Best practices for managing the volume of alerts in Communication Compliance

Important

Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance (for example, SEC or FINRA) and business conduct violations such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Communication Compliance is built with privacy by design. Usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

After you configure Microsoft Purview Communication Compliance, make some adjustments to manage the volume of alerts that you receive. Use the list of best practices in this article to help create policies that cover as many users as possible while reducing the number of nonactionable alerts.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Understand keyword list volumes

Many customers use custom keyword lists for compliance scenarios. Understanding the volume of policy matches for each keyword can help you tune your policies. Use the Sensitive information type per location report to analyze keyword lists and see which keywords trigger the most matches. You can then investigate whether those keywords have high false-positive rates. You can also use the Message details reports to get data on keyword matches for a specific policy.

Use Microsoft Purview Reports and the data explorers

It's important to understand the volume of items classified by Microsoft provided trainable classifiers and sensitive information types. Microsoft Purview Reports is the primary tool you should use. The data explorers can also help you understand the volume that you can expect for your organization.

When you first start using Microsoft provided trainable classifiers, you might not get enough matches, or you might get too many matches. The following table shows the volume level to expect for different types of Microsoft provided trainable classifiers.

Microsoft trainable classifier    Volume
Adult images                      Low
Customer complaints               Medium
Discrimination                    Low
Gifts & entertainment             Medium
Gory images                       Medium
Money laundering                  Medium
Profanity                         Medium
Racy images                       Medium
Regulatory collusion              Medium
Stock manipulation                Medium
Targeted harassment               Low
Threat                            Low
Unauthorized disclosure           High

Consider using the Adult images classifier instead of the Racy images classifier, because the Adult images classifier detects only more explicit images and therefore produces fewer matches. You can use the Content explorer to help you understand the volume that you can expect for your organization for each of the Microsoft provided trainable classifiers.

Filter email blasts

You can filter out email messages that are generic and intended for mass communication. For example, you can filter out spam, newsletters, and similar messages. For more information, see Learn about the Email blast senders report.

Filter out email signatures and disclaimers

Sensitive information types can be triggered from footers in emails, such as disclaimers. If many of your nonactionable alerts come from a specific set of sentences or phrases in an email signature or disclaimer, you can filter out the email signature or disclaimer.
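As an added example (not code from the Microsoft documentation), the following Python models the two ideas above: tallying matches per keyword, the kind of view the Sensitive information type per location report gives, and stripping a known disclaimer before matching so that a footer cannot inflate the count. The keyword list, disclaimer text, and messages are constructed for the example.

```python
import re
from collections import Counter

# Constructed custom keyword list; "confidential" is the kind of term a
# legal footer repeats in every message.
KEYWORDS = ["confidential", "insider", "off the record", "wire transfer"]

# Constructed corporate disclaimer appended to every outbound email.
DISCLAIMER = (
    "This message and any attachments are confidential and intended "
    "solely for the addressee."
)

# Constructed sample messages: only the second contains a real match.
MESSAGES = [
    "Lunch at noon?\n\n" + DISCLAIMER,
    "Keep this off the record: the wire transfer clears Friday.\n\n" + DISCLAIMER,
    "Attached is the Q3 deck.\n\n" + DISCLAIMER,
    "Can you resend the agenda?\n\n" + DISCLAIMER,
]

def strip_disclaimer(body, disclaimer=DISCLAIMER):
    """Remove the known footer so it cannot contribute keyword matches."""
    return body.replace(disclaimer, "")

def keyword_matches(body, keywords=KEYWORDS):
    """Count whole-phrase, case-insensitive hits for each keyword."""
    hits = Counter()
    for kw in keywords:
        pattern = re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)
        n = len(pattern.findall(body))
        if n:
            hits[kw] += n
    return hits

def keyword_volume(messages, filter_footer):
    """Per-keyword match totals across messages; this is the view that shows
    which keywords fire mostly on footers rather than on message content."""
    total = Counter()
    for body in messages:
        if filter_footer:
            body = strip_disclaimer(body)
        total.update(keyword_matches(body))
    return total

def alert_count(messages, filter_footer):
    """Number of messages that would raise at least one alert."""
    return sum(1 for body in messages
               if keyword_matches(strip_disclaimer(body) if filter_footer else body))
```

Without footer filtering every message alerts on "confidential"; with it, only the message that actually contains policy-relevant phrases remains.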

Use sentiment evaluation

Messages in alerts include sentiment evaluation to help you quickly prioritize potentially riskier messages to address first. Using sentiment evaluation doesn't reduce your detection volumes but makes it easier to prioritize detections. Messages are flagged as Positive, Negative, or Neutral sentiment. For some organizations, messages with Positive sentiment might be a lower priority, allowing you to spend more time on other message alerts.

Report messages as misclassified

Reporting false positives as misclassified helps improve Microsoft’s models and reduces the number of false positives that you see in the future.

Filter out specific senders by using a condition

If you have senders that consistently trigger detections, you can filter out these particular senders by using the following conditional setting:

Newsletters, automated mail, and similar senders are common sources of consistently triggered detections. For more scenario information, see Scenarios for creating conditions in Communication Compliance policies.

Use communication direction to target a particular set of users

If you're detecting standards of business conduct scenarios and only care about communications from your users (not from guests), consider using a policy that detects only outbound communications. If you put the entire organization in scope with such a policy, all of the users in your organization are covered while users from outside your organization are excluded.

Combine trainable classifiers

Consider combining two or more Microsoft provided trainable classifiers. For example, combine the Threat and Profanity classifiers, or the Targeted harassment and Profanity classifiers, to raise the threshold for messages captured.

Lower the percentage of reviewed communications

To sample a subset of all the messages that trigger alerts, specify a percentage of communications to review.