
June 25, 2025
Surface the highest-risk alerts across your environment, no matter their default severity, and take action. Customize how your agents reason, teach them what matters to your organization, and continuously refine to reduce time-to-resolution.
Talhah Mir, Microsoft Purview Principal GPM, shows how to triage, investigate, and contain potential data risks before they escalate.
Focus on the highest-risk alerts in your queue.
Save time by letting Alert Triage Agents for DLP and IRM surface what matters. Watch how it works.
Stay in control.
Tailor triage priorities with your own rules to focus on what really matters. See how to customize your alert triage agent using Security Copilot.
View alert triage agent efficiency stats.
Know what your agent is doing and how well it’s performing. Check out Microsoft Purview.
QUICK LINKS:
00:00 — Agents in Microsoft Purview
00:58 — Alert Triage Agent for DLP
01:54 — Customize Agents
03:32 — View prioritized alerts
05:17 — Calibrate Agent Behavior with Feedback
06:38 — Track Agent Performance and Usage
07:34 — Wrap up
Link References
Check out https://aka.ms/PurviewTriageAgents
Unfamiliar with Microsoft Mechanics?
Microsoft Mechanics is Microsoft’s official video series for IT. Watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
- Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries
- Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog
- Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast
Keep getting this insider knowledge, join us on social:
- Follow us on Twitter: https://twitter.com/MSFTMechanics
- Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/
- Enjoy us on Instagram: https://www.instagram.com/msftmechanics/
- Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics
Video Transcript:
-Staying ahead of potential data security threats and knowing which alerts deserve your attention isn’t just challenging. It’s overwhelming. Every day, your organization generates an increasing and enormous volume of data interactions, and it’s hard to know which potential risks are slipping through the cracks. In fact, on average, for every 66 new alerts logged in a day, nearly a third are not investigated because of the time and effort involved. And this is exactly where automation and AI in Microsoft Purview can make a material difference, with an agent-managed alert queue that, just like an experienced tier 1 analyst, sifts through the noise to identify Data Loss Prevention and Insider Risk Management alerts that pose the greatest risks to your organization, letting you focus your time and efforts on the most critical risks to your data.
-Today, I’ll show you how the agents in Microsoft Purview work, the reasoning they use to prioritize alerts, and how to get them running in your environment. I’ll start with Alert Triage Agent for DLP. I’m in the Alerts page for Data Loss Prevention. You’ll see that just for this small date range, I have a long list of 385 active alerts. Now, I could use what’s in the Severity column to sort and prioritize what to work on first, clicking each, analyzing the details, which policies were triggered, and then repeating that process until I’ve worked my way through the list over the course of my day. And even then, I wouldn’t necessarily have the full picture. To save time, I ended up deprioritizing low and medium severity alerts, which still could present risks that need to be investigated, but it doesn’t have to be this way.
-Instead, if I select my Alert Triage Agent view, I can see it’s done the work to triage the most important alerts, regardless of severity, that require my attention. There’s a curated list of 17 alerts for me to focus in on. And if you’re wondering if you can trust this triage list of alerts to be the ones that really need the most attention, you remain in control because you’re able to teach Copilot what you want to prioritize when you set up your agent. Let me show you. I’m in the Agents view and I’ll select the DLP agent. And if this is your first time using the agent, you’ll need to review what it does and how it’s triggered. In fact, it lists what it needs permissions for as it reasons over each alert. This includes your DLP configuration, reading incoming activity details and corresponding content, and then storing your feedback to refine how it will triage DLP alerts.
-Next, you can move on to deployment settings. Here, you can choose how the agent runs or is triggered and select the alert timeframe. The default is the last 30 days. From there, I’ll deploy the agent. You’ll see that it tells me the next step is to customize it before it begins triaging alerts. This takes a little while to provision, and once it’s ready, there’s just one more step. Back in Alerts, I need to customize the agent. Here, I can enter my own instructions as text to help the agent prioritize alerts based on what’s important to my organization. For example, I can focus it on specific labels or projects, which can be modified over time.
-Next, I can select the individual policies that I want to focus the agent on. I’m going to select all of these in this case, then hit Save. Once I hit Review, it generates custom classifiers and rules specific to what I’ve asked the agent to look for. Then I just need to start the agent, and that’s the magic behind the agent-prioritized queue that I showed you earlier. So now, once the agent is ready, instead of trying to find that needle in our haystack of 385 alerts, I can just hit the toggle button to view the prioritized alerts from the Alert Triage Agent. Notice I’m not losing any of the alert details from before. It’s just presented as a triaged and prioritized queue, starting with the top handful of alerts that need my immediate attention, with less urgent and not categorized alerts available to view in other tabs.
-I’ll focus on what needs attention and click into the top one to see what the agent found. The Agent summary tells me that there are 25 files and eight with verified policy matches. Data includes credit cards and bank account numbers shared using SharePoint. Below that, you’ll see the sensitivity risk for each shared file, the exfiltration risk related primarily to the files containing financial data, and the policy risk. And I can see in this case, the DLP policy was triggered, and the user was allowed to share without restrictions. In the Details tab, you’ll notice that the alert severity is set to low based on the policy configuration, but the triage agent, much like a human analyst, can render a verdict taking the entire context into account. Clicking into view details, I can find more information, including the related assets, where I can see each of the corresponding names, trainable classifiers if defined, and sensitive information types. I’ll scroll back up and show you one more tab here.
-In Overview, I can see the user associated with the alert. Turns out this is an important policy match to prioritize. Labels on 18 highly sensitive files were downgraded, and they were shared without proper restriction. The user was warned and chose to proceed. I can now work on containing the risk and improving related policy protections to prevent future incidents like this one. Let’s continue to work through our prioritized alert queue, and you can see I’m now left with six. I’ll click into the first one. It’s a policy match for business-critical files containing financial and legal information. This is credit card information and a legal agreement in the shared content. That said, this happens to be a close partner of our company that typically handles this type of information, so it’s not important. And to prevent this and future similar alerts from being flagged as needing my attention, I can calibrate the agent’s response based on what matters to me, kind of like you would teach a junior member of your team. So, in this alert categorization, I’ll click Change to add more context about why I disagree with this categorization so that other recipients from that domain are deprioritized.
-In the details pane, I’ll change it to less urgent and add another property to deprioritize these types of alerts. In this case, I’ll add the external recipient email address. And after I hit submit, this will be added to the agent’s instruction set to further refine its rationale for prioritization. In fact, here in our list of what needs attention, you’ll see that the alert is no longer on the list. That’s how easy it is to get the agent to work on your behalf. And once you’ve been using the agent, you can view its progress at any time. In the Agent Overview, I can see my deployed agents and trending activities. If I click into my Data Loss Prevention Agent, I can see details about its recent activities. In the Performance tab, I can also see the agent effectiveness trend over time, and below that, a detailed breakdown of units consumed per day. This way, you can reduce your time to resolution even while your team is spread thin.
-Now, I focused on the DLP agent today, and similarly, our alert triage agent in Insider Risk Management works on your behalf to create a prioritized alert queue of data incidents by risky users in your organization that require your attention, including evaluating the user risk based on historical context, as well as analyzing the user’s activity over weeks or months to help evaluate their risk, whether they’re intentional or not. In many ways, Purview’s new Alert Triage Agents for DLP and IRM, powered by Security Copilot, reduce the time, effort, and expert resources needed to truly understand the context of your alerts. It works alongside you and the whole team to accelerate and simplify your investigations. To learn more, check out aka.ms/PurviewTriageAgents, subscribe to Microsoft Mechanics if you haven’t yet, and thank you for watching.
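The walkthrough above makes two points worth seeing in code: the triage queue is ordered by the context of each match (what data was involved, where it went, what the policy actually did) rather than by the severity label the policy assigned, and an analyst's feedback (here, "recipients from that partner domain are less urgent") becomes a standing instruction that reorders the queue. The following is an added illustration of that behaviour, not Microsoft Purview's or Security Copilot's code; the weights, thresholds, field names and the four sample alerts are all constructed for the demo and are assumptions, not anything the product exposes.

```python
"""Illustrative context-based alert triage (added example, not Purview's logic).

Mirrors the walkthrough: a 'low' severity alert with downgraded labels and an
overridden warning outranks a 'high' severity alert that the policy blocked,
and a feedback rule demotes a known partner domain to 'less urgent'.
Every weight, threshold, field and sample alert below is a constructed assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed weights: how much each contextual signal adds to the risk score.
SENSITIVITY_WEIGHTS = {"credit card": 30, "bank account": 30, "legal agreement": 15, "internal memo": 5}
EXFIL_WEIGHTS = {"external_share": 30, "internal_share": 5, "download": 10}
POLICY_WEIGHTS = {"allowed": 20, "warned_and_overridden": 30, "blocked": 0}
LABEL_DOWNGRADE_BONUS = 25


@dataclass
class Alert:
    alert_id: str
    severity: str                       # what the DLP policy assigned (low/medium/high)
    info_types: list[str]               # sensitive information types detected
    exfil_path: str                     # key of EXFIL_WEIGHTS
    policy_action: str                  # key of POLICY_WEIGHTS
    recipient_domain: str | None = None  # external recipient, if any
    label_downgraded: bool = False
    file_count: int = 1


@dataclass
class TriageInstructions:
    """The analyst's standing instructions; feedback extends this over time."""
    deprioritized_domains: set[str] = field(default_factory=set)
    needs_attention_threshold: int = 60


def risk_score(alert: Alert, instructions: TriageInstructions) -> int:
    """Score the alert from its context; alert.severity is deliberately not an input."""
    score = sum(SENSITIVITY_WEIGHTS.get(t, 0) for t in alert.info_types)
    score += EXFIL_WEIGHTS.get(alert.exfil_path, 0)
    score += POLICY_WEIGHTS.get(alert.policy_action, 0)
    if alert.label_downgraded:
        score += LABEL_DOWNGRADE_BONUS
    # Volume matters, but cap it so one bulk share cannot drown every other signal.
    score += min(alert.file_count, 20)
    # Feedback rule: traffic to a domain the analyst marked as trusted is demoted, not hidden.
    if alert.recipient_domain in instructions.deprioritized_domains:
        score //= 3
    return score


def calibrate(instructions: TriageInstructions, recipient_domain: str) -> None:
    """Record analyst feedback ('alerts to this domain are less urgent')."""
    instructions.deprioritized_domains.add(recipient_domain)


def triage(alerts: list[Alert], instructions: TriageInstructions) -> tuple[list[Alert], list[Alert]]:
    """Split alerts into (needs_attention, less_urgent), each in descending score order."""
    scored = sorted(((risk_score(a, instructions), a) for a in alerts), key=lambda p: -p[0])
    needs = [a for s, a in scored if s >= instructions.needs_attention_threshold]
    less = [a for s, a in scored if s < instructions.needs_attention_threshold]
    return needs, less


# Constructed sample queue: severity labels chosen so they disagree with the context.
SAMPLE_ALERTS = [
    Alert("A1", "low", ["credit card", "bank account"], "external_share", "warned_and_overridden",
          recipient_domain="webmail.example", label_downgraded=True, file_count=18),
    Alert("A2", "high", ["internal memo"], "internal_share", "blocked"),
    Alert("A3", "medium", ["credit card", "legal agreement"], "external_share", "allowed",
          recipient_domain="partner.example", file_count=2),
    Alert("A4", "low", ["internal memo"], "download", "allowed"),
]


def queue_ids(alerts: list[Alert]) -> list[str]:
    return [a.alert_id for a in alerts]


if __name__ == "__main__":
    instr = TriageInstructions()
    needs, less = triage(SAMPLE_ALERTS, instr)
    print("before feedback:", queue_ids(needs), "/ less urgent:", queue_ids(less))
    calibrate(instr, "partner.example")       # the analyst marks the partner domain as less urgent
    needs, less = triage(SAMPLE_ALERTS, instr)
    print("after feedback: ", queue_ids(needs), "/ less urgent:", queue_ids(less))
```

Run as written, the "low" severity alert A1 (downgraded labels, external share, warning overridden) tops the queue while the "high" severity but blocked A2 lands last; after `calibrate` records the partner domain, A3 drops out of the needs-attention list but remains visible in the less-urgent one, which is the point of demoting rather than suppressing feedback-matched alerts.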