Microsoft Purview compliance portal: Insider Risk Management - IRM alerts in XDR
🚨 The Signal: Insider Risk Management (IRM) alerts are now integrated into Microsoft Defender XDR, enabling unified security incident management and advanced hunting. This centralises insider threat detection with broader security operations, improving correlation and response capabilities.
The Impact
Security teams gain enhanced visibility into insider risks, improving threat detection and response capabilities.
- Security Analysts: Gain a unified view of insider risk alerts within Defender XDR.
- Incident Responders: Improved correlation of insider threats with other security incidents.
- Forensic Investigators: Enhanced hunting capabilities for insider risk indicators via KQL in advanced hunting.
- Data Protection Officers: Better oversight of potential data exfiltration and policy violations.
The Action
- Navigate to Microsoft Purview compliance portal > Insider Risk Management > Settings.
- Enable 'Share data with Microsoft Defender XDR' option.
- Verify that Insider Risk Analyst or Investigator roles are assigned to appropriate security personnel in Purview.
- Familiarise security operations centre (SOC) staff with the IRM alert types and data available in the Defender XDR unified incident queue and in advanced hunting.
- Review and update existing incident response playbooks to incorporate IRM alerts surfaced through Defender XDR.
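As an added example of the advanced hunting step (not a query from the original page or from Microsoft's documentation), the following KQL lists IRM alerts that have been shared into Defender XDR over the last seven days and joins each one to the user account it concerns. It assumes the standard `AlertInfo` and `AlertEvidence` tables; the `ServiceSource` filter text is an assumption and should be confirmed against the distinct values in your own tenant before relying on it in a playbook or detection rule.

```kql
// Added example, not part of the original page.
// ASSUMPTION: IRM alerts appear in AlertInfo with a ServiceSource that
// contains "Insider Risk". Verify the exact string in your tenant first with:
//   AlertInfo | distinct ServiceSource
AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource has "Insider Risk"
// Pull the user entity attached to each alert so analysts can pivot to the
// account without opening every alert individually.
| join kind=leftouter (
    AlertEvidence
    | where EntityType == "User"
    | project AlertId, AccountUpn, AccountObjectId
  ) on AlertId
| project Timestamp, AlertId, Title, Category, Severity, AccountUpn, AccountObjectId
| order by Timestamp desc
```

Run it in the advanced hunting page of the Defender portal. A useful first check after enabling the sharing setting is simply whether the query returns any rows at all: an empty result after a known IRM alert has fired usually means the data-sharing option has not propagated yet or the filter string does not match the value your tenant emits.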
Impact: high · Workload: Microsoft Purview