Incident Response & Insider Risk
DLP policies generate alerts when content crosses a policy boundary in a single transaction. Insider Risk Management (IRM) operates differently: it correlates behavioral signals over time to identify users whose pattern of activity poses risk, even when no individual action crosses a DLP threshold. The two systems complement each other: DLP acts on transactions, IRM surfaces actors, and Adaptive Protection feeds the actor's risk level back into DLP so the controls tighten for the people who warrant it.
Activity Explorer
Activity Explorer is the first stop in any label-related incident investigation. It provides a timeline of labeling and DLP actions across Exchange, SharePoint, OneDrive, and Endpoint:
- Sensitivity label applied — who applied what label to which file
- Sensitivity label changed — includes the from-label, the to-label, and the justification text (captured when the label policy requires justification to lower a classification)
- Sensitivity label removed — with justification text when the label policy requires justification to remove a label (this is a separate policy setting from mandatory labeling)
- DLP policy matched — which rule triggered, which workload, override or no override
- File uploaded to cloud — endpoint DLP events for cloud upload attempts
- File copied to USB — endpoint events for removable media
Accessing Activity Explorer:
Purview compliance portal → Data classification → Activity explorer
Filter by Label activity → Label downgraded or Label removed to identify mass downgrade events. Filter by user to build a timeline for a specific insider risk investigation.
Investigating a Mass Downgrade Event
If IRM or a DLP alert surfaces a mass downgrade pattern:
- Filter Activity Explorer:
  - Activity: Sensitivity label changed
  - Label action: Downgrade
  - Date range: past 7 days
  - User: suspect user
- Export to CSV for offline analysis
- Cross-reference with file download events in the same period (SharePoint audit log)
- Cross-reference with email send events from Exchange (Unified Audit Log)
Check the ordering, not just the overlap: a download that precedes the label change on the same file is consistent with normal work, while a download of the same file after its label was lowered is not. If the user downloaded files after downgrading their labels, this is a strong indicator of intentional exfiltration and should be escalated per your incident response plan.
Insider Risk Management
Policy Configuration
IRM policies correlate signals from Purview labels, DLP events, HR system offboarding feeds, and Entra ID sign-in anomalies into a risk score per user.
| Setting | Value |
|---|---|
| Policy template | Data theft by departing users / Data leaks |
| Content to prioritize | Sensitivity labels — Confidential, Restricted (or CUI equivalents) |
| Scoring | Get alerts for all activity above threshold |
| Triggering event | User performs an exfiltration activity |
| Triggering threshold | Custom (see below) |
Triggering Events
The IRM policy activates risk scoring for a user when any of the following occur:
- Sends email with attachments to recipients outside the organization
- Sends email with attachments to free public email domains (gmail.com, yahoo.com, etc.)
- Sends email with attachments to their own personal email address
- Uses a browser to upload files to the web (Endpoint DLP signal required)
- File copied to a remote desktop session
- Sensitivity label downgraded or removed, then file downloaded, then exfiltrated
The last trigger — the Downgrade-Download-Exfiltrate sequence — is the highest-fidelity signal for intentional insider theft and should always be included.
Policy Indicators
| Category | Indicator |
|---|---|
| Label activity | Downgrading sensitivity labels on files |
| Label activity | Removing sensitivity labels from files |
| Label activity | Removing sensitivity labels from SharePoint sites |
| Cloud activity | Unusual mass downloading from a cloud app |
| Cloud activity | Unusual mass sharing from a cloud app |
| Endpoint activity | File copy to USB (if Endpoint DLP is configured) |
| Endpoint activity | Browser upload to unapproved cloud storage |
Detection Sequences
Enable all three sequence detections (these are distinct from the cumulative exfiltration setting below; a sequence fires on order of events, cumulative exfiltration on volume):
| Sequence | Description |
|---|---|
| Download → Exfiltrate | Large-scale download from M365, then external send |
| Downgrade/Remove → Exfiltrate | Label stripped to evade DLP, then external send |
| Downgrade/Remove → Download → Exfiltrate | Full bypass pattern: strip label, download locally, exfiltrate |
Cumulative Exfiltration and Boosters
| Setting | Value |
|---|---|
| Cumulative exfiltration | Detect when volume exceeds organizational norms |
| Booster — Daily volume | Activity is above the user's typical daily volume |
| Booster — Unusual recipient | Email sent to a domain not previously used by the user |
Boosters increase the risk score for an individual event without requiring a separate policy match. They are additive — a downgrade event with a daily-volume booster and an unusual-recipient booster generates a much higher score than a downgrade alone.
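Both the mass-downgrade investigation above (cross-referencing label changes with downloads and sends) and the three detection sequences with their boosters come down to the same offline correlation: order the events per user and per file, look for the ordered patterns, then add booster weight. The script below is an added example for this page, not Purview code or a Microsoft tool: the event rows are constructed, the operation names only approximate Activity Explorer and audit log columns, the four-tier label taxonomy and the sequence weights are assumptions, and the per-user baselines would in practice be derived from the prior 30 days of data.

```python
"""Offline correlation of exported label, download and send events into the
IRM detection sequences, with the daily-volume and unusual-recipient boosters.
Added example: rows are constructed, not a real export."""
from collections import defaultdict
from datetime import datetime

# Assumed four-tier label taxonomy; a change to a lower rank is a downgrade.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Restricted": 3}

# Sequence name -> ordered steps that must all occur on the same file.
SEQUENCES = {
    "Download -> Exfiltrate": ("FileDownloaded", "Send"),
    "Downgrade/Remove -> Exfiltrate": ("LabelDowngraded", "Send"),
    "Downgrade/Remove -> Download -> Exfiltrate": ("LabelDowngraded", "FileDownloaded", "Send"),
}
# Illustrative weights (assumption): the full bypass pattern scores highest.
SEQUENCE_WEIGHT = {
    "Download -> Exfiltrate": 30,
    "Downgrade/Remove -> Exfiltrate": 40,
    "Downgrade/Remove -> Download -> Exfiltrate": 60,
}
DAILY_VOLUME_BOOST = 20       # activity above the user's typical daily volume
UNUSUAL_RECIPIENT_BOOST = 15  # send to a domain the user has not used before


def ev(user, time, op, file, old_label="", new_label="", recipient_domain=""):
    return dict(user=user, time=time, op=op, file=file, old_label=old_label,
                new_label=new_label, recipient_domain=recipient_domain)


# Constructed sample timeline: one business day, two users.
EVENTS = [
    ev("jdoe@contoso.com", "2024-05-06T09:00:00", "SensitivityLabelUpdated", "q2-plan.docx", "Confidential", "General"),
    ev("jdoe@contoso.com", "2024-05-06T09:05:00", "SensitivityLabelRemoved", "roster.xlsx", "Restricted", ""),
    ev("jdoe@contoso.com", "2024-05-06T09:20:00", "FileDownloaded", "q2-plan.docx"),
    ev("jdoe@contoso.com", "2024-05-06T11:00:00", "SensitivityLabelUpdated", "readme.txt", "General", "Confidential"),
    ev("jdoe@contoso.com", "2024-05-06T11:10:00", "Send", "readme.txt", recipient_domain="partner.example"),
    ev("jdoe@contoso.com", "2024-05-06T18:40:00", "Send", "q2-plan.docx", recipient_domain="gmail.com"),
    ev("jdoe@contoso.com", "2024-05-06T18:41:00", "Send", "roster.xlsx", recipient_domain="gmail.com"),
    ev("asmith@contoso.com", "2024-05-06T10:00:00", "FileDownloaded", "brochure.pdf"),
    ev("asmith@contoso.com", "2024-05-06T10:30:00", "Send", "brochure.pdf", recipient_domain="partner.example"),
]
# Constructed per-user baselines (a real pipeline derives these from the prior 30 days).
BASELINE_DAILY = {"jdoe@contoso.com": 1, "asmith@contoso.com": 5}
KNOWN_DOMAINS = {"jdoe@contoso.com": {"contoso.com", "partner.example"},
                 "asmith@contoso.com": {"contoso.com", "partner.example"}}


def normalize(e):
    """Map a raw operation to the step vocabulary in SEQUENCES. A label update
    counts as a downgrade only when the new label ranks lower than the old one."""
    if e["op"] == "SensitivityLabelRemoved":
        return "LabelDowngraded"
    if e["op"] == "SensitivityLabelUpdated":
        return "LabelDowngraded" if LABEL_RANK[e["new_label"]] < LABEL_RANK[e["old_label"]] else "LabelUpgraded"
    return e["op"]


def matches_in_order(steps, pattern):
    """True if every element of pattern appears in steps, in order (gaps allowed)."""
    i = 0
    for s in steps:
        if i < len(pattern) and s == pattern[i]:
            i += 1
    return i == len(pattern)


def detect_sequences(events):
    """Return {user: [(sequence, file), ...]}, keeping only the highest-weight
    sequence matched per file so the full bypass pattern is not double-counted."""
    per_file = defaultdict(list)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        per_file[(e["user"], e["file"])].append(normalize(e))
    hits = defaultdict(list)
    for (user, f), steps in per_file.items():
        matched = [name for name, pat in SEQUENCES.items() if matches_in_order(steps, pat)]
        if matched:
            hits[user].append((max(matched, key=SEQUENCE_WEIGHT.get), f))
    return hits


def score_user(user, events, hits):
    """Sum the sequence weights, then add boosters; boosters are additive."""
    mine = [e for e in events if e["user"] == user]
    score = sum(SEQUENCE_WEIGHT[name] for name, _ in hits.get(user, []))
    boosters = []
    per_day = defaultdict(int)
    for e in mine:
        if e["op"] in ("FileDownloaded", "Send"):
            per_day[e["time"][:10]] += 1
    if per_day and max(per_day.values()) > 2 * BASELINE_DAILY.get(user, 0):
        score += DAILY_VOLUME_BOOST
        boosters.append("daily volume")
    new_domains = {e["recipient_domain"] for e in mine if e["op"] == "Send"} - KNOWN_DOMAINS.get(user, set())
    if new_domains:
        score += UNUSUAL_RECIPIENT_BOOST
        boosters.append("unusual recipient: " + ", ".join(sorted(new_domains)))
    return {"score": score, "sequences": hits.get(user, []), "boosters": boosters}


def evaluate(events):
    hits = detect_sequences(events)
    return {u: score_user(u, events, hits) for u in sorted({e["user"] for e in events})}


if __name__ == "__main__":
    for user, result in evaluate(EVENTS).items():
        print(user, result)
```

In the constructed data, jdoe trips the full Downgrade/Remove → Download → Exfiltrate sequence on one file and Downgrade/Remove → Exfiltrate on another, and both boosters apply (four download/send events against a baseline of one per day, plus a never-seen gmail.com recipient). The upgrade on readme.txt followed by an external send is deliberately present as a negative case: raising a label and then sending is not a bypass pattern and is not scored. asmith's ordinary download-then-send to a known partner domain scores only the base sequence weight.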
Adaptive Protection
GCC High (CMMC)
Adaptive Protection dynamically applies a DLP action based on a user's current IRM risk level. For CMMC this supports NIST SP 800-171 3.1.3 (control the flow of CUI in accordance with approved authorizations): flow restrictions tighten automatically for a user whose risk level rises, with no manual policy change. Control numbers on this page follow Rev. 2, the revision CMMC Level 2 assesses against.
| IRM Risk Level | Adaptive DLP Action |
|---|---|
| Minor | Policy tip added to all external sends |
| Moderate | Override-with-justification required for all external sends |
| Elevated | Block all external sharing; alert compliance team |
Enable Adaptive Protection under IRM → Adaptive Protection, then link the DLP policies it should drive. Each linked DLP policy needs one rule per risk tier, each using the "Adaptive protection risk level is" condition for that tier (Minor, Moderate, Elevated), so the action escalates with the tier rather than applying a single action to every flagged user.
CMMC Control Mapping
| NIST Control | IRM Capability |
|---|---|
| 3.1.3 — Control CUI flow | Adaptive Protection blocks external CUI sharing for high-risk users |
| 3.3.1 — Create and retain audit logs | All IRM alerts and risk score events written to the Unified Audit Log |
| 3.3.2 — Trace actions to individual users | Activity Explorer attributes every label downgrade and DLP match to a user account, so investigation timelines are per user |
| 3.6.1 — Incident-handling capability | IRM alert → case → investigation workflow |
| 3.14.6 — Monitor systems for indicators of attack | IRM cumulative exfiltration and sequence detection |
Commercial
Adaptive Protection is valuable for commercial organizations with GLBA, HIPAA, or PCI requirements, where a high-risk user (flagged by IRM) should face stronger DLP controls without manual IT intervention.
A practical commercial configuration:
| IRM Risk Level | Adaptive DLP Action |
|---|---|
| Minor | Policy tip on Confidential label external sends |
| Moderate | Block Confidential label external sends; require justification |
| Elevated | Block all external sends; notify CISO |
Start with Adaptive Protection in Test mode for 30 days to calibrate false positive rates before enabling enforcement. Users whose risk score spikes due to a legitimate high-volume file migration (e.g., SharePoint restructure) should be excluded via an IRM policy exception during the migration window.
HR Connector — Offboarding Trigger
IRM can use departure date from HR as a triggering event — activating a departing user policy before the user's last day, not after.
Configure an HR data connector in the Purview compliance portal:
- Data connectors → HR connector
- Map CSV columns (the header names below are the ones this page uses; the connector wizard maps your export's headers to its fields):
  EmailAddress,ResignationDate,TerminationDate,LastWorkingDay
- Schedule daily import via Azure Logic App or scheduled task
Once the connector is active, any user whose ResignationDate or TerminationDate is within 30 days is automatically brought into scope for the departing-user IRM policy. Risk scoring begins at that point, not on the last day.
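A daily import is only as good as the CSV it ships, and HR exports arrive with mixed date formats, blank fields, and the occasional row that cannot be right (a last working day earlier than the resignation date). The script below is an added example, not the connector's own sample script or a Microsoft tool: it normalizes a constructed HR export into the four columns mapped above, rejects rows that would mislead the policy, and previews which users fall inside the 30-day window. The column names are the ones mapped on this page, not a fixed connector schema, and reading "within 30 days" as 30 days either side of today is an assumption.

```python
"""Build the HR connector CSV from an HR export and preview which users the
departing-user policy will pick up. Added example; rows are constructed."""
import csv
import io
import re
from datetime import date, datetime, timedelta

CSV_COLUMNS = ["EmailAddress", "ResignationDate", "TerminationDate", "LastWorkingDay"]
WINDOW_DAYS = 30                  # the 30-day window above, assumed symmetric around today
AS_OF = date(2024, 5, 6)          # "today" for the constructed data
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed HR export rows; real feeds mix date formats and leave fields blank.
HR_EXPORT = [
    {"email": "jdoe@contoso.com", "resigned": "05/01/2024", "terminated": "", "last_day": "05/24/2024"},
    {"email": "asmith@contoso.com", "resigned": "", "terminated": "2024-07-15", "last_day": "2024-07-15"},
    {"email": "bchen@contoso.com", "resigned": "2024-05-30", "terminated": "", "last_day": "2024-05-20"},
    {"email": "not-an-address", "resigned": "2024-05-10", "terminated": "", "last_day": "2024-05-31"},
]


def parse_date(text):
    """Accept ISO and US formats; return None for blanks or unparseable text."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


def build_rows(export):
    """Validate each HR row. Returns (clean rows with ISO dates, rejected rows with reasons)."""
    rows, rejected = [], []
    for r in export:
        res, term, last = parse_date(r["resigned"]), parse_date(r["terminated"]), parse_date(r["last_day"])
        if not EMAIL_RE.match(r["email"]):
            rejected.append((r["email"], "malformed email"))
            continue
        if res is None and term is None:
            rejected.append((r["email"], "no resignation or termination date"))
            continue
        if last and res and last < res:
            rejected.append((r["email"], "last working day precedes resignation date"))
            continue
        rows.append({
            "EmailAddress": r["email"].lower(),
            "ResignationDate": res.isoformat() if res else "",
            "TerminationDate": term.isoformat() if term else "",
            "LastWorkingDay": last.isoformat() if last else "",
        })
    return rows, rejected


def to_csv(rows):
    """Serialize in the mapped column order; this is the file the daily job uploads."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def departing_within_window(rows, today):
    """Users whose resignation or termination date is within WINDOW_DAYS of today."""
    lo, hi = today - timedelta(days=WINDOW_DAYS), today + timedelta(days=WINDOW_DAYS)
    out = []
    for r in rows:
        for col in ("ResignationDate", "TerminationDate"):
            if r[col] and lo <= date.fromisoformat(r[col]) <= hi:
                out.append(r["EmailAddress"])
                break
    return out


if __name__ == "__main__":
    clean, bad = build_rows(HR_EXPORT)
    print(to_csv(clean))
    print("rejected:", bad)
    print("in window as of", AS_OF, "->", departing_within_window(clean, AS_OF))
```

Log the rejected rows somewhere a human will read them: a silently dropped resignation means the departing-user policy never activates for exactly the person it was built for.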
DSPM for AI Readiness
Data Security Posture Management (DSPM) for AI provides visibility into how AI tools (Microsoft 365 Copilot, Copilot Chat) interact with labeled content. It answers the question: "What sensitive data can Copilot reach, and for whom?"
Key DSPM for AI views:
| View | What It Shows |
|---|---|
| Oversharing summary | Files labeled Confidential or above shared with broad permissions (org-wide, Anyone) |
| AI interactions with sensitive data | Copilot prompts that referenced Confidential or Restricted content |
| Users with access to labeled content | Which users can reach restricted or sensitive files through Copilot |
Why labeling today prevents Copilot risk tomorrow:
Copilot cannot summarize or retrieve content that the user does not have access to. But if content is unlabeled and stored in a broadly accessible SharePoint site, Copilot will summarize it for any licensed Copilot user with SharePoint access — regardless of whether the content is sensitive.
The DSPM for AI report surfaces exactly this exposure: unlabeled sensitive content in broadly-shared locations. Labeling that content, combined with the Copilot DLP policy (see DLP Policies), closes the gap before Copilot is deployed.
Pre-Copilot Checklist:
- Run DSPM for AI in discovery mode
- Remediate overshared sites (remove "Everyone" and "Everyone except external users" sharing permissions)
- Apply appropriate sensitivity labels to unlabeled sensitive content identified by service-side auto-labeling
- Confirm Copilot DLP policy is enabled and verified
- Review DSPM for AI weekly for the first 60 days after Copilot launch
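The two oversharing conditions the checklist targets are mechanical once you have a file inventory with labels and effective sharing scope: sensitive-labeled content reachable by the whole organization (or anyone), and unlabeled content that inherits permissions from a broadly accessible site. The script below is an added example that applies those two rules to a constructed inventory and ranks sites for remediation; it is not DSPM for AI output or a Microsoft tool, and the inventory columns (site, path, label, scope, site_broad) are assumptions rather than an export schema. Note the Legal contract: a Restricted file with unique permissions in a broadly accessible site is not flagged, because its effective reach is narrow.

```python
"""Triage a file inventory the way the DSPM for AI oversharing views do.
Added example; the inventory is constructed and its columns are assumptions."""
from collections import Counter

LABEL_RANK = {"": 0, "Public": 1, "General": 2, "Confidential": 3, "Restricted": 4}
SENSITIVE_FROM = "Confidential"
# Sharing scopes that make a file reachable by any licensed Copilot user.
BROAD_SCOPES = {"Anyone", "Organization", "Everyone except external users"}

# scope "Inherited" means the file carries the site's permissions;
# site_broad means Everyone / Everyone except external users is a site member.
INVENTORY = [
    {"site": "HR", "path": "/HR/Shared Documents/salaries.xlsx", "label": "Confidential", "scope": "Organization", "site_broad": False},
    {"site": "HR", "path": "/HR/Shared Documents/handbook.docx", "label": "General", "scope": "Organization", "site_broad": False},
    {"site": "Eng", "path": "/Eng/Design/roadmap.pptx", "label": "", "scope": "Inherited", "site_broad": True},
    {"site": "Eng", "path": "/Eng/Design/arch.md", "label": "Restricted", "scope": "Inherited", "site_broad": True},
    {"site": "Eng", "path": "/Eng/Design/spec.docx", "label": "Restricted", "scope": "Specific people", "site_broad": True},
    {"site": "Mktg", "path": "/Mktg/brochure.pdf", "label": "Public", "scope": "Anyone", "site_broad": True},
    {"site": "Legal", "path": "/Legal/contracts/msa.docx", "label": "Restricted", "scope": "Specific people", "site_broad": True},
    {"site": "Legal", "path": "/Legal/contracts/notes.docx", "label": "", "scope": "Anyone", "site_broad": False},
]


def is_sensitive(label):
    return LABEL_RANK[label] >= LABEL_RANK[SENSITIVE_FROM]


def is_broad(f):
    """Effective reach: an explicit broad link, or site permissions on a broad site."""
    return f["scope"] in BROAD_SCOPES or (f["scope"] == "Inherited" and f["site_broad"])


def overshared_labeled(inventory):
    """Finding A: Confidential-or-above content any Copilot user could have summarized."""
    return [f for f in inventory if is_sensitive(f["label"]) and is_broad(f)]


def unlabeled_in_broad_reach(inventory):
    """Finding B: unlabeled content with broad reach; auto-labeling review candidates."""
    return [f for f in inventory if f["label"] == "" and is_broad(f)]


def remediation_plan(inventory):
    """Per site (site, sensitive_broad, unlabeled_broad), most exposed first;
    sites with no findings are omitted."""
    a = Counter(f["site"] for f in overshared_labeled(inventory))
    b = Counter(f["site"] for f in unlabeled_in_broad_reach(inventory))
    sites = set(a) | set(b)
    return sorted(((s, a[s], b[s]) for s in sites), key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    for site, sens, unl in remediation_plan(INVENTORY):
        print(f"{site}: {sens} sensitive overshared, {unl} unlabeled with broad reach")
```

Fix finding A first (it is the exposure Copilot turns into a one-line prompt), then work finding B through service-side auto-labeling so that the content gets a label before the site permissions are tightened.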
Incident Response Workflow
When a DLP alert or IRM case is generated, follow this workflow:
Alert generated (DLP violation or IRM high risk score)
↓
Triage in Purview Alerts or IRM Cases
↓
Open Activity Explorer — build user timeline
↓
Pull SharePoint/Exchange audit log for file/email evidence
↓
Determine: false positive or confirmed incident?
↓ (confirmed)
Open IRM Case → assign investigator
↓
Collect evidence package (Activity Explorer export + audit log CSV)
↓
Notify HR, Legal, and Security per incident response plan
↓
Apply Adaptive Protection elevated restriction if not already triggered
↓
Close case with disposition (no action / warning / HR action / law enforcement)
↓
Document in incident response log (NIST 3.6.2 audit evidence)
Purview IRM cases include a built-in evidence collection feature — Forensic evidence — that captures screen recordings on managed Windows devices for confirmed high-risk users (requires additional licensing). Enable this capability only after legal review, as it may be subject to employee privacy agreements.