# Monitoring & Investigation
With oversharing remediated and access controls in place, this section establishes ongoing visibility into user activities and enables legal response capabilities.
## Insider Risk & Audit {#insider-risk}
Deploy Insider Risk Management for behavioral analytics and leverage Audit (Premium) for forensic investigations.
### Insider Risk Management Overview
IRM uses signals from across M365 to detect risky behaviors:
| Signal Source | Examples |
|---|---|
| Email | Unusual attachment volume, external sends |
| Files | Mass downloads, USB copies, cloud uploads |
| Identity | Sign-ins from new locations, privilege escalation |
| HR Events | Resignation dates, performance issues |
### Policy Templates
| Template | Detects |
|---|---|
| Data theft by departing users | Exfiltration when employees resign |
| Data leaks | Unusual sharing or downloading |
| Security policy violations | Access to blocked sites |
### Step 1 – Enable Insider Risk Management
Click-Ops:
- Navigate to Microsoft Purview portal → Solutions → Insider Risk Management
- Complete initial setup wizard
- Create policy from template:
  - Select Data theft by departing users
  - Configure HR connector for resignation signals
  - Enable pseudonymization for privacy
  - Set alert thresholds
### Step 2 – Configure Audit (Premium)
Goal: Ensure 1-year audit retention and capture forensic events.
Key Premium Events:
| Event | Value |
|---|---|
| MailItemsAccessed | See what emails were read (not just accessed) |
| SearchQueryInitiatedExchange | See what users searched for |
| SearchQueryInitiatedSharePoint | SharePoint search queries |
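The retention goal and the three forensic events above, scripted instead of clicked, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Audit Logs and Compliance Administrator roles, and that the account name, policy name and record-type mapping (MailItemsAccessed is logged under the ExchangeItemAggregated record type) are placeholders or assumptions you verify against your tenant.

```powershell
# Added example (not from the original guide): enable unified audit log
# ingestion and create a 12-month Audit (Premium) retention policy for the
# forensic events, then confirm MailItemsAccessed records are arriving.
# Assumes the ExchangeOnlineManagement module; admin@contoso.example and
# the policy name are placeholders.
Import-Module ExchangeOnlineManagement

# Exchange Online session: the unified audit log ingestion switch lives here.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Security & Compliance session: audit retention policies are managed here.
Connect-IPPSSession -UserPrincipalName admin@contoso.example

# One-year retention for the events called out in the table. The record-type
# names are an assumption about the audit schema: MailItemsAccessed is an
# operation under ExchangeItemAggregated; the two search-query events are
# their own record types.
$policyName = 'Audit-Premium-12mo-Forensics'
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description 'Keep mail access and search-query events for 12 months' `
        -RecordTypes ExchangeItemAggregated, SearchQueryInitiatedExchange, SearchQueryInitiatedSharePoint `
        -RetentionDuration TwelveMonths `
        -Priority 1
}

# Sanity check: pull a few MailItemsAccessed events from the last 24 hours.
# An empty result after ingestion has been on for a day usually means the
# mailbox owners are not licensed for Audit (Premium).
$since = (Get-Date).AddDays(-1)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations MailItemsAccessed -ResultSize 10 |
    ForEach-Object {
        # AuditData is a JSON string; surface the fields an investigator
        # looks at first (who, from where, when).
        $_.AuditData | ConvertFrom-Json |
            Select-Object UserId, ClientIPAddress, CreationTime
    }
```

Run it once per tenant; the existence check makes the retention step idempotent, so it is safe to keep in a baseline script.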
## Adaptive Protection {#adaptive-protection}
Dynamically adjust DLP enforcement based on user risk level from Insider Risk Management.
### How Adaptive Protection Works
| User Risk Level | DLP Response |
|---|---|
| Minor | Standard policy enforcement, policy tips shown |
| Moderate | Sharing blocked, requires business justification |
| Elevated | Hard block on sensitive actions, security team notified |
### Enable Adaptive Protection
Click-Ops:
- Navigate to Microsoft Purview portal → Solutions → Insider Risk Management → Adaptive Protection
- Enable the feature
- Configure risk level thresholds
- Link to existing DLP policies
How It Works:
- IRM calculates user risk based on behavioral signals
- DLP policies automatically escalate enforcement for high-risk users
- Reduces friction for trusted users while protecting against threats
Retention and records management are covered in Prevention, since lifecycle policies belong to the deeper protection applied after oversharing remediation.
## eDiscovery Premium {#ediscovery}
Set up eDiscovery capabilities for legal investigations, FOIA requests, and compliance audits.
### eDiscovery Workflow
| Phase | Action |
|---|---|
| Identification | Determine custodians and data sources |
| Preservation | Place legal holds |
| Collection | Search and gather content |
| Processing | Deduplicate, extract text |
| Review | Analyze, tag, cull |
| Production | Export for legal |
### Step 1 – Create an eDiscovery Case
Click-Ops:
- Navigate to Microsoft Purview portal → eDiscovery → Premium
- Click + Create a case
- Add case members (legal team)
- Configure custodians and data sources
- Create searches and place holds
### Step 2 – Configure Hold Policies
Goal: Preserve content for legal matters.
Hold Types:
| Type | Use Case |
|---|---|
| Custodian-based | Hold all content for specific users |
| Query-based | Hold content matching search criteria |
| Site-based | Hold entire SharePoint sites |
Content under legal hold is never deleted, regardless of retention policy settings.
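Steps 1 and 2 carried out from Security & Compliance PowerShell, creating one case and one hold of each type in the table, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module, an account that is a member of the eDiscovery Manager role group, and placeholder names for the case, members, mailboxes, site URL and search query; custodian onboarding itself stays in the portal as in Step 1, since these holds target locations directly.

```powershell
# Added example (not from the original guide): create an eDiscovery
# (Premium) case, add a legal reviewer, and place custodian-, query- and
# site-based holds. Every name, user, URL and query below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$caseName = 'Matter-0001-Placeholder'
$case = Get-ComplianceCase -Identity $caseName -ErrorAction SilentlyContinue
if (-not $case) {
    # AdvancedEdiscovery is the case type that appears as eDiscovery (Premium).
    $case = New-ComplianceCase -Name $caseName -CaseType AdvancedEdiscovery `
        -Description 'Placeholder legal matter'
}
# Case members (legal team) get access to the case only, not tenant-wide.
Add-ComplianceCaseMember -Case $caseName -Member legal.reviewer@contoso.example

# A hold is a policy (which locations) plus a rule (which content). A rule
# without -ContentMatchQuery holds everything in the policy's locations.

# 1. Custodian-based: all content in the named mailboxes.
New-CaseHoldPolicy -Name "$caseName-Custodians" -Case $caseName -Enabled $true `
    -ExchangeLocation alice@contoso.example, bob@contoso.example
New-CaseHoldRule -Name "$caseName-Custodians-Rule" -Policy "$caseName-Custodians"

# 2. Query-based: only items in those mailboxes matching a KQL query.
New-CaseHoldPolicy -Name "$caseName-Query" -Case $caseName -Enabled $true `
    -ExchangeLocation alice@contoso.example, bob@contoso.example
New-CaseHoldRule -Name "$caseName-Query-Rule" -Policy "$caseName-Query" `
    -ContentMatchQuery '(subject:"Project Placeholder") AND (sent>=2024-01-01)'

# 3. Site-based: an entire SharePoint site.
New-CaseHoldPolicy -Name "$caseName-Sites" -Case $caseName -Enabled $true `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/ProjectPlaceholder'
New-CaseHoldRule -Name "$caseName-Sites-Rule" -Policy "$caseName-Sites"

# Holds are not effective until distribution succeeds; check before relying
# on them to override retention deletion.
Get-CaseHoldPolicy -Case $caseName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

Re-run the last command until every policy reports a successful distribution status; until then content in those locations is still governed only by the retention policies.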
## Validation Checklist
| # | Item | Success Criteria |
|---|---|---|
| 1 | IRM policies | At least one policy active |
| 2 | Audit Premium | 1-year retention configured |
| 3 | Retention policies | Deployed to key locations |
| 4 | eDiscovery | Can create cases and holds |
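The checklist items that PowerShell can observe (2, 3 and 4), evaluated in one pass, as an added example that is not part of the original guide. Item 1 is left to the Purview portal as in Step 1; the script assumes the ExchangeOnlineManagement module and a placeholder admin account, and treats a 12-month or 10-year audit retention policy as meeting the 1-year target.

```powershell
# Added example (not from the original checklist): script checklist items
# 2-4. admin@contoso.example is a placeholder; item 1 (IRM policies) is
# checked in the portal.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
Connect-IPPSSession -UserPrincipalName admin@contoso.example

$results = [ordered]@{}

# 2. Audit Premium: ingestion on, and at least one retention policy of
#    a year or longer.
$ingestion = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
$longRetention = @(Get-UnifiedAuditLogRetentionPolicy |
    Where-Object { $_.RetentionDuration -in 'TwelveMonths', 'TenYears' })
$results['Audit Premium'] = $ingestion -and ($longRetention.Count -gt 0)

# 3. Retention policies: enabled and successfully distributed to locations.
$retention = @(Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $_.Enabled -and $_.DistributionStatus -eq 'Success' })
$results['Retention policies'] = $retention.Count -gt 0

# 4. eDiscovery: at least one Premium case exists, and no hold policy is
#    disabled or stuck in distribution.
$cases = @(Get-ComplianceCase -CaseType AdvancedEdiscovery)
$badHolds = @(Get-CaseHoldPolicy -DistributionDetail |
    Where-Object { -not $_.Enabled -or $_.DistributionStatus -ne 'Success' })
$results['eDiscovery'] = ($cases.Count -gt 0) -and ($badHolds.Count -eq 0)

# Print a pass/fail line per item.
foreach ($item in $results.GetEnumerator()) {
    $status = if ($item.Value) { 'PASS' } else { 'FAIL' }
    '{0,-20} {1}' -f $item.Key, $status
}
```

A failing eDiscovery line is worth chasing immediately: a hold that never finished distributing does not protect content from retention deletion.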
## Next Steps
With monitoring in place, proceed to Prevention to implement DLP, retention policies, and Communication Compliance.