+ 2. **Activities**: Select the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can select the activity group name to select all activities in the group. You can also select a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities performed by the selected user or group of users.<br/><br/>Over 100 user and admin activities are logged in the audit log. See the [Audit log activities](audit-log-activities.md) article to see the descriptions of every activity in each of the different services.

+Your organization requires access to critical audit log event data to gain insight and further investigate user activities. Previously, your search jobs in the Microsoft Purview compliance portal were limited to creating concurrent audit search jobs and reviewing historical search jobs. These critical audit search jobs also had a dependency on the browser window remaining open in order to complete.

+- Search jobs initiated via the compliance portal no longer require the web browser window to remain open in order to complete. These jobs will continue to run even after the browser window is closed.

+- Completed search jobs are now stored for 30 days, giving you the ability to reference historical audit searches.

+## Before you begin

+- Review the following Microsoft Purview Audit articles for activity detail information. Search job creation and export functionality are highly dependent the nuances of the audit log data.

+ - [Audit log activities](audit-log-search.md)

+ - [Detailed properties in the audit log](audit-log-detailed-properties.md)

+ - [Export, configure, and view audit log records](audit-log-export-records.md)

+- Searching via an Exchange Online PowerShell session using the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet isn't currently compatible with the New Search.

+Complete the following steps to get started with the Audit New Search:

+1. Sign into the [Microsoft Purview compliance portal](https://compliance.microsoft.com).

+2. Select the **Audit** tab on the left panel of the homepage to navigate to the Audit tool.

+3. Select **New Search** tab at the top of the **Audit** page.

+4. On the **New Search** tab, configure the following search criteria as applicable:

+ 1. **Start date** and **End date**: The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC). The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.

+ > [!TIP]

+ > If you're using the maximum date range of 90 days, select the current time for the **Start date**. Otherwise, you'll receive an error saying that the start date is earlier than the end date. If you've turned on auditing within the last 90 days, the maximum date range can't start before the date that auditing was turned on.

+ 2. **Keyword Search**: Enter a keyword or phrase to search for in the audit log. The keyword or phrase is searched for in the audit log or in the file, folder, or sites (if specified) for the search. To search for text that contains special characters, replace the special characters with an asterisk(\*) in your keyword search. For example, to search for *test_search_document*, use *test\*search\*document*.

+ > [!IMPORTANT]

+ > Terms entered in the **Keyword Search** field are only searched within indexed content (content within the Audit *common schema*). Audit *data content* in the audit log isn't searched for these keywords.

+ 3. **Admin Units (preview)**: Select the drop-down list to display the [administrative units](/microsoft-365/compliance/microsoft-365-compliance-center-permissions#administrative-units-preview) you want the audited activities scoped to for your search. You can select one or more administrative units to scope your search to. Leave this box blank to return entries for all administrative units in your organization.

+ 4. **Activities - friendly names**: Select the drop-down list to display the friendly names for audited activities that you can search for. Friendly names for user and admin activities are organized into groups of related activities. Using friendly names, you can select specific audited activities or you can select the activity group name to select all activities in the group. You can also select a selected activity to clear the selection. To search for a friendly name for the activities in the list, use the search box above the list.

+ 5. **Activities - operations names (preview)**: Enter the exact operation names to search for audited activities to include in your search results. You can enter one or more operation names, separated by commas. This search criterion is similar to previous searches only available in PowerShell and provides greater flexibility helping you find the data that you need.

+ > [!IMPORTANT]

+ > Operation names must be entered exactly as they are named. If operation names are entered incorrectly, no results are returned.

+ For example, to search for all activities related to enabling and disabling information barriers for a SharePoint site in your organization, you would:

+ - Review the [audit activities](/microsoft-365/compliance/audit-log-activities) article to find the exact operation name for the information barriers activities you want to search for. In this [example](/microsoft-365/compliance/audit-log-activities#information-barriers-activities), the operation names are *SPOIBIsEnabled* and *SPOIBIsDisabled*.

+ - Enter *SPOIBIsEnabled,SPOIBIsDisabled* in operation search field. We recommend copying and pasting the operation names directly from the article to the operation search field to ensure that they're entered correctly and without typos.

+ 6. **Record types**: Select the drop-down list to display the record types for audited activities that you can search for. You can select one or more record types to search for. To search for a record type in the list, use the search box above the list.<br><br> Specific [record types](/microsoft-365/compliance/audit-log-search#microsoft-365-services-that-support-auditing) are associated with specific Microsoft services and applications. For example, if you wanted to scope your search for specific record types associated with sensitivity labels in Microsoft Purview Information Protection (MIP), you could select the *MIPLabel*, *MipAutoLabelExchangeItem*, *MipAutoLabelSharePointItem*, and *MipAutoLabelSharePointPolicyLocation* record types from the list.

+ 7. **Search name**: Enter in a custom name for your search job. This name is used to identify your search job in the search job history. If you don't enter a name, the search job is automatically named using a combination of the date and time defined for the search and other defined search criteria values.

+ 8. **Users**: Select this field and choose the names one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.

+ 9. **File, folder, or site**: Enter some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. This search criterion returns all related results for corresponding file, folders, and sites. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you type a portion of the URL, don't include any special characters or spaces (however, using the wildcard character (\*) is supported). Leave this box blank to return entries for all files and folders in your organization.

+5. Select **Search** to start your search job. A maximum of 10 search jobs can be run in parallel for one user account. If a user requires more than 10 search jobs, they must wait for an *In progress* job to finish or delete a search job.

+## Search job dashboard

+Active and completed search jobs are displayed in the search job dashboard. The dashboard displays the following information for each search job:

+- **Search name**: The name of the search job. The full search name for a job can be seen by hovering the cursor over the search job name.

+- **Job status**: The status of the search job. The status can be *Queued*, *In Progress*, or *Completed*.

+- **Progress (%)**: The percentage of the search job that has been completed.

+- **Search time**: The total running time that elapsed to complete the search job.

+- **Total results**: The total number of results returned by the search job.

+- **Creation time**: The date and time the search job was created in UTC.

+- **Search performed by**: The user account that created the search job.

+

+Delete search jobs by selecting the job and then selecting **Delete** on the command bar. Deleting a search job doesn't delete the backend data associated with search. It only deletes the search job definition and the associated search result.

+To copy the search criteria for an existing search job, select the job and then select **Copy this search** on the command bar. The search criteria are copied to the search page and you can modify the search criteria as needed for a new search.

+## Search job details dashboard

+To view details about a search job, select the search job. The total number of items in the job is included at the top of the dashboard. The total result number deducts duplicates, which is why it might be less than the number of items in the search job dashboard.

+

+The search job details dashboard displays following information about the individual items gathered in the search job results:

+- **Date (UTC)**: The date and time the activity occurred.

+- **IP Address**: The IP address of the device that was used to perform the activity.

+- **User**: The user account that performed the activity.

+- **Record type**: The record type associated with the activity.

+- **Activity**: The friendly name of the activity that was performed.

+- **Item**: The name of the file, folder, or site that the activity was acted on.

+- **Admin Units (preview)**: The admin unit that the user account that performed the activity belongs to.

+- **Details**: Additional details about the activity.

+You can sort the search job items using the column headers or create a custom filter using the filter pane. Use the filter to filter the search job items for specific values for any of the dashboard column criteria. To export all search job items to a .csv file, select **Export** on the command bar. Export supports results up to 50 KB for Audit (Standard) and up to 500 KB (500,000 rows) for Audit (Premium).

+Select a specific activity to see more details about the activity in a fly-out window. The fly-out window displays the additional information about the activity.

+

+- If you move an item with a default retention label from one folder to another folder with no default retention label: The old default retention label is removed [unless the new folder is the **Deleted Items** folder](/exchange/reference/retention-deleted-items).

+|Setting |Sub setting |Windows 10, 1809 and later, Windows 11 |macOS (three latest released versions) |Notes |

+||||||

+|**Advanced classification scanning and protection**|**Allocated bandwidth limits** | Supported | Supported |Advanced classification enables these features for macOS (preview): - [Document Fingerprinting](document-fingerprinting.md) </br>- [Exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types) </br>- [Trainable classifiers](classifier-learn-about.md) </br>- [Learn about named entities](named-entities-learn.md) |

+|**File path exclusions for Windows** | n/a |Supported |n/a | |

+|**File path exclusions for Mac**|n/a |n/a| Supported|macOS includes a recommended list of exclusions that is on by default |

+|**Setup evidence collection for file activities on devices**| **Set evidence cache on device** | Supported (preview)| Not supported| |

+|**Network share coverage and exclusions** | n/a | Supported |Not Supported| |

+|**Restricted apps and app groups** |**Restricted app groups** |Supported |Supported (preview) | |

+|**Restricted apps and app groups** |**Restricted apps** |Supported | Supported | |

+|**Restricted apps and app groups** |**Auto-quarantine settings**| Supported | Supported (preview)| |

+|**Unallowed Bluetooth apps** |n/a |Supported |Supported | |

+|**Browser and domain restrictions to sensitive data** | **Unallowed browsers** |Supported |Supported | |

+|**Browser and domain restrictions to sensitive data** | **Service domains** | Supported | Supported| |

+|**Browser and domain restrictions to sensitive data** | **Sensitive service domain groups** | Supported | Not supported| |

+|**Additional settings for Endpoint DLP** | **Business justification in policy tips** |Supported |Supported (preview) |Only the default business justifications are supported for macOS devices |

+|**Always audit file activity for devices** | n/a |Supported |Supported | |

+|**Printer groups** | n/a| Supported |Not supported| |

+|**Removable USB device groups** |n/a | Supported | Not supported | |

+|**Network share groups** |n/a | Supported | Not supported | |

+|**VPN settings** |n/a | Supported | Not supported | |

+### Other settings

+|Setting | Windows 10/11 | macOS (three latest released versions)|

+|-||-|

+|Archive file| Supported | Not supported |

+|File type and File extension |Supported | Not supported|

+### Auto-quarantine

+To prevent sensitive items from being synced to the cloud by cloud sync apps such as *onedrive.exe*, add the cloud sync app to the **Restricted apps** list with **Auto-quarantine**

+

+When enabled, Auto-quarantine is triggered when a restricted app attempts to access a DLP-protected sensitive item. Auto-quarantine moves the sensitive item to an admin-configured folder. If configured to do so, autoquarrantine can leave a placeholder (`.txt`) file in place of the original. You can configure the text in the placeholder file to tell users the new location of the item, and other pertinent information.

+Use this when an unallowed cloud-sync app tries to access an item that is protected by a blocking DLP policy, DLP may generate repeated notifications. You can avoid these repeated notifications by enabling **Auto-quarantine**.

+## Browser and domain restrictions to sensitive data

+### Service domains

+#### Allow

+#### Block

+### Sensitive service domain groups

+## Removable USB device groups

+### Create a removable USB device group

+> If the **T** value is greater than 9999, it will be replaced with 10000 and the **Send Anyway** button will not appear. This holds the message until the policy evalution completes with no option for user override. The duration to complete the evaluation can vary depending on factors such as internet speed, content length, and the number of defined policies. Some users may encounter policy evaluation messages more frequently than others depending on what policies are deployed on their mailbox.

+## Upgrade a case to eDiscovery (Premium)

+ > [!IMPORTANT]

+ > When you select a distribution list to be placed on hold, the hold is placed on each of the member mailboxes in the distribution list when the policy is created. Subsequent changes in the distribution list do not change or update the holds or the policy.

+ 2. **SharePoint sites**: Set the toggle to **On** and then select **Choose sites** to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft Team, Microsoft 365 group or a Yammer Group.

+- A query-based hold initially preserves all documents in a site for a short period of time after they're deleted. That means when a document is deleted, it is moved to the Preservation Hold library even if it doesn't match the criteria of the query-based hold. However, deleted documents that don't match a query-based hold will be removed by a timer job that processes the Preservation Hold library. The timer job runs periodically and compares all documents in the Preservation Hold library to your query-based eDiscovery holds (and other types of holds and retention policies). The timer job deletes the documents that don't match a query-based hold and preserves the documents that do.

+ - **DelayReleaseHoldApplied:** This property applies to cloud-based content (generated by non-Outlook apps such as Microsoft Teams, Microsoft Forms, and Microsoft Yammer) that's stored in a user's mailbox. Cloud data generated by a Microsoft app is typically stored in a hidden folder in a user's mailbox.

+ 1. **Exchange email**: Select **Choose users, groups, or teams** and then select **Choose users, groups, or teams** again to specify mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the associated mailbox for a Microsoft 365 group or a Microsoft Team. Select the user, group, team check box, select **Choose**, and then select **Done**.

+ > [!IMPORTANT]

+ > When you select a distribution list to be placed on hold, the hold is placed on each of the member mailboxes in the distribution list when the policy is created. Subsequent changes in the distribution list do not change or update the holds or the policy.

+ 1. **SharePoint Sites**: Select **Choose sites** and then select **Choose sites** again to specify SharePoint and OneDrive for Business sites to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft 365 group or a Microsoft Team. Select **Choose**, and then select **Done**.

+ 1. **Exchange public folders**: Move the toggle switch to the All position to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch set to **None** if you don't want to put a hold on public folders.

+ Title: "Set up a connector to import third-party insider risk detections (preview)"

+description: "Administrators can set up a data connector to import pre-processed aggregated detections and use them in Microsoft Purview Insider Risk Management. This lets you extend your detections to third-party workloads such as Salesforce or Dropbox and use them alongside the built-in detections of insider risk management."

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- tier3

+- purview-compliance

+- data-connectors

+# Set up a connector to import third-party insider risk detections (preview)

+You can set up a connector in the Microsoft Purview compliance portal to extend the Microsoft Purview Insider Risk Management solution to include third-party (non-Microsoft) detections. For example, you might want to extend your detections to include Salesforce and Dropbox activities and use them alongside the built-in detections provided by insider risk management, which is focused on Microsoft services like SharePoint Online and Exchange Online.

+To bring your own detections to the insider risk management solution, you import pre-processed, aggregated detections from security information and event management (SIEM) solutions such as Microsoft Sentinel or Splunk. You'll import a sample file into the Insider Risk Indicators connector wizard. The connector wizard analyzes the sample file and configures the required schema for insider risk management.

+> [!NOTE]

+> Currently, you cannot import "raw" detection signals into insider risk management. You can only import pre-processed aggregations as a file.

+## Overall process

+Bringing your own detections to insider risk management is a three-step process:

+1. In Microsoft Purview, create the Insider Risk Indicators (preview) connector as described in this article.

+2. In the insider risk management solution, [create custom indicators](insider-risk-management-settings-policy-indicators.md#custom-indicators).

+3. In the insider risk management solution, [use the custom indicators in policies as triggers or indicators and define thresholds](insider-risk-management-configure.md#step-6-required-create-an-insider-risk-management-policy).

+When user activity crosses the threshold value that you specify for the policy, the user is brought into scope of the insider risk management policy and is scored for risk. An alert is generated and analysts can investigate the alert using custom indicator details.

+> [!NOTE]

+> You can only use custom indicators with the *Data theft* and *Data leaks* templates.

+## Before you begin

+1. **Determine the scenarios and data you want to import to Microsoft 365**. This helps you determine how many CSV files and Insider Risk Indicator connectors you need to create and how to structure the CSV files. The imported data is determined by the types of triggers and indicators you want to create. See [Determining how many CSV files to prepare for indicator data](#determining-how-many-csv-files-to-prepare-for-indicator-data).

+2. **Determine how to retrieve or export the data from your internal system and add it to the CSV files that you prepare in Step 2**. The script that you run in Step 4 uploads the data in the CSV files to the insider risk management solution.

+3. **Assign the *Data Connector Admin* role**. This role is required to add connectors on the **Data connectors** page in the compliance portal, so the user who creates the connector in Step 3 must be assigned this role. This role is added by default to multiple role groups. For a list of these role groups, see [Roles in Microsoft Defender for Office 365 and Microsoft Purview compliance](../security/office-365-security/scc-permissions.md#roles-in-microsoft-defender-for-office-365-and-microsoft-purview-compliance). Alternatively, an admin in your organization can create a custom role group, assign the *Data Connector Admin* role to the custom role group, and then add the appropriate users as members. For guidance, see [Create a custom Microsoft Purview role group](microsoft-365-compliance-center-permissions.md#create-a-custom-microsoft-purview-role-group).

+4. **Add the *webhook.ingestion.office.com* domain to your firewall allowlist for your organization**. The script that you run in Step 4 won't work if you don't add this domain to the allowlist.

+> [!IMPORTANT]

+> The sample script that you run in Step 4 uploads your data to the Microsoft cloud so that it can be used by the insider risk management solution. This sample script isn't supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample script and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

+### Determining how many CSV files to prepare for indicator data

+In Step 3, you have the choice of preparing separate CSV files that contain data for each indicator or you can prepare a single CSV file that contains data for two or more indicators.

+Here are some guidelines to help you determine how many CSV files to prepare:

+- If the insider risk management policy you want to implement requires multiple indicators, consider using a single CSV file that contains the data for all the indicators. As a general rule, the number of connectors that you need to create is determined by the services in a CSV file. For example, if a CSV file contains all the services required to support your insider risk management implementation, you only need one connector. Having fewer CSV files allows you to have fewer connectors to create and manage. If you have two separate CSV files that each contain a single service, you'll have to create two connectors.

+- The method for generating or collecting the data may determine the number of CSV files. For example, if the different types of data used to configure a connector are located in a single system in your organization, you may be able to export the data to a single CSV file. But if data is distributed across different systems, it might be easier to export data to different CSV files. How you retrieve or export data from your systems may determine the number of CSV files you'll need.

+## Step 1: Create an app in Azure Active Directory

+The first step is to create and register a new app in Azure Active Directory (Azure AD) for the connector that you create in Step 3. Creating this app allows Azure AD to authenticate the connector when it runs and attempts to access your organization. This app is also used to authenticate the script that you run in Step 4 to upload your data to the Microsoft cloud. When you create the Azure AD app, be sure to save the following information:

+- Azure AD application ID (app ID or client ID)

+- Azure AD application secret (client secret)

+- Tenant ID (directory ID)

+The above values are used in Steps 3 and 4. For step-by-step instructions on creating an app in Azure AD, see [Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app).

+## Step 2: Prepare CSV file(s) with your insider risk indicators data

+The next step is to prepare a CSV file that contains the indicator data that the connector imports to Microsoft 365. This data is used by the insider risk management solution. You can import data for the following scenarios:

+- Create a trigger that, when activated, brings a user into scope for a policy. [Example 1 below](import-insider-risk-indicators.md#example-1-prepare-a-csv-file-for-a-simple-trigger-that-brings-a-user-into-scope-for-a-policy) shows how to prepare a CSV file for a 'home-grown' trigger that predicts the probability of an employee leaving an organization.

+- Create a policy indicator that monitors user activities. [Example 2 below](import-insider-risk-indicators.md#example-2-prepare-a-single-csv-file-to-create-multiple-policy-indicators) shows how to prepare a single CSV file for multiple indicators (one for Dropbox and one for Salesforce).

+For each scenario, you need to provide the corresponding indicator data in one or more CSV files. See [Determining how many CSV files to use for indicator data](#determining-how-many-csv-files-to-prepare-for-indicator-data).

+After you create the CSV file with the required indicator data, store it on the local computer that you run the script on in Step 4. You should also implement an update strategy to make sure that the CSV file always contains the most current information so that whenever you run the script, the most current indicator data is uploaded to the Microsoft cloud and accessible to the insider risk management solution.

+> [!IMPORTANT]

+> The column names described in the following sections are examples, not required parameters. You can use any column names in your CSV files. However, the column names that you use in a CSV file must be mapped to a data type when you create the connector in Step 3. Also note that the sample CSV files in the following sections are shown in NotePad. It's much easier to view and edit CSV files in Microsoft Excel.

+### Example 1: Prepare a CSV file for a simple trigger that brings a user into scope for a policy

+This example shows how to structure a CSV file to create a 'home-grown' trigger that could be used to predict the probability of an employee leaving an organization. This example uses the following sample data:

+```text

+UPN,PredictionTime,PredictionScore,ModelInfo

+sarad@contoso.com,2023-04-20T05:52:56.962686Z,6,Model accuracy: 67%, Model name: LeaverPrediction_M1

+sarad@contoso.com,2023-04-24T05:52:56.962686Z,9,Model accuracy: 67%, Model name: LeaverPrediction_M1

+sarad@contoso.com,2023-04-24T05:52:56.962686Z,3,Model accuracy: 67%, Model name: LeaverPrediction_M1

+```

+The following table describes each column in the CSV file.

+| Column | Description |

+|--|--|

+| UPN | Mandatory email address field used to identify the user. |

+| Prediction Time | Mandatory field that displays the date/time that the activity occurred. |

+| Prediction Score | Risky activity score. This field is used for the trigger threshold setting. Only *Number* fields can be used for threshold settings. |

+| Model Info | Extra field used to track information about the prediction model. |

+> [!NOTE]

+> Only the email address and date/time fields are mandatory. All other fields are optional but can be helpful for the analyst or investigator in decision making when they triage alerts (these fields appear in the Activity explorer and in alerts and cases).

+When you create the connector in Step 3, you'll use the data in the `PredictionScore` field as a threshold value for the trigger. If a user crosses the threshold value that you set later in the policy, the user is brought into the scope of the policy.

+### Example 2: Prepare a single CSV file to create multiple policy indicators

+This example shows how to create multiple policy indicators (one for Dropbox and one for Salesforce) from a single CSV file. This example uses the following sample data:

+```text

+UPN,Display_Name,Alert_Severity,Alert_Count,Aggregation_Date,Source_Workload,AdditionalInfo_Salesforce,AdditionalInfo_Dropbox

+sarad@contoso.com,Salesforce - Sensitive report downloaded and emailed externally,High,10,2023-04-24T05:52:56.962686Z,Salesforce,text,text

+sarad@contoso.com,Salesforce - Anomalous download of sales lead reports,Medium,6,2023-04-24T05:52:56.962686Z,Salesforce,text,text

+bradh@contoso.com,Salesforce - Printing sales reports,Low,50,2023-04-24T05:52:56.962686Z,Salesforce,text,text

+bradh@contoso.com,Salesforce - Excessive modifications to sensitive reports,Medium,3,2023-04-24T05:52:56.962686Z,Salesforce,text,text

+sarad@contoso.com,Dropbox - Sensitive files saved to personal Dropbox,High,14,2023-04-24T05:52:56.962686Z,Dropbox,text,text

+bradh@contoso.com,Dropbox - Anomalous file copy activity,Medium,5,2023-04-24T05:52:56.962686Z,Dropbox,text,text

+```

+The following table describes each column in the CSV file.

+| Column | Description |

+|--|--|

+| UPN | Mandatory email address field used to identify the user. |

+| Display Name | Name of the risky activity. |

+| Alert Severity | Severity categories: *Low*, *Medium*, and *High*. |

+| Alert Count | Number of incidences of each activity. Data in this field is used for the indicator threshold setting. |

+| Aggregation Date | Mandatory field that displays the date/time that the activity occurred. |

+| Source Workload | This is the key field for the multiple indicators scenario. You'll select this field for the **Source column** field when you create the connector, and the values in this field (**Dropbox** and **Salesforce**) will be used in the **Related values in source column** field in the connector. |

+| Additional Info Salesforce | Any additional info that you want to note about the Salesforce indicator |

+| Additional Info Dropbox | Any additional info that you want to note about the Dropbox indicator |

+See the example below to see how this CSV file is used when creating the data connector.

+## Step 3: Create the Insider Risk Indicators connector

+The next step is to create a connector in the compliance portal. After you run the script in Step 4, the connector that you create imports the data from the CSV file and uploads it to your Microsoft 365 organization.

+> [!NOTE]

+> Before you create a connector, make sure that you have a list of the scenarios and the corresponding CSV column names for each scenario.

+### Example 1: Create a connector file for a simple trigger

+1. Go to the compliance portal, and then select **Data connectors**.

+2. On the **Data connectors** page, select **Insider Risk Indicators (preview)**.

+3. On the **Insider Risk Indicators (preview)** page, select **Add connector**.

+4. Review the terms of service, and then select **Accept** if you want to continue creating the connector.

+5. On the **Authentication** page, complete the following:

+ 1. Enter a name for the connector.

+ 2. Paste the Azure AD application ID for the Azure app that you created in Step 1.

+ 3. Select **Next**.

+6. On the **Sample file** page:

+ 1. Select **Upload sample file**, and then select the CSV file that you want to upload.

+ 2. In the **Source column** list, select **None (Single source)**.

+ 3. In the **Verify sample data and data type** section, review each field to make sure that the right data types have been assigned to each field. If a field will be used later as a threshold value, make sure that it has a *Number* data type. For example, in this scenario, the `PredictionScore` field is used as a threshold value and the data type is set appropriately to *Number*.

+7. Select **Next**.

+8. On the **Data mapping** page:

+ 1. Enter the values for **Event time (UTC time)** and **Microsoft 365 user email address** based on the appropriate values from the CSV file. These are mandatory fields for the connector.

+ 2. In the **Default** field, use the list to select each field you want to include from the CSV file. For example, select a Number field to use later as a threshold value for the indicator or select other fields to use as supporting information.

+8. Select **Next**.

+9. On the **Finish** page, review all the information, and if everything looks OK, select **Finish**.

+10. Copy the job ID for the connector. You'll need it for the next step.

+11. [Go to Step 4 to run the script that uploads the data to Microsoft 365](#step-4-run-the-sample-script-to-upload-your-data).

+### Example 2: Create a connector that includes multiple policy indicators

+This example shows how to set up a single connector to create multiple policy indicators (Salesforce and Dropbox). You could create two separate connectors (one for Salesforce and one for Dropbox), but creating a single connector that works for both can reduce overall file maintenance.

+1. Go to the compliance portal, and then select **Data connectors**.

+2. On the **Data connectors** page, select **Insider Risk Indicators (preview)**.

+3. On the **Insider Risk Indicators (preview)** page, select **Add connector**.

+4. Review the terms of service, and then select **Accept** if you want to continue creating the connector.

+5. On the **Authentication** page, do the following:

+ 1. Enter a name for the connector.

+ 2. Paste the Azure AD application ID for the Azure app that you created in Step 2.

+ 3. Select **Next**.

+6. On the **Sample file** page:

+ 1. Select **Upload sample file**, and then select the CSV file that you want to upload.

+ 2. In the **Source column** list, select the column to use as the source. In the example CSV file, the source column is `SourceWorkload`, since it stores the values for the two separate workloads (Salesforce and Dropbox).

+ 3. In the **Related values in source column** field, enter the related values. For this example, enter 'Salesforce,Dropbox'. Don't include spaces between values.

+ > [!IMPORTANT]

+ > Make sure that the values you enter in the **Related values in source column** field match the values in the **Source column** list. The connector fails if the column values don't match.

+ 4. In the **Verify sample data and data type** section, review each field to make sure that the right data types have been assigned for each field. If a field will be used later as a threshold value, make sure that it has a Number data type. For example, in this example scenario, the `AlertCount` field is used as a threshold value and the data type is set appropriately to *Number*.

+ 5. Select **Next**.

+7. On the **Data mapping** page:

+ 1. Enter the values for **Event time (UTC time)** and **Microsoft 365 user email address** based on the appropriate values from the CSV file. These fields are mandatory and common to both indicators you're creating for this example.

+ 2. Select the columns from your sample file that you want to map to the two workloads, Salesforce and Dropbox.

+ > [!TIP]

+ > You could use the same process described above to create multiple policy indicators based on severity levels. For example, you could use a single connector to create separate Low, Medium, and High indicators. In the **Source column** list in that case, you would select the field that holds the values for the separate workloads (Low, Medium, High), enter those workload values in the **Related values in source column** field, and then map the appropriate fields in the **Data mapping** page.

+8. Select **Next**.

+9. On the **Finish** page, review all the information, and if everything looks correct, select **Finish**.

+10. Copy the job ID for the connector. You'll need it for the next step.

+11. Go to the next step (Step 4) to run the script that uploads the data to Microsoft 365.

+## Step 4: Run the sample script to upload your data

+> [!IMPORTANT]

+> You must add the *webhook.ingestion.office.com* domain to your firewall allowlist for your organization. If this domain is blocked, the script won't run.

+The last step in setting up a connector is to run a sample script that uploads the data in the CSV file. When you run the script, the connector that you created in Step 3 imports the data to your Microsoft 365 organization where it can be accessed by the insider risk management solution. After you run the script, consider scheduling a task to run it automatically on a daily basis so the most current data is uploaded to the Microsoft cloud. See [Schedule the script to run automatically](#optional-step-6-schedule-the-script-to-run-automatically).

+To run the sample script:

+1. Go to the window that you left open from the previous step to access the GitHub site with the sample script. Alternatively, open the bookmarked site or use the URL that you copied. You can also access the script at [https://github.com/microsoft/m365-compliance-connector-sample-scripts/blob/main/sample_script.ps1](https://github.com/microsoft/m365-compliance-connector-sample-scripts/blob/main/sample_script.ps1).

+2. Select the **Raw** button to display the script in text view.

+3. Copy all the lines in the sample script, and save them to a text file.

+4. Modify the sample script for your organization, if necessary.

+5. Save the text file as a Windows PowerShell script file by using a filename suffix of `.ps1`; for example, `HRConnector.ps1`. Alternatively, you can use the GitHub filename for the script, which is `upload_termination_records.ps1`.

+6. Open a command prompt on your local computer, and then go to the directory where you saved the script.

+7. Run the following command to upload the data in the CSV file to the Microsoft cloud; for example:

+ ```powershell

+ .\HRConnector.ps1 -tenantId <tenantId> -appId <appId> -appSecret <appSecret> -jobId <jobId> -filePath '<filePath>'

+ ```

+ The following table describes the parameters to use with this script and their required values. The information you obtained in the previous steps is used in the values for these parameters.

+ | Parameter | Description |

+ | :-|:-|

+ | `tenantId` | This is the ID for your Microsoft 365 organization that you obtained in Step 1. You can also obtain the tenant ID for your organization on the **Overview** blade in the Azure AD admin center. This is used to identify your organization. |

+ | `appId` | This is the Azure AD application ID for the app that you created in Azure AD in Step 1. This is used by Azure AD for authentication when the script attempts to access your Microsoft 365 organization. | |

+ | `appSecret` | This is the Azure AD application secret for the app that you created in Azure AD in Step 1. This is also used for authentication. |

+ | `jobId` | This is the job ID for the connector that you created in Step 3. This is used to associate the data that is uploaded to the Microsoft cloud with the connector. |

+ | `filePath` | This is the file path for the file (stored on the same system as the script) that you created in Step 1. Try to avoid spaces in the file path; otherwise use single quotation marks. |

+ Here's an example of the syntax for the connector script using actual values for each parameter:

+ ```powershell

+ .\HRConnector.ps1 -tenantId d5723623-11cf-4e2e-b5a5-01d1506273g9 -appId 29ee526e-f9a7-4e98-a682-67f41bfd643e -appSecret MNubVGbcQDkGCnn -jobId b8be4a7d-e338-43eb-a69e-c513cd458eba -filePath 'C:\Users\contosoadmin\Desktop\Data\insider_risk_indicator_data.csv'

+ ```

+ If the upload is successful, the script displays the **Upload Successful** message.

+ > [!NOTE]

+ > If you have problems running the previous command because of execution policies, see [About Execution Policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies) and [Set-ExecutionPolicy](/powershell/module/microsoft.powershell.security/set-executionpolicy) for guidance about setting execution policies.

+## Step 5: Monitor the connector

+After you create the connector and run the script to upload your data, view the connector and upload status in the compliance portal. If you schedule the script to run automatically regularly, you can view the current status after the last time the script ran.

+1. Go to the compliance portal and select **Data connectors**.

+2. Select the **Connectors** tab, and select the connector to display the flyout page. This page contains the properties and information about the connector.

+3. Under **Progress**, select the **Download log** link to open (or save) the status log for the connector. This log contains information about each time the script runs and uploads the data from the CSV file to the Microsoft cloud.

+ The `RecordsSaved` field indicates the number of rows in the CSV file that uploaded. For example, if the CSV file contains four rows, the value of the `RecordsSaved` field is 4 if the script successfully uploaded all the rows in the CSV file.

+If you've haven't run the script in Step 4, a link to download the script is displayed under **Last import**. You can download the script and then follow the steps to run the script.

+## (Optional) Step 6: Schedule the script to run automatically

+To make sure the latest data from your organization is available to the insider risk management solution, schedule the script to run automatically on a recurring basis, such as once a day. This requires that you update the data in the CSV file on a similar (if not the same) schedule so that it contains the latest information. The goal is to upload the most current data so that the connector can make it available to the insider risk management solution.

+You can use the Task Scheduler app in Windows to automatically run the script every day.

+1. On your local computer, select the Windows **Start** button and type **Task Scheduler**.

+2. Select the **Task Scheduler** app.

+3. In the **Actions** section, select **Create Task**.

+4. On the **General** tab, enter a descriptive name for the scheduled task. For example, **HR Connector Script**. You can also add an optional description.

+5. Under **Security options**, complete the following:

+ 1. Determine whether to run the script only when you're logged on to the computer or when you're logged on or not.

+ 1. Make sure that the **Run with the highest privileges** check box is selected.

+6. Select the **Triggers** tab, select **New** and complete the following:

+ 1. Under **Settings**, select the **Daily** option, and choose a date and time to run the script for the first time. The script runs every day at the same specified time.

+ 1. Under **Advanced settings**, make sure that the **Enabled** check box is selected.

+ 1. Select **OK**.

+7. Select the **Actions** tab, select **New** and complete the following:

+ 1. In the **Action** dropdown list, make sure that **Start a program** is selected.

+ 1. In the **Program/script** box, select **Browse**, and then go to the following location and select it so the path is displayed in the box: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`.

+ 1. In the **Add arguments (optional)** box, paste the same script command that you ran in Step 4. For example, `.\HRConnector.ps1 -tenantId "d5723623-11cf-4e2e-b5a5-01d1506273g9" -appId "c12823b7-b55a-4989-faba-02de41bb97c3" -appSecret "MNubVGbcQDkGCnn" -jobId "e081f4f4-3831-48d6-7bb3-fcfab1581458" -filePath "C:\Users\contosoadmin\Desktop\Data\insider_risk_indicator_data.csv"`

+ 1. In the **Start in (optional)** box, paste the folder location of the script that you ran in Step 4. For example, `C:\Users\contosoadmin\Desktop\Scripts`.

+ 1. Select **OK** to save the settings for the new action.

+8. In the **Create Task** window, select **OK** to save the scheduled task. You might be prompted to enter your user account credentials.

+ The new task is displayed in the Task Scheduler Library. The last time the script ran and the next time it's scheduled to run are displayed. Double click the task to edit it.

+ You can also verify the last time the script ran on the flyout page of the corresponding connector in the compliance portal.

+## (Optional) Step 7: Upload data using Power Automate templates

+You can upload the CSV data using Power Automate templates and define triggers. For example, you can configure a Power Automate template to trigger when new connector files are available in SharePoint or OneDrive locations. You can also streamline this process by storing confidential information like the Azure AD application secret (created in Step 1) in Azure Key Vault and using it with Power Automate for authentication.

+Complete the following steps to automatically upload data when new files become available on OneDrive for Business:

+1. Download the *ImportHRDataforIRM.zip* package from the [GitHub site](https://github.com/microsoft/m365-compliance-connector-sample-scripts/blob/main/ImportHRDataforIRM.zip).

+2. In [Power Automate](https://make.preview.powerautomate.com), go to **My flows**.

+3. Select **Import** and upload the *ImportHRDataforIRM.zip* package.

+4. After the package is uploaded, update the content (name and OneDrive for Business connection) and select **Import**.

+5. Select **Open flow** and update the parameters. The following table describes the parameters to use in this Power Automate flow and their required values. The information you obtained in the previous steps is used in the values for these parameters.

+ | **Parameter** | **Description** |

+ |:-|:-|

+ | `appId` | This is the Azure AD application ID for the app that you created in Azure AD in Step 1. This is used by Azure AD for authentication when the script attempts to access your Microsoft 365 organization. |

+ | `appSecret` | This is the Azure AD application secret for the app that you created in Azure AD in Step 1. This is used for authentication. |

+ | `fileLocation` | This is the OneDrive for Business location where Power Automate monitors for 'new file created' activities to trigger this flow. |

+ | `jobId` | Identifier for the connector created in Step 3. This is used to associate the data uploaded to the Microsoft cloud with the connector. |

+ | `tenantId` | Identifier for your Microsoft 365 organization obtained in Step 1. You can also obtain the tenant ID for your organization on the **Overview** blade in the Azure AD admin center. This is used to identify your organization. |

+ | `URI` | Verify that the value for this parameter is *https://webhook.ingestion.office.com/api/signals* |

+6. Select **Save**.

+7. Go to **Flow overview** and select **Turn on**.

+8. Test the flow manually by uploading a new file to your OneDrive for Business folder and verify that it runs successfully. This may take a few minutes after the upload before the flow is triggered.

+9. You can now monitor the connector as described in Step 5.

+If needed, you can update the flow to create triggers based on file availability and modification events on SharePoint and other data sources supported by Power Automate flows.

+## Next steps

+- [Create custom indicators in insider risk management](insider-risk-management-settings-policy-indicators.md#custom-indicators)

+- [Use the custom indicators in policies as triggers or indicators and define thresholds](insider-risk-management-configure.md#step-6-required-create-an-insider-risk-management-policy)

+To use the **Activity explorer**:

+1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com), go to **Insider risk management** and select the **Alerts** tab.

+2. On the **Alerts dashboard**, select the alert you want to triage.

+3. On the **Alerts detail pane**, select **Open expanded view**.

+4. On the page for the selected alert, select the **Activity explorer** tab.

+When reviewing activities in the Activity explorer, investigators and analysts can select a specific activity and open the activity details pane. The pane displays detailed information about the activity that investigators and analysts can use during the alert triage process. Detailed information may provide context for the alert and assist with identifying the full scope of the risk activity that triggered the alert.

+When selecting an activity's events from the activity timeline, the number of activities displayed in the explorer might not match the number of activity events listed in the timeline. Examples of why this difference may occur:

+- **Cumulative exfiltration detection**: Cumulative exfiltration detection analyzes event logs, but applies a model that includes de-duplicating similar activities to compute cumulative exfiltration risk. Additionally, there may also be a difference in the number of potentially risky activities displayed in the Activity explorer if you have made changes to your existing policy or settings. For example, if you modify allowed/unallowed domains or add new file type exclusions after a policy has been created and potentially risky activity matches have occurred, the cumulative exfiltration detection activities will differ from the results before the policy or settings changes. Cumulative exfiltration detection activity totals are based on the policy and settings configuration at the time of computation and don't include activities prior to the policy and settings changes.

+- **Emails to external recipients**: Potentially risky activity for emails sent to external recipients is assigned a risk score based on the number of emails sent, which may not match the activity event logs.

+

+### Filter alerts in the Activity explorer

+To filter alerts in the Activity explorer for column information, select **Filter**. You can filter alerts by one or more attributes listed in the details pane for the alert. Activity explorer also supports customizable columns to help investigators and analysts focus the dashboard on the information most important to them.

+#### Save a view of a filter to reuse later

+If you create a filter and customize columns for the filter, you can save a view of your changes so that you or others can quickly filter for the same changes again later. When you save a view, you save both the filters and columns. When you load the view, it will load both saved filters and columns.

+1. Create a filter and customize columns.

+ > [!TIP]

+ > If you want to start over at any point, select **Reset filters**. To change columns that you've customized, select **Reset columns**.

+2. When you have the filter the way you want it, select **Save this view**, enter a name for the view, and then select **Save**.

+ > [!NOTE]

+ > The maximum length for a view name is 40 characters and you can't use any special characters.

+3. To reuse the view of the filter later, select **Views**, and then select the view you want to open from the **Recommended views** tab (shows the most-used views) or the **Custom views** tab (the most frequently used filters are displayed at the top of the list).

+When you select a view this way, it will reset all the existing filters and replace them with the view that you selected.

+- The following templates:

+ - [Data theft by departing users](insider-risk-management-policy-templates.md#data-theft-by-departing-users)

+ - [Data leaks](insider-risk-management-policy-templates.md#data-leaks)

+ - [Risky browser usage (preview)](/microsoft-365/compliance/insider-risk-management-policy-templates#risky-browser-usage-preview)

+## Browsers and templates

+Web browsers are often used by users to access both sensitive and non-sensitive files within an organization. Insider risk management allows your organization to detect and act on browser exfiltration signals for all non-executable files viewed in [Microsoft Edge](https://www.microsoft.com/edge) and [Google Chrome](https://www.google.com/chrome) browsers. With these signals, analysts and investigators can quickly act when any of the following risky activities are performed by in-scope policy users when using these browsers:

+| Browsing potentially risky websites | Extension | Extension |

+The following table summarizes activities by template:

+| **Detected activities** | **Data theft by departing users** | **Data leaks** |**Risky browser usage**|

+| -- | --| --|--|

+| Files copied to personal cloud storage | Yes | Yes |No|

+| Files printed to local or network devices | Yes| Yes |No|

+| Files transferred or copied to a network share | Yes | Yes |No|

+| Files copied to USB devices | Yes | Yes |No|

+| Browsing potentially risky websites | No | No | Yes|

+### Configure Insider Risk Indicator (preview) connector

+You can extend insider risk management by importing detections for non-Microsoft (third-party) workloads. For example, you might want to extend your detections to include Salesforce and Dropbox activities and use them alongside the built-in detections provided by the insider risk management solution, which is focused on Microsoft services like SharePoint Online and Exchange Online.

+To bring your own detections to the insider risk management solution, you import pre-processed, aggregated detections from security information and event management (SIEM) solutions such as Microsoft Sentinel or Splunk. You do this by importing a sample file into the Insider Risk Indicators connector wizard. The connector wizard analyzes the sample file and configures the required schema.

+> [!NOTE]

+> Currently, you cannot import "raw" detection signals into insider risk management. You can only import pre-processed aggregations as a file.

+You can use a custom indicator as:

+- A trigger used to bring a user into the scope of a policy.

+- A policy indicator used to score the user for risk.

+See the [Insider Risk Indicator connector](import-insider-risk-indicators.md) article for step-by-step guidance to configure the Insider Risk Indicator connector for your organization. After you've configured the HR connector, return to these configuration steps.

+> [!NOTE]

+> To create a custom trigger or indicator for a non-Microsoft workload, see [Custom indicators](insider-risk-management-settings-policy-indicators.md#custom-indicators).

+## Define the insider risk policy indicators that are enabled in all insider risk policies

+1. Select the **Settings** button, and then select **Policy indicators**.

+2. Select one or more policy indicators.

+ The indicators selected on the **Policy indicators** settings page can't be individually configured when creating or editing an insider risk policy in the policy wizard.

+ > [!NOTE]

+ > It may take several hours for new manually added users to appear in the **Users dashboard**. Activities for the previous 90 days for these users may take up to 24 hours to display. To view activities for manually added users, select the user on the **Users dashboard** and open the **User activity** tab in the details pane.## Two types of policy indicators: built-in indicators and custom indicators

+## Built-in indicators vs. custom indicators

+Policy indicators are organized into two tabs:

+- **Built-in indicators**: Insider risk management includes many built-in indicators for various scenarios that you can use right away in your policies. Choose the indicators that you want to activate, and then customize indicator thresholds for each indicator level when you create an insider risk policy. The built-in indicators are described in more detail below.

+- **Custom indicators**: Use custom indicators together with the [Insider Risk Indicators (preview) connector](import-insider-risk-indicators.md) to bring non-Microsoft detections to insider risk management. For example, you might want to extend your detections to include Salesforce and Dropbox and use them alongside the built-in detections provided by the insider risk management solution, which is focused on Microsoft workloads (SharePoint Online and Exchange Online, for example). [Learn more about creating a custom indicator](#custom-indicators)

+### Built-in indicators

+Insider risk management includes the following built-in indicators.

+#### Office indicators

+#### Device indicators

+#### Microsoft Defender for Endpoint indicators (preview)

+#### Health record access indicators

+#### Physical access indicators

+#### Microsoft Defender for Cloud Apps indicators

+#### Risky browsing indicators (preview)

+#### Cumulative exfiltration detection (preview)

+#### Risk score boosters

+### Custom indicators

+Use the **Custom Indicators** tab to create a custom indicator to use as a trigger or as a policy indicator in your policies.

+> [!NOTE]

+> Before you can create a custom indicator to import third-party indicator data, you must [create an Insider Risk Indicators connector](import-insider-risk-indicators.md) (preview).

+1. In Settings, select **Policy indicators** and select the **Custom Indicators** tab.

+2. Select **Add custom indicator**.

+3. Enter an indicator name and a description (optional).

+4. In the **Data connector** list, select the Insider Risk Indicator connector that you created previously.

+ When you select a data connector:

+ - The name of the source column that you selected when you created the connector is displayed in the **Source column from mapping file** field. If you didnΓÇÖt select a source column when you created the connector, **None** appears in this field and you donΓÇÖt need to make a selection.

+ - In the **Values in source column** list, select the value that you want to assign to the custom indicator. These are the values that are related to the source column that you specified when you created the connector. For example, if you created a single connector that includes data for two indicators (Salesforce and Dropbox), you would see those values in the list.

+5. If you want to use a column to set threshold values, in the **Data from mapping file** list, select the column that you want to use for the threshold setting; otherwise, select the **Use only as a triggering event without any thresholds** option.

+ > Only fields that have a *Number* data type appear in the **Data from mapping file** list, since a *Number* data type is required to set a threshold value. The data type is specified when you set up the connector.

+6. Select **Add indicator**. The indicator is added to the **Custom Indicators** list.

+Now you can [use the custom indicator](insider-risk-management-configure.md#step-6-required-create-an-insider-risk-management-policy) in any *Data theft* or *Data leaks* policies that you create or edit.

+- If you're using the custom indicator as a trigger, select your custom trigger on the **Triggers** page when you create or edit the policy.

+- If you're using the custom indicator as a policy indicator, select your custom indicator on the **Indicators** page when you create or edit the policy.

+> [!NOTE]

+> After selecting your custom trigger or indicator, make sure to set a custom threshold (it's not recommended that you use the default thresholds). You can't set trigger thresholds on a custom indicator if you selected the **Use only as a triggering event without any thresholds** option.

+After adding the custom indicator to your policies, the triggers and insights generated based on the custom indicators appear in the **Alerts dashboard**, **Activity explorer**, and **User timeline**.

+3. Select **Device management** to open the **Devices** list. The list is empty until you onboard devices.

+If Microsoft Defender for Endpoint is already deployed and endpoint devices are reporting in, the endpoint devices appear in the managed devices list. You can continue to onboard new devices into insider risk management to expand coverage by going to [Step 2: Onboarding devices](#step-2-onboard-devices).

+When you're done and endpoint devices are onboarded, they should be visible under the **Devices** tab and the endpoint devices start reporting audit activity logs to insider risk management.

+Another option for policy thresholds is to assign the policy triggering event to risk management activity that is above the typical daily number of users. Instead of being defined by specific threshold settings, each threshold is dynamically customized for anomalous activities detected for in-scope policy users. If threshold activity for anomalous activities is supported for an individual indicator, you can select **Activity is above user's usual activity for the day** in the policy wizard for that indicator. If this option isn't listed, anomalous activity triggering isn't available for the indicator. If the **Activity is above user's usual activity for the day** option is listed for an indicator, but isn't selectable, you need to enable this option in **Insider risk settings** > **Policy indicators**.

+- **C**. An insight for each indicator, displayed below the thresholds. The insight shows the approximate number of users whose activities from the past 10 days exceeded the currently specified low thresholds for this indicator. For example, if the low threshold setting for *Downloading content from SharePoint* is set to 100, the insight shows the number of users in the policy who performed more than 100 download activities on an average in the past 10 days. If you adjust the threshold setting to 200, the insight updates in real time to show you the number of users whose activity exceeded levels that exceeded the new thresholds. This helps you quickly configure the appropriate thresholds for each indicator and achieve the highest level of alert effectiveness before activating your policies.

+> The AIP add-in used PowerShell advanced settings for [oversharing popup messages in Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent). When you use built-in labeling, the equivalent of this configuration is now available as a [DLP policy configuration](dlp-osp-get-started.md).

+This implementation means that if you share documents with another organization that uses different label names, each organization can apply and see their own label applied to the document.

+> [!NOTE]

+> Two exceptions where another organization can't apply their own sensitivity labels:

+> - Using Office for the web, external users connect to your SharePoint sites or OneDrive locations and don't see their sensitivity labels because the site is owned by another organization.

+> - Using co-authoring from desktop or mobile apps, external users [won't be able to apply their own sensitivity labels that are configured to apply encryption](https://support.microsoft.com/topic/you-can-t-apply-your-own-protected-sensitivity-label-to-this-file-3e592e7f-5498-481a-b930-c1259924e9ab).

+|[Preventing oversharing as DLP policy tip](dlp-osp-get-started.md)|Current Channel: 2305+ <br /><br> Monthly Enterprise Channel: 2307+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+There's no limit to the number of sensitivity labels that you can create and publish, with one exception: If the label applies encryption that specifies the users and permissions, there's a maximum of 500 labels per tenant supported with this configuration. However, as a best practice to lower admin overheads and reduce complexity for your users, try to keep the number of labels to a minimum.

+> [!TIP]

+> Real-world deployments have proved effectiveness to be noticeably reduced when users have more than five main labels or more than five sublabels per main label. You might also find that some applications can't display all your labels when too many are published to the same user.

+- **Rolling out**: A [default retention label for Outlook](create-apply-retention-labels.md#default-labels-for-sharepoint-and-outlook) is always retained when an item is moved to the **Deleted Items** folder.

+- **In preview**: Prevent [oversharing of labeled emails as a DLP policy tip](dlp-osp-get-started.md). This DLP policy configuration is an equivalent for the AIP add-in with PowerShell advanced settings that implement pop-up messages in Outlook that warn, justify, or block emails being sent.

+> We recommend waiting a period of **48 hours**. If your tenants are still reporting as *incompatible*, contact support.

+- Viva Pulse [Data Location](/viva/pulse/get-started/data-residency-for-viva-pulse)

+- Yammer [Data Location](m365-dr-workload-other.md#viva-engage)

+This profile contains a license information for Microsoft Defender for Endpoint. Without license information, Microsoft Defender for Endpoint will report that it isn't licensed.

+1. Choose a name for the profile, for example, "Defender for Cloud or Endpoint onboarding for macOS". Click **Next**.

+1. Choose a name for the configuration profile name, for example, "Defender for Endpoint onboarding for macOS".

+When [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md) is being deployed, an error message with an **x** on top of the Microsoft Defender for Endpoint on macOS shield appears.

+Select the **x** symbol.

+### Message

+When you select the **x** symbol, you'll see options as shown in the following screenshot:

+When you select **Action needed**, you'll get the error message as shown in the following screenshot:

+You'll encounter this message in a different way: If you're using the terminal to enter **mdatp health** without the double quotes, the message as shown in the following screenshot is displayed:

+### Cause

+1. You've deployed and/or installed the Microsoft Defender for Endpoint on macOS package [Download installation packages](mac-install-manually.md#download-installation-and-onboarding-packages), but might not have run the configuration script [Download the onboarding package](mac-install-with-intune.md#download-the-onboarding-package) that contains the license settings. For information on troubleshooting in this scenario, see [For not running the configuration script](#for-not-running-the-configuration-script).

+1. You can also encounter this error message when the Microsoft Defender for Endpoint on macOS agent isn't up to date. For information on troubleshooting in this scenario, see [For Microsoft Defender for Endpoint on macOS not being up to date](#for-microsoft-defender-for-endpoint-on-macos-not-being-up-to-date).

+1. You can also encounter this error message if you haven't assigned a license to the user. For information on troubleshooting in this scenario, see [For not assigning a license to the user](#for-not-assigning-a-license-to-the-user).

+### Solutions

+#### For not running the configuration script

+This section describes the troubleshooting measures when the error/warning message is caused by non-execution of the configuration script that contains the license settings after you have deployed and/or installed the Microsoft Defender for Endpoint on macOS package.

+Depending on the deployment management tool used, follow the tool-specific instructions to onboard the package (register the license) as described in the following table:

+|Management |License deployment instructions (Onboarding instructions) |

+|||

+|Intune | [Download the onboarding package](mac-install-with-intune.md#download-the-onboarding-package) |

+|JamF | [Step 1: Get the Microsoft Defender for Endpoint onboarding package](mac-jamfpro-policies.md#step-1-get-the-microsoft-defender-for-endpoint-onboarding-package) |

+|Other MDM | [License settings](mac-install-with-other-mdm.md#license-settings) |

+|Manual installation | [Download installation and onboarding packages](mac-install-manually.md#download-installation-and-onboarding-packages); and [Client configuration](mac-install-manually.md#client-configuration) |

+> [!NOTE]

+#### For Microsoft Defender for Endpoint on macOS not being up to date

+For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, you'll need to [update](mac-updates.md) the agent.

+#### For not assigning a license to the user

+1. In the Microsoft 365 Defender portal (security.microsoft.com):

+ 1. Select **Settings**. The **Settings** screen appears.

+ 1. Select **Endpoints**.

+

+ :::image type="content" source="images/endpoints-option-on-settings-screen.png" alt-text="Screenshot of the Settings screen on which the Endpoints option is listed." lightbox="images/endpoints-option-on-settings-screen.png":::

+

+ The **Endpoints** screen appears.

+

+ :::image type="content" source="images/endpoints-screen.png" alt-text="Screenshot of the Endpoints page." lightbox="images/endpoints-screen.png":::

+ 1. Select **Licenses**.

+

+ :::image type="content" source="images/selecting-licenses-option-from-endpoints-screen.png" alt-text="Screenshot of the Endpoints page from which the Licenses options can be selected." lightbox="images/selecting-licenses-option-from-endpoints-screen.png":::

+

+ 1. Select **View and purchase licenses in the Microsoft 365 admin center**. The following screen in the Microsoft 365 admin center portal appears:

+ :::image type="content" source="images/m365-admin-center-purchase-assign-licenses.png" alt-text="Screenshot of the Microsoft 365 admin center portal page from which licenses can be purchased and assigned." lightbox="images/m365-admin-center-purchase-assign-licenses.png":::

+ 1. Check the checkbox of the license you want to purchase from Microsoft, and select it. The screen displaying detail of the chosen license appears:

+

+ :::image type="content" source="images/resultant-screen-of-selecting-preferred-license.png" alt-text="Screenshot of the product page from which you can select the option of assigning the purchased license." lightbox="images/resultant-screen-of-selecting-preferred-license.png":::

+ 1. Select the **Assign licenses** link.

+

+ :::image type="content" source="images/assign-licenses-link.png" alt-text="Screenshot of the product page from which you can select the Assign licenses link." lightbox="images/assign-licenses-link.png":::

+ The following screen appears:

+ :::image type="content" source="images/screen-containing-option-to-assign-licenses.png" alt-text="Screenshot of the page containing the + Assign licenses option." lightbox="images/screen-containing-option-to-assign-licenses.png":::

+ 1. Select **+ Assign licenses**.

+ 1. Enter the name or email address of the person to whom you want to assign this license.

+

+ The following screen appears, displaying the details of the chosen license assignee and a list of options.

+ :::image type="content" source="images/assignee-details-and-options.png" alt-text="Screenshot of the page displaying the assignee's details and a list of options." lightbox="images/assignee-details-and-options.png":::

+

+ 1. Check the checkboxes for **Microsoft 365 Advanced Auditing**, **Microsoft 365 Defender**, and **Microsoft Defender for Endpoint**.

+ 1. Select **Save**.

+On implementing these solution-options (either of them), if the licensing issues have been resolved, and then you run **mdatp health**, you should see the following results:

+### Message

+Create new account or Switch to enterprise app.

+### Cause

+You've downloaded and installed [Microsoft Defender for individuals on macOS](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals) on top of previously installed Microsoft Defender for Endpoint.

+### Solution

+Select **Switch to enterprise app** to switch to Enterprise experience.

+You can also suppress switching to experience for Individuals on MDM-enrolled machines by including **userInterface**/**consumerExperience** in the Defender's settings:

+## Recommended content

+- [Manual deployment for Microsoft Defender for Endpoint on macOS](mac-install-manually.md): Install Microsoft Defender for Endpoint on macOS manually from the command line.

+- [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](mac-jamfpro-policies.md): Learn how to set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro.

+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md): Learn how to install, configure, update, and use Microsoft Defender for Endpoint on Mac.

+- [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](mac-install-with-jamf.md): Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro.

+### Jul-2023 (Build: 101.23052.0004 | Release version: 20.123052.4.0)

+| Build: | **101.23052.0004** |

+|--|--|

+| Release version: | **20.123052.4.0** |

+| Engine version: | **1.1.20100.7** |

+| Signature version: | **1.391.2163.0** |

+##### What's new

+- Client version schema change

+- Fix: Defender does not start on a machine with certain versions of Edge due to directory permission issue

+- Bug and performance fixes

+### Jun-2023 (Build: 101.98.84 | Release version: 20.123042.19884.0)

+### June-2023 (Platform: 4.18.x.x | Engine: 1.1.23060.1005)

+- Release date: **July 10, 2023 (Engine)** / (*Platform release date is pending*)

+- Platform: **4.18.x.x** (*platform version number is pending*)

+|[Kroll](https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder)|Kroll|Kroll provides proprietary data, technology and insights to help our clients stay ahead of complex demands related to risk, governance and growth. Our solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions. With 5,000 experts around the world, we create value and impact for our clients and communities.|

+### Q: How many training videos are available?

+A: Currently, there are more than 85 training modules available in the content library.

+ - **If a message is detected as domain impersonation**^\*: Select **Quarantine the message**. Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by user domain impersonation protection.

+Applications are a very useful part of Microsoft Teams, but it's recommended to maintain a list of allowed apps rather than allowing all apps by default.

+6. Under the **Meeting join & lobby** heading, ensure **People dialing in can bypass the lobby** is set to **off**.

+7. Ensure **Anonymous users can join a meeting** is set to **off**.

+8. Under the **Meeting engagement** heading, Set **Meeting chat** to **"On for everyone but anonymous users"**.

+9. Select **Save**.

+4. Under the **Content sharing** heading, set **Who can present** to **Only organizers and co-organizers**.

+5. Select **Save**.

+## Limit domains for external access

+External access allows your users to communicate externally in Teams, allowing external organizations to start a conversation with your users and vice versa, which is useful for collaboration, but also for attackers to directly communicate with your organization if they know a victim's email address.

+4. Enter any external domains users should be able to communicate with by selecting **Allow domains**, using the flyout, and selecting **Done** when finished.

+5. Select **Save**.

+Note that external organizations must also allow your organization's domain for external access to work.

+- **In the Microsoft 365 Defender portal**: On by default for new tenants. Existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on the Defender portal for user reported messages to show up correctly.

+ As previously described, this setting is turned on by default for new tenants, and existing tenants need to enable it. You typically leave it turned on if message reporting is also turned on in Teams admin center.

+A: After your trial expires, you have access to your trial data (data from features in Defender for Office 365 that you didn't have previously) for 30 days. After this 30 day period, all policies and data that were associated with the Defender for Office 365 trial are deleted.

+ Title: Train a structured or freeform document processing model in Microsoft Syntex

+description: Learn how to train a structured or freeform document processing model in Microsoft Syntex.

+# Train a structured or freeform document processing model in Microsoft Syntex

+Follow the instructions in [Create a model in Syntex](create-syntex-model.md) to create a structured or freeform document processing model in a content center. Or, follow the instructions in [Create a model on a local SharePoint site](create-local-model.md) to create the model on a local site. Then use this article to train your model.

+To train a structured or freeform document processing model, follow these steps:

+After you create your structured or freeform document processing model, the **Choose information to extract** page opens. Here you list all pieces of information that you want the AI model to extract from your documents, such as *Name*, *Address*, or *Amount*.

+Two flows are available to process a selected file or batch of files in a library where a structured or freeform document processing model has been applied.

+6. You're now ready to [train the model](create-a-form-processing-model.md).

+ Title: Overview of structured and freeform document processing in Microsoft Syntex

+description: Learn how to use AI Builder to create structured or freeform document processing models in Microsoft Syntex.

+# Overview of structured and freeform document processing in Microsoft Syntex

+Use the freeform document processing model ([freeform selection method](create-syntex-model.md#train-a-custom-model)) to automatically extract information from unstructured and freeform documents, such as letters and contracts.

+## Introduction to structured and freeform models

+Microsoft Syntex uses Microsoft Power Apps [AI Builder](/ai-builder/form-processing-model-overview) document processing (formerly known as form processing) to create structured and freeform document processing models within SharePoint document libraries.

+You can use AI Builder document processing to create structured or freeform document processing models that use machine learning technology to identify and extract key-value pairs and table data from structured or semi-structured documents, such as forms and invoices, and unstructured or freeform documents, such as contracts and correspondence.

+Organizations often receive invoices in large quantities from various sources, such as mail, fax, and email. Processing these documents and manually entering them into a database can take a considerable amount of time. By using AI to extract the text, key-value pairs, and tables from your documents, Syntex automates this process.

+For example, you can create a structured or freeform document processing model that identifies all documents that are uploaded to the document library. From each document, you can then extract and display specific data that is important to you.

+You can only create a structured or freeform document processing model in SharePoint document libraries for which it's enabled. If it has been enabled, you're able to see the **Classify and extract** option in your document library.

+For more information, see [Overview of structured and freeform document processing](form-processing-overview.md).

+For more information, see [Overview of structured and freeform document processing](form-processing-overview.md).

+[Learn more about structured and freeform models in Microsoft Syntex.](form-processing-overview.md)