
Captures clips of key security-related user activities
This requirement refers to recording and surfacing evidence of risky user behavior (e.g., copying sensitive files to USB, uploading to cloud storage, or exfiltrating data).
In Microsoft Purview Insider Risk Management, this is achieved through Forensic evidence, which allows capturing screenshots/clips of user activities on endpoints when a policy is triggered.
Ref: Microsoft Learn – Insider risk forensic evidence
Integrates DLP capabilities with insider risk management
Microsoft introduced Adaptive Protection as part of Purview Insider Risk.
Adaptive Protection uses insider risk signals and DLP together, dynamically adjusting DLP controls (block, restrict, monitor) based on the user’s risk level.
This integration reduces false positives and ensures risky users are monitored more strictly while low-risk users are less impacted.
Ref: Microsoft Learn – Adaptive Protection in Microsoft Purview
Other options ruled out:
Adaptive scopes: Used to dynamically define the groups a policy targets, not to capture activities.
Classifiers/Trainable classifiers: Used for content classification, not for exfiltration capture or DLP integration.
eDiscovery (Premium): Used for legal investigations, not for integrating insider risk with DLP.
Records management: Handles lifecycle retention; not related to insider risk.