Learn about and configure insider risk management browser signal detection - Microsoft Purview (compliance) (2023)

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in Microsoft Edge and Google Chrome browsers. With these signals, analysts and investigators can quickly act when any of the following activities are performed by in-scope policy users when using these browsers:

  • Files copied to personal cloud storage
  • Files printed to local or network devices
  • Files transferred or copied to a network share
  • Files copied to USB devices
  • Browsing risky websites

Signals for these events are detected in Microsoft Edge using built-in browser capabilities and using the Microsoft Compliance Extension add-on. In Google Chrome, customers use the Microsoft Compliance Extension for signal detection.

The following table summarizes detected activities and extension support for each browser:

Detected activities | Microsoft Edge | Google Chrome
--- | --- | ---
Files copied to personal cloud storage | Native | Extension
Files printed to local or network devices | Native | Extension
Files transferred or copied to a network share | Extension | Extension
Files copied to USB devices | Extension | Extension
Browsing risky websites | Extension | Extension

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Common requirements

Before installing the Microsoft Edge add-on or Google Chrome extension, customers need to ensure that devices for in-scope policy users meet the following requirements:

  • Latest Windows 10 x64 build is recommended, minimum Windows 10 x64 build 1809 for signal detection support. Browser signal detection isn't currently supported on non-Windows devices.
  • Current Microsoft 365 subscription with insider risk management support.
  • Devices must be onboarded to the Microsoft Purview compliance portal.

For specific browser configuration requirements, see the Microsoft Edge and Google Chrome sections later in this article.

Additional requirements

If you're using policies based on the Risky browser usage template, at least one Browsing indicator must be selected in Insider risk management > Settings > Policy indicators.

Configure browser signal detection for Microsoft Edge

Microsoft Edge browser requirements

  • Meet the common requirements
  • Latest Microsoft Edge x64, version (91.0.864.41 or higher)
  • Latest Microsoft Compliance Extension add-on (1.0.0.44 or higher)
  • Edge.exe is not configured as an unallowed browser

Option 1: Basic setup (recommended for testing with Edge)

Use this option to configure a single machine selfhost for each device in your organization when testing browser signal detection.

For the basic setup option, complete the following steps:

  1. Navigate to Microsoft Compliance Extension.
  2. Install the extension.

Option 2: Intune setup for Edge

Use this option to configure the extension and requirements for your organization using Intune.

For the Intune setup option, complete the following steps:

  1. Sign-in to the Microsoft Endpoint Manager Admin Center using Administrator permissions.
  2. Navigate to Configuration Profiles.
  3. Select Create Profile.
  4. Choose Windows 10 as the platform.
  5. Choose Administrative Templates as Profile type and select Create.
  6. Select the Settings tab.
  7. Select Edge Version 77 and later.
  8. Search for Extensions which gives you an overview of all extension-related settings.
  9. Select the setting Control which extensions are installed silently.
  10. Select Enabled.
  11. Add the extension ID when prompted: lcmcgbabdcbngcbcfabdncmoppkajglo
  12. Select OK.

Option 3: Group Policy setup for Edge

Use this option to configure the extension and requirements organization-wide using Group Policy.

For the Group Policy setup option, complete the following steps:

Step 1: Import the latest Microsoft Edge Administrative Template (.admx) file.

Devices must be manageable using Group Policies and all Microsoft Edge Administrative Templates need to be imported into the Group Policy Central Store. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Step 2: Add the Microsoft Compliance Extension add-on to the Force Install list.

Complete the following steps to add the extension:

  1. In the Group Policy Management Editor, navigate to your Organizational Unit (OU).
  2. Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Microsoft Edge > Extensions. This path may vary depending on the configuration of your organization.
  3. Select Configure which extensions are installed silently.
  4. Right-click and select Edit.
  5. Check the Enabled radio button.
  6. Select Show.
  7. For Value, add the following entry: lcmcgbabdcbngcbcfabdncmoppkajglo;https://edge.microsoft.com/extensionwebstorebase/v1/crx
  8. Select OK and then select Apply.

Configure browser signal detection for Google Chrome

Insider risk management browser signal detection support for Google Chrome is enabled through the Microsoft Compliance Extension. This extension also supports Endpoint DLP on Chrome. For more information about Endpoint DLP support, see Get started with the Microsoft Compliance Extension (preview).

Google Chrome browser requirements

  • Meet common requirements
  • Latest version of Google Chrome x64
  • Latest Microsoft Compliance Extension version (2.0.0.183 or higher)
  • Chrome.exe is not configured as an unallowed browser

Option 1: Basic setup (recommended for testing with Chrome)

Use this option to configure single machine selfhost for each device in your organization when testing browser signal detection.

For the basic setup option, complete the following steps:

Step 1: Enable required Registry keys with PowerShell

Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force

Important

These registry keys are required to ensure proper functionality of the extension. You must enable these registry keys before testing any signals.

Step 2: Install the Microsoft Compliance Extension

  1. Navigate to Microsoft Compliance Extension.
  2. Install the extension.

Option 2: Intune setup for Chrome

Use this option to configure the extension and requirements for your organization using Intune.

For the Intune setup option, complete the following steps:

Step 1: Enable required Registry key with Intune

  1. Run the following PowerShell script:

    Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force

  2. Sign-in to the Microsoft Endpoint Manager Admin Center.

  3. Navigate to Devices > Scripts and select Add.

  4. Browse to the location of the script created when prompted.

  5. Select the following settings:

    • Run this script using the logged-on credentials: Yes
    • Enforce script signature check: No
    • Run script in 64-bit PowerShell Host: Yes
  6. Select the appropriate device groups and apply the policy.

Step 2: Configure Intune Force Install

Before adding the Microsoft DLP Chrome extension to the list of force installed extensions, you must install the Chrome Administrative Template (.admx) file for Intune management. For step-by-step guidance, see Manage Chrome Browser with Microsoft Intune. After installing the Administrative Template file, complete the following steps:

  1. Sign-in to the Microsoft Endpoint Manager Admin Center.

  2. Navigate to Configuration Profiles.

  3. Select Create Profile.

  4. Choose Windows 10 as the Platform.

  5. Choose Custom as the Profile type.

  6. Select the Settings tab.

  7. Select Add.

  8. Enter the following policy information:

    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
    • Data type: String
    • Value: <enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000; echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx"/>
  9. Select Create.

Option 3: Group Policy setup for Chrome

Use this option to configure the extension and requirements organization-wide using Group Policy.

For the Group Policy setup option, complete the following steps:

Step 1: Import the Chrome Administrative Template file

Your devices must be manageable using Group Policy and all Chrome Administrative Templates need to be imported into the Group Policy Central Store. For more information, see How to create and manage the Central Store for Group Policy Administrative Templates in Windows.

Step 2: Enable required Registry key with PowerShell

  1. Create a PowerShell script with the following contents:

    Get-Item -path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration" | New-ItemProperty -Name DlpDisableBrowserCache -Value 0 -Force
  2. Open the Group Policy Management Console and navigate to your organizational unit (OU).

  3. Right-click and select Create a GPO in this domain and link it here. When prompted, assign a descriptive name to this Group Policy Object (GPO). For example, DLP Chrome Immediate PowerShell Script.

  4. After creating the GPO, right-click and select Edit. This selection takes you to the Group Policy Object.

  5. Navigate to Computer configuration > Preferences > Control panel settings > Scheduled tasks.

  6. Right-click on the blank area under Scheduled Tasks and select New > Immediate Task (at least Windows 7).

  7. Enter a task Name and Description.

  8. Choose the corresponding account to run the immediate task. For example, NT Authority.

  9. Select Run with highest privileges.

  10. Configure the policy for Windows 10.

  11. On the Actions tab, choose Start a program.

  12. Enter the path to the program/script created in Step 1.

  13. Select Apply.

Step 3: Add the Chrome extension to the Force Install list

  1. In the Group Policy Management Editor, navigate to your organizational unit (OU).
  2. Expand the following path Computer/User configuration > Policies > Administrative templates > Classic administrative templates > Google > Google Chrome > Extensions. This path may vary depending on the configuration for your organization.
  3. Select Configure the list of force installed extensions.
  4. Right-click and select Edit.
  5. Select the Enabled radio button.
  6. Select Show.
  7. For Value, add the following entry: echcggldkblhodogklpincgchnpgcdco;https://clients2.google.com/service/update2/crx
  8. Select OK and then select Apply.

Test and verify insider risk management browser signal detections

  1. Create an insider risk management policy with device indicators enabled.

  2. To test signal detection for files copied to personal cloud storage, complete the following steps from a supported Windows device:

    • Open a file sharing website (Microsoft OneDrive, Google Drive, etc.) with the browser type that you've configured for signal detection.
    • With the browser, upload a non-executable file to the website.
  3. To test signal detection for files printed to local or network devices, files transferred or copied to a network share, and files copied to USB devices, complete the following steps from a supported Windows device:

    • Open a non-executable file directly in the browser. The file must be opened directly through File Explorer or opened in a new browser tab for viewing rather than a webpage.
    • Print the file.
    • Save the file to a USB device.
    • Save the file to a network drive.
  4. After your first insider risk management policy is created, you'll start to receive alerts from activity indicators after about 24 hours. Check the Alerts dashboard for insider risk management alerts for the tested activities.
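
One way to confirm on a test device that the requirements and settings from this article are in place before waiting on alerts. This is an added example, not part of the original article; it assumes that force-installed extension entries appear under the browsers' standard policy registry keys (under HKLM or HKCU) and that Edge is installed in its default per-machine path. The function names are hypothetical.

```powershell
# Added example, not part of the original article. Run in 64-bit PowerShell on the device.
# Assumptions: force-install policy lands under the standard browser policy registry
# keys, and Edge is installed in its default per-machine location.

$ExtensionPolicies = @(
    @{ Browser = 'Microsoft Edge'; Id = 'lcmcgbabdcbngcbcfabdncmoppkajglo'
       Key = 'SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist' },
    @{ Browser = 'Google Chrome';  Id = 'echcggldkblhodogklpincgchnpgcdco'
       Key = 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist' }
)

# Returns the policy key that force-installs the extension, or $null if none does.
function Find-ForceInstallEntry {
    param([string]$PolicyKey, [string]$ExtensionId)
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "$hive\$PolicyKey"
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            # Each value holds "<extension id>;<update URL>"
            $entry = [string]$key.GetValue($name)
            if (($entry -split ';')[0].Trim() -eq $ExtensionId) { return $path }
        }
    }
    return $null
}

function Get-BrowserSignalReadiness {
    $results = @()

    # Common requirement: Windows 10 x64, minimum build 1809 (build number 17763)
    $os = [System.Environment]::OSVersion.Version
    $results += [pscustomobject]@{
        Check  = 'Windows 10 x64, build 1809 or later'
        Pass   = ([System.Environment]::Is64BitOperatingSystem -and $os.Major -ge 10 -and $os.Build -ge 17763)
        Detail = $os.ToString() }

    # Edge requirement: version 91.0.864.41 or higher
    $edgeExe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
    $edgeVer = if (Test-Path -Path $edgeExe) { (Get-Item -Path $edgeExe).VersionInfo.ProductVersion } else { $null }
    $results += [pscustomobject]@{
        Check  = 'Microsoft Edge 91.0.864.41 or higher'
        Pass   = [bool]($edgeVer -and [version]$edgeVer -ge [version]'91.0.864.41')
        Detail = if ($edgeVer) { $edgeVer } else { 'msedge.exe not found at default path' } }

    # Chrome setup: DlpDisableBrowserCache must exist and be 0 (stored as string or DWORD)
    $dlpPath = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration'
    $dlp = (Get-ItemProperty -Path $dlpPath -Name DlpDisableBrowserCache -ErrorAction SilentlyContinue).DlpDisableBrowserCache
    $results += [pscustomobject]@{
        Check  = 'DlpDisableBrowserCache = 0 (Chrome setup)'
        Pass   = ($null -ne $dlp -and [string]$dlp -eq '0')
        Detail = if ($null -ne $dlp) { "value: $dlp" } else { 'value not set' } }

    # Force-install list contains the Microsoft Compliance Extension ID for each browser
    foreach ($p in $ExtensionPolicies) {
        $found = Find-ForceInstallEntry -PolicyKey $p.Key -ExtensionId $p.Id
        $results += [pscustomobject]@{
            Check  = "$($p.Browser): extension $($p.Id) force-installed"
            Pass   = ($null -ne $found)
            Detail = if ($found) { $found } else { 'no matching policy entry' } }
    }
    return $results
}

Get-BrowserSignalReadiness | Format-Table -AutoSize -Wrap
```

A device set up with the basic (manual install) option will report the force-install checks as failed, since no policy entry exists in that case.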

FAQs

How do you configure insider risk management?

In the Microsoft Purview compliance portal, go to Insider risk management and select the Policies tab. Select Create policy to open the policy wizard. On the Policy template page, choose a policy category and then select the template for the new policy.

What is Microsoft insider risk management?

Microsoft Purview Insider Risk Management is a compliance solution that helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization.

What are the four phases in Microsoft security risk management process?

Risk management activities fall into four phases: identification, assessment, response, and monitoring and reporting.

What is Microsoft compliance Manager?

Compliance Manager gives you an initial score based on the Microsoft 365 data protection baseline. This baseline is a set of controls that includes key regulations and standards for data protection and general data governance.

What is Microsoft communication Compliance?

Microsoft Purview Communication Compliance is an insider risk solution in Microsoft 365 that helps minimize communication risks by helping you detect, capture, and act on inappropriate messages in your organization.

Which Microsoft 365 compliance feature can you use to encrypt?

Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.

What is eDiscovery Microsoft?

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases.

How does Microsoft protect your data?

With state-of-the-art encryption, Microsoft protects your data both at rest and in transit. Our encryption protocols erect barriers against unauthorized access to the data, including two or more independent encryption layers to protect against compromises of any one layer.

How many days will the insider risk alerts be visible in the dashboard?

The insider risk Alert dashboard allows you to view and act on alerts generated by insider risk policies. Each report widget displays information for the last 30 days.

What is Microsoft purview compliance?

Microsoft Purview helps protect your organization's data with Insider Risk Management, eDiscovery, Communication Compliance, and more.

What is Microsoft purview?

Microsoft Purview provides a unified data governance solution to help manage and govern your on-premises, multicloud, and software as a service (SaaS) data. Easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage.

What is compliance tool?

Compliance tools are software products that automate or facilitate processes and procedures that businesses must have in place to be compliant with industry, legal, security and regulatory requirements.

What are the 5 risk management processes?

Here Are The Five Essential Steps of A Risk Management Process
  • Identify the Risk.
  • Analyze the Risk.
  • Evaluate or Rank the Risk.
  • Treat the Risk.
  • Monitor and Review the Risk.

How do you create a communication compliance policy?

In the Microsoft Purview compliance portal, select Communication compliance. Select the Policies tab. Select Create policy to create and configure a new policy from a template or to create and configure a custom policy.

Is DLP included in E3?

Office 365 and Microsoft 365 E3 include DLP protection for SharePoint Online, OneDrive, and Exchange Online. This also includes files that are shared through Teams because Teams uses SharePoint Online and OneDrive to share files.

How do I create an eDiscovery case in Office 365?

Go to the compliance portal and sign in using the credentials for an admin account in your Microsoft 365 or Office 365 organization. On the Permissions page, select the eDiscovery Manager role group. On the eDiscovery Manager flyout page, click Edit next to the eDiscovery Manager section.

Which three tasks can be performed by using Azure AD identity protection?

Identity Protection allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to other tools.

How do you create a data loss prevention?

Create the DLP policy from a template
  1. Sign in to the Microsoft Purview compliance portal.
  2. In the Microsoft Purview compliance portal > left navigation > Solutions > Data loss prevention > Policies > + Create policy.
  3. Choose the DLP policy template that protects the types of sensitive information that you need > Next.

Which three authentication methods can be used by Azure multi factor authentication?

Available verification methods

The following additional forms of verification can be used with Azure AD Multi-Factor Authentication: Microsoft Authenticator app. Windows Hello for Business. FIDO2 security key.

What is the longest possible time frame that can be configured for insider risk management?

Policy timeframes

The window activates for 1 to 30 days after a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set the Activation window to 30 days.

Can an insider risk alert score be customized?

Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores, and level and frequency of alerts.

Can you use insider risk in Content Explorer?

The insider risk management Content explorer allows users assigned the Insider Risk Management Investigators role to examine the context and details of content associated with activity in alerts. The case data in Content explorer is refreshed daily to include new activity.

What is the longest activation window you can set for insider risk management policy?

You temporarily add a user to your Data leaks insider risk policy and define 30 days as the Activation window for this user. The global Activation window setting of 15 days is overridden by defining the Activation window setting of 30 days for the temporarily added user.

For what period can review the alerts in the insider risk management dashboard?

The insider risk Alert dashboard allows you to view and act on alerts generated by insider risk policies. Each report widget displays information for the last 30 days.

Which users are added to the contributors tab of the case?

Contributors. The Contributors tab in the case is where risk analysts and investigators can add other reviewers to the case. By default, all users assigned the Insider Risk Management Analysts and the Insider Risk Management Investigators roles are listed as contributors for each active and closed case.

What is the risk management policy?

The purpose of the risk management policy is to provide guidance regarding the management of risk to support the achievement of corporate objectives, protect staff and business assets and ensure financial sustainability.

Which type of alert can you manage from the Microsoft 365 Defender Portal?

This article describes security alerts in Microsoft 365 Defender. However, you can use activity alerts to send email notifications to yourself or other admins when users perform specific activities in Microsoft 365. For more information, see Create activity alerts - Microsoft Purview | Microsoft Docs.

What is a characteristic of a sensitivity label in Microsoft 365?

You can configure a sensitivity label to: Encrypt emails and documents to prevent unauthorized people from accessing this data. You can additionally choose which users or group have permissions to perform which actions and for how long.

Where can I find Microsoft 365 Defender?

Get started. Microsoft 365 Defender licensing requirements must be met before you can enable the service in the Microsoft 365 Defender portal at https://security.microsoft.com. For more information, see: Licensing requirements.

Article information

Author: Nathanial Hackett

Last Updated: 02/11/2023
