You can set up a connector to extend the Microsoft Purview Insider Risk Management solution to include third-party (non-Microsoft) detections. For example, you might want to extend your detections to include Salesforce and Dropbox activities and use them alongside the built-in detections provided by insider risk management, which focuses on Microsoft services like SharePoint Online and Exchange Online.
To bring your own detections to the insider risk management solution, import preprocessed, aggregated detections from security information and event management (SIEM) solutions such as Microsoft Sentinel or Splunk. Import a sample file into the Insider Risk Indicators connector workflow. The connector workflow analyzes the sample file and configures the required schema for insider risk management.
Note
Currently, you can't import "raw" detection signals into insider risk management. You can only import preprocessed aggregations as a file.
Overall process
Bringing your own detections to insider risk management is a three-step process:
- In Microsoft Purview, create the Insider Risk Indicators (preview) connector as described in this article.
- In the insider risk management solution, create custom indicators.
- In the insider risk management solution, use the custom indicators in policies as triggers or indicators and define thresholds.
When user activity crosses the threshold value that you specify for the policy, the user is brought into scope of the insider risk management policy and is scored for risk. An alert is generated and analysts can investigate the alert using custom indicator details.
Note
You can only use custom indicators with the Data theft and Data leaks templates.
Before you begin
- Determine the scenarios and data you want to import to Microsoft 365. This determination helps you decide how many CSV files and Insider Risk Indicator connectors you need to create and how to structure the CSV files. The types of triggers and indicators you want to create determine the imported data. See Determining how many CSV files to prepare for indicator data.
- Determine how to retrieve or export the data from your internal system and add it to the CSV files that you prepare in Step 2. The script that you run in Step 4 uploads the data in the CSV files to the insider risk management solution.
- Assign the Data Connector Admin role. This role is required to add connectors on the Data connectors page in the Microsoft Purview portal, so assign this role to the user who creates the connector in Step 3. Multiple role groups include this role by default. For a list of these role groups, see Roles in Microsoft Defender for Office 365 and Microsoft Purview compliance. Alternatively, an admin in your organization can create a custom role group, assign the Data Connector Admin role to the custom role group, and then add the appropriate users as members. For guidance, see Create a custom Microsoft Purview role group.
- Add the webhook.ingestion.office.com domain to your firewall allowlist for your organization. The script that you run in Step 4 doesn't work if you don't add this domain to the allowlist.
Important
The sample script that you run in Step 4 uploads your data to the Microsoft cloud so that the insider risk management solution can use it. This sample script isn't supported under any Microsoft standard support program or service. The sample script is provided AS IS without warranty. Microsoft disclaims all implied warranties, including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising from the use or performance of the sample script and documentation remains with you. In no event is Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts liable for any damages, including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss arising from the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Determining how many CSV files to prepare for indicator data
In Step 2, you can prepare separate CSV files that contain data for each indicator or prepare a single CSV file that contains data for two or more indicators.
Here are some guidelines to help you determine how many CSV files to prepare:
- If the insider risk management policy you want to implement requires multiple indicators, consider using a single CSV file that contains the data for all the indicators. As a general rule, the number of connectors that you need to create is determined by the services in a CSV file. For example, if a CSV file contains all the services required to support your insider risk management implementation, you only need one connector. Having fewer CSV files allows you to have fewer connectors to create and manage. If you have two separate CSV files that each contain a single service, you need to create two connectors. 
- The method for generating or collecting the data might determine the number of CSV files. For example, if the different types of data used to configure a connector are located in a single system in your organization, you might be able to export the data to a single CSV file. But if data is distributed across different systems, it might be easier to export data to different CSV files. How you retrieve or export data from your systems might determine the number of CSV files you need. 
Step 1: Create an app in Microsoft Entra ID
First, create and register a new app in Microsoft Entra ID for the connector that you create in Step 3. When you create this app, Microsoft Entra ID can authenticate the connector when it runs and attempts to access your organization. Use this app to authenticate the script that you run in Step 4 to upload your data to the Microsoft cloud. When you create the Microsoft Entra app, save the following information:
- Microsoft Entra application ID (app ID or client ID)
- Microsoft Entra application secret (client secret)
- Tenant ID (directory ID)
Use these values in Steps 3 and 4. For step-by-step instructions on creating an app in Microsoft Entra ID, see Register an application with the Microsoft identity platform.
Step 2: Prepare CSV file(s) with your insider risk indicators data
Next, prepare a CSV file that contains the indicator data that the connector imports to Microsoft 365. The insider risk management solution uses this data. You can import data for the following scenarios:
- Create a trigger that, when activated, brings a user into scope for a policy. Example 1 below shows how to prepare a CSV file for a 'home-grown' trigger that predicts the probability of an employee leaving an organization.
- Create a policy indicator that monitors user activities. Example 2 below shows how to prepare a single CSV file for multiple indicators (one for Dropbox and one for Salesforce).
For each scenario, provide the corresponding indicator data in one or more CSV files. See Determining how many CSV files to prepare for indicator data.
After you create the CSV file with the required indicator data, store it on the local computer that you run the script on in Step 4. Implement an update strategy to make sure that the CSV file always contains the most current information so that whenever you run the script, the most current indicator data is uploaded to the Microsoft cloud and accessible to the insider risk management solution.
Important
The column names described in the following sections are examples, not required parameters. You can use any column names in your CSV files. However, the column names that you use in a CSV file must be mapped to a data type when you create the connector in Step 3. Also note that the sample CSV files in the following sections are shown in NotePad. It's much easier to view and edit CSV files in Microsoft Excel.
Example 1: Prepare a CSV file for a simple trigger that brings a user into scope for a policy
This example shows how to structure a CSV file to create a 'home-grown' trigger that could be used to predict the probability of an employee leaving an organization. This example uses the following sample data:
```
UserPrincipalName,PredictionTime,PredictionScore,ModelInfo
sarad@contoso.com,2023-04-20T05:52:56.962686Z,6,"Model accuracy: 67%, Model name: LeaverPrediction_M1"
sarad@contoso.com,2023-04-24T05:52:56.962686Z,9,"Model accuracy: 67%, Model name: LeaverPrediction_M1"
sarad@contoso.com,2023-04-24T05:52:56.962686Z,3,"Model accuracy: 67%, Model name: LeaverPrediction_M1"
```

The ModelInfo value contains a comma, so it is enclosed in double quotation marks; otherwise the row would be parsed as five columns instead of four.
The following table describes each column in the CSV file.
| Column | Description | 
|---|---|
| UserPrincipalName | The Microsoft Entra UserPrincipalName (UPN) used to identify the user. | 
| PredictionTime | Mandatory field that displays the date/time that the activity occurred. Use the following date format: yyyy-mm-ddThh:mm:ss.nnnnnn+|-hh:mm, which is the ISO 8601 date and time format. |
| PredictionScore | Risky activity score. This field is used for the trigger threshold setting. Only Number fields can be used for threshold settings. |
| ModelInfo | Extra field used to track information about the prediction model. |
Note
Only the UserPrincipalName and date/time fields are mandatory. All other fields are optional but can be helpful for the analyst or investigator in decision making when they triage alerts (these fields appear in the Activity explorer and in alerts and cases).
When you create the connector in Step 3, you'll use the data in the PredictionScore field as a threshold value for the trigger. If a user crosses the threshold value that you set later in the policy, the user is brought into the scope of the policy.
Example 2: Prepare a single CSV file to create multiple policy indicators
This example shows how to create multiple policy indicators (one for Dropbox and one for Salesforce) from a single CSV file. This example uses the following sample data:
```
User_Principal_Name,Display_Name,Alert_Severity,Alert_Count,Aggregation_Date,Source_Workload,AdditionalInfo_Salesforce,AdditionalInfo_Dropbox
sarad@contoso.com,Salesforce - Sensitive report downloaded and emailed externally,High,10,2023-04-24T05:52:56.962686Z,Salesforce,text,text
sarad@contoso.com,Salesforce - Anomalous download of sales lead reports,Medium,6,2023-04-24T05:52:56.962686Z,Salesforce,text,text
bradh@contoso.com,Salesforce - Printing sales reports,Low,50,2023-04-24T05:52:56.962686Z,Salesforce,text,text
bradh@contoso.com,Salesforce - Excessive modifications to sensitive reports,Medium,3,2023-04-24T05:52:56.962686Z,Salesforce,text,text
sarad@contoso.com,Dropbox - Sensitive files saved to personal Dropbox,High,14,2023-04-24T05:52:56.962686Z,Dropbox,text,text
bradh@contoso.com,Dropbox - Anomalous file copy activity,Medium,5,2023-04-24T05:52:56.962686Z,Dropbox,text,text
```
The following table describes each column in the CSV file.
| Column | Description | 
|---|---|
| User_Principal_Name | The Microsoft Entra UserPrincipalName (UPN) used to identify the user. |
| Display_Name | Name of the risky activity. |
| Alert_Severity | Severity categories: Low, Medium, and High. |
| Alert_Count | Number of incidences of each activity. Data in this field is used for the indicator threshold setting. |
| Aggregation_Date | Mandatory field that displays the date/time that the activity occurred. Use the following date format: yyyy-mm-ddThh:mm:ss.nnnnnn+|-hh:mm, which is the ISO 8601 date and time format. |
| Source_Workload | This is the key field for the multiple indicators scenario. Select this field for the Source column field when you create the connector, and use the values in this field (Dropbox and Salesforce) in the Related values in source column field in the connector. |
| AdditionalInfo_Salesforce | Any additional info that you want to note about the Salesforce indicator. |
| AdditionalInfo_Dropbox | Any additional info that you want to note about the Dropbox indicator. |
Example 2 in Step 3 shows how to use this CSV file when you create the data connector.
Step 3: Create the Insider Risk Indicators connector
Create a connector in the Microsoft Purview portal. After you run the script in Step 4, the connector imports the data from the CSV file and uploads it to your Microsoft 365 organization.
Note
Before you create a connector, make sure that you have a list of the scenarios and the corresponding CSV column names for each scenario.
Example 1: Create a connector file for a simple trigger
- Sign in to the Microsoft Purview portal. 
- Select Settings > Data connectors. 
- Select My connectors, then select Add connector. 
- From the list, choose Insider Risk Indicators (preview). 
- Review the terms of service, then select Accept if you want to continue creating the connector. 
- On the Authentication page, complete the following steps:
  - Enter a name for the connector.
  - Paste the Microsoft Entra application ID for the app that you created in Step 1.
  - Select Next.
- On the Sample file page:
  - Select Upload sample file, then select the CSV file that you want to upload.
  - In the Source column list, select None (Single source).
  - In the Verify sample data and data type section, review each field to make sure that the right data types are assigned to each field. If a field is used later as a threshold value, make sure that it has a Number data type. For example, in this scenario, the PredictionScore field is used as a threshold value, so its data type is set to Number.
  - Select Next.
- On the Data mapping page:
  - Enter the values for Event time (UTC time) and Microsoft 365 user email address based on the appropriate values from the CSV file. These fields are mandatory for the connector.
  - In the Default field, use the list to select each field you want to include from the CSV file. For example, select a Number field to use later as a threshold value for the indicator, or select other fields to use as supporting information.
  - Select Next.
- On the Finish page, review all the information, and if everything looks correct, select Finish. 
- Copy the job ID for the connector. You need it for the next step. 
- Go to Step 4 to run the script that uploads the data to Microsoft 365. 
Example 2: Create a connector that includes multiple policy indicators
This example shows how to set up a single connector to create multiple policy indicators for Salesforce and Dropbox. You could create two separate connectors, but creating a single connector that works for both can reduce overall file maintenance.
- Sign in to the Microsoft Purview portal. 
- Select Settings > Data connectors. 
- Select My connectors, then select Add connector. 
- From the list, choose Insider Risk Indicators (preview). 
- Review the terms of service, then select Accept if you want to continue creating the connector. 
- On the Authentication page, complete the following steps:
  - Enter a name for the connector.
  - Paste the Microsoft Entra application ID for the app that you created in Step 1.
  - Select Next.
- On the Sample file page:
  - Select Upload sample file, then select the CSV file that you want to upload.
  - In the Source column list, select the column to use as the source. In the example CSV file, the source column is Source_Workload, since it stores the values for the two separate workloads (Salesforce and Dropbox).
  - In the Related values in source column field, enter the related values. For this example, enter Salesforce,Dropbox. Don't include spaces between values.

    Important: Make sure that the values you enter in the Related values in source column field match the values in the column you selected in the Source column list. The connector fails if the column values don't match.

  - In the Verify sample data and data type section, review each field to make sure that the right data types are assigned for each field. If a field is used later as a threshold value, make sure that it has a Number data type. For example, in this scenario, the Alert_Count field is used as a threshold value, so its data type is set to Number.
  - Select Next.
- On the Data mapping page:
  - Enter the values for Event time (UTC time) and Microsoft 365 user email address based on the appropriate values from the CSV file. These fields are mandatory and common to both indicators you're creating for this example.
  - Select the columns from your sample file that you want to map to the two workloads, Salesforce and Dropbox.

    Tip: You can use the same process to create multiple policy indicators based on severity levels. For example, you can use a single connector to create separate Low, Medium, and High indicators. In the Source column list, select the field that holds the severity values (Low, Medium, High). Enter those values in the Related values in source column field. Then map the appropriate fields on the Data mapping page.

  - Select Next.
- On the Finish page, review all the information, and if everything looks correct, select Finish. 
- Copy the job ID for the connector. You need it for the next step. 
- Go to the next step (Step 4) to run the script that uploads the data to Microsoft 365. 
Step 4: Run the sample script to upload your data
The last step in setting up a connector is running a sample script that uploads the data in the CSV file. When you run the script, the connector you created in Step 3 imports the data to your Microsoft 365 organization where the insider risk management solution can access it. After you run the script, consider scheduling a task to run it automatically on a daily basis so the most current data is uploaded to the Microsoft cloud. For more information, see Schedule the script to run automatically.
Before running the script
- Make sure to add the webhook.ingestion.office.com domain to your firewall allowlist for your organization. If this domain is blocked, the script doesn't run.
- Make sure to wait 24 hours before uploading the data after you update the custom indicators and the associated policies. This waiting period ensures all components sync. If you immediately upload the data while the updates are syncing, some data might not be scored for risk.
- Make sure that all combinations of UPN and timestamp to be imported are unique. If any record in the uploaded CSV file contains the same timestamp and UPN as other records in the file, the record is dropped.
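Before you run the script, it is worth checking the CSV file against the rules this article states in Step 2 and in the list above (mandatory UPN and ISO 8601 timestamp columns, a Number column for the threshold, Source column values matching the related values given to the connector, and no repeated UPN-plus-timestamp pairs). The following Python script is an added example, not part of this article or of Microsoft's sample script. The column names are the ones from Example 2, the related values (Salesforce, Dropbox) and the sample rows are constructed for illustration, and treating a trailing `Z` as UTC is an assumption based on the sample data in Step 2.

```python
"""Pre-upload checks for an Insider Risk Indicators CSV file.

Added example; it is not part of this documentation or of Microsoft's
sample script. It applies the rules stated on this page before the upload
in Step 4: the UPN and timestamp columns are mandatory, the timestamp is
ISO 8601, the column used as a threshold must be a Number, values in the
Source column must match the related values given to the connector, and a
row that repeats an already-seen (UPN, timestamp) pair is dropped by the
service. Column names are the ones from Example 2; pass your own names.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime

# Constructed sample, not the page's data. Counting the header as line 1:
# line 4 repeats line 3's UPN and timestamp, and line 5 has a non-numeric
# count and a workload that is not among the related values.
SAMPLE_CSV = """\
User_Principal_Name,Display_Name,Alert_Severity,Alert_Count,Aggregation_Date,Source_Workload
sarad@contoso.com,Salesforce - Anomalous download of sales lead reports,Medium,6,2023-04-24T05:52:56.962686Z,Salesforce
bradh@contoso.com,Dropbox - Anomalous file copy activity,Medium,5,2023-04-24T05:52:56.962686Z,Dropbox
bradh@contoso.com,Dropbox - Anomalous file copy activity,Medium,7,2023-04-24T05:52:56.962686Z,Dropbox
sarad@contoso.com,Box - Share link created,Low,many,2023-04-25T06:00:00Z,Box
"""


def parse_iso8601(value: str) -> datetime:
    """Parse yyyy-mm-ddThh:mm:ss.nnnnnn+|-hh:mm; a trailing Z is read as +00:00 (assumption)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(csv_text: str, upn_col: str, time_col: str, threshold_col: str,
             source_col: str = "", related_values: tuple[str, ...] = ()):
    """Return (clean_rows, problems); each problem is (line_number, message).

    Only rows with no problem are returned in clean_rows, so the result is
    what the connector can be expected to score after the upload.
    """
    problems: list[tuple[int, str]] = []
    clean: list[dict[str, str]] = []
    seen: set[tuple[str, datetime]] = set()

    reader = csv.DictReader(io.StringIO(csv_text))
    required = {upn_col, time_col, threshold_col} | ({source_col} if source_col else set())
    missing = required - set(reader.fieldnames or [])
    if missing:
        return [], [(1, f"missing column(s): {sorted(missing)}")]

    for line_no, row in enumerate(reader, start=2):
        ok = True
        upn = row[upn_col].strip()
        if "@" not in upn:
            problems.append((line_no, f"{upn_col} is not a UPN: {upn!r}"))
            ok = False

        stamp = None
        try:
            stamp = parse_iso8601(row[time_col].strip())
        except ValueError:
            problems.append((line_no, f"{time_col} is not ISO 8601: {row[time_col]!r}"))
            ok = False

        try:
            float(row[threshold_col])  # the threshold column must have the Number data type
        except ValueError:
            problems.append((line_no, f"{threshold_col} must be a Number: {row[threshold_col]!r}"))
            ok = False

        if source_col and row[source_col] not in related_values:
            problems.append((line_no, f"{source_col} value {row[source_col]!r} is not in the "
                                      f"related values {list(related_values)}"))
            ok = False

        # The service drops a record whose UPN and timestamp repeat an earlier record.
        if stamp is not None:
            key = (upn.lower(), stamp)
            if key in seen:
                problems.append((line_no, "duplicate UPN and timestamp; the service drops this record"))
                ok = False
            seen.add(key)

        if ok:
            clean.append(row)
    return clean, problems


if __name__ == "__main__":
    rows, issues = validate(SAMPLE_CSV, "User_Principal_Name", "Aggregation_Date",
                            "Alert_Count", "Source_Workload", ("Salesforce", "Dropbox"))
    for line_no, msg in issues:
        print(f"line {line_no}: {msg}")
    print(f"{len(rows)} row(s) ready to upload")
```

Run it against the real file by reading the file into `validate` with your own column names and related values; a clean run reports zero problems, and the line numbers let you fix the offending rows in the export before anything is uploaded.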
Run the sample script
- Go to the window that you left open from the previous step to access the GitHub site with the sample script. Alternatively, open the bookmarked site or use the URL that you copied. You can also access the script at https://github.com/microsoft/m365-compliance-connector-sample-scripts/blob/main/sample_script.ps1. 
- Select the Raw button to display the script in text view. 
- Copy all the lines in the sample script, and save them to a text file. 
- Modify the sample script for your organization, if necessary. 
- Save the text file as a Windows PowerShell script file by using a filename suffix of .ps1; for example, HRConnector.ps1. Alternatively, you can use the GitHub filename for the script, which is upload_termination_records.ps1.
- Open a command prompt on your local computer, and then go to the directory where you saved the script. 
- Run the following command to upload the data in the CSV file to the Microsoft cloud:

  ```powershell
  .\HRConnector.ps1 -tenantId <tenantId> -appId <appId> -appSecret <appSecret> -jobId <jobId> -filePath '<filePath>'
  ```

  The following table describes the parameters to use with this script and their required values. The information you obtained in the previous steps is used in the values for these parameters.

  | Parameter | Description |
  |---|---|
  | tenantId | The ID for your Microsoft 365 organization that you obtained in Step 1. You can also obtain the tenant ID for your organization on the Overview blade in the Microsoft Entra admin center. This value identifies your organization. |
  | appId | The Microsoft Entra application ID for the app that you created in Microsoft Entra ID in Step 1. Microsoft Entra ID uses this value for authentication when the script attempts to access your Microsoft 365 organization. |
  | appSecret | The Microsoft Entra application secret for the app that you created in Microsoft Entra ID in Step 1. This value is also used for authentication. |
  | jobId | The job ID for the connector that you created in Step 3. This value associates the data that is uploaded to the Microsoft cloud with the connector. |
  | filePath | The file path for the CSV file (stored on the same system as the script) that you created in Step 2. Try to avoid spaces in the file path; otherwise, enclose the path in single quotation marks. |

  Here's an example of the syntax for the connector script using actual values for each parameter:

  ```powershell
  .\HRConnector.ps1 -tenantId d5723623-11cf-4e2e-b5a5-01d1506273g9 -appId 29ee526e-f9a7-4e98-a682-67f41bfd643e -appSecret MNubVGbcQDkGCnn -jobId b8be4a7d-e338-43eb-a69e-c513cd458eba -filePath 'C:\Users\contosoadmin\Desktop\Data\insider_risk_indicator_data.csv'
  ```

  If the upload is successful, the script displays the Upload Successful message.

  Note: If you have problems running the previous command because of execution policies, see About Execution Policies and Set-ExecutionPolicy for guidance about setting execution policies.
Step 5: Monitor the connector
After you create the connector and run the script to upload your data, view the connector and upload status in the Microsoft Purview portal. If you schedule the script to run automatically on a regular basis, you can view the current status after the last time the script runs.
- Sign in to the Microsoft Purview portal. 
- Select Settings > Data connectors. 
- Select My connectors, then select the Insider Risk Indicators connector that you created to display the flyout page. This page contains the properties and information about the connector.
- Under Progress, select the Download log link to open (or save) the status log for the connector. This log contains information about each time the script runs and uploads the data from the CSV file to the Microsoft cloud. The RecordsSaved field indicates the number of rows in the CSV file that were uploaded. For example, if the CSV file contains four rows, the value of the RecordsSaved field is 4 if the script successfully uploads all the rows.
If you don't run the script in Step 4, a link to download the script is displayed under Last import. You can download the script and then follow the steps to run the script.
(Optional) Step 6: Schedule the script to run automatically
To make sure the insider risk management solution always has the latest data from your organization, schedule the script to run automatically on a recurring basis, such as once a day. This schedule requires updating the data in the CSV file on a similar (if not the same) schedule so that it contains the latest information. The goal is to upload the most current data so that the connector can make it available to the insider risk management solution.
Use the Task Scheduler app in Windows to automatically run the script every day.
- On your local computer, select the Windows Start button and type Task Scheduler. 
- Select the Task Scheduler app. 
- In the Actions section, select Create Task. 
- On the General tab, enter a descriptive name for the scheduled task. For example, HR Connector Script. You can also add an optional description. 
- Under Security options, complete the following steps:
  - Decide whether to run the script only when you're logged on to the computer or regardless of whether you're logged on.
  - Make sure that the Run with the highest privileges check box is selected.
- Select the Triggers tab, select New, and complete the following steps:
  - Under Settings, select the Daily option, and choose a date and time to run the script for the first time. The script runs every day at the same specified time.
  - Under Advanced settings, make sure that the Enabled check box is selected.
  - Select OK.
- Select the Actions tab, select New, and complete the following steps:
  - In the Action dropdown list, make sure that Start a program is selected.
  - In the Program/script box, select Browse, go to C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, and select it so the path is displayed in the box.
  - In the Add arguments (optional) box, paste the same script command that you ran in Step 4. For example: .\HRConnector.ps1 -tenantId "d5723623-11cf-4e2e-b5a5-01d1506273g9" -appId "c12823b7-b55a-4989-faba-02de41bb97c3" -appSecret "MNubVGbcQDkGCnn" -jobId "e081f4f4-3831-48d6-7bb3-fcfab1581458" -filePath "C:\Users\contosoadmin\Desktop\Data\insider_risk_indicator_data.csv"
  - In the Start in (optional) box, paste the folder location of the script that you ran in Step 4. For example, C:\Users\contosoadmin\Desktop\Scripts.
  - Select OK to save the settings for the new action.
- In the Create Task window, select OK to save the scheduled task. You might be prompted to enter your user account credentials. The new task appears in the Task Scheduler Library. You see the last time the script ran and the next time it's scheduled to run. Double-click the task to edit it. You can also verify the last time the script ran on the flyout page of the corresponding connector in the Microsoft Purview portal.
(Optional) Step 7: Upload data using Power Automate templates
You can upload the CSV data by using Power Automate templates and define triggers. For example, you can configure a Power Automate template to trigger when new connector files are available in SharePoint or OneDrive locations. You can also streamline this process by storing confidential information like the Microsoft Entra application secret (created in Step 1) in Azure Key Vault and using it with Power Automate for authentication.
Complete the following steps to automatically upload data when new files become available on OneDrive for Business:
- Download the ImportHRDataforIRM.zip package from the GitHub site.
- In Power Automate, go to My flows.
- Select Import and upload the ImportHRDataforIRM.zip package.
- After the package is uploaded, update the content (name and OneDrive for Business connection) and select Import.
- Select Open flow and update the parameters. The following table describes the parameters to use in this Power Automate flow and their required values. The information you obtained in the previous steps is used in the values for these parameters.
| Parameter | Description | 
|---|---|
| appId | This is the Microsoft Entra application ID for the app that you created in Microsoft Entra ID in Step 1. This value is used by Microsoft Entra ID for authentication when the script attempts to access your Microsoft 365 organization. | 
| appSecret | This is the Microsoft Entra application secret for the app that you created in Microsoft Entra ID in Step 1. This secret is used for authentication. | 
| fileLocation | This is the OneDrive for Business location where Power Automate monitors for 'new file created' activities to trigger this flow. | 
| jobId | Identifier for the connector created in Step 3. This identifier associates the data uploaded to the Microsoft cloud with the connector. | 
| tenantId | Identifier for your Microsoft 365 organization obtained in Step 1. You can also obtain the tenant ID for your organization on the Overview blade in the Microsoft Entra admin center. Microsoft uses this tenant ID to identify your organization. | 
| URI | Verify that the value for this parameter is https://webhook.ingestion.office.com/api/signals | 
- Select Save.
- Go to Flow overview and select Turn on.
- Test the flow manually by uploading a new file to your OneDrive for Business folder and verify that it runs successfully. This process might take a few minutes after the upload before the flow is triggered.
- You can now monitor the connector as described in Step 5.
If needed, you can update the flow to create triggers based on file availability and modification events on SharePoint and other data sources supported by Power Automate flows.