Configure inline alert customization in Insider Risk Management

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Inline alert customization in Microsoft Purview Insider Risk Management enables you to quickly tune an Insider Risk Management policy directly from the Alert dashboard while reviewing the alert. Alerts are generated when a risk management activity meets the thresholds configured in the related policy. To reduce the number of alerts you get from this type of activity, you can change the thresholds or remove the risk management activity from the policy altogether.

You can enable inline alert customization to allow users assigned to the Insider Risk Management Analysts and Insider Risk Management Investigators role groups to edit policy thresholds and to disable specific indicators. If you don't enable inline alert customization, only users assigned to the Insider Risk Management Admins or Insider Risk Management role groups can edit these policy conditions. Inline alert customization supports alerts regardless of the current alert status, so analysts and investigators can update policies for Dismissed and Resolved alerts if needed.

When the setting is enabled, analysts and investigators can select Reduce alerts for this activity for an alert on the Alert dashboard and view details about the risk management activity and indicators associated with the alert. The portal displays the current policy thresholds for the number of events used to create low, medium, and high severity alerts. If you select Reduce alerts for this activity and a previous policy edit has already changed the threshold or removed the associated indicator, you see a notification message detailing the previous changes to the policy.

Analysts and investigators can choose from the following options on the Reduce alerts for this activity pane to quickly edit the policy that created the alert:

  • Reduce alerts using Microsoft's recommended thresholds: This option automatically increases the thresholds in the policy for you. You can review the new recommended threshold settings before changing the policy.
  • Reduce alerts by choosing your own thresholds: This option lets you manually increase the thresholds for this type of activity for the current and future alerts. You can review the current threshold settings and configure the new threshold settings before changing the policy.
  • Stop getting alerts for this activity: This option removes this indicator from the policy and the risk management activity is no longer detected by the policy. This option applies to all indicators, regardless of whether the indicator is threshold-based.

After choosing an option, analysts and investigators can choose one of two options to update the policy:

  • Save and dismiss alert: Saves the changes to the policy and updates the alert status to Resolved.
  • Save only: Saves the changes to the policy, but the alert status remains the same.

Enable inline alert customization

  1. Sign in to the Microsoft Purview portal with credentials for an admin account in your Microsoft 365 organization.

  2. Select Settings in the upper-right corner of the page.

  3. Select Insider Risk Management to go to the Insider Risk Management settings.

  4. Under Insider risk settings, select Inline alert customization, and then turn on the setting.

  5. Select Save.

    Note

    After turning on the Inline alert customization setting, it takes approximately one hour before inline alert customization is available in new and existing policy alerts.