Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) solution that delivers cost-efficient security across multicloud and multiplatform environments with built-in AI, automation, threat intelligence, and a modern data lake and graph architecture. The Microsoft Sentinel data lake and graph is a tenant-wide repository for collecting, storing, and managing large volumes of security-related data from various sources. These solutions are integrated with Microsoft Purview solutions and support data risk graphs.
Data risk graph (preview) capabilities are available in the following Microsoft Purview solutions:
Data risk graph (preview)
Powered by Microsoft Sentinel graph, data risk graphs (preview) in Microsoft Purview solutions allow you to view connections between impacted assets, users, and their activities in an interactive graph experience. Microsoft Sentinel graph is a unified graph analytics capability within Microsoft Sentinel that powers graph-based experiences across Microsoft Purview solutions. For more information about Microsoft Sentinel data graph, see What is Microsoft Sentinel graph?
Data risk graphs natively represent the real-world web of users, devices, cloud resources, data flows, activities, and attacker actions associated with activities identified in Microsoft Purview solutions. Connecting activities to assets helps analysts:
- Understand context: View a user's role and file locations to assess whether behavior is typical or suspicious.
- Assess impact: Visualize which assets might be impacted by tracing activity paths within sensitive sites.
- Collaborate effectively: Use the data risk graph to communicate findings with stakeholders by showing connections between users, actions, and assets.
Data risk graph controls
Data risk graphs in Microsoft Purview solutions have the following controls to help you discover and work with information about item relationships and connected nodes:
- Movable nodes: Change the presentation of the graph by moving nodes to customize the view of nodes, relationships, and connections.
- Layers: The Vulnerability layer is presented as the default Insights layer in a data risk graph. To change layers, select the Layers control in the bottom left corner of a graph.
- Maximize the graph view: To quickly maximize a graph, select the Zoom to fit control in the bottom left corner of a graph.
- Scale the graph to any size: To enlarge or reduce the size of the graph, select the + or - controls in the bottom left corner of a graph. Select the Settings control in the bottom left corner of a graph to enable or disable the Zoom slider control.
Data risk graph features
Data risk graphs in Microsoft Purview solutions have the following features to help you discover and work with information about item relationships and connected nodes:
- Nodes: Nodes include users, sites, files, and IP addresses associated with each other.
- Relationships: Connections between nodes describing how they interact with each other. Badges on each relationship describe actions and meanings. For example, badges might include Signed in from, Downloaded, Uploaded, and more.
Prerequisites and onboarding changes
To use the data risk graph in Data Security Investigations and Insider Risk Management, you must onboard to the Microsoft Sentinel data lake and graph and meet specific requirements. Additionally, when you onboard to data lake and graph, the process makes changes in several areas and services in your organization. This process includes your existing data lake, primary and other connected workspaces in Microsoft Defender, and more.
Data risk graphs use a pay-as-you-go billing model to ingest and store data, but data risk graph usage doesn't incur any extra charges. If data needed to populate the data risk graph is already enabled or stored, no extra charges are billed.
For step-by-step guidance on all prerequisites, billing information, and changes made during the onboarding process, see the following articles:
- Prerequisites for Microsoft Sentinel data lake and Microsoft Sentinel graph
- Changes made when onboarding to Microsoft Sentinel data lake and Microsoft Sentinel graph
Configure data risk graph
After you meet the prerequisites for Microsoft Sentinel data lake and Microsoft Sentinel graph and understand the changes made during the onboarding process, you're ready to configure data risk graph (preview) in Microsoft Purview solutions. All activity and asset data from Microsoft Purview data risk graphs are stored in the data lake for your organization.
See the following articles to configure data risk graph in Microsoft Purview solutions: