M365 Message Center by Cengiz YILMAZ

Track the latest updates, features, and announcements for Microsoft 365 services. Comprehensive archive of service updates and important changes.


© 2026 M365 Message Center. Created with ❤️ by Cengiz YILMAZ

Data sourced from Microsoft 365 Message Center • Not affiliated with Microsoft


Streaming API support for Data Security tables in Microsoft Defender XDR Advanced Hunting

Informational

Message ID

MC1137606

Services

Microsoft Defender XDR
Microsoft Purview

Summary

Microsoft Defender XDR will support Streaming API for DataSecurityEvents and DataSecurityBehaviors tables starting late August 2025, enabling real-time insider risk alert data delivery via event hubs. This push-based feature is off by default, requires setup, and allows integration with external platforms while offering admin control through Entra ID.

Details

As part of the integration between Microsoft Purview Insider Risk Management and Microsoft Defender XDR, we’re enabling Streaming API support for two Advanced Hunting tables: DataSecurityEvents and DataSecurityBehaviors. These tables contain insider risk alert data, and this enhancement allows organizations to receive data in real time via event hubs. We invite your organization to explore this feature and share feedback.

When this will happen:

  • Public Preview: Rollout will begin in late August 2025 and is expected to complete by mid-September 2025.

How this affects your organization:

With Streaming API support, your organization can receive insider risk alert data as soon as it’s available in the DataSecurityEvents and DataSecurityBehaviors tables. This push-based model eliminates the need for repeated polling, unlike the Graph API, which requires pull-based requests. This enhancement improves data timeliness and reduces overhead for security operations teams.

This feature is off by default and requires configuration to begin streaming data.

What you can do to prepare:

  • Set up an event hub or storage location to stream data.
  • Follow the setup guidance here: https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export
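
A consumer reading the configured event hub has to separate these two tables from anything else delivered to the same hub. The sketch below is an added example, not code from Microsoft's message or documentation. It assumes each message body is a JSON object with a records array whose items carry time, tenantId, category (the table name prefixed with AdvancedHunting-) and properties; the sample payload and its property names are constructed.

```python
import json
from collections import defaultdict

# The two tables named in this announcement. The "AdvancedHunting-" category
# prefix is an assumption about the streaming envelope, not stated on this page.
WANTED = {
    "AdvancedHunting-DataSecurityEvents",
    "AdvancedHunting-DataSecurityBehaviors",
}

def split_records(body):
    """Group one event hub message body by table name.

    Returns (rows_by_table, skipped). Raises ValueError on a malformed envelope.
    """
    try:
        envelope = json.loads(body)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError derive from it
        raise ValueError(f"not a JSON envelope: {exc}") from None
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        raise ValueError("envelope has no 'records' list")

    by_table, skipped = defaultdict(list), 0
    for rec in records:
        rec = rec if isinstance(rec, dict) else {}
        category, props = rec.get("category"), rec.get("properties")
        if not isinstance(category, str) or category not in WANTED or not isinstance(props, dict):
            skipped += 1  # other tables may share the hub: count them, do not fail
            continue
        row = {"tenantId": rec.get("tenantId"), "time": rec.get("time"), **props}
        by_table[category.split("-", 1)[1]].append(row)
    return dict(by_table), skipped

# Constructed sample message. Property names are placeholders, not the real columns.
SAMPLE = json.dumps({"records": [
    {"time": "2025-09-01T10:00:00Z", "tenantId": "tenant-placeholder",
     "category": "AdvancedHunting-DataSecurityEvents", "properties": {"ExampleField": "a"}},
    {"time": "2025-09-01T10:00:01Z", "tenantId": "tenant-placeholder",
     "category": "AdvancedHunting-DataSecurityBehaviors", "properties": {"ExampleField": "b"}},
    {"time": "2025-09-01T10:00:02Z", "tenantId": "tenant-placeholder",
     "category": "AdvancedHunting-DeviceEvents", "properties": {"ExampleField": "c"}},
    {"category": "AdvancedHunting-DataSecurityEvents"},  # no properties: skipped
]}).encode()

if __name__ == "__main__":
    tables, skipped = split_records(SAMPLE)
    print({name: len(rows) for name, rows in tables.items()}, "skipped:", skipped)
```

Tracking the skipped count per message gives an early signal when the envelope shape changes or when unexpected tables start arriving on the hub.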

Compliance considerations:

  • Alters how existing customer data is processed, stored, or accessed: Yes – Insider risk alert data is now streamed in real time to customer-defined event hubs, changing how data is accessed.
  • Adds integration to 3rd party software products: Yes – Streaming API enables integration with external SIEM and data platforms via event hubs.
  • Includes an admin control and can be controlled through Entra ID group membership: Yes – Admins can configure access and streaming endpoints, and control permissions via Entra ID.

Timeline

  • Published: Aug 18, 2025 (message published to Message Center)
  • Updated: Aug 18, 2025 (message content updated)
  • End Date: Nov 3, 2025 (message timeline ends)

Tags

#New feature #Admin impact

Category

Stay Informed

Related Messages

Similar updates

  • MC1187672: Get ready for security agents: Microsoft Security Copilot will be included in Microsoft 365 E5 (Nov 18, 2025)
  • MC1148532: Microsoft Purview | eDiscovery - Graph APIs for Standard eDiscovery (Sep 5, 2025)
  • MC1148526: Microsoft Purview | Data Loss Prevention - UX improvements to the DLP Alerts in Purview Portal (Sep 5, 2025)
  • MC1147984: Microsoft Teams: User reporting for incorrectly identified security concerns (Sep 4, 2025)
  • MC1147383: Microsoft Purview | Export download with pre-authorized link support (Sep 3, 2025)