This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Some information in this article relates to a prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties expressed or implied, with respect to the information provided here.
Microsoft Purview Insider Risk Management alerts in the Microsoft Defender portal are vital for protecting an organization's sensitive information and maintaining security. These alerts and insights from Microsoft Purview Insider Risk Management help identify and mitigate internal threats like data leaks and intellectual property theft by employees or contractors. Monitoring these alerts allows organizations to address security incidents proactively, ensuring sensitive data remains protected and compliance requirements are met.
One key benefit of monitoring insider risk alerts is the unified view of all alerts related to a user, allowing security operations center (SOC) analysts to correlate alerts from Microsoft Purview Insider Risk Management with other Microsoft security solutions. Additionally, having these alerts in the Microsoft Defender portal enables seamless integration with advanced hunting capabilities, enhancing the ability to investigate and respond to incidents effectively.
Another advantage is the automatic synchronization of alert updates between Microsoft Purview and the Defender portals, ensuring real-time visibility and reducing the chances of oversight. This integration strengthens an organization's ability to detect, investigate, and respond to insider threats, thereby enhancing overall security posture.
You can manage insider risk management alerts in the Microsoft Defender portal by navigating to Incidents & alerts, where you can:
If you're new to Microsoft Purview and insider risk management, consider reading the following articles:
To investigate insider risk management alerts in the Microsoft Defender portal, you need to do the following:
Data sharing with other security solutions must be turned on in the Data sharing settings in Microsoft Purview Insider Risk Management. Turning on Share user risk details with other security solutions in the Microsoft Purview portal enables users with the correct permissions to review user risk details in the user entity pages in the Microsoft Defender portal.
See Share alert severity levels with other Microsoft security solutions for more information.
The following permissions are essential to access insider risk management alerts in the Microsoft Defender portal:
For more information about Microsoft Defender XDR roles, see Manage access to Microsoft Defender XDR with Microsoft Entra global roles.
You must also be a member of one of the following insider risk management role groups to view and manage insider risk management alerts in the Microsoft Defender portal:
For more information on these role groups, see Enable permissions for insider risk management.
Customers integrating insider risk management alerts with other security information and events management (SIEM) tools using the Microsoft Graph security API must have the following permissions to successfully access the relevant Microsoft Defender data through APIs:
| App permissions | Incidents | Alerts | Behaviors & events | Advanced hunting |
|---|---|---|---|---|
| SecurityIncident.Read.All | Read | Read | Read | |
| SecurityIncident.ReadWrite.All | Read/Write | Read/Write | Read | |
| SecurityIAlert.Read.All | Read | Read | ||
| SecurityAlert.ReadWrite.All | Read/Write | Read | ||
| SecurityEvents.Read.All | Read | |||
| SecurityEvents.ReadWrite.All | Read | |||
| ThreatHunting.Read.All | Read |
More information about integrating data using the Microsoft Graph security API in Integrate insider risk management data with Microsoft Graph security API.
Insider risk management alerts related to a user are correlated to a single incident to ensure a holistic approach to incident response. This correlation allows SOC analysts to have a unified view of all alerts about a user coming from Microsoft Purview Insider Risk Management and various Defender products. Unifying all alerts also allows SOC analysts to view the details of devices involved in the alerts.
You can filter incidents by choosing Microsoft Purview Insider Risk Management under Service source.
All insider risk management alerts are also visible in the Microsoft Defender portal's alert queue. Filter these alerts by choosing Microsoft Purview Insider Risk Management under Service source.
Here's an example of an insider risk management alert in the Microsoft Defender portal:
Microsoft Defender XDR and Microsoft Purview Insider Risk Management follow different alert status and classification frameworks. The following alert mapping is used to sync alert statuses between the two solutions:
| Microsoft Defender alert status | Microsoft Purview Insider Risk Management alert status |
|---|---|
| New | Needs review |
| In progress | Needs review |
| Resolved | Classification dependent. If classification is not available, the alert status is set to Dismissed by default. |
The following alert classification mapping is used to sync the alert classification between the two solutions:
| Microsoft Defender alert classification | Microsoft Purview Insider Risk Management alert classification |
|---|---|
| True positive Includes multi-staged attack, phishing, etc. |
Confirmed |
| Information, expected activity (benign positive) Includes security testing, confirmed activity, etc. |
Dismissed |
| False positive Includes not malicious, not enough data to validate, etc. |
Dismissed |
For more information about alert statuses and classifications in Microsoft Defender XDR, see Manage alerts in Microsoft Defender.
Any updates made to an insider risk management alert in the Microsoft Purview or the Microsoft Defender portals are automatically reflected in both portals. These updates might include:
The updates are reflected in both portals within 30 minutes of the alert generation or update.
Note
Alerts created from custom detections or link query results to incidents are not available in the Microsoft Purview portal.
The following insider risk management data are not yet available in this integration:
Use advanced hunting to further investigate insider risk events and behaviors. Refer to the table below for a summary of insider risk management data available in advanced hunting.
| Table name | Description |
|---|---|
| AlertInfo | Insider risk management alerts are available as part the AlertInfo table, which contains information about alerts from various Microsoft security solutions. |
| AlertEvidence | Insider risk management alerts are available as part of the AlertEvidence table, which contains information about entities associated with alerts from various Microsoft security solutions. |
| DataSecurityBehaviors | This table contains insights into potentially suspicious user behavior that violates the default or customer-defined policies in Microsoft Purview. |
| DataSecurityEvents | This table contains enriched events about user activities that violate the default or customer-defined policies in Microsoft Purview. |
In the example below, we use the DataSecurityEvents table to investigate potentially suspicious user behavior. In this case, the user uploaded a file to Google Drive, which can be viewed as suspicious behavior if a company doesn't support file uploads to Google Drive.
To access insider risk data in advanced hunting, users must have the following Microsoft Purview Insider Risk Management roles:
Use the Microsoft Graph security API to integrate insider risk management alerts, insights, and indicators with other SIEM tools like like Microsoft Sentinel, ServiceNow, or Splunk. You can also use the security API to integrate insider risk management data to data lakes, ticketing systems, and the like.
To learn how to set up the Microsoft Graph API, see Use the Microsoft Graph API.
Refer to the table below to find insider risk management data in specific APIs.
| Table name | Description | Mode |
|---|---|---|
| Incidents | Includes all insider risk incidents in the Defender XDR unified incident queue | Read/Write |
| Alerts | Includes all insider risk alerts shared with Defender XDR unified alert queue | Read/Write |
| Advanced hunting | Includes all insider risk management data in advanced hunting including Alerts, Behaviors, and Events | Read |
The insider risk alert metadata is part of the alert resource type in Microsoft Graph security API. See the complete information in alert resource type.
Note
Insider risk alert information can be accessed in both the Alerts and Advanced hunting graph namespace. The alerts namespace provides more metadata.
Insider risk behaviors and events in advanced hunting can be accessed in the Graph API by passing KQL queries in the API. Use this method to pull supporting data for specific alerts or investigations.
For customers using Office 365 Management Activity API, we recommend migrating to Microsoft Security Graph API to ensure richer metadata and bi-directional support for IRM data.
We recommend Microsoft Sentinel customers to use the Microsoft Purview Insider Risk Management – Microsoft Sentinel data connector to get insider risk management alerts in Microsoft Sentinel.
If you are using automation on Microsoft Sentinel incidents, note that automation risks failure due to insider risk management incidents having no alert content. To mitigate this, turn off data sharing in insider risk management settings.
After investigating an insider risk incident or alert, you can do any of the following:
Training
Module
Investigate insider risk alerts and related activity - Training
Investigate insider risk alerts and related activity.
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.