In preview, Microsoft Security Copilot agents are available in Microsoft Purview to help triage Microsoft Purview Data Loss Prevention (DLP) and Microsoft Purview Insider Risk Management alerts. These Microsoft Purview agents are AI-powered assistants that can help you triage alerts by working seamlessly with Microsoft security products.
Available agents
Triage Agent in Insider Risk Management
The Triage Agent in Insider Risk Management helps security teams by evaluating alerts based on user risk, file risk, and activity risk. The agent then sorts the triaged alerts into four categories. These categories are presented in the insider risk management solution on the Alerts tab.
| Attribute | Description |
|---|---|
| Identity | Runs as the administrator who turned on the agent. Agent authentication expires after 90 days and must be renewed. |
| License | Both the standard per-seat licensing model and the pay-as-you-go billing model; Microsoft Purview Insider Risk Management with Microsoft 365 E3/E5/A5/F5/G5. For information on Security Copilot licensing in E5, see Learn about Security Copilot in Microsoft 365 E5. |
| Permissions | Access policy configurations and settings in Insider Risk Management; Read activities and events in Microsoft Purview; Read file content and metadata involved in Insider Risk Management alerts; Store user feedback and apply feedback when evaluating Insider Risk Management alerts |
| Plugins | Microsoft Purview |
| Products | Security Copilot; Insider Risk Management |
| Role-based access | View activity: Insider Risk Management Analysts, Insider Risk Management Investigators, or Insider Risk Management role group. Manage: All roles needed to view activity, plus the Purview Content Analyst role in the Purview Agent Management role group |
| Trigger | Runs on a selected schedule or on one alert at a time |
Alert Triage Agent in Data Loss Prevention (preview)
The Alert Triage Agent in Data Loss Prevention (DLP) helps security teams by evaluating alerts based on the sensitivity risk, exfiltration risk, and policy risk. The agent then sorts the triaged alerts into four categories. These categories are presented in the DLP solution on the Alerts page.
For devices, you must set up evidence collection for file activities on devices and enable evidence collection in the DLP policy rule configuration.
| Attribute | Description |
|---|---|
| Identity | Runs as the administrator who turned on the agent. Agent authentication expires after 90 days and must be renewed. |
| License | Both the standard per-seat licensing model and the pay-as-you-go billing model; Microsoft Purview Data Loss Prevention with Microsoft 365 E3/E5/A5/F5/G5 |
| Permissions | Access policy configurations and settings in DLP; Read activities and events in Microsoft Purview; Read file content and metadata involved in DLP alerts; Store user feedback and apply feedback when evaluating DLP alerts |
| Plugins | Microsoft Purview |
| Products | Security Copilot; Data Loss Prevention |
| Role-based access | View activity: Insider Risk Management Analysts, Insider Risk Management Investigators, or Insider Risk Management role group. Manage: All roles needed to view activity, plus the Purview Content Analyst role in the Purview Agent Management role group |
| Trigger | Runs on a selected schedule or on one alert at a time |