Commit f8932cf

Merge pull request #2779 from MicrosoftDocs/diannegali-updatesirm
Updates to IRM integration
2 parents e3ca63a + d842ed8 commit f8932cf

1 file changed

+66
-12
lines changed

defender-xdr/irm-investigate-alerts-defender.md

Lines changed: 66 additions & 12 deletions
@@ -16,7 +16,7 @@ ms.topic: conceptual
1616
search.appverid:
1717
- MOE150
1818
- MET150
19-
ms.date: 01/17/2025
19+
ms.date: 02/17/2025
2020
appliesto:
2121
- ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>
2222
- <a href="https://learn.microsoft.com/unified-secops-platform/" target="_blank">Microsoft's unified security operations platform</a>
@@ -58,7 +58,9 @@ To investigate insider risk management alerts in the Microsoft Defender portal,
5858
- Confirm your Microsoft 365 subscription supports insider risk management access. Know more about [subscription and licensing](/purview/insider-risk-management-configure#subscriptions-and-licensing).
5959
- Confirm your access to Microsoft Defender XDR. See [Microsoft Defender XDR licensing requirements](prerequisites.md#licensing-requirements).
6060

61-
Data sharing with other security solutions must be turned on in the **Data sharing** settings in Microsoft Purview Insider Risk Management. Turning on **Share user risk details with other security solutions** in the Microsoft Purview portal enables users with the correct permissions to review user risk details in the user entity pages in the Microsoft Defender portal. See [Share alert severity levels with other Microsoft security solutions](/purview/insider-risk-management-settings-dlp-sync#share-alert-severity-levels-with-other-microsoft-security-solutions) for more information.
61+
Data sharing with other security solutions must be turned on in the **Data sharing** settings in Microsoft Purview Insider Risk Management. Turning on **Share user risk details with other security solutions** in the Microsoft Purview portal enables users with the correct permissions to review user risk details in the user entity pages in the Microsoft Defender portal.
62+
63+
See [Share alert severity levels with other Microsoft security solutions](/purview/insider-risk-management-settings-dlp-sync#share-alert-severity-levels-with-other-microsoft-security-solutions) for more information.
6264

6365
:::image type="content" source="/defender-xdr/media/insider-risk-alerts/irm-toggle-settings-small.png" alt-text="Highlighting the setting in the Microsoft Purview portal required for insider risk alerts to show in Defender XDR.":::
6466

@@ -83,6 +85,22 @@ You must also be a member of one of the following insider risk management role g
8385

8486
For more information on these role groups, see [Enable permissions for insider risk management](/purview/insider-risk-management-configure#step-1-required-enable-permissions-for-insider-risk-management).
8587

88+
### Microsoft Graph API roles
89+
90+
Customers integrating insider risk management alerts with other security information and events management (SIEM) tools using the Microsoft Graph security API must have the following permissions to successfully access the relevant Microsoft Defender data through APIs:
91+
92+
|App permissions|Incidents|Alerts|Behaviors & events|Advanced hunting|
93+
|:---|:---:|:---:|:---:|:---:|
94+
|SecurityIncident.Read.All|Read|Read|Read||
95+
|SecurityIncident.ReadWrite.All|Read/Write|Read/Write|Read||
96+
|SecurityIAlert.Read.All||Read|Read||
97+
|SecurityAlert.ReadWrite.All||Read/Write|Read||
98+
|SecurityEvents.Read.All|||Read||
99+
|SecurityEvents.ReadWrite.All|||Read||
100+
|ThreatHunting.Read.All||||Read|
101+
102+
More information about integrating data using the Microsoft Graph security API in [Integrate insider risk management data with Microsoft Graph security API](#integrate-insider-risk-management-data-with-microsoft-graph-security-api).
103+
86104
## Investigation experience in the Microsoft Defender portal
87105

88106
### Incidents
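Review bot: the permission name `SecurityIAlert.Read.All` in the fourth row of the new table looks like a typo for `SecurityAlert.Read.All` (the ReadWrite row directly below it and the Graph security API both use the `SecurityAlert.` prefix); an integrator who copies it into an app registration ends up requesting a permission that does not exist. Two smaller points in the same hunk: the heading says "roles" while the table lists Graph application permissions, so the heading and the lead sentence should say "permissions" (and the usual expansion of SIEM is "security information and event management"); and the closing line `More information about integrating data using the Microsoft Graph security API in [...]` is a sentence fragment, e.g. `For more information, see [...]`. Since the table distinguishes Read from Read/Write, it would help to state that a read-only SIEM ingestion needs only the `*.Read.All` permissions, and the `ReadWrite` variants only where the integration writes alert status back.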
@@ -101,6 +119,24 @@ Here's an example of an insider risk management alert in the Microsoft Defender
101119

102120
:::image type="content" source="/defender-xdr/media/insider-risk-alerts/xdr-irm-alert-small.png" alt-text="Sample of an insider risk alerts from Microsoft Purview Insider Risk Management." lightbox="/defender-xdr/media/insider-risk-alerts/xdr-irm-alert.png":::
103121

122+
Microsoft Defender XDR and Microsoft Purview Insider Risk Management follow different alert status and classification frameworks. The following alert mapping is used to sync alert statuses between the two solutions:
123+
124+
|Microsoft Defender alert status|Microsoft Purview Insider Risk Management alert status|
125+
|:---|:---|
126+
|New|Needs review|
127+
|In progress|Needs review|
128+
|Resolved|Classification dependent. If classification is not available, the alert status is set to *Dismissed* by default.|
129+
130+
The following alert classification mapping is used to sync the alert classification between the two solutions:
131+
132+
|Microsoft Defender alert classification|Microsoft Purview Insider Risk Management alert classification|
133+
|:---|:---|
134+
|True positive </br> Includes multi-staged attack, phishing, etc.|Confirmed|
135+
|Information, expected activity (benign positive) </br> Includes Ssecurity testing, confirmed activity, etc.|Dismissed|
136+
|False positive </br> Includes not malicious, not enough data to validate, etc.|Dismissed|
137+
138+
For more information about alert statuses and classifications in Microsoft Defender XDR, see [Manage alerts in Microsoft Defender](investigate-alerts.md#manage-alerts).
139+
104140
Any updates made to an insider risk management alert in the Microsoft Purview or the Microsoft Defender portals are automatically reflected in both portals. These updates might include:
105141

106142
- Alert status
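Review bot: the Resolved row makes a Defender alert that is resolved without a classification land in Purview as *Dismissed*, and the classification table maps every non-true-positive classification to *Dismissed* as well, so an analyst who closes an alert in Defender without classifying it silently records a dismissal on the Purview side; the text should call that out and advise setting a classification before resolving. Formatting: `</br>` in the classification table is not a valid line-break tag, use `<br>` (or `<br/>`); and "Ssecurity testing" in the second row is a typo for "security testing".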
@@ -111,6 +147,18 @@ Any updates made to an insider risk management alert in the Microsoft Purview or
111147

112148
The updates are reflected in both portals within 30 minutes of the alert generation or update.
113149

150+
> [!NOTE]
151+
> Alerts created from custom detections or link query results to incidents are not available in the Microsoft Purview portal.
152+
153+
The following insider risk management data are not yet available in this integration:
154+
155+
- Exfiltration through email events
156+
- Risky AI usage events
157+
- Third-party cloud apps events
158+
- Events that occurred before an alert was generated
159+
- Exclusions to events defined by the administrator
160+
- Insider risk management incidents don't contain alerts currently, impacting Microsoft Sentinel users. For more information, see [Impact to Microsoft Sentinel users](#impact-to-microsoft-sentinel-users).
161+
114162
### Advanced hunting
115163

116164
Use advanced hunting to further investigate insider risk events and behaviors. Refer to the table below for a summary of insider risk management data available in advanced hunting.
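Review bot: the last bullet (insider risk management incidents don't contain alerts, impacting Microsoft Sentinel users) is a behaviour limitation rather than a kind of data, so it does not fit a list introduced by "The following insider risk management data are not yet available"; move it to its own sentence or into the Sentinel section it already links to. In the NOTE, "Alerts created from custom detections or link query results to incidents" reads as though "link" is a noun; suggest "Alerts created from custom detections, or from linking query results to incidents, are not available in the Microsoft Purview portal". It would also help readers to say whether the data listed as unavailable (for example exfiltration through email events) still surfaces in the Purview portal, since that decides whether the Defender view can be treated as complete during an investigation.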
@@ -126,9 +174,16 @@ In the example below, we use the **DataSecurityEvents** table to investigate pot
126174

127175
:::image type="content" source="/defender-xdr/media/insider-risk-alerts/irm-adv-hunting-small.png" alt-text="Advanced hunting page showing a query using the tables related to insider risk behaviors and events." lightbox="/defender-xdr/media/insider-risk-alerts/irm-adv-hunting.png":::
128176

129-
## Integrate insider risk management data through Graph API
177+
To access insider risk data in advanced hunting, users must have the following Microsoft Purview Insider Risk Management roles:
178+
179+
- Insider Risk Management Analyst
180+
- Insider Risk Management Investigator
181+
182+
## Integrate insider risk management data with Microsoft Graph security API
130183

131-
You can use Microsoft Security Graph API to integrate insider risk management alerts, insights, and indicators with other SIEM tools, data lakes, ticketing systems, and the like.
184+
Use the [Microsoft Graph security API](/graph/api/resources/security-api-overview) to integrate insider risk management alerts, insights, and indicators with other SIEM tools like like Microsoft Sentinel, ServiceNow, or Splunk. You can also use the security API to integrate insider risk management data to data lakes, ticketing systems, and the like.
185+
186+
To learn how to set up the Microsoft Graph API, see [Use the Microsoft Graph API](/graph/use-the-api).
132187

133188
Refer to the table below to find insider risk management data in specific APIs.
134189

@@ -138,21 +193,20 @@ Refer to the table below to find insider risk management data in specific APIs.
138193
|[Alerts](/graph/api/resources/security-alert)|Includes all insider risk alerts shared with Defender XDR unified alert queue|Read/Write|
139194
|[Advanced hunting](/graph/api/security-security-runhuntingquery)|Includes all insider risk management data in advanced hunting including Alerts, Behaviors, and Events|Read|
140195

196+
The insider risk alert metadata is part of the alert resource type in Microsoft Graph security API. See the complete information in [alert resource type](/graph/api/resources/security-alert).
197+
141198
> [!NOTE]
142-
> Insider risk alert information can be accessed in both the Alerts and Advanced hunting graph namespace. Insider risk behaviors and events in advanced hunting can be accessed in the Graph API by [passing KQL queries in the API](/graph/api/security-security-runhuntingquery).
199+
> Insider risk alert information can be accessed in both the Alerts and Advanced hunting graph namespace. The alerts namespace provides more metadata.
200+
>
201+
> Insider risk behaviors and events in advanced hunting can be accessed in the Graph API by [passing KQL queries in the API](/graph/api/security-security-runhuntingquery). Use this method to pull supporting data for specific alerts or investigations.
143202
144203
For customers using [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference), we recommend migrating to Microsoft Security Graph API to ensure richer metadata and bi-directional support for IRM data.
145204

146205
## Impact to Microsoft Sentinel users
147206

148-
Microsoft Sentinel customers [exporting Microsoft Purview Insider Risk Management alert information](/purview/insider-risk-management-settings-dlp-sync#export-alert-information-to-siem-solutions) to integrate insider risk alert data are advised to migrate to the [Microsoft Defender XDR-Microsoft Sentinel connector](/azure/sentinel/connect-microsoft-365-defender?tabs=MDE).
149-
150-
If the Defender XDR-Microsoft Sentinel connector is turned on, insider risk management alerts are automatically integrated into Microsoft Sentinel. The schema for alerts is the same schema exposed in Graph API. The alert schema exposed through the Defender XDR-Microsoft Sentinel connector covers all existing fields exported and provides additional metadata for insider risk management alerts.
151-
152-
> [!NOTE]
153-
> When the Defender XDR-Microsoft Sentinel connector is turned on, Microsoft Purview Insider Risk Management data becomes accessible in Microsoft Sentinel regardless of role-based access control settings.
207+
We recommend Microsoft Sentinel customers to use the [Microsoft Purview Insider Risk Management – Microsoft Sentinel data connector](/azure/sentinel/connect-services-api-based) to get insider risk management alerts in Microsoft Sentinel.
154208

155-
To integrate additional insider risk management data like behaviors and events into Microsoft Sentinel, we recommend onboarding Microsoft Sentinel to Microsoft Defender to get a unified view of your entire security operations center. Onboarding helps you bring insider risk management alerts and other data from Microsoft Sentinel into Microsoft Defender, allowing cross-table hunting and other powerful workflows. To onboard, see [Connect Microsoft Sentinel to Microsoft Defender](/unified-secops-platform/microsoft-sentinel-onboard).
209+
If you are using automation on Microsoft Sentinel incidents, note that automation risks failure due to insider risk management incidents having no alert content. To mitigate this, [turn off data sharing in insider risk management settings](/purview/insider-risk-management-settings-share-data#use-the-apis-to-review-insider-risk-alert-information).
156210

157211
## Next steps
158212
