Insider Risk: Policies & Indicators
Choose the right policy template, configure which activities to monitor, and create Insider Risk policies that detect data theft, leaks, and security violations — without overwhelming your team with noise.
Policy templates — choosing the right one
Think of security camera presets. You could manually aim each camera, but presets make it easier: “entrance monitoring” points cameras at doors, “loading dock” watches deliveries, “car park” covers vehicles. Each preset knows what to watch for in that context.
Insider Risk policy templates are the same — each template is pre-configured to detect specific threat patterns. “Departing employee” watches for data hoarding before departure. “Data leaks” watches for unusual sharing. You choose the template that matches your risk scenario.
Available policy templates
| Template | What It Detects | Trigger |
|---|---|---|
| Data theft by departing users | Users downloading, copying, or sharing large volumes before departure | HR connector: resignation/termination signal |
| Data leaks | Unusual data sharing — external emails, cloud uploads, large downloads | Activity anomaly (no HR trigger needed) |
| Data leaks by priority users | Same as data leaks but focused on high-risk users (executives, admins) | Activity anomaly for priority user group |
| Data leaks by disgruntled users | Risky activity after negative HR events (demotion, poor review) | HR connector: performance improvement plan signal |
| Security policy violations | Bypassing security controls — disabling antivirus, installing unapproved software | Defender for Endpoint signals |
| Patient data misuse | Accessing patient records without clinical justification | Healthcare connector signals |
| Risky browser usage | Visiting risky websites, downloading from untrusted sources | Defender for Endpoint browser signals |
Policy indicators
Indicators are the individual activities that Insider Risk Management (IRM) monitors. They are enabled globally (in Insider Risk settings) and then selected per policy, so a policy can only use indicators that are switched on globally.
Indicator categories
| Category | Examples |
|---|---|
| Office indicators | Downloading files from SharePoint, sending emails with attachments, sharing with external users |
| Device indicators | Copying to USB, printing, uploading via browser, clipboard to external app |
| Cumulative exfiltration | Total volume of data moved outside the organisation over time |
| Risk score boosters | Activity from departing users, priority users, or users with previous alerts |
| Sequence detection | Multiple indicators occurring in sequence (e.g., download → rename → upload to personal cloud) |
| Healthcare indicators | Accessing patient records outside normal patterns |
Configuring indicators
| Setting | What It Controls |
|---|---|
| Enable/disable per category | Turn on/off entire indicator categories globally |
| Threshold customisation | Set minimum activity volumes before alerting (e.g., “10+ files downloaded per day”) |
| Sequence detection | Enable detection of multi-step exfiltration patterns |
| Cumulative thresholds | Alert when total data movement exceeds a threshold over days/weeks |
Scenario: Zara configures indicators at Atlas Global
Zara’s indicator configuration:
Enabled:
- Office indicators (email, SharePoint, OneDrive)
- Device indicators (USB, print, browser upload)
- Cumulative exfiltration
- Sequence detection
Thresholds adjusted:
- File downloads: Threshold raised from 5 to 20 per day (consultants regularly download many files)
- External email volume: Threshold raised from 10 to 30 (client-facing teams email externally frequently)
- USB copy: Threshold kept at 1 (zero tolerance for removable media data transfer)
These adjustments reduce false positives while catching genuine anomalies.
Creating a policy
| Step | What You Configure |
|---|---|
| 1. Choose template | Select from the available policy templates |
| 2. Name and describe | Policy name and admin description |
| 3. Users and groups | All users, specific groups, or adaptive scope (priority user groups) |
| 4. Content to prioritise | Optionally focus on content matching specific SITs, sensitivity labels, or file types |
| 5. Policy indicators | Select which indicators this policy uses (from globally enabled indicators) |
| 6. Indicator thresholds | Use default, customise, or use recommended thresholds |
| 7. Review and create | Review settings and activate |
Content prioritisation
You can focus a policy on specific types of content:
| Prioritisation | Example |
|---|---|
| Sensitivity labels | Only alert when users interact with “Confidential” or “Highly Confidential” content |
| Sensitive info types | Only alert when activity involves content matching patient data SITs |
| File extensions | Only alert for specific file types (.xlsx, .pdf, .pst) |
| SharePoint sites | Only alert for activity involving specific high-value sites |
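To make the interaction between per-day thresholds, cumulative exfiltration, sequence detection, risk score boosters and content prioritisation concrete, here is an added Python model of that evaluation logic. It is example code written for this page, not Microsoft's implementation and not part of the course material: the indicator ids (`file_download`, `usb_copy`, and so on), the scoring weights, the event layout and the Atlas Global activity it evaluates are all constructed for illustration. It replays Zara's tuning from the scenario above (downloads 5 to 20, external email 10 to 30, USB kept at 1) and the "Confidential"/"Highly Confidential" label prioritisation from the table above.

```python
"""Toy evaluator for Insider Risk indicator settings (added example, not Microsoft code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    user: str
    ts: datetime
    indicator: str     # hypothetical ids: file_download, external_email, usb_copy, rename, cloud_upload
    size: int = 0      # bytes moved; only meaningful for exfiltration indicators
    label: str = ""    # sensitivity label on the content ("" = unlabelled)


@dataclass
class Policy:
    thresholds: dict                           # indicator -> events per user per day before it scores
    cumulative_limit: int = 0                  # outbound bytes within window_days (0 = disabled)
    window_days: int = 7
    sequence: tuple = ()                       # ordered indicators, e.g. download -> rename -> cloud upload
    priority_labels: frozenset = frozenset()   # content prioritisation: empty = evaluate all content
    departing_users: frozenset = frozenset()   # HR-connector signal used as a risk score booster


EXFIL = {"external_email", "usb_copy", "cloud_upload"}   # indicators that move data outside the org
DEFAULT_THRESHOLDS = {"file_download": 5, "external_email": 10, "usb_copy": 1}
ATLAS_THRESHOLDS = {"file_download": 20, "external_email": 30, "usb_copy": 1}   # Zara's tuned values


def evaluate(policy: Policy, events: list[Event]) -> dict[str, list[dict]]:
    """Return alerts per user; each alert carries a score and boosters double it."""
    alerts: dict[str, list[dict]] = defaultdict(list)
    per_user: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        # Content prioritisation: with an empty label set every event is in scope.
        if policy.priority_labels and ev.label not in policy.priority_labels:
            continue
        per_user[ev.user].append(ev)

    window = timedelta(days=policy.window_days)
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.ts)
        boost = 2 if user in policy.departing_users else 1

        # 1. Per-day thresholds: count events per (day, indicator) and compare.
        daily = Counter((e.ts.date(), e.indicator) for e in evs)
        for (day, ind), n in sorted(daily.items()):
            limit = policy.thresholds.get(ind)
            if limit is not None and n >= limit:
                alerts[user].append({"kind": "threshold", "indicator": ind,
                                     "day": day.isoformat(), "count": n, "score": n * boost})

        # 2. Cumulative exfiltration: sliding window over outbound bytes.
        if policy.cumulative_limit:
            out = [e for e in evs if e.indicator in EXFIL]
            start, total = 0, 0
            for i, e in enumerate(out):
                total += e.size
                while out[i].ts - out[start].ts > window:   # drop events older than the window
                    total -= out[start].size
                    start += 1
                if total >= policy.cumulative_limit:
                    alerts[user].append({"kind": "cumulative", "bytes": total, "score": 10 * boost})
                    break   # one cumulative alert per user is enough for this toy

        # 3. Sequence detection: the ordered steps must all occur within one window.
        if policy.sequence:
            pos, first_ts = 0, None
            for e in evs:
                if first_ts is not None and e.ts - first_ts > window:
                    pos, first_ts = 0, None   # too slow to count as one sequence; restart
                if e.indicator == policy.sequence[pos]:
                    first_ts = first_ts or e.ts
                    pos += 1
                    if pos == len(policy.sequence):
                        alerts[user].append({"kind": "sequence", "steps": list(policy.sequence),
                                             "score": 20 * boost})
                        pos, first_ts = 0, None
    return dict(alerts)


def atlas_sample_events() -> list[Event]:
    """Constructed activity for one week at Atlas Global (not real telemetry)."""
    t0 = datetime(2024, 3, 4, 9, 0)
    evs = [Event("priya", t0 + timedelta(minutes=5 * i), "file_download", 2_000_000, "Confidential")
           for i in range(12)]   # a consultant's normal day: noisy at threshold 5, quiet at 20
    evs.append(Event("sam", t0 + timedelta(hours=3), "usb_copy", 50_000_000, "Confidential"))
    evs += [Event("sam", t0 + timedelta(days=3, minutes=i), "external_email", 1_000_000, "")
            for i in range(12)]   # unlabelled public material: out of scope under prioritisation
    evs += [   # departing user: download -> rename -> upload to personal cloud over two days
        Event("lee", t0 + timedelta(days=1), "file_download", 5_000_000, "Highly Confidential"),
        Event("lee", t0 + timedelta(days=1, hours=2), "rename", 0, "Highly Confidential"),
        Event("lee", t0 + timedelta(days=2), "cloud_upload", 5_000_000, "Highly Confidential"),
    ]
    return evs


def run(thresholds: dict, prioritise: bool = True) -> dict[str, list[dict]]:
    """Evaluate the sample week under a threshold set, with or without label prioritisation."""
    policy = Policy(thresholds=thresholds, cumulative_limit=8_000_000,
                    sequence=("file_download", "rename", "cloud_upload"),
                    priority_labels=frozenset({"Confidential", "Highly Confidential"}) if prioritise else frozenset(),
                    departing_users=frozenset({"lee"}))
    return evaluate(policy, atlas_sample_events())


if __name__ == "__main__":
    for name, thr in (("default", DEFAULT_THRESHOLDS), ("atlas", ATLAS_THRESHOLDS)):
        found = run(thr)
        print(name, sum(len(v) for v in found.values()), "alerts:", {u: [a["kind"] for a in v] for u, v in found.items()})
```

Running it shows the effect Zara is after: with the default thresholds Priya's routine twelve downloads raise an alert, while with the raised threshold she disappears from the alert list entirely, but Sam's single USB copy, his cumulative outbound volume and Lee's boosted download-rename-upload sequence still fire. Switching prioritisation off (`run(DEFAULT_THRESHOLDS, prioritise=False)`) brings Sam's unlabelled external emails back into scope and adds a further alert, which is the noise the "Content to prioritise" step is meant to remove.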
Exam tip: template selection logic
The exam tests whether you can match scenarios to the right template:
- Employee resigned + downloading files → “Data theft by departing users”
- No HR signal, just unusual external sharing → “Data leaks”
- Employee on performance improvement plan → “Data leaks by disgruntled users”
- Executive with high-sensitivity access → “Data leaks by priority users”
- User disabling antivirus → “Security policy violations”
- Nurse accessing celebrity patient records → “Patient data misuse”
If the question mentions an HR signal (resignation, termination, PIP), the answer involves an HR-triggered template. If there’s no HR signal, use the general “Data leaks” template.
An employee at Atlas Global received a poor performance review and is now downloading large numbers of client files to their personal OneDrive. Zara wants to detect this behaviour. Which policy template should she use?
Marcus's IRM policy at NovaTech is generating 50+ alerts per day, most of which are false positives. Developers regularly download large codebases from SharePoint. What should Marcus do?