Prioritize Security Incidents Based on Data Importance | Microsoft Defender with Microsoft Purview

Mechanics Team
7 min readMay 16, 2024

Prioritize incidents based on data significance, detect insider risks, and adapt protections in real-time with Microsoft Defender XDR and Microsoft Purview. Customize thresholds and risk indicators to detect anomalous behavior and prevent potential breaches with Adaptive Protection. Receive real-time DLP alerts triggered by policy matches, ensuring immediate action to safeguard sensitive data. Gain comprehensive visibility into threats and enforce policies across all devices and applications.

Sravan Kumar Mera, Principal Product Manager for Microsoft Purview shares how to stay ahead of evolving threats and maintain data integrity.

Identify and protect sensitive data.

Prioritize and contain incidents based on insider risks and the importance of the data. Check out Microsoft Defender XDR with Microsoft Purview context.

Automate blocks to resources for elevated risk insiders or compromised accounts.

Use the new Conditional Access policies that now assess Insider Risk from Microsoft Purview. And see it all within your Microsoft Defender incidents.

Define labels and policies for sensitive information.

Enable automatic enforcement across apps and devices that can also be analyzed in Microsoft Defender incidents. Set up a data security foundation with Microsoft Purview.

Watch our full video here:


00:00 — Prioritize security incidents based on data importance
00:42 — High severity multistage incident
01:29 — DLP alerts
02:24 — Insider risk activity summary
03:30 — Set up data security foundation
04:47 — Adaptive Protection
05:50 — DLP policy & Conditional Access
06:33 — Wrap up

Link References

Get started at

Watch our data security playlist at

Unfamiliar with Microsoft Mechanics?

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Keep getting this insider knowledge, join us on social:

Video Transcript:

-Your data is the primary target in most security incidents, but when an incident occurs, do you have the information you need to prioritize incidents and contain them based on the importance of the data itself?

-Well, this hasn’t been an easy problem to solve for, which is why we are making this easier with the fusion of Microsoft Defender XDR to detect and respond to security incidents with signals infused from Microsoft Purview for the identification and protection of your sensitive data.

-This native integration first helps you to quickly prioritize active incidents, based on the importance of compromised data, and display that detail in context, as you investigate and contain threats in Microsoft Defender. Let me show you an example from Microsoft Defender of how these natively integrated solutions work in action.

-Here in the Incidents view, I’ll dig into this high severity multi-stage incident involving initial access and data exfiltration. One of the best ways to follow a multi-stage attack is by using the Attack Story timeline on the left.

-And here we can see from these first couple of email alerts that Megan Bowen was phished and most likely her Contoso credentials were stolen by an external attacker. Importantly, here the integrated signal from Microsoft Purview has triggered multiple data loss prevention, or DLP, alerts for sharing payment cards, then a few PowerPoint presentations. You might notice that this attack spans over a couple of days, and these actions therefore could be considered normal use for Megan. Let’s dig into this DLP alert.

-We can see that the attacker is actually using Megan’s credentials to access her managed Cloud PC in Windows 365 to remain undetected. And you can see that a ZIP file was uploaded to a personal cloud storage location. And there’s even more to it.

-If I head over to the details on the right, and scroll all the way down to the bottom, the incident has been flagged with high insider risk severity. And by the way, on the back end in Microsoft Purview, Megan’s insider risk level is now elevated, but more on that in a second.

-This is important because, if you’re new to Insider Risk Management in Microsoft Purview, this can be set up to flag potentially risky activities either by users inside your organization, or, as in the case of persistent attacks where someone’s identity may have been hijacked, it can flag a sequence of potentially risky activities that may lead to a data security incident. I’ll show you the controls for setting that up in a moment.

-For now, still in Microsoft Defender, let’s drill into Megan’s insider risk activity summary And we can see the story unfold. The user utilizing Megan’s credentials began by downgrading labels in files on a SharePoint site. This is interesting because it shows one of the techniques the attacker is using to stay under the radar and out of sight.

-For example, a file might be labeled as Confidential and manually downgraded to General to bypass the protections scoped to Confidential files. In fact, going back to the Activity timeline view in Defender, we can see, files were then downloaded to a managed device, which, in our case, is the Windows 365 Cloud PC. These sensitive files were zipped and then uploaded onto personal cloud storage outside of our management boundary.

-And because on the back end Megan’s insider risk level is elevated, and based on configured protections, further activities are now blocked outright. So, I’ve shown how the fusion between Microsoft Defender XDR and the data security solutions in Microsoft Purview automatically contained the attack while providing full visibility into the sensitive data involved in the incident.

-Now let me show you how sensitive data signals and their protections from Microsoft Purview are established, so that they can be surfaced in Microsoft Defender XDR. If you’re new to this, it all starts with setting up your data security foundation in Microsoft Purview. Here labels and classifications for your data can be configured in the Microsoft Purview portal.

-I have labels defined for everything from personal to highly confidential information Protection policies can then be automatically triggered and enforced based on these labels and more than 300 sensitive information types, spanning account numbers, addresses, ID numbers, and more.

-Additionally, these policies can also leverage automatic file classifications, which leverage AI to determine the type of content within the files, like source code, financial information, healthcare, legal files, and others.

-In fact, the policies you set in Microsoft Purview can be enforced on your managed devices, while using Microsoft 365 apps, even third-party apps like Adobe Acrobat for PDFs, and as you work with files in the browser. And with everything set up, the signals derived from policy matches will flow directly into Microsoft Defender.

-And by the way, to learn more about data security and your options, we’ve created an entire playlist with deep dives at Now let’s look at what made it possible to trigger the protections based on Megan’s elevated insider risk level. This was made possible by a capability in Microsoft Purview, known as Adaptive Protection, where protections automatically adapt according to a user’s changing risk profile, based on signals from Insider Risk Management, which are assessed in real-time.

-To set up Adaptive Protection, you will establish the thresholds at each risk level. For example, you have a threshold that you can establish for minor risk, another for moderate risk, and, finally, elevated risk. These thresholds align with the risk indicators you define. And there are dozens that you can choose from, and you can also create custom ones.

-For example, when the attacker downgraded the file labels to make them appear less sensitive, this is the risk indicator that was triggered. In fact, there are many risk indicators that you can define as part of Insider Risk Management policies for assessing risky behavior. These even include machine learning-based comparisons of a user’s activity versus their peers to flag any unusual behaviors.

-And as risky activities meet your defined threshold levels, the protections can adapt with DLP policy enforcement or with Conditional Access controls. For example, access was blocked to resources once Megan’s insider risk level shifted to elevated.

-What made this possible is a new Insider Risk condition in Microsoft Entra Conditional Access, which checks insider risk level in real time during authentication. This policy will apply to any user with elevated insider risk. And if it finds a match, like in our case, under Grant, it’s been configured to block access to corporate resources.

-So, even though we haven’t yet reset Megan’s credentials, if the attacker tries to use them, they’ll get this message and be blocked. Importantly, the policy protections you set and its corresponding signal from Microsoft Purview flows directly into Microsoft Defender XDR to help you assess the value of compromised data and even contain attacks using Conditional Access controls.

-To get started, head over to And subscribe to Microsoft Mechanics for the latest updates. Thanks for watching!