MC1137606: Streaming API support for Data Security tables in Microsoft Defender XDR Advanced Hunting

Microsoft Defender XDR will support Streaming API for DataSecurityEvents and DataSecurityBehaviors tables starting late August 2025, enabling real-time insider risk alert data delivery via event hubs. This push-based feature is off by default, requires setup, and allows integration with external ...

As part of the integration between Microsoft Purview Insider Risk Management and Microsoft Defender XDR, we’re enabling Streaming API support for two Advanced Hunting tables: DataSecurityEvents and DataSecurityBehaviors. These tables contain insider risk alert data, and this enhancement allows organizations to receive data in real time via event hubs. We invite your organization to explore this feature and share feedback.

When this will happen:

  • Public Preview: Rollout will begin in late August 2025 and is expected to complete by mid-September 2025.

How this affects your organization:

With Streaming API support, your organization can receive insider risk alert data as soon as it’s available in the DataSecurityEvents and DataSecurityBehaviors tables. This push-based model eliminates the need for repeated polling, unlike the Graph API, which requires pull-based requests. This enhancement improves data timeliness and reduces overhead for security operations teams.

This feature is off by default and requires configuration to begin streaming data.

What you can do to prepare:

Compliance considerations:

  • Alters how existing customer data is processed, stored, or accessed: Yes – Insider risk alert data is now streamed in real time to customer-defined event hubs, changing how data is accessed.
  • Adds integration to 3rd party software products: Yes – Streaming API enables integration with external SIEM and data platforms via event hubs.
  • Includes an admin control and can be controlled through Entra ID group membership: Yes – Admins can configure access and streaming endpoints, and control permissions via Entra ID.