Insider risk management, what, why and how

What is insider risk management?

Insider risk management is a solution that, for example, helps prevent leavers from taking valuable company data with them when they go.

There are also options that lower the privacy risk for the users being monitored, for example anonymizing usernames.

Compliance analysts and investigators can easily use Microsoft Teams for collaboration on insider risk management cases. They can coordinate and communicate with other stakeholders in Microsoft Teams to:

  • Coordinate and review response activities for cases in private Teams channels
  • Securely share and store files and evidence related to individual cases
  • Track and review response activities by analysts and investigators

After Microsoft Teams is enabled for insider risk management, a dedicated Microsoft Teams team is created every time an alert is confirmed and a case is created. By default, the team automatically includes all members of the Insider Risk Management, Insider Risk Management Analysts, and Insider Risk Management Investigators role groups (up to 100 initial users). Additional organization contributors may be added to the team after it is created and as appropriate. For existing cases created before enabling Microsoft Teams, analysts and investigators can choose to create a new Microsoft Teams team when working in a case if needed. Once you resolve the associated case in insider risk management, the team is automatically archived (moved to hidden and read-only).

Enable Unified Audit Logging

Check if logging is enabled in your tenant.

Connect to Compliance center with PowerShell

And run Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

If it’s disabled, connect to Exchange Online PowerShell and run Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

And it’s turned on.

It should be enabled by default, but it is better to check than to be sorry.
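The check-and-enable steps above, put together as one script. This is an added example, not the original post's code; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account has the Exchange Online role needed to change audit configuration, and that the UPN below is a placeholder. It goes one step beyond the post by also pulling a few recent audit records to confirm that events are actually being ingested.

```powershell
# Added example (not from the original post): verify that unified audit log
# ingestion is on, enable it if it is not, and confirm records are flowing.
Import-Module ExchangeOnlineManagement

# Interactive sign-in to Exchange Online PowerShell. The UPN is a placeholder.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# Step 1: read the current setting (this is the Get shown in the post).
$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log ingestion is already enabled.'
}
else {
    # Step 2: turn it on (this is the Set shown in the post).
    Write-Host 'Unified audit log ingestion is disabled - enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Re-read the setting so the script reports what the tenant now says.
    $config = Get-AdminAuditLogConfig
    Write-Host ("UnifiedAuditLogIngestionEnabled is now: {0}" -f $config.UnifiedAuditLogIngestionEnabled)
}

# Step 3: the flag alone does not prove events are arriving. Pull up to five
# records from the last 24 hours; an empty result on a freshly enabled tenant
# is normal, because ingestion can lag behind the setting change.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5
if ($recent) {
    Write-Host ("Ingestion confirmed: {0} recent record(s) found, e.g. {1}" -f $recent.Count, $recent[0].Operations)
}
else {
    Write-Warning 'No audit records returned yet. Re-run this check later before relying on insider risk policies.'
}

Disconnect-ExchangeOnline -Confirm:$false
```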

Data theft policy

I will be covering data theft protection as an example.

Name your policy

Choose your users

Then choose the locations that will be prioritized. This is not mandatory.

Then choose the locations that will trigger High risk alerts. Again, this is not mandatory.

Then choose the sensitive info types that will be treated as high risk, for example if you have a trainable classifier for a customer data set.

Then choose the labels you have applied to your content through Information protection. Again, this is not mandatory.

Then choose the triggering event: an HR connector (if you have created one) or Azure AD user account deletion.

If you want to use policy indicators, you have to enable them manually before they can be selected.

Device onboarding

If you want to use device indicators, you have to onboard the devices to Compliance Manager.

This takes some time; I will get back to it in the next posts.

Continuing the policy creation

You can choose the thresholds for your indicators or use the default ones.

Oh wait, there is a warning.

And these are required.

So, as you can see, devices need to be onboarded, so I will disable it for now by removing the following.

Then all is good; just review and finish.

When done, you can go to the alerts page to see any High risk alerts.

Next part will be covering the alerts and device onboarding.

Part two here https://www.cloudpartner.fi/?p=2132

Author: Harri Jaakkonen
