Enable Insider Risk Analytics in Microsoft Purview – Part 6 – Cloud Build


If you missed the previous parts, here they are:

Part 1: Introduction to Microsoft Purview
Part 2: Microsoft Purview Portal
Part 3: Microsoft Purview Roles and Scopes
Part 4: Turn on audit logs in Microsoft Purview
Part 5: Microsoft Purview Device Onboarding

In this blog post, I’ll walk you through step-by-step instructions on how to enable Microsoft Purview Insider Risk Analytics and configure data sharing to help your organisation proactively manage insider threats.

What is Microsoft Purview Insider Risk

Before diving into the steps to enable analytics and data sharing, it’s important to first provide a brief overview of Microsoft Purview Insider Risk. I’ll be exploring Microsoft Purview Insider Risk in more detail later in this blog series.

Organisations are facing growing challenges not only from external threats but increasingly from within the organisation. Microsoft Purview Insider Risk Management is a powerful solution designed to help organisations detect, investigate, and mitigate insider risks, whether those actions are accidental or intentional.

Microsoft Purview Insider Risk Management correlates various signals to identify insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized (where user identities are hidden or replaced with fake names) by default.

Why It Matters:

According to Microsoft’s Data Security Index 2024, insider threats are a major concern:

  • 63% of all data breaches originate from insider activity.
  • 93% of organisations report being concerned about insider risks.

These statistics show why it’s so important for organisations to take a proactive approach to insider risk management. Microsoft Purview Insider Risk Management can play a key role in helping to detect and respond to these risks early.

Common Use Cases:

Microsoft Purview Insider Risk Management helps organisations spot and respond to risky activities before they become serious issues. Here are some everyday examples:

  • Employees leaving the company: A staff member downloads sensitive files or sends them to personal email just before resigning.
  • Disgruntled or upset employees: Someone unhappy with their role starts accessing confidential data and uploading large amounts of data to personal cloud storage.
  • Data theft: An employee tries to copy files to a USB drive without permission.
  • Cross-team investigations: HR, legal, and security teams can work together to understand and respond to suspicious behaviour.

I’ll go into more detail about Microsoft Purview Insider Risk later in this blog series, but first, let’s look at how to enable Insider Risk analytics and data sharing.

This is a crucial first step as it enables organisations to evaluate potential insider risks without configuring any insider risk policies. Once enabled, analytics can highlight risky user activity, generate severity scores, and share insights with tools like Data Loss Prevention (DLP), Communication Compliance, and Microsoft Defender (more on these features later in the series). These insights help build a strong foundation for managing insider risks effectively.

1. Access purview.microsoft.com

2. Click Solutions from the left pane and then Insider Risk Management

Image 1

3. Click Data sharing from the left pane

4. Turn on Share user risk details with other security solutions and click Save

When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and Microsoft Defender. The data shared is based on user activities detected by Insider Risk Management policies and user-level analytics. I’ll enable user-level analytics in the next step, as it’s a required configuration for sharing user risk details with other security solutions.

Export alert details to SIEM services: I will leave this option off. This option allows the export of alert details to third-party SIEM solutions.

Image 3

5. Click Analytics from the left pane and turn on both settings to get complete coverage of insights across the tenant and from different security solutions.

– Show insights at tenant level
When enabled, this setting aggregates data across the organisation and displays it in analytics reports. It doesn’t provide detailed user-level insights or integrate with other security tools like DLP (Data Loss Prevention) or Microsoft Defender. Microsoft recently introduced user-level insights to address this gap.

Note: User-level insights cannot be enabled on their own; tenant-level insights must be turned on first. Disabling tenant-level insights will also disable user-level insights.

– Show insights at user level
This works with the data sharing option I enabled in the previous step. User-level analytics provide insights for all eligible users in your organisation, including those not covered by any Insider Risk Management policy. When investigating alerts in Microsoft Defender, DLP, or Communication Compliance, analysts with the right permissions automatically gain access to user-level data, helping improve risk assessments. I’ll explore Insider Risk policies later in this blog series.

Image 2

A close-up of the options is shown below. To gain the most complete insights, I’ll be enabling both tenant-level and user-level analytics.

Note: Tenant-level analytics must be turned on before enabling user-level analytics. If tenant-level analytics is disabled, user-level analytics will also be turned off.

Additionally, data sharing must be enabled alongside user-level analytics. I enabled data sharing in the previous step.

6. Enable both and click Save

Note: To enable insider risk user-level analytics, you must be a member of the Insider Risk Management, Insider Risk Management Admins, or Microsoft 365 Global admin role group.

Image 4

That’s it for this part of the blog series. I’ll explore Insider Risk policies in more detail later in the series.

Stay tuned for Part 7! Don’t forget to subscribe to new posts so you’re notified by email when the next one is published.
