Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
Data risk graphs (preview) in Insider Risk Management provide a visual investigation experience that combines asset and activity data into a single view. Powered by Microsoft Sentinel integration, they summarize alert-related activity by a potential insider over the past 30 days, helping analysts triage alerts by revealing hidden contextual connections.
For more information about Microsoft Sentinel integration, see Learn about Microsoft Sentinel in Microsoft Purview.
Important
You can't use this feature with the anonymized user names privacy setting enabled. If you have anonymized user names, the graph doesn't load.
Note
Admin units aren't supported in the data risk graph. If you're scoped to an admin unit, data doesn't appear in data risk graphs.
Supported activities in data risk graph
The data risk graph currently supports the following exfiltration activities:
- Anonymous links created in SharePoint or OneDrive
- Anonymous links used via SharePoint or OneDrive
- Company links created in SharePoint or OneDrive
- File downloads from SharePoint and OneDrive
- Files renamed in SharePoint and OneDrive
For more information about exfiltration detection indicators, see Configure policy indicators in Insider Risk Management.
Before you begin
Before you can use data risk graphs in Insider Risk Management, complete the following steps:
- Learn about pay-as-you-go billing in Microsoft Sentinel for your organization.
- Configure the prerequisites for Microsoft Sentinel data lake and Microsoft Sentinel graph.
- Review the changes made when onboarding to Microsoft Sentinel data lake and Microsoft Sentinel graph.
- Configure at least one Insider Risk Management policy for supported data exfiltration activities.
Configure data risk graph
Important
You always have one data lake. If you already onboarded to the data lake with another Microsoft service, your existing data lake is used. If you never onboarded to the data lake, onboarding in Insider Risk Management enables Microsoft Sentinel data lake and graph in the Defender portal.
After you complete the prerequisites and understand the changes that Microsoft Sentinel data lake and graph make to your organization, complete the following steps to configure data risk graph in Insider Risk Management:
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Go to the Microsoft Purview portal with an account assigned the Global Administrator or Security Administrator role.
Select the Insider Risk Management solution card, then select Recommended actions in the left nav.
In the Comprehensive protection section, select Set up data lake and data risk graph (preview).
If you don't have the correct permissions to set up the data lake, a notification appears to contact a global or billing administrator in your organization.
On the Setup tab on Set up data lake & risk graph (preview), configure the following settings:
- Subscription: Enter the Azure subscription you want to use. Your selected subscription must be valid and accessible, and you must be the subscription owner.
- Resource group: Enter the resource group you want to use. Your selected resource group must be valid and accessible.
Important
After the data lake is provisioned for a specific Azure subscription and resource group, you can't migrate it to a different subscription or resource group.
Select Setup.
The setup process begins, and onboarding might take up to 60 minutes to complete. You can close the setup panel while the process is running. After the onboarding process completes, you see Complete on Set up data lake & risk graph (preview). The data risk graph shows events that occur after your Microsoft Sentinel data lake was created or onboarded.
Initial processing of data and data risk graph availability for investigations can take 24-48 hours.
Important
When the data risk graph is first created, it includes the most recent seven days of data. As the data risk graph refreshes over time, the look-back window expands up to a maximum of 30 days. It might take some time for the data risk graph to reach the full 30-day window, so expect gradual growth after initial setup.
Use data risk graph
Data risk graph (preview) in Insider Risk Management uniquely visualizes correlations between impacted data, users, and their activities. It provides critical context to guide mitigation and next steps. For example, when you uncover an alert related to a highly sensitive document, data risk graphs give you visibility into which users downloaded it or whether they accessed it from a risky IP address. This visibility lets you uncover new nodes in a data security incident, like additional users or new content related to an alert.
To view the data risk graph for an alert, you must be assigned the Insider Risk Management Graph Reader role. This role is included by default in several Insider Risk Management built-in role groups. For more information, see Assign permissions in Insider Risk Management.
Important
All user names are visible in data risk graph, even if pseudonymization is enabled in Insider Risk Management privacy settings.

To use the data risk graph in Insider Risk Management, complete the following steps:
- Go to the Microsoft Purview portal with an account assigned the Insider Risk Management Graph Reader role.
- Select the Insider Risk Management solution card, then select Alerts in the left nav.
- Select an alert to review, then select the Data risk graph (preview) tab.
- Filter the time as applicable and select individual data risk graph nodes for more information about each connection during triage.
- Expand relationships in the graph by selecting the + icon on users or assets.
The data risk graph contains several nodes. Selecting a node shows details about the node:
- User details: Shows information about users associated with the alert. This information includes organization information for each user, including User Principal Name (UPN), labels, location, job title, and more.
- Data details: Shows information about files and sites. This information includes the object location, type, labels, and more.
You can view data risk graph information for users based on the last 30 days of activity. This fixed duration isn't extendable.