How to Get Alerts When Users Downgrade and Mishandle Sensitivity Labels in Insider Risk Management

Insider Risk Management (IRM) in Microsoft Purview provides organizations with powerful tools to monitor, detect, and respond to potentially risky activities.

One important risk indicator is when users downgrade or remove sensitivity labels from files, and then exfiltrate the file or otherwise mishandle sensitive data.

I will guide you through the steps to configure an IRM policy that generates alerts for files carrying a particular sensitivity label.

Why Monitoring a Particular Sensitivity Label Matters


When labels are downgraded (for example, changing a file labeled "Top Secret" to "Confidential"), it can indicate:

  • An attempt to bypass restrictions tied to higher-level labels.

  • Malicious intent to exfiltrate sensitive data.

  • Unintentional actions by users that could lead to data exposure.

Detecting and responding to such actions in real time is crucial for safeguarding critical information.


Focusing on Your Most Sensitive Assets


Organizations often use a variety of sensitivity labels to classify their data based on its importance and level of sensitivity. For instance, you might have:

  • Public: For content intended to be freely accessible or shared externally without restrictions.

  • Internal Only: For content that should remain within the organization but is not highly sensitive.

  • Confidential: For content that is sensitive and requires restricted access.

  • Top Secret: For the most sensitive content that requires the highest level of protection.

While it's essential to maintain oversight of all classified content, you might want to prioritize monitoring your most sensitive assets. For this example, we will focus on monitoring the "Top Secret" label.

By narrowing your monitoring scope to high-priority labels like "Top Secret," you can detect and respond more effectively to actions that pose significant risks.


Create IRM Policy


In Microsoft Purview, navigate to the Insider Risk Management solution.


Go to Policies. Click “Create policy” and select “Custom Policy.”



Choose the “Data Leaks” policy template in the “Data Leaks” policy templates section.




Name your Policy and click Next.


In the “Exclude User and Group” screen, click Next to skip.


The “Decide whether to prioritize content” screen is the most important one for our purpose. The selections on this screen define what IRM will monitor for this policy.



Keep “I want to prioritize content” enabled.


Then, clear all content except “Sensitivity labels.”


The next screen lets you choose which sensitivity labels you want this policy to prioritize. You can choose up to 50 labels.

I am going to select the “Top Secret” label and add it.


The next screen lets you decide whether this policy should score only activity that involves priority content.


You have two options:

  1. Get alerts for all activity, regardless of whether they include priority content.

  2. Get alerts only for activity that includes priority content. Activities without priority content won’t be scored, but you will still be able to review them if an alert is generated.

Make sure that you select “Get alerts only for activity that includes priority content” so that this policy monitors only the “Top Secret” label.


The next screen lets you choose the triggering event for this policy. We will use the “User performs an exfiltration activity” option. It offers a number of activities that can trigger the policy.



Note: make sure that IRM is properly configured and that all indicators are enabled in the IRM settings; otherwise the corresponding activities cannot trigger the policy.

Scroll down to view the sequences that include downgrading a sensitivity label.


To learn about the sequences, follow this link.

In a nutshell, sequences are activities the user performs as one connected chain, which IRM evaluates together rather than as isolated events.



There are four different sequences that involve downgrading Sensitivity Labels:

  • Downgrade or remove label then exfiltrate

  • Downgrade or remove label, download, then exfiltrate

  • Downgrade or remove label, download, exfiltrate, then delete

  • Downgrade or remove label, download, obfuscate, then exfiltrate


I kept all activities selected for this policy.


In the next screen we are going to choose thresholds for triggering events. You can apply built-in thresholds or choose your own thresholds.


Click “Choose your own thresholds.”




The policy will trigger alerts when the number of activities meets a certain threshold.


I am going to modify the thresholds for all activities that match priority content, which for this policy is the “Top Secret” sensitivity label.


I set all thresholds for activities matching priority content to 1. I don’t want to take any chances with the “Top Secret” label: one activity is too many.



In the next screen, “Sequence detection,” I am going to select all sequences and click “Next.”

I will keep thresholds provided by Microsoft for the indicators and click Next.


Review and Submit your policy.
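As an added illustration (not Purview's code or the IRM scoring engine), the "Downgrade or remove label then exfiltrate" sequence from the list above, expressed as detection logic over constructed events, with the priority-content filter and the threshold of 1 chosen in the steps above. The label ranks, operation names, 24-hour sequence window and sample records are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed label hierarchy, lowest to highest sensitivity (None = no label).
LABEL_RANK = {None: 0, "Public": 1, "Internal Only": 2, "Confidential": 3, "Top Secret": 4}
PRIORITY_LABELS = {"Top Secret"}                                   # labels the policy prioritizes
EXFIL_OPS = {"upload_to_cloud", "copy_to_usb", "email_external"}  # constructed operation names
SEQUENCE_WINDOW = timedelta(hours=24)                             # assumed max gap between steps

@dataclass
class Event:
    ts: datetime
    user: str
    file: str
    op: str                                # "label_change" or one of EXFIL_OPS
    old_label: Optional[str] = None
    new_label: Optional[str] = None

def is_downgrade(ev: Event) -> bool:
    """A label change counts as a downgrade (or removal) when the new rank is lower."""
    return ev.op == "label_change" and LABEL_RANK[ev.new_label] < LABEL_RANK[ev.old_label]

def find_downgrade_then_exfil(events, threshold=1, priority_only=True):
    """Return {user: [(file, old_label, exfil_op), ...]} for users whose number of
    'downgrade or remove label then exfiltrate' sequences reaches the threshold."""
    events = sorted(events, key=lambda e: e.ts)
    hits = {}
    for i, d in enumerate(events):
        if not is_downgrade(d):
            continue
        if priority_only and d.old_label not in PRIORITY_LABELS:
            continue  # score only activity that touched priority content
        for x in events[i + 1:]:
            if x.ts - d.ts > SEQUENCE_WINDOW:
                break  # events are sorted, so nothing later can complete the sequence
            if x.user == d.user and x.file == d.file and x.op in EXFIL_OPS:
                hits.setdefault(d.user, []).append((d.file, d.old_label, x.op))
                break  # one sequence per downgrade
    return {u: h for u, h in hits.items() if len(h) >= threshold}

T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE = [  # constructed sample records, not real audit-log output
    Event(T0, "alice", "plans.docx", "label_change", "Top Secret", "Confidential"),
    Event(T0 + timedelta(minutes=10), "alice", "plans.docx", "upload_to_cloud"),
    Event(T0, "bob", "memo.docx", "label_change", "Internal Only", "Public"),
    Event(T0 + timedelta(minutes=5), "bob", "memo.docx", "email_external"),
    Event(T0, "carol", "budget.xlsx", "label_change", "Top Secret", None),
    Event(T0 + timedelta(days=2), "carol", "budget.xlsx", "copy_to_usb"),
]
```

With the priority filter on, only alice is scored: bob's downgrade never touched "Top Secret", and carol's exfiltration falls outside the sequence window.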


Conclusion


By configuring IRM policies to monitor priority content for specific sensitivity labels, you can partition the policies so that, when alerts are triggered, your investigators can distinguish these alerts from those triggered by other activities.


This ensures that potential data leaks involving the most sensitive content are quickly detected and prioritized over other alerts.
