Use these procedures to roll out the Microsoft Purview agents.
Before you begin
If you're new to Security Copilot Agents in Microsoft Purview, you should read these articles.
SKU/subscriptions licensing
The Microsoft Purview agents require both the standard per seat licensing model and the pay-as-you-go billing model. Your organization must be licensed for:
- Microsoft Purview Data Loss Prevention (Purview DLP) to use the Purview DLP triage agent.
- Microsoft Purview Insider Risk Management to use the Insider Risk Management triage agent.
The Microsoft Purview triage agents consume security compute units (SCUs) as they perform their tasks. You must have SCUs provisioned for the triage agents to work. The number of SCUs consumed depends on the number and type of alerts that are processed. For more information about SCUs, see Security compute units (SCUs). You can track your SCU consumption in the usage monitoring tool. For more information about onboarding into Microsoft Security Copilot, see Get started with Microsoft Security Copilot.
For information on licensing, see
Permissions and Roles
There are different permissions and roles needed to perform different functions with the Microsoft Purview agents. For more information, see Permissions in the Microsoft Purview portal, and Roles and role groups in the Microsoft Purview portals.
Important
Agents run in the security context of the last user who saved the agent configuration. This authentication is valid for 90 days. After 90 days, the agent stops running until the configuration is manually saved again.
Permissions for enabling and managing the Purview DLP agent
The account you use to enable and manage the Purview DLP agent must have:
- Data Loss Prevention Analyst role OR Data Loss Prevention Investigator role
- Purview Content Analyst
- Security Workspace Contributor role OR Security Workspace Owner role
Permissions for enabling and managing the Insider Risk Management agent
The account you use to enable and manage the Insider Risk Management agent must have all of these roles:
- Insider Risk Management analyst role OR Insider Risk Management Investigation role
- Purview Content Analyst
- Security Copilot Workspace Contributor OR Security Workspace Owner role
Permissions for viewing triaged Purview DLP alerts
The account that you use to view the Purview DLP triage agent alert activity must be able to access Purview DLP alerts, which is granted by being in one of these role groups:
- Information Protection Analysts role group
- Information Protection Investigators role group
- Information Protection role group
- Compliance Administrator role group
- Data Security Management role group
Permissions for viewing triaged Insider Risk Management alerts
The account that you use to view the Insider Risk Management triage agent alert activity must be in:
- Security Copilot Workspace Contributor role group
and be able to access Insider Risk Management alerts, which is granted by being in one of these role groups:
- Insider Risk Management Analysts role group
- Insider Risk Management Investigators role group
- Insider Risk Management role group
- Data Security Management role group
Deployment and configuration roadmap
Implementing the Microsoft Purview agents involves several phases:
Infrastructure prerequisites
Microsoft Purview triage agents run on Microsoft Security Copilot.
- Your tenant must be onboarded to Microsoft Security Copilot. For more information on how to onboard, see Get started with Microsoft Security Copilot.
- You must enable Microsoft 365 data sharing in Security Copilot. For more information, see Accessing data from Microsoft 365 services.
- You must enable the Microsoft Purview plug-in in Microsoft Security Copilot. For more information, see Enable the Microsoft Purview source in Microsoft Security Copilot.
Enabling agents
This procedure is for organizations that haven't enabled any of the Microsoft Purview agents, or that removed the agents and want to enable them again. Once you enable the agents, they're available for use in Microsoft Purview. There can be only one instance of each agent in a tenant. This procedure works for both the Purview DLP triage agent and the Insider Risk Management triage agent.
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left-hand navigation pane, select Agents.
- Select Explore agents.
- Select the agent that you want to enable and select Add. This opens a page that shows the requirements to enable the agent.
- Select Setup. This opens the Deploy agent global configuration page. You can:
- Choose to Run automatically based on a set schedule. If you don't choose this option, you must run the agent manually, one alert at a time. The schedule is set by Microsoft and isn't configurable by organizations. You can change this setting later when you edit the agent.
- Select the alert timeframe, which is how far back the agent looks for alerts to triage. Analysts can shorten the timeframe when they edit the agent but not lengthen it. For more information, see Select Alert timeframe.
- Select Deploy. You see the Alert Triage Agent in <solution> is deployed message when the agent is successfully deployed.
Setup agents
Once an agent is enabled, you need to set specific triggers for the agent. The triggers determine which alerts the agent triages. You can do this either on the Agents page or, as part of the first-run experience, on the Alerts page for the solution. For this procedure, we'll use the first-run experience Alerts page method. This procedure assumes that you still have the Microsoft Purview portal open to the Explore agents page from the previous procedure.
Important
The most recent agent configuration is always used.
- Select Go to <solution>. This opens the Alerts page for the solution.
- Because you are in the first-run experience, you see a dialog box with a Customize button that, when selected, opens the Customize Alert Triage Agent flyout.
- Here, choose either to accept the default global setting for Select alert timeframe or change it to be shorter than what was configured during agent deployment.
- Choose Select policies to select the policies whose alerts will be triaged by the agent. In preview, all policies are selected by default; you can change that here.
Important
At public preview, the Purview DLP agent only triages alerts from policies scoped to Exchange, Teams, OneDrive, and SharePoint locations. Also, the triage agents only support policies that use Microsoft-provided sensitive information types (SITs) and trainable classifiers. If you want to triage alerts from Devices, Evidence collection for file activities on devices must be enabled.
- Choose Select policies.
- Select Review.
- Select Start agent.
- Allow up to 2 hours for the agent to complete triaging the in-scope alerts from this initial setup.
Pausing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left-hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to pause. This opens the agent overview page.
- In the upper-right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Deactivate agent. Pausing the agent stops the agent from triaging alerts. It doesn't remove the agent and it doesn't reset the Select alert timeframe reference point in time.
Removing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left-hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to remove. This opens the agent overview page.
- In the upper-right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Remove agent. Removing the agent deletes it from Microsoft Purview. If you want to use it again, you must go through the Enabling agents and Setup agents procedures again. Removing the agent resets the Select alert timeframe reference point in time.
Editing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left-hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to edit. This opens the agent overview page.
- Select Edit agent. This opens the Edit agent page.
- Select Triggers.
- Here you can change when the agent runs, either Agent will run manually on one alert at a time or Agent will run automatically based on a set schedule.
- Select Edit to change the Select alert timeframe value and the policies that the agent will triage alerts from.
- If you select Agent will run manually on one alert at a time, you can select a single alert in the Alerts page for the solution. Set the toggle to Alert Triage Agent Preview and select Run Agent.
Monitoring SCU usage
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left-hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent whose usage you want to monitor. This opens the agent overview page.
- Select Edit agent. This opens the Edit agent page.
- Select Usage monitoring.
- You can track your SCU consumption in the usage monitoring tool.
Alerts page overview
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- Open the solution you want to view the triaged alerts for.
- Open the Alerts page for the solution.
- In the upper-right area of the page, there's a new toggle that lets you choose between the Standard view of the Alerts page and an Alert Triage Agent (preview) view. Set the toggle to the Alert Triage Agent (preview) view. This view shows the alerts that have been triaged by the agent. The agent groups the alerts into four categories:
- All
- Needs attention
- Less Urgent
- Not categorized
Next steps
Refer to solution specific articles for information on reviewing the triaged alerts.