
Control 1.12: Insider Risk Detection and Response

Overview

Control ID: 1.12
Control Name: Insider Risk Detection and Response
Regulatory Reference: FINRA 4511, GLBA 501(b), SOX 404, SEC Reg SHO
Setup Time: 2-3 hours (initial); ongoing tuning and investigation


Purpose

Insider Risk Management detects potentially malicious or inadvertent insider activities that could harm the organization. For financial services and AI agent governance, insider risk detection is critical for:

  • Data Exfiltration Prevention: Detecting unauthorized data extraction via agents
  • GLBA 501(b): Protecting customer NPI from insider misuse
  • SOX 404: Internal control monitoring for financial data
  • SEC Reg SHO: Detecting potential market manipulation via insider access
  • Agent Abuse Detection: Identifying misuse of agent capabilities
  • IP Protection: Preventing theft of proprietary models and configurations

Prerequisites

Primary Owner Admin Role: Purview Insider Risk Roles
Supporting Roles: None

Required Licenses

  • Microsoft 365 E5 OR Microsoft 365 E5 Insider Risk Management add-on
  • Microsoft Purview Insider Risk Management

Required Permissions

  • Insider Risk Management Admin (full configuration)
  • Insider Risk Management Analysts (review alerts)
  • Insider Risk Management Investigators (investigate cases)
  • Insider Risk Management Auditors (read-only audit)

Dependencies

  • Control 1.7 (Audit Logging): Audit data for risk indicators
  • Control 1.5 (DLP): DLP signals for insider risk
  • Control 1.10 (Communication Compliance): Communication signals

Pre-Setup Checklist

  • [ ] HR data connector configured (optional but recommended)
  • [ ] Priority user groups identified
  • [ ] Investigation team trained
  • [ ] Privacy settings reviewed with Legal
  • [ ] Escalation procedures documented

Governance Levels

Baseline (Level 1)

Implement insider risk policies; monitor for data exfiltration and unauthorized access.

Advanced insider risk indicators with ML detection; defined escalation and response procedures.

Regulated/High-Risk (Level 4)

Real-time risk scoring with immediate alerts; automated containment where possible; mandatory incident investigation.


Setup & Configuration

Step 1: Enable Insider Risk Management

Portal Path: Microsoft Purview Compliance Portal → Insider risk management → Settings

  1. Navigate to the Purview Compliance Portal
  2. Go to Insider risk management
  3. If this is the first time, complete the initial setup wizard:
     • Accept terms and conditions
     • Configure basic settings
  4. Navigate to Settings to configure detailed options

Step 2: Enable Insider Risk Analytics

Portal Path: Purview → Insider risk management → Settings → Analytics

  1. Go to Settings → Analytics
  2. Enable Insider risk analytics
  3. Wait 24-48 hours for the initial analysis
  4. Review the analytics dashboard for:
     • Potential data leaks
     • Security policy violations
     • Risky user activity patterns

Step 3: Create Insider Risk Policies

Portal Path: Purview → Insider risk management → Policies → + Create policy

Policy 1: Data Theft by Departing Users

  1. Click + Create policy
  2. Template: Data theft by departing users
  3. Policy name: FSI-DepartingUser-DataTheft
  4. Users and groups:
     • All users, OR
     • Priority user groups (recommended for FSI)
  5. Priority content:
     • ✅ SharePoint sites (sensitive sites)
     • ✅ Sensitivity labels (Confidential, MNPI)
     • ✅ Sensitive info types (Financial SITs)
  6. Triggering event:
     • HR connector (resignation date), OR
     • Azure AD account deletion indicator
  7. Indicators:
     • ✅ Downloading content from SharePoint
     • ✅ Sending email with attachments outside the org
     • ✅ Uploading files to cloud storage
     • ✅ Printing documents
     • ✅ Copying to USB
  8. Thresholds: Default or customize
  9. Click Create policy

Policy 2: Data Leaks (General)

  1. Click + Create policy
  2. Template: Data leaks
  3. Policy name: FSI-DataLeaks-General
  4. Users: All users
  5. Priority content:
     • Sensitivity labels
     • Sensitive info types
     • Agent configuration sites
  6. Indicators:
     • ✅ Email to external recipients
     • ✅ File sharing externally
     • ✅ Endpoint exfiltration
     • ✅ Cumulative exfiltration
  7. Policy settings:
     • ✅ Include DLP policy matches as risk indicators
  8. Click Create policy

Policy 3: Security Policy Violations

  1. Click + Create policy
  2. Template: Security policy violations
  3. Policy name: FSI-SecurityViolations
  4. Indicators:
     • ✅ Security alert indicators
     • ✅ Defender for Endpoint alerts
     • ✅ Failed authentication attempts
     • ✅ Risky sign-in behavior
  5. Users: Priority users (agent administrators, developers)
  6. Click Create policy

Policy 4: Agent-Related Insider Risk (Custom)

  1. Click + Create policy
  2. Template: Custom policy
  3. Policy name: FSI-AgentRelated-InsiderRisk
  4. Description: "Monitor for agent misuse and data exfiltration via AI"
  5. Triggering event: Activity-based
  6. Indicators:
     • ✅ Access to sensitive SharePoint sites (agent knowledge sources)
     • ✅ Bulk download of agent-related content
     • ✅ Modification of agent configurations
     • ✅ Sharing agent access with unauthorized users
  7. Priority content:
     • Agent knowledge base sites
     • Copilot Studio projects
     • Configuration documentation
  8. Click Create policy

Step 4: Configure Priority User Groups

Portal Path: Purview → Insider risk management → Settings → Priority user groups

  1. Go to Settings → Priority user groups
  2. Click + Create priority user group
  3. Create the following groups:

| Group Name | Users | Purpose |
|---|---|---|
| FSI-HighRiskUsers | Departing + PIP users | Enhanced monitoring |
| FSI-AgentAdmins | Power Platform admins | Agent access monitoring |
| FSI-TradingFloor | Trading staff | MNPI protection |
| FSI-CustomerData | Client-facing staff | NPI protection |

Step 5: Configure Data Connectors

Portal Path: Purview → Insider risk management → Settings → Data connectors

  1. Go to Settings → Data connectors
  2. Configure the relevant connectors:

| Connector | Purpose | FSI Relevance |
|---|---|---|
| HR connector | Resignation, termination dates | High - departing user detection |
| Physical badging | Badge-in/out data | Medium - after-hours access |
| Healthcare | Patient data access | N/A |
| Custom connector | Agent-specific signals | High |

  3. For the HR connector:
     • Configure an Azure Logic App or API
     • Map fields (user ID, resignation date, termination date)
     • Test the connection
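The field-mapping and test steps above are where HR connector problems usually start, so here is an added example (not part of this control page or of Microsoft's connector tooling) that maps a constructed HRIS export onto the connector's CSV layout and rejects rows that would never produce a triggering event. The output column names (EmailAddress, ResignationDate, LastWorkingDate) are the ones Microsoft documents for the employee-resignation scenario; the ISO 8601 date normalisation, the HRIS field names, and the staging path are assumptions, so confirm them against the connector schema your tenant shows.

```powershell
# Added example (not from the original page): build and sanity-check the CSV that the
# Purview HR connector ingests for the employee-resignation scenario.
# Assumptions: the HRIS export below is constructed sample data; the output columns are
# the ones Microsoft documents for this scenario; date format and staging path are guesses
# to verify against the connector's current schema.

# Constructed HRIS export: its field names differ from what the connector expects,
# which is exactly the "map fields" step in the procedure.
$HrisExport = @'
EmployeeId,WorkEmail,NoticeGiven,FinalDay
10041,jdoe@contoso.com,2025-11-14,2025-12-12
10052,asmith@contoso.com,,2025-12-31
10063,not-an-email,2025-11-20,2025-12-05
'@ | ConvertFrom-Csv

function ConvertTo-HrConnectorRecord {
    param([Parameter(Mandatory)][pscustomobject]$Row)

    # Map HRIS fields to the connector schema.
    $Record = [PSCustomObject]@{
        EmailAddress    = $Row.WorkEmail.Trim()
        ResignationDate = $Row.NoticeGiven
        LastWorkingDate = $Row.FinalDay
    }

    # Validate before upload: a malformed row silently yields a user with no triggering
    # event, which is the "departing user policy not triggering" symptom seen in triage.
    $Problems = @()
    if ($Record.EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $Problems += 'invalid EmailAddress'
    }
    $Culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($Field in 'ResignationDate', 'LastWorkingDate') {
        $Parsed = [datetime]::MinValue
        if (-not [datetime]::TryParseExact($Record.$Field, 'yyyy-MM-dd', $Culture, 'None', [ref]$Parsed)) {
            $Problems += "missing or non-ISO $Field"
        } else {
            # Normalise to an ISO 8601 timestamp (assumption: connector accepts UTC midnight).
            $Record.$Field = $Parsed.ToString('yyyy-MM-ddTHH:mm:ssZ')
        }
    }
    [PSCustomObject]@{ Record = $Record; Problems = $Problems }
}

$Results = $HrisExport | ForEach-Object { ConvertTo-HrConnectorRecord -Row $_ }
$Valid   = @($Results | Where-Object { $_.Problems.Count -eq 0 } | ForEach-Object { $_.Record })
$Invalid = @($Results | Where-Object { $_.Problems.Count -gt 0 })

# Surface rejected rows so HR can correct the source system rather than the CSV.
$Invalid | ForEach-Object {
    Write-Warning ("Rejecting {0}: {1}" -f $_.Record.EmailAddress, ($_.Problems -join '; '))
}

$OutFile = Join-Path $env:TEMP 'hr-connector-resignations.csv'   # assumption: local staging path
$Valid | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Wrote $($Valid.Count) valid record(s) to $OutFile; $($Invalid.Count) rejected"
```

With the constructed input, one row is written and two are rejected (one for a blank resignation date, one for a malformed address). The staged file is what you then hand to the connector's upload mechanism (the Azure Logic App or Microsoft's sample upload script for the connector job); keeping validation separate from upload makes the "test connection" step meaningful, because a healthy connector that receives empty or malformed rows still reports success.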

Step 6: Configure Investigation Settings

Portal Path: Purview → Insider risk management → Settings → Investigation

  1. Go to Settings → Investigation
  2. Configure:
     • Case name format: Auto-generate or custom
     • Reviewer notifications: Email on new alerts
     • Investigation duration: Track SLAs
     • Evidence collection:
        ◦ ✅ Collect activity explorer data
        ◦ ✅ Preserve audit logs
        ◦ ✅ Enable content preview (with privacy controls)

Step 7: Set Up Alert Workflow

Portal Path: Purview → Insider risk managementAlerts

Configure the alert triage workflow:

  1. Navigate to the Alerts tab
  2. Move each alert through the triage states:
     • Needs review: Initial state
     • Confirmed: Escalate to case
     • Dismissed: False positive (document the reason)
     • Resolved: No further action needed
  3. Configure escalation:

```
Alert (Low/Medium) → Analyst Review (48h)
                   ↓
Alert (High/Critical) → Immediate Review (4h)
                   ↓
Confirmed → Create Case → Investigator Assignment
                   ↓
Investigation → Remediation Actions
├── HR notification
├── Access revocation
├── Legal escalation
└── Regulatory reporting
```
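The escalation diagram defines two review SLAs (48 hours for Low/Medium, 4 hours for High/Critical), and Step 6 asks for investigation duration to be tracked. The following added example (not code from the page or from Microsoft) applies those SLAs to an alert queue and reports which alerts are already overdue. The alert objects are constructed samples shaped like the AlertId/User/Severity/CreatedTime fields that the PowerShell section selects; in production you would pass that query's output instead.

```powershell
# Added example (not from the original page): compute review deadlines from the
# escalation SLAs and flag overdue alerts.
# Assumptions: severity names and SLA hours follow the diagram above; the sample
# alerts are constructed and use UTC timestamps.

$ReviewSlaHours = @{
    Low      = 48
    Medium   = 48
    High     = 4
    Critical = 4
}

function Get-AlertTriageStatus {
    param(
        [Parameter(Mandatory)][object[]]$Alerts,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    foreach ($Alert in $Alerts) {
        if ($ReviewSlaHours.ContainsKey($Alert.Severity)) {
            $Hours = $ReviewSlaHours[$Alert.Severity]
        } else {
            # Unknown severity: fail closed onto the strictest tier rather than dropping it.
            Write-Warning "Alert $($Alert.AlertId): unknown severity '$($Alert.Severity)', using 4h SLA"
            $Hours = 4
        }
        $Deadline = $Alert.CreatedTime.AddHours($Hours)
        [PSCustomObject]@{
            AlertId   = $Alert.AlertId
            User      = $Alert.User
            Severity  = $Alert.Severity
            Queue     = if ($Hours -le 4) { 'Immediate Review' } else { 'Analyst Review' }
            Deadline  = $Deadline
            HoursLeft = [math]::Round(($Deadline - $Now).TotalHours, 1)
            Overdue   = $Now -gt $Deadline
        }
    }
}

# Constructed sample queue, evaluated at a fixed "now" so the output is reproducible.
$Now = [datetime]::new(2025, 12, 10, 12, 0, 0, 'Utc')
$SampleAlerts = @(
    [PSCustomObject]@{ AlertId = 'A-1001'; User = 'trader1@contoso.com';  Severity = 'Critical'; CreatedTime = $Now.AddHours(-6) }
    [PSCustomObject]@{ AlertId = 'A-1002'; User = 'analyst2@contoso.com'; Severity = 'Medium';   CreatedTime = $Now.AddHours(-30) }
    [PSCustomObject]@{ AlertId = 'A-1003'; User = 'dev3@contoso.com';     Severity = 'Low';      CreatedTime = $Now.AddHours(-50) }
)

$Triage = Get-AlertTriageStatus -Alerts $SampleAlerts -Now $Now
$Triage | Sort-Object HoursLeft | Format-Table -AutoSize

# Overdue alerts are the ones to raise with the investigation team first.
$Triage | Where-Object Overdue | ForEach-Object {
    Write-Host ("SLA BREACH: {0} ({1}) for {2}, due {3:u}" -f $_.AlertId, $_.Severity, $_.User, $_.Deadline) -ForegroundColor Red
}
```

With the constructed queue, the Critical alert (created 6 hours ago against a 4-hour SLA) and the Low alert (50 hours against 48) are reported as breaches, while the Medium alert still has 18 hours of analyst-review time. Running this on a schedule and exporting the result gives the "Investigation duration: Track SLAs" evidence that the verification checklist asks for.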
    


PowerShell Configuration

```powershell
# Insider Risk Management Configuration
# Requires: Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Connect to Security & Compliance Center
Connect-IPPSSession

# ===== GET INSIDER RISK POLICIES =====

Get-InsiderRiskPolicy | Select-Object Name, Mode, Enabled, Priority |
    Format-Table -AutoSize

# ===== GET PRIORITY USER GROUPS =====

Get-InsiderRiskPriorityUserGroup | Select-Object Name, Members | Format-List

# ===== CREATE PRIORITY USER GROUP =====

# Note: Creating priority user groups via PowerShell
# New-InsiderRiskPriorityUserGroup -Name "FSI-AgentAdmins" -Members @("admin1@contoso.com", "admin2@contoso.com")

# ===== GET CURRENT ALERTS =====

$Alerts = Get-InsiderRiskAlert -Filter "Status -eq 'NeedsReview'"

Write-Host "`nPending Insider Risk Alerts:" -ForegroundColor Yellow
$Alerts | Select-Object AlertId, User, Severity, CreatedTime | Format-Table

# ===== AUDIT LOG SEARCH FOR INSIDER ACTIVITIES =====

$StartDate = (Get-Date).AddDays(-30)
$EndDate = Get-Date

# Search for bulk file downloads
# Note: Search-UnifiedAuditLog returns at most 5000 records per call; for a busy
# tenant, page through the full set with -SessionId and -SessionCommand ReturnLargeSet
$BulkDownloads = Search-UnifiedAuditLog `
    -StartDate $StartDate `
    -EndDate $EndDate `
    -Operations FileDownloaded, FileSyncDownloadedFull `
    -ResultSize 5000

# Analyze download patterns (one audit record per download event)
$DownloadByUser = $BulkDownloads | Group-Object UserIds |
    Sort-Object Count -Descending |
    Select-Object -First 20 Name, Count

Write-Host "`nTop File Downloaders (Last 30 days):" -ForegroundColor Cyan
$DownloadByUser | Format-Table

# Identify potential exfiltration (high volume)
# The 100-download threshold is a starting point; tune it per zone and priority group
# (@() keeps .Count correct when zero or one user matches)
$PotentialExfiltration = @($DownloadByUser | Where-Object { $_.Count -gt 100 })

if ($PotentialExfiltration.Count -gt 0) {
    Write-Host "`n⚠️ POTENTIAL EXFILTRATION DETECTED:" -ForegroundColor Red
    $PotentialExfiltration | Format-Table
}

# ===== SEARCH FOR EXTERNAL SHARING =====

$ExternalSharing = @(Search-UnifiedAuditLog `
    -StartDate $StartDate `
    -EndDate $EndDate `
    -Operations SharingSet, AnonymousLinkCreated, SecureLinkCreated `
    -ResultSize 1000)

Write-Host "`nExternal sharing events: $($ExternalSharing.Count)" -ForegroundColor Yellow

# Parse for risky sharing: guest recipients (UPNs contain #EXT#) or anonymous links
$RiskySharing = @($ExternalSharing | ForEach-Object {
    $AuditData = $_.AuditData | ConvertFrom-Json

    [PSCustomObject]@{
        Date = $_.CreationDate
        User = $_.UserIds
        Operation = $AuditData.Operation
        Target = $AuditData.ObjectId
        ExternalUser = $AuditData.TargetUserOrGroupName
    }
} | Where-Object { $_.ExternalUser -like "*#ext#*" -or $_.Operation -eq "AnonymousLinkCreated" })

Write-Host "`nRisky sharing events: $($RiskySharing.Count)" -ForegroundColor Yellow

# ===== GENERATE INSIDER RISK REPORT =====

$PolicyCount = @(Get-InsiderRiskPolicy).Count
$AlertCount = @(Get-InsiderRiskAlert).Count

$Report = @{
    ActivePolicies = $PolicyCount
    TotalAlerts = $AlertCount
    PendingAlerts = ($Alerts | Measure-Object).Count
    BulkDownloadUsers = $PotentialExfiltration.Count
    RiskySharingEvents = $RiskySharing.Count
    ReportPeriod = "$StartDate to $EndDate"
    ReportDate = Get-Date
}

Write-Host "`n=== INSIDER RISK SUMMARY ===" -ForegroundColor Cyan
$Report | Format-List

# Export details (create the evidence folder if it does not exist yet)
$ExportDir = "C:\Governance"
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$RiskySharing | Export-Csv (Join-Path $ExportDir "RiskySharing-$(Get-Date -Format 'yyyyMMdd').csv") -NoTypeInformation
```
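The script above ranks users by raw download count, which on its own produces the false positives the troubleshooting section warns about (build accounts, sync clients). The FSI scenarios later on this page describe the sharper detection, "HR trigger + download volume", for a departing advisor. The following added example (not the page's script and not Microsoft code) implements that correlation over audit records shaped like Search-UnifiedAuditLog output, parsing the AuditData JSON the same way the script does. The HR list and the audit records are constructed samples; the 30-day look-back window and the 100-download threshold are tunable assumptions, not product defaults.

```powershell
# Added example (not from the original page): correlate download volume with HR
# departure data, the "HR trigger + download volume" detection from the FSI scenarios
# table, over records with the CreationDate/UserIds/Operations/AuditData fields that
# Search-UnifiedAuditLog returns (AuditData is a JSON string).
# Assumptions: both data sets are constructed samples; window and threshold are tunable.

# Constructed HR data: who has given notice and when.
$DepartingUsers = @(
    [PSCustomObject]@{ User = 'advisor1@contoso.com'; ResignationDate = [datetime]'2025-12-01' }
    [PSCustomObject]@{ User = 'pm2@contoso.com';      ResignationDate = [datetime]'2025-12-08' }
)

function New-SampleAuditRecord {
    param([string]$User, [datetime]$When, [string]$Operation, [string]$Path)
    # Mimics the record shape Search-UnifiedAuditLog returns.
    [PSCustomObject]@{
        CreationDate = $When
        UserIds      = $User
        Operations   = $Operation
        AuditData    = (@{ Operation = $Operation; ObjectId = $Path; UserId = $User } | ConvertTo-Json -Compress)
    }
}

# Constructed audit sample: a departing advisor pulling 150 client files in the week before
# resigning, a departing PM with ordinary activity, and a non-departing service account with
# high volume (no HR trigger, so this detection should not flag it).
$AuditRecords = [System.Collections.Generic.List[object]]::new()
function Add-Sample([string]$User, [datetime]$Start, [int]$Count, [int]$StepMinutes, [string]$Site) {
    foreach ($i in 1..$Count) {
        $AuditRecords.Add((New-SampleAuditRecord -User $User -When $Start.AddMinutes($i * $StepMinutes) `
            -Operation 'FileDownloaded' -Path "https://contoso.sharepoint.com/sites/$Site/file$($i).xlsx"))
    }
}
Add-Sample 'advisor1@contoso.com'  ([datetime]'2025-11-25') 150 1  'ClientData'
Add-Sample 'pm2@contoso.com'       ([datetime]'2025-11-30') 12  60 'Research'
Add-Sample 'build-svc@contoso.com' ([datetime]'2025-11-28') 200 1  'Eng'

function Find-DepartingUserExfiltration {
    param(
        [Parameter(Mandatory)][object[]]$AuditRecords,
        [Parameter(Mandatory)][object[]]$DepartingUsers,
        [int]$LookbackDays = 30,   # window before the resignation date to examine
        [int]$Threshold = 100      # downloads inside the window that warrant an alert
    )
    # Parse once: keep only download operations and pull the target path from AuditData.
    $Downloads = @($AuditRecords |
        Where-Object { $_.Operations -in 'FileDownloaded', 'FileSyncDownloadedFull' } |
        ForEach-Object {
            $Data = $_.AuditData | ConvertFrom-Json
            [PSCustomObject]@{ User = $_.UserIds; When = $_.CreationDate; Target = $Data.ObjectId }
        })

    # Only users with an HR trigger are scored; volume alone is not a finding here.
    foreach ($Departing in $DepartingUsers) {
        $WindowStart = $Departing.ResignationDate.AddDays(-$LookbackDays)
        $InWindow = @($Downloads | Where-Object {
            $_.User -eq $Departing.User -and $_.When -ge $WindowStart
        })
        [PSCustomObject]@{
            User          = $Departing.User
            WindowStart   = $WindowStart
            Downloads     = $InWindow.Count
            DistinctFiles = @($InWindow.Target | Sort-Object -Unique).Count
            Flag          = $InWindow.Count -ge $Threshold
        }
    }
}

$Findings = Find-DepartingUserExfiltration -AuditRecords $AuditRecords -DepartingUsers $DepartingUsers
$Findings | Format-Table -AutoSize
$Findings | Where-Object Flag | ForEach-Object {
    Write-Host ("Departing user {0}: {1} downloads since {2:yyyy-MM-dd}; escalate per the Step 7 workflow" `
        -f $_.User, $_.Downloads, $_.WindowStart) -ForegroundColor Red
}
```

With the constructed data, advisor1 is flagged (150 downloads inside the 30-day window) and pm2 is not (12), while the service account's 200 downloads never appear in the findings because it has no HR trigger. To run this against a tenant, replace the sample list with the validated HR connector records and the sample audit records with the $BulkDownloads result from the script above.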

Financial Sector Considerations

Regulatory Alignment

| Regulation | Insider Risk Requirement |
|---|---|
| GLBA 501(b) | Protect customer NPI from insider misuse |
| SOX 404 | Internal controls over financial data access |
| SEC Reg SHO | Detect potential market manipulation |
| FINRA 4511 | Supervision of access to books/records |
| FINRA 3110 | Supervisory controls over trading |
| Insider Trading Laws | Prevent and detect MNPI misuse |

Insider Risk Indicators for FSI

| Indicator | Risk Signal | FSI Priority |
|---|---|---|
| Bulk Download Before Resignation | Data theft | Critical |
| Access to Restricted Lists | MNPI exposure | Critical |
| After-Hours Access to Trading Systems | Unauthorized trading | High |
| External Sharing of Financial Data | Data leak | High |
| USB Copy of Customer Data | NPI exfiltration | High |
| Agent Config Modification | Sabotage/backdoor | Medium |
| Failed Access to Sensitive Sites | Attempted breach | Medium |

Zone-Specific Configuration

Zone 1 (Personal Productivity)

  • Policies: Data leaks (basic)
  • Priority Users: None specific
  • Monitoring Scope: Limited
  • Alert Threshold: High only
  • Investigation: As-needed

Zone 2 (Team Collaboration)

  • Policies: Data leaks + Security violations
  • Priority Users: Managers, developers
  • Monitoring Scope: Standard
  • Alert Threshold: Medium and above
  • Investigation: 48-hour SLA

Zone 3 (Enterprise Managed)

  • Policies: All policies including custom
  • Priority Users: All agent admins, traders
  • Monitoring Scope: Comprehensive
  • Alert Threshold: All severities
  • Investigation: 4-hour SLA for critical
  • Automated Response: Access suspension capability

FSI Insider Risk Scenarios

| Scenario | Detection | Response | Regulation |
|---|---|---|---|
| Trader exports MNPI | Bulk download + restricted list access | Immediate suspension | SEC |
| Departing advisor downloads client list | HR trigger + download volume | Block + investigate | GLBA |
| Developer exports agent config | Unusual access + external share | Alert + access review | IP |
| Admin modifies agent without approval | Config change + no ticket | Compliance review | Internal |
| Analyst sends research externally | Email to competitor domain | Block + escalate | FINRA |

FSI Configuration Example: Asset Manager

Scenario: An asset manager needs to detect insider trading indicators and protect investment strategies.

Insider Risk Configuration:

```
Policy 1: MNPI Protection
├── Template: Data theft
├── Priority Users:
│   ├── Investment team
│   ├── Research analysts
│   └── Portfolio managers
├── Triggering Events:
│   ├── Access to restricted securities list
│   ├── Research report access before publish
│   └── Earnings data access
├── Indicators:
│   ├── External email with attachments
│   ├── Personal device sync
│   ├── After-hours access
│   └── Communication with external parties
├── Alert Threshold: Low (catch all)
└── Response: Immediate Legal escalation

Policy 2: Client Data Protection
├── Template: Data leaks
├── Priority Content:
│   ├── Client portfolio sites
│   ├── Account statement repositories
│   └── CRM data
├── Indicators:
│   ├── Bulk download
│   ├── External sharing
│   ├── Print queue activity
│   └── USB copy
├── Alert Threshold: Medium
└── Response: Compliance investigation

Policy 3: Departing Investment Staff
├── Template: Departing user
├── HR Connector: Resignation date -30 days
├── Enhanced Monitoring:
│   ├── All file access logged
│   ├── Email monitoring enabled
│   ├── Download restrictions applied
│   └── External sharing blocked
├── Alert Threshold: Low
└── Response: HR + Legal coordination
```


Verification & Testing

Verification Steps

  1. Confirm Policies Active:
     • Purview → Insider risk management → Policies
     • EXPECTED: All FSI policies enabled
  2. Verify Analytics:
     • Check the Analytics dashboard for insights
     • EXPECTED: Analytics showing risk patterns
  3. Test Alert Generation:
     • Simulate risky activity with a test user
     • EXPECTED: Alert generated in the queue
  4. Validate Workflow:
     • Triage the test alert through the workflow
     • EXPECTED: Case created and assignable
  5. Check Connectors:
     • Verify HR and other connectors are active
     • EXPECTED: Connector status healthy

Verification Evidence

  • [ ] Screenshot: Policy configurations
  • [ ] Export: Alert summary by policy
  • [ ] Documentation: Priority user groups
  • [ ] Screenshot: Connector status
  • [ ] Audit log: Investigation workflow
  • [ ] Report: Risk analytics insights

Troubleshooting & Validation

Issue: No Alerts Being Generated

Symptoms: Policy active but no alerts

Solutions:

  1. Verify policy is in "Production" mode (not test)
  2. Check user scope includes target users
  3. Review indicator thresholds (may be too high)
  4. Verify data connectors are functioning
  5. Wait 24-48 hours for initial data collection

Issue: Too Many False Positives

Symptoms: High volume of non-risky alerts

Solutions:

  1. Adjust threshold settings to higher values
  2. Refine priority content selection
  3. Use priority user groups to focus
  4. Add exclusions for known legitimate activities
  5. Review and tune indicator weights

Issue: HR Connector Not Working

Symptoms: Departing user policy not triggering

Solutions:

  1. Verify HR connector configuration
  2. Check field mappings are correct
  3. Validate test user has resignation date
  4. Review connector logs for errors
  5. Ensure Azure AD integration is active

Issue: Cannot See User Activities

Symptoms: Alert shows no activity details

Solutions:

  1. Verify audit logging is enabled
  2. Check user isn't in privacy exclusion
  3. Confirm reviewer has proper role
  4. Review privacy settings in config
  5. Enable content preview if needed

Additional Resources

| Control | Relationship |
|---|---|
| Control 1.5 | DLP signals for insider risk |
| Control 1.7 | Audit data for detection |
| Control 1.10 | Communication signals |
| Control 1.8 | Threat detection correlation |
| Control 4.5 | SharePoint monitoring |

Support & Questions

For implementation support or questions about this control, contact:

  • Insider Risk Team: Policy configuration and tuning
  • HR: Data connector and departing user coordination
  • Legal: Investigation procedures and escalation
  • Security Operations: Alert triage and response

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification