NMerino
New Member

Defender API data not populating in PowerBI

Hello,

 

My team is trying to create a PowerBI dashboard utilizing Microsoft Defender incident data (security.microsoft.com).

 

We created an API connection through the OData feed source:  OData.Feed("https://api.security.microsoft.com/api/incidents", null, [Implementation="2.0"])

 

Most of the incidents I see on the Defender portal are ingested into PowerBI; however, it is missing incidents from the Insider Risk Management source, and I am only able to see DLP incidents for some reason. We have tried numerous troubleshooting steps with no success; any help would be appreciated.

 

Below I have attached screenshots of what the Power BI raw data that we're getting from Defender looks like vs. what the Microsoft Defender portal is showing.

 

Defender Portal:

DefenderPortal.png

 

PowerBI Source Data:

PowerBI Data.png

 

1 ACCEPTED SOLUTION
v-shamiliv
Community Support

Hi @NMerino
Thank you for reaching out to the Microsoft Fabric community forum.

  • The Microsoft Defender API (https://api.security.microsoft.com/api/incidents) does not include Insider Risk Management (IRM) incidents.
  • IRM incidents are managed under Microsoft Purview and are separated due to privacy and compliance boundaries.
  • DLP incidents appear because they are shared between Microsoft Defender and Microsoft Purview.
  • To access IRM data, you need to use Microsoft Graph API under the Purview (compliance) umbrella, such as https://graph.microsoft.com/beta/security/insiderRiskCases.
  • Microsoft Graph API access requires appropriate Azure AD app registration and permissions like InsiderRiskManagement.Read.All.
  • Manual export from the Insider Risk Management portal (CSV) can be used as a workaround if API access isn't feasible.
  • Accessing IRM data requires Microsoft 365 E5 Compliance or E5 Security licensing.
  • The user accessing the data must have roles such as Insider Risk Management Admin or Compliance Admin.
  • Document this limitation in your Power BI dashboard so stakeholders are aware that IRM incidents are excluded due to API constraints.
  • Use a custom connector or a Graph API query to bring IRM data into Power BI if automation is required.

If this solution helps, please consider giving us Kudos and accepting it as the solution so that it may assist other members in the community.
Thank you.
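
To confirm which portal sources the incidents feed leaves out, and to produce the caveat for the dashboard, the feed can be reconciled against a portal export by incident ID. This is an added example, not part of the original thread; the sample data is constructed and the CSV column names are assumptions.

```python
import csv
import io
import json

# Constructed sample shaped like the incidents API response ("value" array).
API_JSON = """{"value": [
  {"incidentId": 101, "incidentName": "Malware on endpoint"},
  {"incidentId": 102, "incidentName": "DLP policy match"}
]}"""

# Constructed portal export; the column names are hypothetical.
PORTAL_CSV = """Incident Id,Incident name,Service sources
101,Malware on endpoint,Endpoint
102,DLP policy match,Data Loss Prevention
103,Data leak by departing user,Insider Risk Management
104,Risky browser usage,Insider Risk Management
"""


def api_incident_ids(api_json):
    """IDs the feed actually delivered to Power BI."""
    return {int(item["incidentId"]) for item in json.loads(api_json)["value"]}


def coverage_by_source(api_json, portal_csv):
    """Map each portal service source to (incidents in feed, incidents in portal)."""
    in_feed = api_incident_ids(api_json)
    coverage = {}
    for row in csv.DictReader(io.StringIO(portal_csv)):
        hit = int(row["Incident Id"]) in in_feed
        # An incident can list several sources; count it under each one.
        for source in (s.strip() for s in row["Service sources"].split(";")):
            present, total = coverage.get(source, (0, 0))
            coverage[source] = (present + int(hit), total + 1)
    return coverage


def excluded_sources(coverage):
    """Sources visible in the portal with no incident at all in the feed."""
    return sorted(s for s, (present, _) in coverage.items() if present == 0)


def dashboard_note(coverage):
    """One-line caveat to show on the dashboard, or '' if nothing is excluded."""
    missing = excluded_sources(coverage)
    if not missing:
        return ""
    return "Not included in this feed: " + ", ".join(missing)
```

A source that shows (0, n) is excluded by the feed as a whole, while a partial count such as (3, 5) points to a filter or paging problem instead.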

 


4 REPLIES
v-shamiliv
Community Support

Hi @NMerino 

I hope this information is helpful. Please let me know if you have any further questions or if you'd like to discuss this further. If this answers your question, please Accept it as a solution and give it a 'Kudos' so others can find it easily.
Thank you.

 

v-shamiliv
Community Support

Hi @NMerino 
I wanted to check if you had the opportunity to review the information provided. Please feel free to contact us if you have any further questions. If my response has addressed your query, please accept it as a solution and give a 'Kudos' so other members can easily find it.
Thank you.

v-shamiliv
Community Support

Hi @NMerino 

May I ask if you have resolved this issue? If so, please mark the helpful reply and accept it as the solution. This will help other community members who have similar problems solve them faster.

Thank you.
