Solution: MicrosoftPurviewInsiderRiskManagement
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.5 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-20 |
| Solution Folder | MicrosoftPurviewInsiderRiskManagement |
| Marketplace | Azure Marketplace · Popularity: 🟢 High (87%) |
This solution enables insider risk management teams to investigate risk-based behavior across 25+ Microsoft products. This solution is a better-together story between Microsoft Sentinel and Microsoft Purview Insider Risk Management. The solution includes the Insider Risk Management Workbook, (5) Hunting Queries, (1) Data Connector, (5) Analytics Rules, (1) Playbook automation and the Microsoft Purview Insider Risk Management connector. While only Microsoft Sentinel is required to get started, the solution is enhanced with numerous Microsoft offerings, including, but not limited to:
Microsoft Sentinel Solutions provide a consolidated way to acquire Microsoft Sentinel content like data connectors, workbooks, analytics, and automations in your workspace with a single deployment step.
This solution provides 1 data connector(s):
This solution uses 14 table(s):
| Table | Used By Connectors | Used By Content |
|---|---|---|
| AADNonInteractiveUserSignInLogs | - | Workbooks |
| AADUserRiskEvents | - | Workbooks |
| AuditLogs | - | Workbooks |
| AzureActivity | - | Hunting, Workbooks |
| EmailEvents | - | Workbooks |
| InformationProtectionLogs_CL 🔶 | - | Analytics, Hunting |
| LAQueryLogs | - | Workbooks |
| MicrosoftPurviewInformationProtection | - | Workbooks |
| OfficeActivity | - | Workbooks |
| Operation | - | Workbooks |
| SecurityEvent | - | Workbooks |
| SigninLogs | - | Analytics, Hunting, Workbooks |
| Syslog | - | Workbooks |
| Update | - | Workbooks |
The following 6 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| Anomalies | - | Workbooks |
| BehaviorAnalytics | - | Hunting, Workbooks |
| IdentityInfo | - | Workbooks |
| SecurityAlert | Microsoft 365 Insider Risk Management | Analytics, Hunting, Workbooks |
| SecurityIncident | - | Analytics, Workbooks |
| Watchlist | - | Workbooks |
🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.
This solution includes 12 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 5 |
| Hunting Queries | 5 |
| Workbooks | 1 |
| Playbooks | 1 |
Analytic Rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Insider Risk_High User Security Alert Correlations | Medium | Execution | Internal use: SecurityAlert, SecurityIncident |
| Insider Risk_High User Security Incidents Correlation | High | Execution | Internal use: SecurityIncident |
| Insider Risk_Microsoft Purview Insider Risk Management Alert Observed | High | Execution | Internal use: SecurityAlert |
| Insider Risk_Risky User Access By Application | Medium | Execution | SigninLogs |
| Insider Risk_Sensitive Data Access Outside Organizational Geo-location | High | Exfiltration | InformationProtectionLogs_CL |
Hunting Queries:
| Name | Tactics | Tables Used |
|---|---|---|
| Insider Risk_Entity Anomaly Followed by IRM Alert | PrivilegeEscalation | Internal use: SecurityAlert |
| Insider Risk_ISP Anomaly to Exfil | Exfiltration | Internal use: BehaviorAnalytics, SecurityAlert |
| Insider Risk_Multiple Entity-Based Anomalies | PrivilegeEscalation | Internal use: BehaviorAnalytics |
| Insider Risk_Possible Sabotage | Impact | AzureActivity; Internal use: SecurityAlert |
| Insider Risk_Sign In Risk Followed By Sensitive Data Access | Exfiltration | InformationProtectionLogs_CL, SigninLogs |
Playbooks:
| Name | Description | Tables Used |
|---|---|---|
| Notify-InsiderRiskTeam | This playbook should be configured as an automation action with the Insider Risk Management Analytic... | - |
The Microsoft Sentinel: Insider Risk Management Solution demonstrates the "better together" story between Microsoft Purview Insider Risk Management and Microsoft Sentinel. The solution includes (1) Workbook, (5) Hunting Queries, (5) Analytics Rules, and (1) Playbook. Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including acting on cases and escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms, including both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of insider risk behavior cross-walked to Microsoft security offerings. This solution is enhanced when integrated with complementary Microsoft offerings such as Microsoft Purview Insider Risk Management, Communications Compliance, Microsoft Information Protection, Advanced eDiscovery, and Microsoft Sentinel Notebooks. This workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for insider risk management, UEBA, device indicators, physical access, and HR signals. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. For more information, see Microsoft Purview Insider Risk Management.
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.6 | 07-04-2025 | Updated ConnectivityCriteria Type in Data Connector. |
| 3.0.5 | 10-04-2024 | Updated Entity Mappings InsiderRiskyAccessByApplication.yaml |
| 3.0.4 | 07-11-2023 | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID. |
| 3.0.3 | 10-10-2023 | Updated Workbook template to replace the datatype InformationProtectionLogs_CL with MicrosoftPurviewInformationProtection |
| 3.0.2 | 04-10-2023 | Updated Workbook template to fix SigninLogs datatype |
| 3.0.1 | 20-09-2023 | Updated Workbook template to fix the invalid JSON issue |
| 3.0.0 | 17-07-2023 | Updated Analytic Rules with grouping configuration (Single Alert) |