Domain 4 of 4 · Chapter 4 of 4

Insider Risk, eDiscovery, and Audit

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security, Compliance, and Identity Fundamentals premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • Three questions about people and evidence
  • Insider risk management: detect risk early
  • eDiscovery: find, preserve, and cull evidence
  • Legal hold versus retention policy
  • Audit: the record of what happened
  • Exam-pattern recognition: confusable pairs

Detect, discover, prove: which solution answers which question

DimensionInsider risk management (detect)eDiscovery (discover)Audit (prove)
Question it answersIs someone behaving riskily before an incident?What evidence exists for this matter, and is it preserved?Who did what, and when?
Time orientationForward-looking, before an incidentA specific investigation in progressAfter the fact, a durable record
Core working unitPolicy template, then alert, then caseCase, then search, hold, and review setUnified audit log record
Privacy and accessPseudonymized by default, role-based access controlCase membership plus role-based access controlRole-based access to the audit search tool
What the premium tier addsForensic evidence and analytics (E5)Review sets, custodian management, analytics (E5)1-year to 10-year retention, retention policies, intelligent insights (Audit Premium)

Decision tree

Spot risky behaviorbefore an incident?Preserve and collectevidence for a matter?Prove who did what,after the fact?Insider risk managementeDiscoveryplace a legal holdAuditunified audit logYesYesYesNoNoAll three sit under Risk and Compliance in the Microsoft Purview portal

Cheat sheet

  • Match the scenario to detect, discover, or prove
  • Insider risk management scores behavior, not content at rest
  • Build insider risk policies from templates, not from scratch
  • Insider risk management pseudonymizes users by default
  • Insider risk flows from alert to triage to case
  • Escalate an insider risk case to eDiscovery for legal review
  • eDiscovery finds and delivers ESI as evidence for a matter
  • A legal hold preserves content in place against deletion
  • Today's eDiscovery is one unified experience, not Standard and Premium
  • Review sets and analytics are premium eDiscovery, needing E5
  • A review set is a static Azure Storage copy for review
  • When a hold and retention conflict, preservation wins
  • Use retention for lifecycle, a hold for a legal matter
  • The unified audit log is the searchable record of activity
  • Audit (Standard) is on by default with 180-day retention
  • Audit (Premium) extends retention to a year, or ten with an add-on
  • Audit (Premium) adds intelligent insights into high-value events
  • MailItemsAccessed proves a mailbox read and is in Audit (Standard)
  • The audit log tracks user actions; Activity explorer tracks labeled content
  • Insider risk management previews risk with analytics, then scores users only after a trigger

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Describe the data compliance solutions of Microsoft Purview (SC-900 module)
  2. Learn about Insider Risk Management in Microsoft Purview
  3. Learn about eDiscovery in the Microsoft Purview portal
  4. Describe eDiscovery (SC-900 module unit)
  5. Microsoft Purview eDiscovery legacy solutions (classic retirement notice)
  6. Learn about retention policies and labels, including the principles of retention
  7. Learn about auditing solutions in Microsoft Purview
  8. Describe audit in Microsoft Purview (SC-900 module unit)
  9. Investigate compromised accounts with Microsoft Purview Audit (MailItemsAccessed)