Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Cases are the core of Insider Risk Management. They let you investigate and act on issues that risk indicators in your policies generate. Create cases manually from alerts when you need to take extra steps to address a compliance-related issue for a user. Each case focuses on one user, and you can add multiple alerts for that user to an existing case or start a new case.
After you investigate the details of a case, you can take action by:
- Sending the user a notice
- Resolving the case as benign
- Sharing the case with your ServiceNow instance or with an email recipient
- Escalating the case for an eDiscovery (Premium) investigation
For an overview of how you investigate and manage cases in Insider Risk Management, see the Insider Risk Management Investigation and Escalation video.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
Cases dashboard
Tip
To see reports for cases, go to the Reports page. Each report widget on the Reports page displays information for the last 30 days:
- Active cases: The total number of active cases under investigation.
- Cases over past 30 days: The total number of cases created, sorted by Active and Closed status.
- Statistics: The average duration of active cases, listed in hours, days, or months.
The Insider Risk Management Cases dashboard enables you to view and act on cases. The case queue lists all active and closed cases for your organization, along with the current status of the following case attributes:
- Case ID: The ID of the case.
- Case name: The name of the case, defined when you confirm an alert and create the case.
- Status: The status of the case, either Active or Closed.
- User: The user for the case. If you enable anonymization for usernames, the portal displays anonymized information.
- Time case opened: The time that has passed since the case was opened.
- Total policy alerts: The number of policy matches included in the case. This number might increase if you add new alerts to the case.
- Case last updated: The time that has passed since a case note was added or the case state was changed.
- Last updated by: The name of the Insider Risk Management analyst or investigator that last updated the case.
Note
If you scope your policies by one or more administrative units, you can only give ownership of a case to Insider Risk Management users with the appropriate role group permissions. The user highlighted in the alert must be in scope of the admin unit. For example, if an administrative scope applies to just users in Germany, the Insider Risk Management user can only see alerts for users in Germany. Unrestricted administrators can see all cases for all users in the organization.
Use the Search control to search for a Case ID or to search for specific text in case names. Use the case filter to sort cases by the following attributes:
- Status
- Time case opened, start date, and end date
- Last updated, start date, and end date
Assign a case
If you're an administrator with the appropriate permissions, you can assign ownership of a case to yourself or to an Insider Risk Management user with the Insider Risk Management, Insider Risk Management Analyst, or Insider Risk Management Investigator role. After you assign a case, you can reassign it to a user with any of the same roles. You can only assign a case to one admin at a time.
After you assign an admin to a case, you can filter the case queue by that admin.
Assign a case from the Cases dashboard
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- On the Cases dashboard, select the cases that you want to assign.
- In the command bar over the cases queue, select Assign.
- On the Assign owner pane on the right side of the screen, search for an admin with the appropriate permissions, and then select the checkbox for that admin.
- Select Assign.
Assign a case from the Cases detail page
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- Select a case.
- In the detail pane for the case, select Assign.
- In the Suggested contacts list, select the appropriate admin.
Filter cases
Depending on the number and type of active Insider Risk Management policies in your organization, reviewing a large queue of cases can be challenging. By using case filters, analysts and investigators can sort cases by several attributes. To filter cases on the Cases dashboard, select the Filter control. You can filter cases by one or more attributes:
- Status: Select one or more status values to filter the case list. The options are Active and Closed.
- Time case opened: Select the start and end dates for when the case was opened.
- Last updated: Select the start and end dates for when the case was updated.
Filter cases, save a view of a filter set, customize columns, or search for alerts
Depending on the number and type of active Insider Risk Management policies in your organization, reviewing a large queue of cases can be challenging. To help you keep track of cases, you can:
- Filter cases by various attributes.
- Save a view of a filter set to reuse later.
- Display or hide columns.
- Search for an alert.
Filter cases
Select Add filter.
Select one or more of the following attributes:
- Assigned to: The admin that the case is assigned to for triaging (if assigned).
- Case last updated: The start and end dates for when the case was last updated.
- Status: The current status of the case. The options are Active and Closed.
- Time case opened: The start and end dates for when the case was opened.
The filter bar shows the attributes that you select.
Select an attribute in the filter bar, then select a value to filter by. For example, select the Last activity date attribute, enter or select the dates in the Start date and End date fields, then select Apply.
Tip
To start over at any point, select Reset all on the filter bar.
Save a view of a filter set to reuse later
After applying the filters described in the preceding procedure, select Save over the filter bar, enter a name for the filter set, and then select Save.
The filter set appears as a card over the filter bar. It includes a number that shows the count of cases that meet the criteria in the filter set.
Note
You can save up to five filter sets. To delete a filter set, select the ellipsis (three dots) in the upper-right corner of the card, then select Delete.
To reapply a saved filter set, select the card for the filter set.
Display or hide columns
On the right side of the page, select Customize columns.
Select or clear the checkboxes for the columns you want to display or hide.
The column settings are saved across sessions and across browsers.
Search for alerts
Use the Search control to search for a user principal name (UPN), an assigned admin name, or an Alert ID.
Investigate a case
Deeper investigation into Insider Risk Management alerts is critical to taking proper corrective actions. Insider Risk Management cases are the central management tool to dive deeper into user risk activity history, alert details, the sequence of risk events, and to explore the content and messages exposed to risks. Risk analysts and investigators also use cases to centralize review feedback and notes and to process case resolution.
Selecting a case opens the case management tools and allows analysts and investigators to dig into the details of cases.
Case overview
The Case overview tab summarizes the case details for risk analysts and investigators. It includes the following information in the About this case area:
- Case ID: The ID of the case.
- Status: The current status of the case, either Active or Closed.
- Case created on: The date and time the case was created.
- User's risk score: The current calculated risk level of the user for the case. The system calculates this score every 24 hours from the alert risk scores of all active alerts associated with the user. When the User is detected as a potential high impact user or User is a member of a priority user group risk booster is enabled under Risk score boosters in the Policy indicators section of the Insider Risk Management settings page, the User details page includes detailed information about the user's calculated risk level.
- Email: The email alias of the user for the case.
- Organization or department: The organization or department that the user is assigned to.
- Manager name: The name of the user's manager.
- Manager email: The email alias of the user's manager.
The Case overview tab also includes an Alerts section that includes the following information about policy match alerts associated with the case:
- Policy matches: The name of the Insider Risk Management policy associated with the match alerts for potentially risky user activity that might lead to a security incident.
- Status: Status of the alert.
- Severity: Severity of the alert.
- Time detected: The time that has passed since the alert was generated.
Alerts
The Alerts tab summarizes the current alerts included in the case. You can add new alerts to an existing case; when you do, they appear in the Alert queue. The queue lists the following alert attributes:
- Alert
- Alert ID
- Status
- Severity
- Time detected
Select an alert from the queue to display the Alert detail page.
Use the search control to search for an Alert ID or specific text in alert names. Use the alert filter to sort alerts by the following attributes:
- Status
- Severity
- Time detected, start date, and end date
Use the filter control to filter alerts by several attributes, including:
- Status: Select one or more status values to filter the alert list. The options are Confirmed, Dismissed, Needs review, and Resolved.
- Severity: Select one or more alert risk severity levels to filter the alert list. The options are High, Medium, and Low.
- Time detected: Select the start and end dates for when the alert was created.
- Policy: Select one or more policies to filter the alerts generated by the selected policies.
User activity
The User activity tab lets risk analysts and investigators review user activity details. It provides a visual representation of all the potentially risky activities associated with risk alerts and cases. Use this information to determine whether those risky activities might lead to a security incident. For example, as part of the alert triage process, analysts might need to review all the risk activities associated with the case for more details. In cases, risk investigators can review user activity details and the bubble chart to help understand the overall scope of the risk activities associated with the case. For more information about the User activity chart, see the Insider Risk Management activities article.
Activity explorer (preview)
The Activity explorer tab enables risk analysts and investigators to review case activity details associated with risk alerts. For example, as part of the case management actions, investigators and analysts might need to review all the risk activities associated with the case for more details. With the Activity explorer, reviewers can quickly examine a timeline of detected potentially risky activity and identify and filter all risk activities associated with alerts.
For more information about the Activity explorer, see the Insider Risk Management activities article.
Forensic evidence
The Forensic evidence tab enables risk investigators to review visual captures associated with risk activities included in cases. For example, as part of the case management actions, investigators might need to help clarify the context of the user activity under review. Viewing the actual clips of the activity can help the investigator determine if the user activity is potentially risky and might lead to a security incident.
For more information about forensic evidence, see the Learn about Insider Risk Management forensic evidence article.
Content explorer
The Content explorer tab enables risk investigators to review copies of all individual files and email messages associated with risk alerts. For example, if an alert is created when a user downloads hundreds of files from SharePoint Online and the activity triggers a policy alert, the case captures and copies all the downloaded files for the alert to the Insider Risk Management case from original storage sources.
The Content explorer is a powerful tool with basic and advanced search and filtering features. To learn more about using the Content explorer, see Insider Risk Management Content explorer.
Case notes
Risk analysts and investigators use the Case notes tab in a case to share comments, feedback, and insights about their work for the case. Notes are permanent additions to a case. After saving a note, you can't edit or delete it. When you create a case from an alert, the comments you enter in the Confirm alert and create insider risk case dialog box automatically become a case note.
The case notes dashboard shows each note with the user who created it and the time that has passed since the note was saved. To search the case note text field for a specific keyword, use Search on the case dashboard and enter the keyword.
Add a case note
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- Select a case, then select the Case notes tab.
- Select Add case note.
- In the Add case note dialog box, type the note.
- Select Save to add the note to the case.
Contributors
The Contributors tab in the case is where risk analysts and investigators can add other reviewers to the case. By default, all users assigned the Insider Risk Management Investigators and the Insider Risk Management roles are listed as contributors for each active and closed case.
You can grant temporary access to a case by adding a user as a contributor, but with the following restrictions:
- Analysts and investigators can add contributors.
- You can't add analysts as contributors.
- Contributors can't add contributors.
Contributors have all case management control on the specific case except for:
- Permission to confirm or dismiss alerts.
- Permission to edit the contributors for cases.
Add a contributor to a case
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- Select a case, then select the Contributors tab.
- Select Add contributor.
- In the Add contributor dialog box, start typing the name of the user you want to add, then select the user from the suggested user list. This list comes from the Microsoft Entra ID of your tenant subscription.
- Select Add to add the user as a contributor.
Case actions
Risk investigators can take action on a case in one of several ways, depending on the severity of the case, the user's risk history, and the risk guidelines of your organization. In some situations, you might need to escalate a case to a user or data investigation to collaborate with other areas of your organization and to dive deeper into risk activities. Insider Risk Management is tightly integrated with other Microsoft Purview solutions to help you with end-to-end resolution management.
Send email notice
In most cases, user actions that create insider risk alerts are inadvertent or accidental. Sending a reminder notice to the user by email is an effective method for documenting case review and action. This method reminds users of corporate policies or points them to refresher training. You generate notices from notice templates that you create for your Insider Risk Management infrastructure.
Remember that sending an email notice to a user doesn't set the case status to Closed. In some cases, you might want to leave a case open after sending a notice so you can watch for further risk activity without opening a new case. If you want to resolve a case after sending a notice, select Resolve case as a follow-on step.
Send a notice to the user assigned to a case
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- Select a case, then select Send email notice on the case action toolbar.
- In the Send e-mail notice dialog box, select the Choose a notice template dropdown control to select the notice template for the notice. This selection pre-fills the other fields in the notice.
- Review the notice fields and update as appropriate. The values you enter override the values in the template.
- Select Send to send the notice to the user. All sent notices are added to the case notes queue on the Case notes dashboard.
Escalate for investigation
Escalate the case for user investigation when you need extra legal review for the user's risk activity. This escalation opens a new Microsoft Purview eDiscovery (Premium) case in your Microsoft 365 organization. eDiscovery (Premium) provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external legal investigations. It also lets your legal team manage the entire legal hold notification workflow to communicate with custodians involved in a case. Escalating to an eDiscovery (Premium) case from an Insider Risk Management case helps your legal team take appropriate action and manage content preservation. For more information about eDiscovery (Premium) cases, see Overview of Microsoft Purview eDiscovery (Premium).
Escalate a case to a user investigation
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- Select a case, then select Escalate for investigation on the case action toolbar.
- In the Escalate for investigation dialog box, enter a name for the new user investigation. If needed, enter notes about the case, then select Escalate.
- Review the notice fields and update as appropriate. The values you enter override the values on the template.
- Select Confirm to create the user investigation case.
After you escalate the Insider Risk Management case to a new user investigation case, you can review the new case in the eDiscovery > Advanced area in the Microsoft Purview portal.
Run automated tasks with Power Automate flows for the case
Using recommended Power Automate flows, risk investigators and analysts can quickly take action to:
- Request information from HR or business about a user in an insider risk case.
- Notify manager when a user has an insider risk alert.
- Create a record for an Insider Risk Management case in ServiceNow.
- Notify users when they're added to an insider risk policy.
To run, manage, or create Power Automate flows for an Insider Risk Management case:
- Select Automate on the case action toolbar.
- Choose the Power Automate flow to run, then select Run flow.
- After the flow completes, select Done.
For more information about Power Automate flows for Insider Risk Management, see Getting started with Insider Risk Management settings.
View or create a Microsoft Teams team for the case
When you enable Microsoft Teams integration for Insider Risk Management in settings, the solution automatically creates a Microsoft Teams team every time you confirm an alert and create a case. Risk investigators and analysts can quickly open Microsoft Teams and navigate directly to the team for a case by selecting View Microsoft Teams team on the case action toolbar.
For cases opened before you enabled Microsoft Teams integration, risk investigators and analysts can create a new Microsoft Teams team for a case by selecting Create Microsoft Teams team on the case action toolbar.
When you resolve a case, the solution automatically archives the associated Microsoft Teams team (hides it and makes it read-only).
For more information about Microsoft Teams for Insider Risk Management, see Getting started with Insider Risk Management settings.
Resolve the case
After risk analysts and investigators complete their review and investigation, resolve a case to act on all the alerts currently included in the case. Resolving a case adds a resolution classification, changes the case status to Closed, and automatically adds the resolution action reasons to the case notes queue on the Case notes dashboard. Resolve cases as either:
- Benign: The classification for cases where policy match alerts are evaluated as low risk, non-serious, or false positive.
- Confirmed policy violation: The classification for cases where policy match alerts are evaluated as risky, serious, or the result of malicious intent.
Resolve a case
- Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.
- Go to the Insider Risk Management solution.
- Select Cases in the left navigation.
- Select a case, then select Resolve case on the case action toolbar.
- In the Resolve case dialog box, select the Resolve as dropdown control to select the resolution classification for the case. The options are Benign or Confirmed policy violation.
- In the Resolve case dialog box, enter the reasons for the resolution classification in the Action taken text field.
- Select Resolve to close the case.