Microsoft Security Copilot agents are AI-powered processes that are designed to help you with specific role-based tasks. Microsoft Purview offers a Microsoft Purview Data Loss Prevention (DLP) triage agent in preview. This agent provides an agent-managed alert queue in which the alerts about the highest-risk activities are identified and prioritized. The agent analyzes the content and potential intent involved in the activity, based on the organization's chosen parameters and level of risk tolerance, and offers a comprehensive explanation of the logic behind the categorization.
The agent is available in the Microsoft Purview embedded experiences. For more information, see embedded experiences.
Triaging alerts and assigning them a priority can be complex and time consuming. When an agent triages and prioritizes alerts according to the parameters that you set, the time required to complete the task is reduced. The agent helps you focus on the most important alerts by sifting them out from the noise of lower-risk alerts. This improves your response time and helps increase the efficiency and effectiveness of your team.
For information on deploying, configuring, and using the agents, see Get started with the Microsoft Purview Agents.
Before you begin
If you're new to Security Copilot or Security Copilot agents, you should familiarize yourself with the information in these articles:
- Microsoft Security Copilot agents overview
- What is Microsoft Security Copilot?
- Microsoft Security Copilot experiences
- Get started with Microsoft Security Copilot
- Understand authentication in Microsoft Security Copilot
- Prompting in Microsoft Security Copilot
- Configure Owner settings
Security Copilot agent concepts
The Microsoft Purview triage agents run on Security Compute Units (SCUs). Your organization must have SCUs provisioned for the agents to run. For more information, see SKU/subscriptions licensing.
Triggers
Triggers are groupings of parameters whose values must be met in order for the agent to triage any given alert. Triggers include:
- Time frame: You can define the time scope in which alerts were generated for triaging. See Select alert timeframe.
- Policies: You can configure the agent to triage alerts only from the policies you select. See Set up agents.
Important
Agents aren't administrative unit aware. However, if the agent is running in the context of an admin who is restricted to an administrative unit, and there are policies scoped to that administrative unit, the agent only sees alerts from the policies that are scoped to that admin unit.
Run automatically or manually
When you deploy an agent, and when you edit triggers, you can select whether the agent will run automatically based on a set schedule or run manually on one alert at a time. If you select Run automatically based on a set schedule, the agent triages the alerts that are included in the Select alert timeframe setting.
Select alert timeframe
When you deploy an agent, and when you edit an agent’s triggers, you can pick the timeframe that the agent will use to scope which alerts to triage. The options are:
- Only triage new alerts
- Last 24 hours
- Last 48 hours
- Last 72 hours
- Last 7 days
- Last 14 days
- Last 21 days
- Last 30 days
If you select Only triage new alerts, the agent only triages alerts that are generated after the agent is deployed. The agent won't triage any alerts that were generated before the agent was deployed. This means that all the Last # hours or days options are ignored.
If you select any of the Last # hours or days options, the agent triages alerts that were generated in the selected timeframe. This allows you to triage alerts that were generated before the agent was deployed. All newly generated alerts are also triaged.
Important
The time frame scope for alerts to be triaged is anchored to the moment of successful agent enablement. Essentially, the clock starts ticking when the agent is enabled. So, Last number of hours or days refers to the time period prior to agent enablement. This is not a rolling time frame.
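The anchored window is the part of this setting that is easiest to misread, so here is an added example (not code from the page or from Microsoft Purview) that models the scoping rules as stated above: alerts generated after enablement are always in scope, "Only triage new alerts" has no look-back, each "Last #" option looks back from the enablement time rather than from the current time, and nothing older than 30 days before enablement is considered. The timestamps and alert ids are constructed for the example; the rolling-window function exists only to contrast with the agent's behaviour and is not how the agent works.

```python
from datetime import datetime, timedelta, timezone

# Timeframe options exactly as the page lists them. None stands for
# "Only triage new alerts", which has no look-back at all.
TIMEFRAME_OPTIONS = {
    "Only triage new alerts": None,
    "Last 24 hours": timedelta(hours=24),
    "Last 48 hours": timedelta(hours=48),
    "Last 72 hours": timedelta(hours=72),
    "Last 7 days": timedelta(days=7),
    "Last 14 days": timedelta(days=14),
    "Last 21 days": timedelta(days=21),
    "Last 30 days": timedelta(days=30),
}

# Alerts generated more than 30 days before enablement are out of scope.
MAX_LOOKBACK = timedelta(days=30)


def alert_in_scope(generated_at, enabled_at, timeframe):
    """Anchored scoping: the look-back window is measured backwards from the
    moment the agent was enabled, never from 'now'. Alerts generated after
    enablement are always in scope."""
    window = TIMEFRAME_OPTIONS[timeframe]
    if generated_at >= enabled_at:
        return True
    if window is None:
        return False
    return generated_at >= enabled_at - min(window, MAX_LOOKBACK)


def rolling_in_scope(generated_at, now, window):
    """Contrast only: a rolling window measured back from 'now'. This is NOT
    how the agent scopes alerts; it is here to show the difference."""
    return generated_at >= now - window


def scope_alerts(alerts, enabled_at, timeframe):
    """Return the ids of the alerts the agent would consider for a trigger."""
    return [a["id"] for a in alerts
            if alert_in_scope(a["generated_at"], enabled_at, timeframe)]


def compare_anchored_and_rolling(generated_at, enabled_at, now, timeframe):
    """Evaluate one alert under the agent's anchored rule and under a rolling
    window of the same length, so the two can be compared side by side."""
    return {
        "anchored": alert_in_scope(generated_at, enabled_at, timeframe),
        "rolling": rolling_in_scope(generated_at, now, TIMEFRAME_OPTIONS[timeframe]),
    }


# Constructed sample data: hypothetical enablement time, evaluation time and alerts.
ENABLED_AT = datetime(2025, 1, 10, tzinfo=timezone.utc)
NOW_LATER = datetime(2025, 1, 20, tzinfo=timezone.utc)   # ten days after enablement
SAMPLE_ALERTS = [
    {"id": "A1", "generated_at": datetime(2024, 12, 1, tzinfo=timezone.utc)},  # 40 days before
    {"id": "A2", "generated_at": datetime(2025, 1, 5, tzinfo=timezone.utc)},   # 5 days before
    {"id": "A3", "generated_at": datetime(2025, 1, 12, tzinfo=timezone.utc)},  # 2 days after
]

if __name__ == "__main__":
    for option in TIMEFRAME_OPTIONS:
        print(f"{option:<24} -> {scope_alerts(SAMPLE_ALERTS, ENABLED_AT, option)}")
    # A2 was generated 5 days before enablement. Under "Last 7 days" the agent
    # keeps it forever; a rolling 7-day window evaluated on Jan 20 would not.
    print(compare_anchored_and_rolling(
        SAMPLE_ALERTS[1]["generated_at"], ENABLED_AT, NOW_LATER, "Last 7 days"))
```

Running the script shows that "Only triage new alerts" and "Last 24 hours" both yield only A3, every option from "Last 7 days" upward yields A2 and A3, and A1 is never in scope because it predates enablement by more than 30 days. The final line prints `{'anchored': True, 'rolling': False}`, which is the practical consequence of the note above: an alert that fell inside the window at enablement stays in the queue no matter how much later you look.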
Security context
Agents run in the security context of the user that last configured them. The security context must be renewed every 90 days. The agent stops running if the user is removed or deleted from the tenant or if the user is disabled.
Triaged alerts
The agent triages alerts based on the trigger configuration: alerts that were generated in the timeframe you selected and that come from the policies you selected. Not all alerts are triaged. For more information, see Set up agents.
Triaged alerts are grouped into four categories:
All: This category includes all the alerts that the agent has triaged. The count indicated in the category may not accurately reflect the true number of alerts until you go into that view and scroll down to load all the alerts. If the conditions that caused the alert to be raised in the first place have changed, or if the alert hasn't been triaged yet, you can select the alert and then select Run agent to manually run the agent on the alert.
Needs attention: These are the alerts that the agent has reasoned over and determined that they pose the greatest risk to your organization. When you select one of these alerts, the details flyout opens to show a summary of the alert and other details.
Less Urgent: These are the alerts that the agent has reasoned over and determined that they pose a lower risk to your organization. When you select one of these alerts, the details flyout opens to show a summary of the alert and other details.
Not categorized: These are the alerts that the agent wasn't able to successfully triage. This can happen for a number of reasons, including:
- Server error
- In process of reviewing
- Other error
- Unsupported error, for alerts that contain activities which the agent doesn't support
Agents triage files up to 2 MB in size.
How agents prioritize
The DLP triage agent prioritizes alerts based on these risk factors:
- Content Risk: This is the primary risk factor used during agent triage. It covers sensitive content based on Microsoft-provided SITs, trainable classifiers, and default sensitivity labels.
- Exfiltration Risk: Exfiltration of sensitive data shared externally.
- Policy Risk: Policy mode and rules with actions impact the prioritization of alerts.
- Content Risk: Label removed or downgraded.
- Exfiltration Risk: Exfiltration of sensitive data to an unapproved domain. For more information, see Configure endpoint data loss prevention settings.
Alert Triage details
Important
The DLP triage agent only supports alerts from policies that are in active mode. The DLP alert triage agent doesn't triage alerts from DLP policies that are running in simulation mode.
Agents are able to review alerts that were generated up to 30 days prior to the enablement of the agent if the tenant has sufficient SCUs. Alerts that were generated more than 30 days prior to agent enablement are out of scope.
The DLP triage agent triages alerts from Exchange, SharePoint, OneDrive, Teams.
In DLP, the agent doesn't triage alerts that are triggered only by custom sensitive information types (SITs) or custom trainable classifier conditions. Alerts triggered only by policy conditions that are neither SITs nor trainable classifiers, such as Email subject match, aren't triaged either.
You should perform manual analysis on alerts that can't be fully evaluated by the agent.
Partially triaged alerts
Here are some examples of situations where alerts may be partially triaged.
- The DLP rule contains some conditions that aren't supported, such as "The user accessed a sensitive site from Edge".
- The DLP rule includes certain conditions, but the system is unable to retrieve the corresponding properties of the email or files, such as "Document couldn't be scanned".
Content Analysis
There are some situations where content analysis may be limited.
The content risk prioritization of an alert is based on Microsoft-provided SITs, trainable classifiers, and sensitivity labels in the content. When an agent evaluates content risk, it only looks for the Microsoft-provided SITs and trainable classifiers that are defined in the policy.
When a DLP alert is associated with zero to nine files, all of the files are scanned by the agent and used in the content summary. When an alert has 10 or more files, the 10 files judged most risky are used to generate the file risk summary. In DLP, the triage agent picks the top 10 risky files based on the number of policy classifier hits, the file size, and the last time the file was accessed. When this happens, the agent provides a note stating that not all of the files in the alert were included in the content summary.