Understanding how credentials and other asset access information are associated with a data security incident is an important part of identifying and mitigating risks.
For example, if you discover credentials within impacted data associated with the data security incident, a Microsoft Entra admin in your organization can join the investigation, securely view the extracted credentials, and take necessary next steps to reset the accounts. You can also use investigation learnings to refine existing account management policies to strengthen your organization's security practices.
Analyze data for credentials and asset access information
Complete the following steps to identify credentials and asset access data in items included in the investigation scope:
Important
You must prepare data for AI analysis before configuring examinations.
- Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned Data Security Investigations (preview) permissions.
- Select the Data Security Investigations (preview) solution card and then select Investigations in the left nav.
- Select an investigation, then select Analysis on the navigation bar.
- Use vector search or categorization tools to identify data for credentials examination.
- Select one or more items, then select Examine on the command bar.
- In the Examine with AI dialog, enter a name for your examination process in the Job name field.
- Enter a description for the examination process in the Job description field.
- Select Credentials: Extract credentials and access assets in the selected items in the Choose a focus area field.
- Select Examine to start the AI analysis.
Note
The time estimate for the process to complete is based on the amount and size of the selected data. To reduce processing time, filter and exclude data not applicable to the investigation.
Credentials examinations
After the AI processing is completed for the selected data items, you can review credentials examinations to identify credential and asset access details for each item.
The credentials examinations include the following information for each item:
- Subject/Title: The subject or title of the data item.
- Extracted credentials: The credential details included in the data item. This information includes user names, passwords, and more.
- Credential type: The credential type. Might include user credentials, API tokens, MFA backup codes, and more.
- Surrounding snippet: The text or string values surrounding the credential details. This helps with determining the context in which the credential is used in the data item.
- Thought process: A summary of the reasoning as to why the credentials associated with the item are important.
- Errors: A summary of any processing errors encountered when the AI process was run.