MC961761 – Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR

check before: 2025-01-15

Product:

Defender, Defender for Endpoint, Defender XDR, Microsoft Graph, Purview Communication Compliance, Purview Information Protection, Purview Insider Risk Management

Platform:

Developer, Online, US Instances, Web, World tenant

Status:

In development

Change type:

Admin impact, New feature, Updated message

Links:

422730

Details:

Summary:
Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in late June 2025. Admins need to enable data sharing and assign permissions to access this feature.

Details:
Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
   - Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
   - Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analysts can also create custom detections on top of IRM data.
   - Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
   - Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
This message is associated with Microsoft 365 Roadmap ID 422730.
When this will happen:
   - Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
   - General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May).

Release Phase:
General Availability, Preview

Created:
2024-12-20

Updated:
2025-01-25

Direct effects for Operations**

Data Access and Permissions
If the change occurs without preparation, there may be unauthorized access to sensitive IRM data due to misconfigured permissions, leading to potential data breaches.
   - roles: Admins, Insider Risk Analysts
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Alert Overload
The integration may result in an overwhelming number of alerts in the unified alert queue, causing analysts to miss critical incidents due to alert fatigue.
   - roles: Security Analysts, Incident Responders
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Ineffective Incident Response
Without proper training and preparation, analysts may struggle to effectively utilize the advanced hunting features, leading to delayed or ineffective incident response.
   - roles: Security Analysts, Incident Responders
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Opportunities**

Enhanced Security Incident Response
The integration of IRM data with Defender XDR allows for a unified alert system that can streamline incident response processes. Analysts can quickly correlate IRM alerts with other security alerts, leading to faster identification and resolution of potential insider threats.
   - next-steps: Train security analysts on the new unified alert system and advanced hunting capabilities. Review and update incident response protocols to incorporate insights from IRM data.
   - roles: Security Analysts, Incident Response Teams, IT Security Managers
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Advanced Threat Detection Capabilities
With the availability of IRM data for advanced hunting using KQL queries, organizations can proactively identify hidden risk patterns. This allows for more effective detection of potential insider threats and data exfiltration attempts.
   - next-steps: Develop custom KQL queries tailored to the organization's specific risk profile. Conduct workshops for analysts to enhance their skills in advanced hunting techniques.
   - roles: Data Analysts, Security Operations Center (SOC) Analysts, Compliance Officers
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Improved Data Integration and Reporting
The accessibility of IRM data through Microsoft Graph API enables seamless integration with external applications and reporting tools. This can enhance data visibility and facilitate better decision-making based on comprehensive security insights.
   - next-steps: Identify key external applications that could benefit from IRM data integration. Plan for the necessary API provisioning and permissions setup for these applications.
   - roles: IT Administrators, Business Intelligence Analysts, Compliance Managers
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

** AI generated content. This information must be reviewed before use.

change history

Date: 2025-01-25, Property: MC Last Updated
   - old: 12/20/2024 00:16:49
   - new: 2025-01-24T21:46:51Z

Date: 2025-01-25, Property: MC Messages
   - old:
     Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
     Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
     Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
     Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
     Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
     This message is associated with Microsoft 365 Roadmap ID 422730.
     [When this will happen:]
     Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
     General Availability (WW, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by mid-May 2025.
   - new:
     Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.
     Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
     Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
     Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
     Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
     Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
     This message is associated with Microsoft 365 Roadmap ID 422730.
     [When this will happen:]
     Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
     General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May).

Date: 2025-01-25, Property: MC MessageTagNames
   - old: New feature, Admin impact
   - new: Updated message, New feature, Admin impact

Date: 2025-01-25, Property: MC Summary
   - old: Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in early May 2025. Admins need to enable data sharing and assign permissions to access this feature.
   - new: Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in late June 2025. Admins need to enable data sharing and assign permissions to access this feature.
