MC961761 - Microsoft Purview | Insider Risk Management: IRM alerts in Microsoft Defender XDR

Updated January 23, 2025: We have updated the rollout timeline below. Thank you for your patience.

Coming soon to Microsoft Purview: Insider Risk Management (IRM) data including alerts, indicators and events will be available in these Microsoft Defender XDR experiences:

• Unified alert queue: IRM alerts will appear in the unified alert and incident queue in Defender XDR for comprehensive investigation and correlation.
• Advanced Hunting: IRM data will be available for advanced hunting in Defender XDR, allowing analysts to identify hidden risk patterns using KQL queries. Analytics can also create custom detections on the top of IRM data.
• Graph API: IRM data will be accessible through the Microsoft Graph API, supporting bidirectional integrations with external applications.
• Microsoft Sentinel: IRM alerts will be available in Microsoft Sentinel through the XDR-Sentinel connector, providing richer metadata.

This message is associated with Microsoft 365 Roadmap ID 422730.

When this will happen:

Public Preview: We will begin rolling out mid-January 2025 and expect to complete by end of January 2025.

General Availability (WW, GCC, GCC High, DoD): We will begin rolling out late June 2025 (previously early May) and expect to complete by mid-July 2025 (previously mid-May).

How this will affect your organization:

Enable this feature by turning on Share data with other security solutions in the IRM global settings.

Only users with Insider risk analysis or investigation roles in the Microsoft Purview portal can access IRM data in Defender XDR.

To access alerts, incidents, and events from Defender XDR via API, you need to provision apps with the necessary permissions. IRM data is accessible via Microsoft Security Graph APIs, allowing for reading and updating alert or incident statuses. Permissions are set at the application level, without solution-specific scoping. Any existing apps pulling data from these APIs will also access IRM data. So, if you integrate XDR alerts into external ticketing systems, IRM alerts will show up, unless you specifically filter out the alerts.

IRM alerts will appear in Sentinel if your tenant has the Defender XDR connector enabled in Microsoft Sentinel.

In Defender XDR, IRM data is not pseudonymized to allow effective correlation of IRM alerts with alerts from other solutions within the platform, such as Defender for Endpoint and Defender for Cloud apps.

These changes will be available by default for admins to configure in IRM global settings.

Admins will be able to view Insider Risk Management alerts in Defender XDR:

Harness the power of Advanced Hunting queries with two new tables that contain Insider Risk Management data: DataSecurityBehaviors and DataSecurityEvents. In this query, 54 confidential files were exfiltrated through mail.google.com by 2 unique users:

What you need to do to prepare:

• Opt-in to data sharing settings in IRM global settings page.
• Assign necessary permissions to analysts
• Review existing apps accessing Defender XDR data through Graph APIs.
• If your organization is using Microsoft Defender XDR connector, please review the list of users who will gain access to this data through Sentinel.

This rollout will happen automatically by the specified date with no admin action required before the rollout. Review your current configuration in IRM global settings to determine the impact for your organization. You may want to notify your admins about this change and update any relevant documentation.