Best practices for managing the volume of alerts in communication compliance

Important

Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance (for example, SEC or FINRA) and business conduct violations such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

After you configure Microsoft Purview Communication Compliance, some adjustments can help you manage the volume of alerts that you receive. Use the list of best practices in this article to help create policies that cover as many users as possible while reducing the number of non-actionable alerts.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Understand keyword list volumes

Many customers use custom keyword lists for compliance scenarios. Understanding the volume of policy matches for each keyword can help you tune your policies. Use the Sensitive information type per location report to analyze keyword lists to see which keywords trigger most matches. You can then investigate further to see if those keywords have high false-positive rates. You can also use the Message details reports to get data on keyword matches for a specific policy.

Use the data classification dashboard

It’s important to understand the volume of items classified by trainable classifiers and sensitive information types. You can use the Content explorer in the data classification dashboard to help you understand the volume that you can expect for your organization.

When you first start using trainable classifiers, you might not get enough matches, or you might get too many matches. The following table shows the volume level to expect for different types of trainable classifiers.

Trainable classifier Volume
Discrimination Low
Targeted harassment Low
Threat Low
Adult images Low
Customer complaints Medium
Profanity Medium
Racy images Medium
Gory images Medium
Gifts & entertainment Medium
Money laundering Medium
Regulatory collusion Medium
Stock manipulation Medium
Unauthorized disclosure High

Consider using the Adult images classifier instead of the Racy images classifier since the Adult images classifier detects a more explicit image. You can use the Content explorer to help you understand the volume that you can expect for your organization for each of the trainable classifiers.

Filter email blasts

You can filter out email messages that are generic and intended for mass communication. For example, filtering out spam, newsletters, and so on. For more information, see Learn about the Email blast senders report.

Filter out email signatures/disclaimers

Sensitive information types can be triggered from footers in emails, such as disclaimers. If many of your non-actionable alerts come from a specific set of sentences or phrases in an email signature or disclaimer, you can filter out the email signature or disclaimer.

Use sentiment evaluation

Messages in alerts include sentiment evaluation to help you quickly prioritize potentially riskier messages to address first. Using sentiment evaluation doesn't reduce your detection volumes but make it easier to prioritize detections. Messages are flagged as Positive, Negative, or Neutral sentiment. For some organizations, messages with Positive sentiment may be determined to be a lower priority, allowing you to spend more time on other message alerts.

Report messages as misclassified

Reporting false positives as misclassified help to improve Microsoft’s models and reduce the number of false positives that you see in the future.

Filter out specific senders by using a condition

If you have senders that consistently trigger detections, you can filter out these particular senders using the following conditional setting:

Some examples of consistently triggering detections can occur through newsletters, automated mails, and so on. For more scenario information, see Scenarios for creating conditions in communication compliance policies.

Use communication direction to target a particular set of users

If you’re detecting standards of business conduct scenarios and only care about communications from your users (not from guests), consider using a policy that detects only outbound communications. If you make the entire organization in scope, you can ensure that all of the users in your organization are covered but exclude users from outside your organization.

Combine trainable classifiers

Consider combining two or more trainable classifiers together. For example, combine the Threat and Profanity classifiers or the Targeted harassment and Profanity classifiers to raise the threshold for messages captured.

Lower the percentage of reviewed communications

If you just want to sample a subset of all the messages that trigger alerts, specify a percentage of communications to review.