Use these steps to deploy the Microsoft Purview triage agent in Microsoft Purview Insider Risk Management.
Before you begin
If you're new to the Microsoft Purview triage agent in Insider Risk Management, start with this article before deploying.
SKU/subscriptions licensing
The triage agent in Insider Risk Management requires both the standard per-seat licensing model and the pay-as-you-go billing model. Your organization must be licensed for:
- Microsoft Purview Insider Risk Management, to use the Insider Risk Management triage agent.
Microsoft Purview triage agents consume security compute units (SCUs) as they perform their tasks. You must have SCUs provisioned or the triage agents don't run. The number of SCUs consumed depends on the number and type of alerts that are processed. For more information about SCUs, see Security compute units (SCUs). You can track your SCU consumption in the usage monitoring tool. For more information about onboarding into Microsoft Security Copilot, see Get started with Microsoft Security Copilot.
For information on Security Copilot licensing in E5, see Learn about Security Copilot in Microsoft 365 E5.
For information on licensing, see
Permissions and Roles
Different functions need different permissions and roles. For more information, see Permissions in the Microsoft Purview portal, and Roles and role groups in the Microsoft Purview portal.
Assign these roles to the accounts that set up the agent (using a recommended agent identity), configure or customize it, or deactivate and remove it:
For admins (any one role from each group):
Group A
| Role | Role groups containing the role |
|---|---|
| Role Management | Purview Administrators, Organization Management |
| Insider Risk Management Admin | Compliance Administrator, Insider Risk Management, Insider Risk Management Admins, Organization Management |
Group B
| Role | Role groups containing the role |
|---|---|
| Security Copilot Contributor | (Managed in Security Copilot) |
| Purview Copilot Workspace Contributor | Included in multiple role groups. Examples: Organization Management, Compliance Administrator, Security Administrator, Compliance Data Administrator, Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts, Insider Risk Management Investigators |
For analysts (any one role from each group):
Group A
| Role | Role groups containing the role |
|---|---|
| Insider Risk Management Analysis | Insider Risk Management, Insider Risk Management Analysts |
| Insider Risk Management Investigation | Insider Risk Management, Insider Risk Management Investigators |
Group B
| Role | Role groups containing the role |
|---|---|
| Purview Agent Deployment | Included in multiple role groups. Examples: Compliance Administrator, Data Security Management, Insider Risk Management, Insider Risk Management Analysts, Insider Risk Management Investigators, Purview Agent Management |
Group C
| Role | Role groups containing the role |
|---|---|
| Security Copilot Contributor | (Managed in Security Copilot) |
| Purview Copilot Workspace Contributor | Included in multiple role groups. Examples: Organization Management, Compliance Administrator, Security Administrator, Compliance Data Administrator, Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts, Insider Risk Management Investigators |
Important
Agents run in the security context of the user who last saved the agent configuration, so the agent's effective permissions are that user's. This authentication is valid for 90 days. After 90 days, the agent stops running until someone saves the configuration again. Save the configuration from an account whose role assignments you intend the agent to inherit, and track the 90-day expiry so that scheduled triage doesn't lapse unnoticed.
Permissions for viewing triaged Insider Risk Management alerts
The account that you use to view the Insider Risk Management triage agent alert activity must hold at least one role from each group:
Group A
| Role | Role groups containing the role |
|---|---|
| Insider Risk Management Analysis | Insider Risk Management, Insider Risk Management Analysts |
| Insider Risk Management Investigation | Insider Risk Management, Insider Risk Management Investigators |
Group B
| Role | Role groups containing the role |
|---|---|
| Purview Agent Analysis | Included in multiple role groups. Examples: Compliance Administrator, Data Security Management, Insider Risk Management, Insider Risk Management Analysts, Insider Risk Management Investigators |
Group C
| Role | Role groups containing the role |
|---|---|
| Security Copilot Contributor | (Managed in Security Copilot) |
| Purview Copilot Workspace Contributor | Included in multiple role groups. Examples: Organization Management, Compliance Administrator, Security Administrator, Compliance Data Administrator, Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts, Insider Risk Management Investigators |
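The "any one role from each group" requirement is easy to get wrong when roles are scattered across role groups. The following script is an added example, not part of the Microsoft documentation or product, that resolves an account's Purview role-group memberships with Security & Compliance PowerShell and reports which required groups (admin, analyst, or alert viewer, as tabulated above) are covered. It assumes the ExchangeOnlineManagement module is installed, that `Connect-IPPSSession` can authenticate interactively, that `Get-RoleGroup` reports roles as name strings in its `Roles` property, and that `Get-RoleGroupMember` returns members with a `PrimarySmtpAddress`. The Security Copilot Contributor role is managed in Security Copilot, not in Purview role groups, so the script can't verify it and treats the Copilot group as satisfied only through Purview Copilot Workspace Contributor.

```powershell
<#
Added example (not from the Microsoft docs page): check whether an account
holds at least one role from each required group for the IRM triage agent.
Assumptions: ExchangeOnlineManagement module present; Get-RoleGroup exposes
role names in .Roles; Get-RoleGroupMember members carry PrimarySmtpAddress.
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [ValidateSet('Admin', 'Analyst', 'AlertViewer')] [string] $RoleProfile = 'Admin'
)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName $UserPrincipalName   # or any UPN allowed to read role groups

# Required roles per profile: each inner array is one group, any one role satisfies it.
# Role names are copied from the tables above.
$requiredGroups = @{
    Admin = @(
        @('Role Management', 'Insider Risk Management Admin'),
        @('Purview Copilot Workspace Contributor')   # Security Copilot Contributor not checkable here
    )
    Analyst = @(
        @('Insider Risk Management Analysis', 'Insider Risk Management Investigation'),
        @('Purview Agent Deployment'),
        @('Purview Copilot Workspace Contributor')
    )
    AlertViewer = @(
        @('Insider Risk Management Analysis', 'Insider Risk Management Investigation'),
        @('Purview Agent Analysis'),
        @('Purview Copilot Workspace Contributor')
    )
}

# Collect the roles the account holds through every role group it belongs to
$heldRoles = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$memberOf  = @()
foreach ($rg in Get-RoleGroup) {
    $members  = Get-RoleGroupMember -Identity $rg.Identity -ErrorAction SilentlyContinue
    $isMember = $members | Where-Object {
        $_.PrimarySmtpAddress -eq $UserPrincipalName -or $_.Name -eq $UserPrincipalName
    }
    if ($isMember) {
        $memberOf += $rg.Name
        foreach ($r in $rg.Roles) {
            # Roles may be reported as bare names or path-like strings; keep the last segment
            [void]$heldRoles.Add((($r -split '/')[-1]).Trim())
        }
    }
}

Write-Host "Role groups containing ${UserPrincipalName}: $($memberOf -join ', ')"

# Evaluate coverage for the chosen profile
$ok = $true
foreach ($group in $requiredGroups[$RoleProfile]) {
    $satisfied = $group | Where-Object { $heldRoles.Contains($_) }
    if ($satisfied) {
        Write-Host "OK       [$($group -join ' | ')] via $($satisfied -join ', ')"
    } else {
        Write-Warning "MISSING  [$($group -join ' | ')]"
        $ok = $false
    }
}

if (-not $ok) {
    Write-Warning "$UserPrincipalName is missing a role from at least one group for profile '$RoleProfile'. If the Copilot group is the gap, confirm Security Copilot Contributor in Security Copilot instead."
    exit 1
}
Write-Host "$UserPrincipalName satisfies the '$RoleProfile' role requirements (Copilot-side roles not verified)."
```

Run it as `.\Check-IrmTriageRoles.ps1 -UserPrincipalName analyst@contoso.example -RoleProfile Analyst` (file name and UPN are illustrative). Because the agent later runs with the permissions of whoever last saves its configuration, running this check against that saving account before deployment tells you what the agent will actually be able to do.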
Deployment and configuration roadmap
Implementing the Microsoft Purview agents involves several phases, covered in the following sections:
Infrastructure prerequisites
Microsoft Purview triage agents run on Microsoft Security Copilot.
- Your tenant must be onboarded to Microsoft Security Copilot. For more information on how to onboard, see Get started with Microsoft Security Copilot.
- You must enable Microsoft 365 data sharing in Security Copilot. For more information, see Accessing data from Microsoft 365 services.
- You must enable the Microsoft Purview plug-in in Microsoft Security Copilot. For more information, see Enable the Microsoft Purview source in Microsoft Security Copilot.
Enabling agents
Use this procedure if your organization hasn't enabled any of the Microsoft Purview agents, or has removed agents and wants to enable them again. After you enable an agent, it's available for use in Microsoft Purview. A tenant can have only one instance of each agent. This procedure works for both the Purview DLP triage agent and the Insider Risk Management triage agent.
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select the agent that you want to enable and select Add. This opens a page that shows the requirements to enable the agent.
- Select Setup. This opens the Deploy agent global configuration page, where you can:
  - Choose Run automatically based on a set schedule. If you don't choose this option, you must run the agent manually, one alert at a time. The schedule is set by Microsoft and isn't configurable by organizations. You can change this setting later when you edit the agent.
  - Select the alert timeframe, which is how far back the agent looks for alerts to triage. Analysts can shorten the timeframe when they edit the agent but can't lengthen it. For more information, see Select Alert timeframe.
- Select Deploy. You see the message Alert Triage Agent in <solution> is deployed when the agent is successfully deployed.
Setup agents
Once an agent is enabled, you need to set specific triggers for it. The triggers determine which alerts the agent triages. You can set them either on the Agents page or, in the first run experience, on the Alerts page for the solution. This procedure uses the first run experience on the Alerts page and assumes that the Microsoft Purview portal is still open to the Explore agents page from the previous procedure.
Important
The most recent agent configuration is always used.
- Select Go to <solution>. This opens the Alerts page for the solution.
- Because you're in the first run experience, you see a dialog box with a Customize button. Selecting it opens the Customize Alert Triage Agent flyout.
- Either accept the default global setting for Select alert timeframe or change it to a value shorter than what was configured during agent deployment.
- Enter custom instructions for the agent. The agent interprets your natural language input and uses it to better identify which types of alerts matter most to you, so you can find and respond to the most relevant alerts faster.
- Choose Select policies to select the policies whose alerts the agent triages. In preview, all policies are selected by default; you can change that here.
- Select Review.
- Select Start agent. Allow up to 2 hours for the agent to finish triaging the in-scope alerts and to enable manual runs from this initial setup.
Deactivate agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to deactivate. This opens the agent overview page.
- In the upper right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Deactivate agent. Deactivating the agent stops it from triaging alerts. It doesn't remove the agent, and it doesn't reset the Select alert timeframe reference point in time.
Remove agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to remove. This opens the agent overview page.
- In the upper right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Remove agent. Removing the agent deletes it from Microsoft Purview. To use it again, you must go through the Enabling agents and Setup agents procedures again. Removing the agent resets the Select Alert timeframe reference point in time.
Editing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to edit. This opens the agent overview page.
- Select Edit agent. This opens the Edit agent page.
- Select Triggers.
- Here you can change when the agent runs: either Agent will run manually on one alert at a time or Agent will run automatically based on a set schedule.
- Select Edit to change the Select alert timeframe value and the policies from which the agent triages alerts.
- If you select Agent will run manually on one alert at a time, you can select a single alert on the Alerts page for the solution. Set the toggle to Alert Triage Agent and select Run Agent.
- You can also change the Intent if you want.
Monitoring SCU usage
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent whose usage you want to monitor. This opens the agent overview page.
- Select Edit agent. This opens the Edit agent page.
- Select Usage monitoring.
- You can track your SCU consumption in the usage monitoring tool.
Alerts page overview
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- Open the solution you want to view the triaged alerts for.
- Open the Alerts page for the solution.
- In the top right area of the page, a toggle lets you choose between the Standard view of the Alerts page and the Triage Agent view. Set the toggle to the Triage Agent view. This view shows the alerts that the agent has triaged, grouped into four categories:
- All
- Needs attention
- Less Urgent
- Not categorized
Next steps
Refer to solution specific articles for information on reviewing the triaged alerts.