check before: 2025-01-15
Product:
Defender, Defender for Endpoint, Defender XDR, Microsoft Graph, Purview Communication Compliance, Purview Information Protection, Purview Insider Risk Management
Platform:
Developer, Online, US Instances, Web, World tenant
Status:
In development
Change type:
New feature, Admin impact
Links:
Details:
Summary:
Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in early May 2025. Admins need to enable data sharing and assign permissions to access this feature.
Details:
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data, including alerts, indicators and events, will be available in these Microsoft Defender XDR experiences:
Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analysts can also create custom detections on top of IRM data.
Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
This message is associated with Microsoft 365 Roadmap ID 422730.
[When this will happen:]
Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
General Availability (WW, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by mid-May 2025.
Release Phase:
General Availability, Preview
Created:
2024-12-20
updated:
2025-01-15
summary for non-techies**
Microsoft Purview Insider Risk Management (IRM) will share its alerts, indicators and events with Microsoft Defender XDR, so insider-risk signals can be investigated alongside other security alerts. The same data will be reachable through the Microsoft Graph API and in Microsoft Sentinel. Administrators must enable data sharing in IRM and assign the permissions users need to see the data.
Direct effects for Operations**
Data Access and Permissions
If the required permissions are not assigned before the rollout, analysts will not be able to see the new IRM data in Defender XDR, delaying incident response and investigation.
- roles: Security Analysts, IT Administrators
- references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730
Alert Correlation and Investigation
If IRM alerts start appearing in the Defender XDR queue before triage procedures are updated, analysts may not know how to correlate them with existing alerts, leading to confusion and inefficient alert handling.
- roles: Security Analysts, Incident Response Teams
- references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730
Data Privacy and Compliance
IRM data shared with Defender XDR is not pseudonymized: user identities that may be anonymized in the IRM portal are visible to everyone with access to the Defender XDR alert queue, advanced hunting, Graph API or Sentinel. If this is not reviewed before data sharing is enabled, sensitive user data may be exposed without adequate controls, leading to compliance issues.
- roles: Compliance Officers, Data Protection Officers
- references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730
** AI generated content. This information must be reviewed before use.