check before: 2025-04-01
Product:
Defender, Defender for Endpoint, Defender XDR, Microsoft Graph, Purview Communication Compliance, Purview Information Protection, Purview Insider Risk Management
Platform:
Developer, Web, World tenant
Status:
In development
Change type:
Links:
Details:
With this feature, IRM alerts and other supporting data will be available in the following Microsoft Defender XDR experiences:
1. IRM alerts will be surfaced in the unified alert and incident queue in Microsoft Defender XDR.
2. IRM alerts, indicators, and enriched events will be available in Microsoft Defender XDR advanced hunting. Analysts can leverage KQL queries to identify potentially hidden risky patterns in data security related user activity.
3. IRM alerts, indicators, and enriched events will be exposed through Graph API.

This feature can be enabled through “Share data with Microsoft Defender XDR” within Microsoft Insider Risk Management settings. To ensure privacy of the data, all IRM data in Microsoft Defender XDR can only be accessed by users with Insider risk analyst or Insider risk investigator permissions in Purview. Existing analysts accessing IRM data in Purview will continue to access IRM data in Microsoft Defender XDR.

IRM data in Microsoft Defender XDR does not honor anonymization. This is to enable effective correlation of IRM alerts with alerts from other solutions in the Microsoft Defender XDR platform (such as Defender for Endpoint, Defender for Cloud Apps, etc.).

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies based on their own internal policies, governance, and organizational requirements. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Release Phase:
General Availability, Preview
Created:
2024-11-05
updated:
2024-11-05
Direct effects for Operations**
IRM Alerts Integration with XDR
Without proper preparation, the integration of IRM alerts into Microsoft Defender XDR may lead to confusion among analysts due to the influx of alerts, potentially overwhelming their ability to respond effectively. This could result in delayed incident response times and increased risk of overlooking critical alerts.
- roles: Security Analysts, Incident Response Team
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/insider-risk-management-in-microsoft-defender-xdr/ba-p/3651230
Data Privacy Concerns
The exposure of IRM data in Microsoft Defender XDR without adequate preparation may raise privacy concerns among users, as the data does not honor anonymization. This could lead to mistrust in the system and reluctance to report incidents, ultimately affecting the organization's security posture.
- roles: Compliance Officers, Data Protection Officers
- references: https://www.microsoft.com/en-us/security/blog/2021/06/15/insider-risk-management-in-microsoft-purview/
** AI generated content. This information must be reviewed before use.