Microsoft Purview · Purview Agents (Preview)
Data Security IRM Triage Agent
Combined role requirements for setting up, configuring, and viewing results from the Insider Risk Management Triage Agent. This agent automatically triages IRM alerts, helping analysts focus on high-priority insider threats.
Scope: Insider risk alert triage automation for all IRM policy types
Permissions
- Enable IRM Triage Agent - Set up agent using user identity (requires Insider Risk Management Analysis/Investigation + Purview Content Analyst)
- Configure Agent - Customize triage rules and agent behavior (requires Purview Agent Analysis role)
- View Triaged Alerts - Access agent-categorized IRM alerts and justifications (requires Purview Agent Analysis)
- Security Copilot Contributor - Required for agent interaction and customization
Common use cases
- Automating initial insider risk alert triage to reduce analyst workload
- Prioritizing high-severity insider threats for immediate investigation
- Reducing false positive fatigue for insider risk reviewers
- Providing consistent risk categorization across IRM policies
- Accelerating insider risk incident response and case creation
Best practices
- Use agent identity (recommended) instead of user identity when possible
- Review triage accuracy regularly and adjust agent configuration
- Ensure investigators still review high-priority alerts manually
- Coordinate with IRM team for triage rule customization
- Monitor SCU consumption — high alert volumes increase costs
- Start with a subset of IRM policies before expanding scope
Security considerations
- Agent accesses insider risk alert data which may contain sensitive behavioral information
- IRM data is among the most sensitive in the organization — limit access carefully
- Triage categorizations should be verified by human analysts before escalation
- Security Copilot Contributor provides access to all SCU-based features
- Monitor agent activity through audit logs for compliance
- Ensure IRM privacy settings align with agent data access