MC961761 – Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR

check before: 2025-01-15

Product:

Defender, Defender for Endpoint, Defender XDR, Microsoft Graph, Purview Communication Compliance, Purview Information Protection, Purview Insider Risk Management

Platform:

Developer, Online, US Instances, Web, World tenant

Status:

In development

Change type:

New feature, Admin impact

Links:

422730

Details:

Summary:
Microsoft Purview's Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in early May 2025. Admins need to enable data sharing and assign permissions to access this feature.

Details:
Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:
Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analysts can also create custom detections on top of IRM data.
Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.
This message is associated with Microsoft 365 Roadmap ID 422730.
When this will happen:
Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.
General Availability (WW, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by mid-May 2025.

Release Phase:
General Availability, Preview

Created:
2024-12-20

updated:
2025-01-15

summary for non-techies**

Microsoft Purview's Insider Risk Management (IRM) will now share its alerts and data with Microsoft Defender XDR, enabling advanced threat detection and investigation. The integration is also exposed through the Microsoft Graph API and is accessible via Microsoft Sentinel; administrators must enable data sharing and manage access permissions before the data becomes available.

Direct effects for Operations**

Data Access and Permissions
Without proper preparation, users may not have the necessary permissions to access the new IRM data in Defender XDR, leading to potential delays in incident response and investigation.
   - roles: Security Analysts, IT Administrators
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Alert Correlation and Investigation
The integration of IRM alerts into Defender XDR without prior configuration may result in confusion and inefficiencies in alert management, as analysts may struggle to correlate new alerts with existing ones.
   - roles: Security Analysts, Incident Response Teams
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

Data Privacy and Compliance
The lack of preparation for the non-pseudonymized nature of IRM data in Defender XDR could lead to compliance issues, as sensitive user data may be exposed without adequate controls.
   - roles: Compliance Officers, Data Protection Officers
   - references: https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration?tabs=azure-portal, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=422730

** AI generated content. This information must be reviewed before use.
