Overview
The Azure Sentinel: Insider Risk Management Workbook demonstrates the "better together" story between Microsoft 365 Insider Risk Management and Azure Sentinel. This workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide "Go to Alert" links for deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting by Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or printed report via the Print Workbooks feature. Content sections include Overview, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting both by insider risk scenario (such as Sensitive Data Leaks and Security Violations) and by MITRE ATT&CK tactic. The Watchlist tab provides filtering by Azure Sentinel Watchlists, and the User Forensics tab collects logging telemetry by user. The intended workflow is to design the insider risk management architecture, then narrow telemetry from all users > watchlist > specific users, and finally transition to M365 Insider Risk Management to investigate and resolve the activity of interest.
Disclaimer: The Microsoft 365 insider risk management workbook provides a tenant-level option to help customers facilitate internal governance at the user level. Tenant-level administrators can set up permissions to provide access to this solution for members of your organization and set up data connectors in the Microsoft 365 compliance center to import relevant data to support user-level identification of potentially risky activity. Customers acknowledge that insights related to an individual user's behavior, character, or performance materially related to employment can be calculated by the administrator and made available to others in the organization. In addition, customers acknowledge that they must conduct their own full investigation related to the individual user's behavior, character, or performance materially related to employment, and not rely solely on insights from the insider risk management service. Customers are solely responsible for using the Microsoft 365 insider risk management service, and any associated feature or service, in compliance with all applicable laws, including laws relating to individual user identification and any remediation actions. This workbook provides visibility and situational awareness for insider risk management delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configuration to operate.
Basics
Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization and to act on cases, including escalating cases to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms, both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of insider risk behavior cross-walked to Microsoft security offerings.
This solution is enhanced when integrated with complementary Microsoft offerings such as 💡 Microsoft 365 Insider Risk Management, 💡 Communications Compliance, 💡 Microsoft Information Protection, 💡 Advanced eDiscovery, and 💡 Azure Sentinel Notebooks. This workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for insider risk management, UEBA, device indicators, physical access, and HR signals. This workbook is designed to augment staffing through automation, artificial intelligence, machine learning, query/alert generation, and visualizations. For more information, see 💡 Microsoft 365 Insider Risk Management.
Workbooks
Preview Prerequisites & Requirements
- Onboard Azure Sentinel and Microsoft 365 Insider Risk Management
- Enable the Microsoft 365 Insider Risk Management Export alerts feature
- Enable the Azure Sentinel IRM Connector Preview via feature flag
- Enable the Azure Sentinel IRM Connector
  - Navigate to Azure Sentinel > Connectors > Microsoft 365 Insider Risk Management (Preview) > Open Connector Page > Connect
- Enable Azure Sentinel UEBA
- Configure an Azure Sentinel Watchlist with a SearchKey column (the Watchlist tab filters on the SearchKey value)
- This workbook leverages 25+ Microsoft Security products. Only Azure Sentinel and Microsoft 365 Insider Risk Management are mandatory for this content, but Microsoft 365 Communications Compliance, Advanced eDiscovery, Microsoft Information Protection, Azure Security Center, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft 365 Defender, Microsoft Defender for Office, Azure Lighthouse, Azure Active Directory and many more offerings enhance this workbook with alignment to insider risk management.
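Once the connector and watchlist prerequisites above are in place, it is worth confirming in Log Analytics that IRM alerts are actually arriving and that the watchlist SearchKey lines up with the user identity in those alerts, because a mismatch there is the usual reason the Watchlist tab renders empty. The KQL below is an added verification query, not part of the workbook or the connector; it assumes the IRM connector writes to the SecurityAlert table with ProductName "Microsoft 365 Insider Risk Management", that the affected user's UPN is carried in CompromisedEntity, and that a watchlist named "HighRiskUsers" (a hypothetical name) was created with the UPN as its SearchKey column and an optional "Reason" column.

```kusto
// Added verification query (not from the workbook). Assumptions, labelled here:
//   - IRM alerts land in SecurityAlert with ProductName == "Microsoft 365 Insider Risk Management"
//   - the user principal name of the flagged user is in CompromisedEntity
//   - a watchlist "HighRiskUsers" (hypothetical) exists whose SearchKey column holds UPNs
let lookback = 30d;
// Normalize the watchlist key to lower case so the join is case-insensitive;
// column_ifexists keeps the query valid if the optional Reason column is absent.
let watched = _GetWatchlist('HighRiskUsers')
    | project WatchedUser = tolower(tostring(SearchKey)),
              Reason = tostring(column_ifexists('Reason', ''));
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Microsoft 365 Insider Risk Management"
| extend User = tolower(tostring(CompromisedEntity))
// Inner join: only IRM alerts for users on the watchlist survive.
| join kind=inner watched on $left.User == $right.WatchedUser
| summarize Alerts = count(),
            Latest = max(TimeGenerated),
            AlertNames = make_set(AlertName, 10)
          by User, Reason, AlertSeverity
| order by Alerts desc
```

If the result is empty, run the SecurityAlert half on its own (drop the join) first: no rows means the connector is not yet ingesting, while rows without a match mean the SearchKey format (for example, display name instead of UPN, or a different casing or domain) does not match what the alert carries.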