
Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR


Microsoft Purview’s Insider Risk Management (IRM) data will soon integrate with Microsoft Defender XDR, providing alerts, indicators, and events for comprehensive investigation and correlation. This includes a unified alert queue, advanced hunting, access via the Microsoft Graph API, and availability in Microsoft Sentinel. Public Preview begins mid-January 2025, with General Availability in early May 2025. Admins need to enable data sharing and assign permissions to access this feature.

Coming soon to Microsoft Purview: Insider Risk Management (IRM) data, including alerts, indicators and events, will be available in these Microsoft Defender XDR experiences:

* Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
* Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analysts can also create custom detections on top of IRM data.
* Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
* Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.

This message is associated with Microsoft 365 Roadmap ID 422730.

When this will happen:

Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.

General Availability (WW, GCC, GCC High, DoD): We will begin rolling out early May 2025 and expect to complete by mid-May 2025.

How this will affect your organization:

Enable this feature by turning on "Share data with other security solutions" in the IRM global settings. Only users with Insider risk analysis or investigation roles in the Microsoft Purview portal can access IRM data in Defender XDR.
To access alerts, incidents, and events from Defender XDR via API, you need to provision apps with the necessary permissions. IRM data is accessible via Microsoft Security Graph APIs, allowing for reading and updating alert or incident statuses. Permissions are set at the application level, without solution-specific scoping. Any existing apps pulling data from these APIs will also access IRM data. So, if you integrate XDR alerts into external […]

The post Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR appeared first on M365 Admin.


by João Ferreira
