Learn about Data Security Investigations (preview)

Microsoft Purview Data Security Investigations (preview) helps cybersecurity teams in your organization harness generative artificial intelligence (AI) to analyze and respond to data security incidents, risky insiders, and data breaches. Investigations help you quickly identify risks from sensitive data exposure and more effectively collaborate with your partner teams to remediate the issues and simplify tasks that traditionally are time consuming and complex.

Analysts can use Data Security Investigations (preview) features in your organization to:

  • Quickly and efficiently search, discover, and identify impacted data.
  • Use deep content AI analysis to discover exact data risks hidden in data.
  • Take action to reduce the impact of data security incidents and quickly mitigate ongoing risks.
  • Collaborate with internal and external stakeholders on investigation details.

Check out the Microsoft Mechanics video and the blog post announcement to learn about how Data Security Investigations (preview) can help you respond to data security incidents.

AI integration

Data Security Investigations (preview) uses generative AI to conduct deep content analysis and uncover key security and sensitive data risks for data included in investigations. AI helps analysts quickly analyze large volumes of data with high accuracy, saving critical time for triage, review, and mitigation actions.

There are three main AI-related investigative capabilities:

  • Vector search: Vector-based semantic search enables similarity-based information retrieval and understands user intent beyond literal words. Analysts query impacted data to find all assets related to a particular subject, even if keywords are missing.
  • Categorization: To get an initial understanding of incident severity, analysts can use AI to categorize impacted data, narrowing focus to high-risk assets. Data Security Investigations (preview) automatically sorts data into default, custom, or AI-suggested categories. Categorized items can also be grouped by subject matter and risk level.
  • Examination: Data Security Investigations (preview) enables analysts to easily address the number one priority for most data security incidents - finding security risks buried within impacted data. By examining impacted data for security risks, analysts can find compromised credentials, network risks, or evidence of threat actor discussions associated with security incidents.

For more information about AI integration and these tools, see Learn about AI analysis in Data Security Investigations (preview).

Common data breach actions

Most organizations are concerned with the increasing risk and impact of internal and external data security breaches. During a breach, your cyber security team is responsible for identifying the impacted data and for reducing the time needed to mitigate the risks from the vulnerabilities the breach exposed. When a data breach occurs, it's critical to respond quickly and effectively to mitigate risks and protect sensitive information.

Your cyber security team needs to:

  • Assess the data breach: Analysts must understand the scope and impact of the data breach. This understanding includes identifying all affected systems, the data impacted, and any external and internal users associated with the data breach.
  • Containment and communication: Analysts must isolate affected systems to minimize and prevent further damage. Additionally, internal stakeholders and departments in your organization (IT, Legal, Executive Management) need notification and the details about the data breach.
  • Forensics and evidence preservation: Analysts might need support when engaging with data forensics experts. System and status details must be retained (logs, system snapshots, network traffic) for potential legal and regulatory requirements.
  • Risk assessment and mitigation: Analysts must evaluate potential risks and prioritize mitigation actions based on risk severity. This information helps with implementing configuration and policy updates, including implementing applicable security patches.
  • Data purge and protection: Analysts might need to remove unnecessary or compromised data and delete redundant copies. Other tasks might include strengthening access controls, data encryption, and monitoring.
  • Reporting and compliance: Depending on the nature of the data involved and the jurisdictions affected, analysts might need to comply with regulatory requirements for breach notification. These requirements might include informing affected individuals, regulatory bodies, and other stakeholders about the nature of the breach and the steps taken to address it.

Common scenarios

Investigate a data breach

After a data security incident, it's often difficult to know what you don't know, and it can be a struggle to understand the impact of sensitive data exposure. As part of your mitigation strategy, you need to understand and identify the intellectual property, personal data, and financial information that might be compromised. Additionally, some organizations are tasked with building and maintaining custom tools to investigate these issues.

While using Microsoft Defender XDR to investigate a data security incident, you discover that a document containing unfiled patents was exposed. By creating an investigation from the incident in Data Security Investigations (preview), further analysis shows which users downloaded the document and whether it was accessed from a risky IP address. This information gives you critical context for mitigation steps, such as protecting the sensitive document or purging it from your organization.

Confidential data leak

A confidential data leak is a scenario where confidential, sensitive, or protected information is intentionally or unintentionally exposed outside its intended environment. To investigate a potential data leak, you can use Data Security Investigations (preview) to better understand the incident's impact and take the necessary next steps.

Proactive data security assessment

Data Security Investigations (preview) can also be used to proactively assess your data estate for data risk. You can analyze a sample of high value data sources and users for data risk or run proactive scans of specific high value data sources or a broader organization-wide scope. The assessment helps to identify opportunities for refining policies or organizational changes to strengthen security practices and potentially prevent or reduce the impact of future data security incidents.

Integration with other Microsoft platforms and solutions

Data Security Investigations (preview) is a unified, purpose-built solution designed to be tightly integrated with other Microsoft security services. Integrated with our Microsoft Graph-enabled approach to security, Data Security Investigations (preview) draws correlations between impacted data, users, and activities. This integration helps you quickly identify impacted data, investigate incidents using generative AI, and securely collaborate with other members of your security team to mitigate risk.

Microsoft Defender XDR

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. Using built-in integration with Data Security Investigations (preview), you can extend the analysis of threat signals and dive deeper into data associated with attacks and security incidents.

Using the Microsoft Defender portal, you can assess alerts and quickly open an investigation in Data Security Investigations (preview) for deeper insights about the data and users associated with the incident. The investigation helps you analyze the alert details, understand what they mean, and collect and examine data for deeper review and mitigation efforts.

To learn more about Microsoft Defender XDR features, see Get started with Microsoft Defender XDR.

Unified audit log

Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft services and solutions are captured, recorded, and retained in your organization's unified audit log.

Data Security Investigations (preview) gives analysts broad access to impacted data, so organizations often need to audit how the solution itself is used to ensure secure and approved use. To meet this requirement, Data Security Investigations (preview) activities are automatically logged in the unified audit log.

To learn more about these activities, see the Data security investigations (preview) activities section in the Audit log activities article.
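
The following PowerShell example is added here to show how an investigator would actually review that audit trail; it is not code from the Microsoft documentation or from the product. It retrieves unified audit log entries for a time window with Search-UnifiedAuditLog, pages through large result sets, expands the AuditData JSON, and filters to a record type or operation-name pattern. The record-type value and the operation pattern are placeholders (assumptions): take the real values from the Data security investigations (preview) activities section of the Audit log activities article. It also assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a role that can read the unified audit log.

```powershell
# Added example, not from the Microsoft docs or the product itself.
# Assumptions: ExchangeOnlineManagement module is installed; the account can read the
# unified audit log; the -RecordType and -OperationPattern defaults are placeholders
# to be replaced with the values listed in the "Audit log activities" article.
param(
    [int]$DaysBack = 7,
    [string]$RecordType = '',                    # DSI record type from the docs (assumption)
    [string]$OperationPattern = 'Investigation'  # regex over the Operations field (assumption)
)

Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-$DaysBack)
$end   = Get-Date

# ReturnLargeSet pages through up to 50,000 rows for the same SessionId,
# 5,000 per call; keep calling until a page comes back empty.
$sessionId = "dsi-audit-$([guid]::NewGuid())"
$query = @{
    StartDate      = $start
    EndDate        = $end
    ResultSize     = 5000
    SessionId      = $sessionId
    SessionCommand = 'ReturnLargeSet'
}
if ($RecordType) { $query.RecordType = $RecordType }

$raw = @()
do {
    $page = Search-UnifiedAuditLog @query
    if ($page) { $raw += $page }
} while ($page)

# AuditData is a JSON string; expand it so the fields can be filtered, reviewed and exported.
$events = foreach ($entry in $raw) {
    if ($entry.Operations -notmatch $OperationPattern) { continue }
    $data = $entry.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $entry.CreationDate
        User       = $entry.UserIds
        Operation  = $entry.Operations
        RecordType = $entry.RecordType
        ClientIP   = $data.ClientIP
        ObjectId   = $data.ObjectId
    }
}

# Review on screen, then keep a copy for the incident record.
$events | Sort-Object Time | Format-Table -AutoSize
$events | Export-Csv -Path ".\dsi-audit-$($start.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

Passing -RecordType narrows the search server-side, which matters in a large tenant where a seven-day window can exceed the 50,000-row session cap; the operation-pattern filter is applied client-side only to what comes back. Export the results before the audit retention period for your tenant expires.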

Billing models

Data Security Investigations (preview) helps you identify data risks in breached content using Large Language Models (LLMs) and Microsoft Copilot for Security. Because Data Security Investigations (preview) provides on-demand AI analysis and integrates with other Microsoft Purview solutions, it uses pay-as-you-go and capacity billing models. This means that there are costs for the storage and AI capacity features you use in the solution, but you don't need a dedicated enterprise plan or license to use Data Security Investigations (preview).

For more information on billing, see Billing models in Data Security Investigations (preview).

Ready to get started?