Manage security alerts and respond to threats
Security teams need tools to detect suspicious activity and respond before small issues become major incidents. Contoso uses security alerts and investigation tools across Microsoft Purview and Microsoft Defender to monitor policy violations, investigate potential data leaks, and take corrective actions.
Security alerts in Microsoft Purview
Microsoft Purview generates alerts when policies detect activity that might put sensitive data at risk. These alerts help identify issues like:
- Policy violations from data loss prevention (DLP) policies.
- Insider risk management policy triggers based on user activities.
Security teams can review alert details, examine user activity, and take follow-up actions as needed.
Investigations and response actions
After reviewing an alert, security teams can:
- Review user activity timelines and access details.
- Determine whether the activity was authorized, accidental, or intentional.
- Use Microsoft Purview Audit to review detailed user activity logs that support incident analysis.
- Use Activity explorer to review data access, movement, and sharing activities.
- Use Content explorer and Data explorer to validate how sensitive data is classified and labeled across Microsoft 365 services.
These investigation tools help security teams analyze incidents, verify policy effectiveness, and support ongoing risk management.
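To make the investigation steps above concrete, the following added example (not code from the page, Microsoft, or the Purview product) processes a handful of constructed audit records in the shape of exported unified audit log entries. It builds a per-user activity timeline, counts DLP policy matches per policy, and applies a simple triage rule: a DLP rule match that is followed within a short window by a sharing or download operation on the same item is labelled for escalation, while an isolated match is labelled for routine review. The field names (CreationTime, Operation, UserId, Workload, ObjectId, PolicyDetails, TargetUserOrGroupType) follow the audit record schema as I understand it, but the record values, the user names, the policy names and the 30-minute window are all assumptions made for this example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), loosely modelled on
# exported unified audit log entries. Timestamps are naive ISO 8601 so that
# datetime.fromisoformat() accepts them on any supported Python version.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T09:15:00", "Operation": "DlpRuleMatch",
     "UserId": "alice@contoso.example", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/q2-forecast.xlsx",
     "PolicyDetails": [{"PolicyName": "Financial data",
                        "Rules": [{"RuleName": "Block external sharing"}]}]},
    {"CreationTime": "2024-05-01T09:17:30", "Operation": "SharingSet",
     "UserId": "alice@contoso.example", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/q2-forecast.xlsx",
     "TargetUserOrGroupType": "Guest"},
    {"CreationTime": "2024-05-01T09:20:00", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/finance/q2-forecast.xlsx"},
    {"CreationTime": "2024-05-01T11:00:00", "Operation": "DlpRuleMatch",
     "UserId": "bob@contoso.example", "Workload": "Exchange",
     "ObjectId": "<draft-message-id@contoso.example>",
     "PolicyDetails": [{"PolicyName": "Customer PII",
                        "Rules": [{"RuleName": "Warn on credit card numbers"}]}]},
    {"CreationTime": "2024-05-01T11:05:00", "Operation": "FileAccessed",
     "UserId": "bob@contoso.example", "Workload": "SharePoint",
     "ObjectId": "https://contoso.example/sites/hr/handbook.docx"},
]

# Operations that move data out of its original location; assumed set for triage.
FOLLOW_UP_OPS = {"SharingSet", "FileDownloaded", "FileSyncDownloadedFull"}


@dataclass(frozen=True)
class Event:
    time: datetime
    operation: str
    user: str
    workload: str
    object_id: str
    detail: str


def parse_records(records: list[dict]) -> list[Event]:
    """Normalise raw audit records into Event objects sorted by time."""
    events = []
    for r in records:
        detail = ""
        if r["Operation"] == "DlpRuleMatch":
            names = [p["PolicyName"] for p in r.get("PolicyDetails", [])]
            detail = "policy=" + ",".join(names)
        elif r["Operation"] == "SharingSet":
            detail = "target=" + r.get("TargetUserOrGroupType", "unknown")
        events.append(Event(datetime.fromisoformat(r["CreationTime"]),
                            r["Operation"], r["UserId"].lower(),
                            r["Workload"], r["ObjectId"], detail))
    return sorted(events, key=lambda e: e.time)


def user_timeline(events: list[Event], user: str) -> list[Event]:
    """All events for one user, oldest first (the 'activity timeline' view)."""
    return [e for e in events if e.user == user.lower()]


def dlp_matches_per_policy(events: list[Event]) -> Counter:
    """Count DLP rule matches by policy name, to check which policies fire most."""
    counts: Counter = Counter()
    for e in events:
        if e.operation == "DlpRuleMatch":
            for name in e.detail.removeprefix("policy=").split(","):
                counts[name] += 1
    return counts


def triage_dlp_matches(events: list[Event],
                       window: timedelta = timedelta(minutes=30)) -> dict[str, str]:
    """Label each user with a DLP match: 'escalate' if the same user performed a
    follow-up sharing/download operation on the same item within `window` of
    the match, otherwise 'review'."""
    labels: dict[str, str] = {}
    for match in (e for e in events if e.operation == "DlpRuleMatch"):
        labels.setdefault(match.user, "review")
        for e in events:
            if (e.user == match.user and e.object_id == match.object_id
                    and e.operation in FOLLOW_UP_OPS
                    and match.time <= e.time <= match.time + window):
                labels[match.user] = "escalate"
    return labels


if __name__ == "__main__":
    evs = parse_records(SAMPLE_RECORDS)
    for e in user_timeline(evs, "alice@contoso.example"):
        print(e.time.isoformat(), e.workload, e.operation, e.detail)
    print(dict(dlp_matches_per_policy(evs)))
    print(triage_dlp_matches(evs))
```

In practice the input would be the JSON or CSV export of the audit search rather than the embedded list, and the triage rule would be tuned to the organisation's own policies; the point of the example is that the "authorized, accidental, or intentional" judgement starts from a timeline of what happened to the same item around the alert.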