Share insider risk management data with other solutions

Important

Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider risk management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

You can share data from insider risk management in either of the following ways:

  • Export alert information to SIEM solutions
  • Share user risk severity levels with Microsoft Defender and Microsoft Purview data loss prevention (DLP) alerts

Export alert information to SIEM solutions

Microsoft Purview Insider Risk Management alert information is exportable to security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions by using the Office 365 Management Activity API schema. You can use the Office 365 Management Activity APIs to export alert information to other applications your organization may use to manage or aggregate insider risk information. Alert information is exported and available every 60 minutes via the Office 365 Management Activity APIs.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

If your organization uses Microsoft Sentinel, you can also use the out-of-the-box insider risk management data connector to import insider risk alert information to Sentinel. For more information, see Insider Risk Management (IRM) (preview) in the Microsoft Sentinel article.

Important

To maintain referential integrity for users who have insider risk alerts or cases in Microsoft 365 or other systems, anonymization of usernames isn't preserved for exported alerts when using the exporting API or when exporting to Microsoft Purview eDiscovery solutions. Exported alerts will display usernames for each alert in this case. If you're exporting to CSV files from alerts or cases, anonymization is preserved.

Use the APIs to review insider risk alert information

To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal using credentials for an admin account in your Microsoft 365 organization.
  2. Select the Settings button in the upper-right corner of the page.
  3. Select Insider Risk Management to go to the insider risk management settings.
  4. Select Export alerts. By default, this setting is disabled for your Microsoft 365 organization.
  5. Turn the setting to On.
  6. Filter the common Office 365 audit activities by SecurityComplianceAlerts.
  7. Filter SecurityComplianceAlerts by the InsiderRiskManagement category.

Alert information contains information from the Security and Compliance Alerts schema and the Office 365 Management Activity API common schema.

The following fields and values are exported for insider risk management alerts under the Security and Compliance Alerts schema:

  • AlertType: The type of the alert. The value is Custom.
  • AlertId: The GUID of the alert. Insider risk management alerts are mutable: as the alert status changes, a new log with the same AlertId is generated, so you can use AlertId to correlate updates for an alert.
  • Category: The category of the alert. The value is InsiderRiskManagement, which distinguishes these alerts from other security and compliance alerts.
  • Comments: Default comments for the alert. Values are New Alert (logged when an alert is created) and Alert Updated (logged when an alert is updated). Use AlertId to correlate updates for an alert.
  • Data: The data for the alert, which includes the unique user ID, the user principal name, and the date and time (UTC) when the user was triggered into a policy.
  • Name: The name of the insider risk management policy that generated the alert.
  • PolicyId: The GUID of the insider risk management policy that triggered the alert.
  • Severity: The severity of the alert. Values are High, Medium, or Low.
  • Source: The source of the alert. The value is Office 365 Security & Compliance.
  • Status: The status of the alert. Values are Active (Needs Review in insider risk management), Investigating (Confirmed in insider risk management), Resolved (Resolved in insider risk management), and Dismissed (Dismissed in insider risk management).
  • Version: The version of the Security and Compliance Alerts schema.

The following fields are exported for insider risk management alerts under the Office 365 Management Activity API common schema:

  • UserId
  • Id
  • RecordType
  • CreationTime
  • Operation
  • OrganizationId
  • UserType
  • UserKey
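Steps 6 and 7 above (filter the audit feed to SecurityComplianceAlerts, then to the InsiderRiskManagement category) and the two schemas just listed are the pieces a SIEM ingestion script needs. The following Python is an added example, not Microsoft code: it filters constructed sample records shaped like Management Activity API content, parses the Data payload, maps the API Status values to the insider risk management labels, and keeps only the newest record per AlertId, since updates arrive as new logs with the same AlertId. The records, the GUIDs and the Operation value are constructed, and the key names inside Data (UserId, UPN, TriggerTime) are assumptions rather than documented field names; check a real content blob before relying on them.

```python
"""Filter insider risk management (IRM) alerts out of Office 365 Management
Activity API content and normalize them for SIEM ingestion.

Added example. The records are constructed samples shaped like the Security
and Compliance Alerts schema and the common schema; the key names inside the
Data payload are assumptions, not documented values.
"""
import json
from datetime import datetime, timezone

# The common-schema RecordType is an integer in the Management Activity API;
# 40 is SecurityComplianceAlerts in the AuditLogRecordType enumeration.
SECURITY_COMPLIANCE_ALERTS = 40
IRM_CATEGORY = "InsiderRiskManagement"

# API Status values mapped to the labels shown in insider risk management.
STATUS_LABELS = {"Active": "Needs Review", "Investigating": "Confirmed",
                 "Resolved": "Resolved", "Dismissed": "Dismissed"}

ALERT_ID = "22222222-aaaa-4bbb-8ccc-000000000002"  # constructed GUID


def _sample(**overrides):
    """Build one constructed alert record; overrides replace base fields."""
    base = {
        "Id": "11111111-aaaa-4bbb-8ccc-000000000001",
        "RecordType": SECURITY_COMPLIANCE_ALERTS,
        "CreationTime": "2024-05-01T10:00:00",
        "Operation": "AlertTriggered",  # constructed value
        "OrganizationId": "00000000-0000-0000-0000-000000000000",
        "UserType": 4, "UserKey": "IRM", "UserId": "IRM",
        "AlertType": "Custom", "AlertId": ALERT_ID,
        "Category": IRM_CATEGORY, "Comments": "New Alert",
        # Data arrives as a JSON string; these key names are assumed.
        "Data": json.dumps({"UserId": "u-123", "UPN": "alex@contoso.example",
                            "TriggerTime": "2024-05-01T09:55:00Z"}),
        "Name": "Data leaks policy",
        "PolicyId": "33333333-aaaa-4bbb-8ccc-000000000003",
        "Severity": "Medium", "Source": "Office 365 Security & Compliance",
        "Status": "Active", "Version": "1.0",
    }
    base.update(overrides)
    return base


SAMPLE_RECORDS = [
    _sample(),
    # Same AlertId, later time: the alert was triaged and escalated.
    _sample(Id="11111111-aaaa-4bbb-8ccc-000000000004",
            CreationTime="2024-05-02T08:30:00", Comments="Alert Updated",
            Status="Investigating", Severity="High"),
    # A security and compliance alert that did not come from IRM.
    _sample(Id="11111111-aaaa-4bbb-8ccc-000000000005",
            AlertId="44444444-aaaa-4bbb-8ccc-000000000006",
            Category="ThreatManagement"),
    # An unrelated audit record (RecordType 1 is ExchangeAdmin).
    {"Id": "11111111-aaaa-4bbb-8ccc-000000000007", "RecordType": 1,
     "CreationTime": "2024-05-01T11:00:00", "Operation": "Set-Mailbox"},
]


def is_irm_alert(record):
    """Steps 6 and 7: SecurityComplianceAlerts records whose Category is
    InsiderRiskManagement. Accepts the enum value or its name, because
    exporters differ in how they render RecordType."""
    if record.get("RecordType") not in (SECURITY_COMPLIANCE_ALERTS,
                                        "SecurityComplianceAlerts"):
        return False
    return record.get("Category") == IRM_CATEGORY


def normalize(record):
    """Flatten one IRM alert record into a SIEM-friendly event dict."""
    data = record.get("Data") or "{}"
    if isinstance(data, str):
        try:
            data = json.loads(data)
        except json.JSONDecodeError:
            data = {"raw": data}  # keep the payload rather than drop the alert
    status = record.get("Status")
    return {
        "alert_id": record["AlertId"],
        "creation_time": datetime.fromisoformat(
            record["CreationTime"]).replace(tzinfo=timezone.utc),
        "policy": record.get("Name"),
        "policy_id": record.get("PolicyId"),
        "severity": record.get("Severity"),
        "api_status": status,
        "irm_status": STATUS_LABELS.get(status, status),
        "is_update": record.get("Comments") == "Alert Updated",
        "user": data.get("UPN"),                   # assumed key name
        "user_id": data.get("UserId"),             # assumed key name
        "triggered_utc": data.get("TriggerTime"),  # assumed key name
    }


def latest_alert_states(records):
    """Alerts are mutable: each status change is a new log with the same
    AlertId. Keep the newest record per AlertId so the SIEM reflects the
    current status and severity, whatever order the blobs arrived in."""
    latest = {}
    for record in filter(is_irm_alert, records):
        event = normalize(record)
        prior = latest.get(event["alert_id"])
        if prior is None or event["creation_time"] > prior["creation_time"]:
            latest[event["alert_id"]] = event
    return latest
```

Run against the sample, the two IRM records collapse to a single current state (Severity High, status Confirmed) while the ThreatManagement alert and the Exchange record are dropped. Because exported alerts carry real usernames rather than pseudonyms, whatever consumes the normalized events should be scoped to the same audience that would be allowed to see those names in the insider risk management case itself.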

Share user risk severity levels with Microsoft Defender and DLP alerts

You can share user risk severity levels from insider risk management to bring unique user context to Microsoft Defender and Microsoft Purview data loss prevention (DLP) alerts. Insider risk management analyzes user activities over a period of 90-120 days and looks for anomalous behavior over that period of time. Adding this data to Microsoft Defender and DLP alerts enhances the data available in those solutions to help analysts prioritize alerts.

What happens when you share insider risk management user risk severity levels?

In Microsoft Defender

  • An Insider risk severity field is added to the Impacted assets section of the Microsoft Defender DLP Incidents page for users that have a High or Medium risk level in insider risk management. If the user has a Low risk level, nothing is added to the Incidents page. This keeps distractions to a minimum for analysts so they can focus on the riskiest user activities.

  • You can select the risk level in the Impacted assets section to see an insider risk activity summary and activity timeline for that user. Having up to 120 days of analysis can help the analyst determine the overall riskiness of the user's activities.

  • If you select the DLP event in the DLP policy match page, an Impacted entities section appears in the DLP policy match section that shows all users that match the policy.

In DLP alerts

  • For the insider risk management policy that's associated with the DLP alert, an Insider risk severity column with values of High, Medium, Low, or None is added to the DLP alerts queue. If there are multiple users that have activities that match the policy, the user with the highest risk level is displayed.

    A value of None can mean either of the following:

    • The user is not part of any insider risk management policy.

    • The user is part of an insider risk management policy, but hasn't performed risky activities that bring them into the scope of the policy (there's no exfiltration data).

  • You can select the risk level in the DLP alerts queue to access the User activity summary tab, which shows a timeline of all exfiltration activities for that user for the past 90-120 days. Like the DLP alerts queue, the User activity summary tab shows the user with the highest risk level. This deep context into what a user has done over the past 90 to 120 days provides a wider view of the risks presented by that user.

    Only data from exfiltration indicators is shown in the user activity summary. Data from other sensitive indicators, such as HR and browsing indicators, isn't shared with DLP alerts.

  • An Actor details section is added to the DLP Alert details page. You can use this page to see all users involved in the specific DLP alert. For each user involved in the DLP alert, you can view all the exfiltration activities for the past 90 to 120 days.

  • If you select the Get a summary from Copilot for Security button in a DLP alert, the alert summary provided by Microsoft Copilot for Security includes the insider risk management severity level in addition to the DLP summary info, if the user is in scope of an insider risk management policy.

    Tip

    You can also use Copilot for Security to investigate DLP alerts. If the insider risk management Data sharing setting is turned on, you can then do a combined DLP/insider risk management investigation. For example, you might want to start by asking Copilot to summarize a DLP alert, and then ask Copilot to show the user risk level associated with the user flagged in the alert. Or you might want to ask why the user is considered a high-risk user. The user risk information in this case comes from insider risk management. Copilot for Security seamlessly integrates insider risk management with DLP to assist with investigations. Learn more about using the standalone version of Copilot for combined DLP/insider risk management investigations.

Prerequisites

To share insider risk management user risk levels with Microsoft Defender and DLP alerts, the user:

  • Must be part of an insider risk management policy.
  • Must have performed exfiltration activities that bring the user into the scope of the policy.

Note

If you have access to DLP alerts in Microsoft Purview and/or Microsoft Defender, you can view user context from insider risk management shared with those solutions.

Share data with Microsoft Defender and DLP alerts

You can share insider risk management user risk severity levels with both Microsoft Defender and DLP alerts by turning on a single setting.

  1. In insider risk management settings, select the Data sharing setting.
  2. Under the Sharing data with Microsoft Defender XDR (preview) section, turn the setting on.

Note

If you don't turn this setting on, the value displayed in the DLP alerts Insider risk severity column is "User data is not available".
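The rules spelled out in the DLP alerts and Microsoft Defender sections above (highest risk level wins when several users match, None for users with no insider risk data, nothing added to the Defender Incidents page for Low, and "User data is not available" while the Data sharing setting is off) are easy to reproduce when you build the same enrichment in a SIEM or ticketing system. The following Python is an added example, not Microsoft code: the risk levels and user names are constructed, and the functions encode only the behaviour described on this page.

```python
"""Reproduce how insider risk management (IRM) user risk levels surface on
DLP alerts and Defender incidents once the Data sharing setting is on.

Added example, not Microsoft code. The rules follow the page text; the users
and their risk levels are constructed.
"""

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
NOT_AVAILABLE = "User data is not available"  # shown while sharing is off

# Constructed: users currently in scope of an IRM policy and their risk level.
# Anyone absent is either not in any IRM policy or has no exfiltration data.
IRM_RISK_LEVELS = {
    "alex@contoso.example": "High",
    "blake@contoso.example": "Low",
    "casey@contoso.example": "Medium",
}


def dlp_queue_severity(alert_users, irm_levels, sharing_enabled=True):
    """Value of the Insider risk severity column in the DLP alerts queue.
    With several matching users the highest level is displayed; users with
    no IRM data contribute nothing, and no IRM data at all displays as None."""
    if not sharing_enabled:
        return NOT_AVAILABLE
    levels = [irm_levels[u] for u in alert_users if u in irm_levels]
    if not levels:
        return "None"
    return max(levels, key=SEVERITY_RANK.__getitem__)


def user_activity_summary_subject(alert_users, irm_levels):
    """The user whose 90 to 120 day exfiltration timeline the User activity
    summary tab shows: the highest-risk user among those in the alert."""
    scoped = [u for u in alert_users if u in irm_levels]
    if not scoped:
        return None
    return max(scoped, key=lambda u: SEVERITY_RANK[irm_levels[u]])


def defender_impacted_asset_severity(user, irm_levels):
    """Field added to Impacted assets on the Defender DLP Incidents page:
    present only for High or Medium users; Low adds nothing."""
    level = irm_levels.get(user)
    return level if level in ("High", "Medium") else None


def enrich_dlp_alert(alert, irm_levels, sharing_enabled=True):
    """Attach the IRM context an analyst would see to a DLP alert dict.
    `alert` is a constructed shape with a `matched_users` list."""
    users = alert["matched_users"]
    subject = (user_activity_summary_subject(users, irm_levels)
               if sharing_enabled else None)
    return {
        **alert,
        "insider_risk_severity": dlp_queue_severity(users, irm_levels,
                                                    sharing_enabled),
        "activity_summary_user": subject,
    }
```

The enrichment only ever adds a severity label and a pivot user; the exfiltration timeline itself stays in insider risk management, which matches the page's note that only exfiltration-indicator data is surfaced to DLP and that HR, browsing and other sensitive indicators are not shared.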
