the HR connector from Step 5, this template relies on Microsoft Entra ID account deletion as its trigger, which usually fires after the user has already left; the HR connector is what gives you the pre-departure monitoring window.

Policy 2: Data Leaks (General)

  1. Click + Create policy
  2. Template: Data leaks
  3. Policy name: FSI-DataLeaks-General
  4. Users: All users
  5. Priority content: Sensitivity labels, Sensitive info types
  6. Indicators:
     • Email to external recipients
     • File sharing externally
     • Endpoint exfiltration
     • Cumulative exfiltration
  7. Policy settings: Use DLP policy matches as the triggering event (the selected DLP policy must be configured to generate High severity alerts, otherwise its matches never trigger this policy)
  8. Click Create policy

Policy 3: Security Policy Violations

  1. Click + Create policy
  2. Template: Security policy violations
  3. Policy name: FSI-SecurityViolations
  4. Users: Priority users (agent administrators, developers)
  5. Indicators:
     • Security alert indicators
     • Defender for Endpoint alerts
     • Failed authentication attempts
     • Risky sign-in behavior
  6. Click Create policy

This template draws its security alert indicators from Microsoft Defender for Endpoint, so the Defender for Endpoint integration must be enabled and the in-scope users' devices onboarded before the policy produces alerts.

Policy 4: Agent-Related Insider Risk (Custom)

  1. Click + Create policy
  2. Template: Custom policy
  3. Policy name: FSI-AgentRelated-InsiderRisk
  4. Triggering event: Activity-based
  5. Indicators (map each to the closest built-in indicator enabled under Settings > Policy indicators):
     • Access to sensitive SharePoint sites (agent knowledge sources)
     • Bulk download of agent-related content
     • Modification of agent configurations
     • Sharing agent access with unauthorized users
  6. Priority content: Agent knowledge base sites, Copilot Studio projects
  7. Click Create policy

Step 4: Configure Priority User Groups

Portal Path: Insider risk management > Settings > Priority user groups

  1. Go to Settings > Priority user groups
  2. Click + Create priority user group
  3. Create the following groups:

     Group name        | Members                                          | Purpose
     ------------------|--------------------------------------------------|-------------------------
     FSI-HighRiskUsers | Departing users and users on a performance improvement plan (PIP) | Enhanced monitoring
     FSI-AgentAdmins   | Power Platform admins                            | Agent access monitoring
     FSI-TradingFloor  | Trading staff                                    | MNPI protection
     FSI-CustomerData  | Client-facing staff                              | NPI protection

When creating each group, restrict which analysts and investigators can see alerts for that group; alerts on trading staff or executives should not be visible to every reviewer.

Step 5: Configure Data Connectors

Portal Path: Insider risk management > Settings > Data connectors

  1. Go to Data connectors and add an HR connector
  2. Configure the HR connector:
     • Register an application in Microsoft Entra ID; the connector authenticates uploads with the app ID and a client secret
     • Upload a sample CSV and map its columns to the fields the connector expects (user ID as email/UPN, resignation date, last working/termination date)
     • Record the job ID shown when the connector is created; every upload must reference it
  3. Schedule the upload (Azure Logic App, Azure Automation, or a scheduled task running Microsoft's sample PowerShell script)
  4. Test the connection by uploading a small CSV and confirming the connector's status shows a successful import
  5. Configure additional connectors as needed
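The script below is an added example for the HR connector step; it is not part of the original playbook or of Microsoft's documentation. It takes a constructed HR export, maps it onto the three fields the connector mapping expects (EmailAddress, ResignationDate, LastWorkingDate), normalizes dates to ISO 8601 UTC, drops rows the connector would reject, and then uploads the result using the token request and ingestion endpoint that Microsoft's published sample script (upload_termination_records.ps1) uses. The HR export column names, file paths and environment variable names are assumptions; confirm the resource URI and endpoint against the connector page in your own tenant before relying on them. Requires PowerShell 7 (for -UseQuotes and ConvertFrom-SecureString -AsPlainText).

```powershell
# Added example, not from the original page. Assumed HR export columns:
# EmployeeId, WorkEmail, ResignationSubmitted, LastDay.

# Constructed sample HR export: a duplicate row, a row without an email,
# and two different date formats, as real HRIS exports tend to produce.
$hrExport = @'
EmployeeId,WorkEmail,ResignationSubmitted,LastDay
10231,sarad@contoso.com,2026-01-05 09:14,2026-01-30
10402,jeffm@contoso.com,05/01/2026 16:02,2026-02-13
10402,jeffm@contoso.com,05/01/2026 16:02,2026-02-13
10777,,2026-01-07,2026-01-21
'@ | ConvertFrom-Csv

function ConvertTo-IrmHrRecord {
    # Map HR rows onto the connector fields and reject what the connector cannot use.
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $DateFormats = @('yyyy-MM-dd HH:mm', 'dd/MM/yyyy HH:mm', 'yyyy-MM-dd')
    )
    $styles = [System.Globalization.DateTimeStyles]::AssumeLocal
    $culture = [cultureinfo]::InvariantCulture
    $seen = @{}
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.WorkEmail)) {
            Write-Warning "Employee $($row.EmployeeId): no email, skipped (the connector keys on email/UPN)"
            continue
        }
        $email = $row.WorkEmail.Trim().ToLowerInvariant()
        if ($seen.ContainsKey($email)) { continue }          # duplicate export row
        $seen[$email] = $true

        $resigned = [datetime]::ParseExact($row.ResignationSubmitted, $DateFormats, $culture, $styles)
        $lastDay  = [datetime]::ParseExact($row.LastDay, $DateFormats, $culture, $styles)
        if ($lastDay -lt $resigned) {
            Write-Warning "${email}: last day precedes resignation date, skipped"
            continue
        }
        [pscustomobject]@{
            EmailAddress    = $email
            ResignationDate = $resigned.ToUniversalTime().ToString('o')   # ISO 8601, UTC
            LastWorkingDate = $lastDay.ToUniversalTime().ToString('o')
        }
    }
}

function Send-IrmHrCsv {
    # Upload a prepared CSV to the connector job. Token resource and endpoint are the
    # values used by Microsoft's sample script; verify them on your connector page.
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [securestring] $AppSecret,
        [Parameter(Mandatory)] [string] $JobId,      # shown in the portal after the connector is created
        [Parameter(Mandatory)] [string] $CsvPath
    )
    $token = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = (ConvertFrom-SecureString $AppSecret -AsPlainText)
        resource      = 'https://microsoft.onmicrosoft.com/4e476d41-2395-42be-89ff-34cb9186a1ac'
    }
    Invoke-RestMethod -Method Post -Uri "https://webhook.ingestion.office.com/api/signals?jobid=$JobId" `
        -Headers @{ Authorization = "Bearer $($token.access_token)" } `
        -ContentType 'text/plain' -Body (Get-Content -Path $CsvPath -Raw)
}

# Build the CSV (two valid records survive from the four sample rows).
$records = ConvertTo-IrmHrRecord -Rows $hrExport
$records | Export-Csv -Path .\hr-resignations.csv -NoTypeInformation -UseQuotes Never
$records | Format-Table -AutoSize

# Test the connection with the small file; uncomment once the connector exists.
# Send-IrmHrCsv -TenantId $env:TENANT_ID -AppId $env:IRM_HR_APP_ID `
#     -AppSecret (Read-Host -AsSecureString 'App secret') -JobId $env:IRM_HR_JOB_ID -CsvPath .\hr-resignations.csv
```

Keep the client secret out of the script and out of the scheduler's command line (a Key Vault reference from the Logic App or Automation account is the usual choice), and treat the generated CSV as HR-sensitive data: delete it after a successful upload rather than leaving a rolling history of resignations on the scheduler host.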

Step 6: Configure Investigation Settings

Portal Path: Insider risk management > Settings > Investigation

  1. Go to Settings > Investigation
  2. Configure:
     • Case name format: auto-generated or custom
     • Reviewer notifications: email on new alerts
     • Investigation duration: track SLAs (see Step 7)
     • Evidence collection:
       • Collect Activity explorer data
       • Preserve audit logs
       • Enable content preview (with privacy controls)

Leave username anonymization (Settings > Privacy) turned on unless Legal has approved showing identities to investigators; the prerequisite review with Legal covers exactly this setting.

Step 7: Set Up Alert Workflow

Portal Path: Insider risk management > Alerts

  1. Open the Alerts tab
  2. Triage each alert using its status:
     • Needs review: initial state
     • Confirmed: escalate to a case
     • Dismissed: false positive (document the reason)
     • Resolved: no further action needed
  3. Apply escalation SLAs:
     • Low/Medium alerts: 48-hour review
     • High/Critical alerts: 4-hour review
     • Confirmed alerts: create a case and assign an investigator
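The portal has no built-in SLA timer, so the review windows above have to be measured from an alert export (the Export alerts setting pushes insider risk alerts to your SIEM, or you can export the alert list). The script below is an added example, not part of the original playbook: it runs the 4-hour and 48-hour windows over a constructed set of alert records, flags alerts still in "Needs review" past their window as well as alerts that were triaged late, and reports the compliance rate. The field names (Severity, Status, CreatedTime, TriagedTime) are assumptions; map them to whatever your export actually emits.

```powershell
# Added example, not from the original page. Assumed export fields:
# AlertId, Severity, Status, CreatedTime, TriagedTime (null while in Needs review).

$slaHours = @{ Low = 48; Medium = 48; High = 4; Critical = 4 }

# Constructed sample export: a High still open past its window, a Medium
# triaged late, and two alerts handled within SLA.
$alerts = @(
    [pscustomobject]@{ AlertId = 'a-1001'; Severity = 'High';   Status = 'Needs review'; CreatedTime = '2026-01-12T08:00:00Z'; TriagedTime = $null }
    [pscustomobject]@{ AlertId = 'a-1002'; Severity = 'Medium'; Status = 'Confirmed';    CreatedTime = '2026-01-10T09:30:00Z'; TriagedTime = '2026-01-13T11:00:00Z' }
    [pscustomobject]@{ AlertId = 'a-1003'; Severity = 'High';   Status = 'Confirmed';    CreatedTime = '2026-01-12T10:00:00Z'; TriagedTime = '2026-01-12T12:30:00Z' }
    [pscustomobject]@{ AlertId = 'a-1004'; Severity = 'Low';    Status = 'Dismissed';    CreatedTime = '2026-01-11T15:00:00Z'; TriagedTime = '2026-01-12T16:00:00Z' }
)

function Get-IrmAlertSlaStatus {
    # For each alert, compute its due time from severity and whether triage
    # (leaving Needs review) happened, or is happening, inside the window.
    param(
        [Parameter(Mandatory)] [object[]] $Alerts,
        [hashtable] $SlaHours = $slaHours,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($a in $Alerts) {
        # Unknown severity labels fail closed onto the tightest window.
        $window  = if ($SlaHours.ContainsKey($a.Severity)) { $SlaHours[$a.Severity] } else { $SlaHours['High'] }
        $created = ([datetime]$a.CreatedTime).ToUniversalTime()
        $due     = $created.AddHours($window)
        $isOpen  = $a.Status -eq 'Needs review'
        # An open alert is measured against now; a triaged one against its triage time.
        $end     = if ($isOpen) { $Now } else { ([datetime]$a.TriagedTime).ToUniversalTime() }
        [pscustomobject]@{
            AlertId   = $a.AlertId
            Severity  = $a.Severity
            Status    = $a.Status
            Open      = $isOpen
            HoursOpen = [math]::Round(($end - $created).TotalHours, 1)
            DueUtc    = $due
            Breached  = $end -gt $due
        }
    }
}

# Fixed "now" so the sample is reproducible; drop -Now for live data.
$report = Get-IrmAlertSlaStatus -Alerts $alerts -Now ([datetime]'2026-01-12T14:00:00Z').ToUniversalTime()

# Open breaches first (these need an investigator now), then late-but-handled ones.
$report | Where-Object Breached | Sort-Object -Property Open, Severity -Descending | Format-Table -AutoSize

$withinSla = ($report | Where-Object { -not $_.Breached }).Count
'SLA compliance: {0:N0}% of {1} alerts' -f (100 * $withinSla / $report.Count), $report.Count
```

Run against the sample, a-1001 (High, open 6 hours) and a-1002 (Medium, triaged after roughly 73 hours) are reported as breaches and compliance is 50%. Schedule the same check hourly against the live export and route the open breaches to the on-call investigator; late-but-closed breaches are a reporting metric for the SOC lead, not a page.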

Back to Control 1.12 | PowerShell Setup | Verification Testing | Troubleshooting


Updated: January 2026 | Version: v1.2