3.0 Pre-Course Essentials: Key Notes and Guide

This module acts as an additional resource, offering important notes and a quick guide through the Purview portal. To gain a better understanding, you should complete this module before starting the official 4-module course.

Microsoft Purview

• Microsoft Purview is a data governance and compliance solution designed to help organizations manage and secure their data across various platforms.
• It offers capabilities such as data cataloging, data classification, and risk management to ensure data compliance and protection. By providing a unified view of data assets, it helps organizations maintain control over their data landscape.
• Data cataloging is listing and describing data
• Data classification is sorting data by sensitivity or importance.

Data Loss Prevention (DLP) Alerts

• Purpose: Notify when sensitive information is detected or when DLP policies are violated.
• Sources: Microsoft Purview Compliance or Microsoft Defender for Cloud Apps.
• if we deploy in one the other will also be deployed in
• Usage:
• Identify and investigate data loss incidents.
• Monitor and enforce compliance with DLP policies.
• Educate users about DLP policies and help them stay compliant.
• Management: View and manage alerts in Microsoft Purview compliance portal or Microsoft Defender for Cloud Apps portal.
• Features:
• Alerts can be filtered and sorted.
• Valuable for security operations analysts to protect sensitive information and comply with regulations.

Definition and Components

Insider Risk Management

• Insider Risk Management in Microsoft helps detect, investigate, and respond to potential risks from within an organization, such as data leaks or policy violations. It uses advanced analytics and machine learning to identify unusual behaviors and mitigate insider threats.
• Example Policy: Departing employee data theft.
• Policy Settings:
• Privacy: Anonymize usernames.
• Indicators: Sharing files from SharePoint Online, downloading content, copying to USB or cloud, printing documents.

Manage Insider Risk In Microsoft Purview

Traditional Approaches to Identifying Insider Risks

• Features:
• User behavior analytics
• Monitoring user activity
• Data loss prevention
• Limitations:
• Complex deployment scenarios
• Limited insights
• Lack of workload integration beyond SECOPS
• Security Operations is a collaboration between IT security and operations teams that integrates tools, processes, and technology to keep an enterprise secure while reducing risk.

Purview Provides Protection From Internal Risk

• Real-Time Native Signals:
• File activity
• Communications sentiment
• Abnormal user behaviors
• Resignation date
• Policy Templates, Configurable and tailored for risks such as:
• Digital IP theft
• Confidentiality breach
• HR violations
• Machine Learning and Intelligence:
• Correlate signals to identify hidden patterns and risks that traditional or manual methods might miss
• Insider Risk Leveraged Components:
• Microsoft Graph
• Microsoft Graph is a unified API endpoint that provides access to a wide range of data and insights from across Microsoft 365 services. It enables integration with various Microsoft applications, such as Office 365, Azure Active Directory, and more
• Security services and connectors to human resources (HR) systems like SAP

Table Of Insider Risk Management Role Groups:

• Insider Risk Management Admin: Configure features and assign permissions.
• Insider Risk Management Analysts: Access and investigate alerts and cases.
• Insider Risk Management Investigators: Access and investigate all alerts, cases, and templates.

Policy Creation and Management

1. Go to Microsoft Purview Compliance Portal.
2. Click Insider Risk Management.
3. Click Policies.
4. Click Create Policy.
5. Select Policy Template.
6. Configure Settings.
7. Click Create.

Forensic Evidence Management

Create Insider Risk Management Notice Templates

• Automatically email users when their actions match a policy, confirm an alert, and trigger case creation.
• Alerts often stem from mistakes or unintentional actions.
• Notices serve as reminders to exercise caution and include links to training resources or corporate policies.
• Help create a documented audit trail for users who repeatedly engage in risky behaviors.
• Notices can only be sent to the email address associated with the specific case.
• Notice templates can be used with predefined field values or customized as needed.

Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview Standard

Differences between Audit (Standard) and Audit (Premium)

• Audit (Standard): Basic logging capabilities, default enabled.
• Audit (Premium): Advanced features, long-term retention, forensic investigations.
• Audit Log Retention Policies: Define how long audit logs are kept to meet regulatory or legal requirements.
• Forensic Investigations: Use Audit (Premium) to investigate security incidents by searching, filtering, and exporting audit log events.

Searching for Audited Activities:

• Use the audit log search tool in the Microsoft Purview compliance portal for a unified audit log of Microsoft 365 services.
• Exporting and Configuring Audit Logs:
• Export search results to a CSV file.
• Configure the tool to display specific fields and filter results.
• Investigating Support Issues:
• Use audit log searches to address issues with user accounts, permissions, and file access.

Microsoft Purview (Premium):

• A cloud-based compliance solution for managing data and meeting compliance requirements.
• Features include audit logging, data loss prevention, and eDiscovery.
• Content Search: Search mailboxes for imported third-party data, refine results using search queries, and export the findings.
• eDiscovery (Standard): Build on search and export functions by creating cases, controlling access to case data, and placing holds on relevant mailboxes or data.
• eDiscovery (Premium): Expands on eDiscovery (Standard) by managing custodians, placing their data on hold, and reviewing it for detailed analysis, including theme detection and duplicate identification.

To investigate threats using audit, follow these steps:

1. Identify the threat to investigate.
2. Determine relevant audit logs.
3. Search audit logs for suspicious activity.
4. Analyze logs to identify the root cause.
5. Take action to remediate and prevent recurrence.

What is Content Search?

• Content search is a tool for searching across Microsoft 365, including email, documents, and instant messaging.
• It helps investigate threats, troubleshoot issues, and comply with regulations.

eDiscovery Location search

• Exchange Online
• OneDrive for Business
• SharePoint Online
• Microsoft Teams
• Microsoft 365 Groups
• Yammer teams.

Content Search and eDiscovery

• Content Search: Search for and export imported third-party data in mailboxes using queries.
• eDiscovery (Standard): Create cases, control access, and place holds on mailboxes or data.
• eDiscovery (Premium): Manage custodians, place their data on hold, and review it for detailed analysis, including detecting themes and duplicates.

Practical Part

Create a policy from a template policy

1. opening the purview portal

2. going to the DLP section

1. overview about DLP analytics, alerts, polices, classifiers, etc.
2. classifiers: to classify data in way DLP polices will use to detect data

3. click on polices then create policy ( we want compliance admin role to create a policy )
1. templates for the polices

2. check each policy template with it’s related regulations that can be used

1. we need to check what information does its protect, and if it meets our standards

4. let’s start with GDPR

5. select the name and the description

6. restrict the policy to be matched on some users that are registered inside the Entra-ID

1. default is full directory as all the users we have
7. select the data location to apply the policy on and what is the scope of users


8. Then follow up the steps …

Create a policy as custom policy

1. select the name and the description

2. select the admin units

3. select the data locations to apply the policy on

4. as we didn’t select a template then we need to make the customization manually as advanced customization DLP rule

5. create new rule

6. select the name, description, conditions
• confidence means how confidence level am I towards this policy that I’m making


7. select the specific action to take when the policy is triggered

8. select the audit action

9. select the severity level to notify the admin

10. overview of the created rule

11. select the policy mode

1. on, off, or simulation
2. simulation meaning we are going to test the policy without any taken actions, for 14 Days
12. review and finish the policy

Insider Risk Management

1. select the insider risk management form the portal

1. overview and recommended actions to follow

2. select the name and description

3. select the users

4. exclude users

5. we can make some priorities and how to apply this policy


6. select the priority depend on the sensitivity labels

7. select what alerts we want to receive as depending on the whole policy or sensitivity labels, etc.

8. what action needs to be preformed in order to trigger the policy

9. select the intended IOC


10. at the end we have the IOC threshold, to select when do we get alerts on how many times the policy must be triggered in order to generate an alert or notify about a risky user

Information Protection

1. we select the sensitivity labels in order to classify the data, by user or automatically

2. create a label, with related name, description and priority

3. what does it cover as the scope

4. select the protection settings

5. select the permissions and when does it expires

6. follow up the steps …
7. how does it shows

1. the user scope with information related type and location

Classifiers

1. classifiers automatically categorize and tag data based on its content and context, helping to organize and identify sensitive information, it should be trained on data in order to know it later, using ML
2. Policies on the other hand, enforce data governance rules like retention and access controls, ensuring proper data management and compliance with regulations, it uses the classifiers to know the matching data