Incident Insights Tab
The Incident Insights tab provides details for these types of incidents:
- Login violations
- Geoanomalies
- Activity anomalies
- Malware
- DLP violations
- DRM violations
- External sharing
Each violation type is labeled in the outer circle of a graph showing the tenant’s name in the center. The label for each type shows the number of incidents for that type. For example, DLP Violations (189) indicates 189 occurrences of DLP violations.
For more precise search results, you can filter this information by date (today, last 4 hours, last 24 hours, week, month, or year). The default is Last 24 Hours.
You can search for incidents using the Search and Add buttons. These buttons enable you to conduct more precise searches for the data you need. For example, you can add a query that specifies user AND location AND application. You can include only one user in a search query.
Labels for incident types that have no violations (a count of zero) are not highlighted.
For incident types that have violations, a table to the right shows additional details about each violation. The information in the table varies for each incident type. Click the violation label to see the list of incidents for that violation. The following table lists DRM violations.
For DLP Violations, the table shows the following information for up to 100 records.
You can click the binocular icon in the first column of the table row to view a popup with additional details about a violation.