Global Exclusions not working for Insider Risk within Purview Settings for Insider Risk
Long time reader, first time writer for a Purview issue, so try not to belittle me right out the gate here Internet.
We're dabbling in the world of "Insider Risk" with Purview and the issue I'm running into is that it is marking thousands of .txt files from our Cisco AnyConnect program (which, for those of you that aren't familiar, handles VPN, Umbrella, Secure Connect, etc.).
These "Alerts" get flagged for "File Deleted on Endpoint" and absolutely FLOOD the platform and make parsing through potential problem users a real PITA. I'm sure I could filter it out but the Global Exclusion SHOULD work.
-----
The file path that these .txt files reside at is:
C:\Users\<username>\.cisco\vpn\log\UIHistory_20260419_192709_log.txt (the number part changes obviously).
-----
Inside Purview: "Settings" > "Insider Risk Management" > "Global Exclusions" > "File Paths" is where I am operating out of.
Microsoft has some default exclusions already in here that are structured like this:
\Users\*\AppData\Local\Temp (username wildcarded to cover all users, easy stuff)
\Users\*\AppData\Roaming
\Users\*\AppData\Local
\Users\*\AppData
----
So I made exclusions:
\Users\*\.cisco\vpn\log\* (didn't work)
\Users\*\.cisco\vpn\log\*.txt (didn't work)
\Users\*\.cisco\vpn\* (didn't work)
----
So I'm at a loss for this. Perhaps it's just omitting it from scoring and still showing it; I can't find any info that states how this mechanic should fully work. The tooltip above the Default file paths states "These file paths are automatically excluded because activity in these paths is typically expected and including them could potentially increase the volume of non-actionable alerts."
To me that reads that they shouldn't be there in the alerts list at all, but perhaps I'm wrong -- BUT I've not seen any AppData-related Alerts in the list, so that further substantiates my thinking that I shouldn't see stuff related to Globally Excluded Paths.
----
I've got a ticket open with Microsoft. They've been useless thus far, and now I have to get on a call with them tomorrow and it'll be a waste of time as usual with Microsoft support.