After configuring billing and usage options for Data Security Investigations (preview) and assigning permissions to the analysts in your organization who manage investigations, create and manage an investigation for collection and analysis activities.
Investigations dashboard
Depending on your permissions, the Investigations dashboard in the Microsoft Purview portal displays investigations in your organization. If you aren't assigned to the Data Security Investigations Admin role group, you can only view investigations you're assigned to as an investigator or reviewer.
The Investigations dashboard lets you quickly see the investigations in your organization that you have access to, the description of the investigations, and important information associated with each investigation.
- Name: The name of the investigation. The investigation name must be unique in your organization.
- Description: The description of the investigation entered when the case was created.
- Created on: The date and time in Coordinated Universal Time (UTC) when the investigation was created.
- Last modified: The date and time in Coordinated Universal Time (UTC) when the investigation was last modified.
Select Edit columns to customize the displayed columns and the order of the columns in the Investigations dashboard. Choose the columns to display or drag and drop columns to reorder.
AI context for investigations (preview)
Additional context for AI (preview) helps focus AI-provided results in an investigation on specific areas, subjects, and issues, which helps eliminate noise and decrease the time it takes to discover and mitigate relevant items. Without additional context, AI analysis might return unrelated categories and risk examination results for data prepared for AI in your investigation. When you provide detailed context for an investigation, categorization and risk examination results more accurately represent the areas you need to investigate.
For example, if you want an investigation to focus primarily on bribery issues, consider including "Find instances of bribery" in the Additional context for AI field on the Create an investigation dialog when creating new investigations in full-draft mode, from Defender XDR, or from Insider Risk Management. The more details that you provide as the context for the investigation, the more focused the AI analysis results are in the investigation.
Tip
Use natural language to provide the context and details you're looking for in the investigation. The context is automatically processed to remove typos, incorrect grammar or punctuation, symbols, and more to help improve clarity and readability for backend AI processing. This context review doesn't change the original intent of the provided context.
Any AI-related analysis for an investigation includes the context you provide for a new or existing investigation. Context-related categories are automatically included in AI-suggested categories and risk examinations for investigations that include a custom context statement. You can add or edit context for an investigation at any time, but you must rerun categorization and risk examinations after any context changes. All changes to context statements are automatically recorded as extended properties for an investigation.
Create an investigation
Depending on your scenario, you can create investigations by using any of the following methods:
- From Microsoft Defender XDR incidents: Create an investigation from a Defender XDR incident.
- From Microsoft Insider Risk Management cases: Create an investigation from an Insider Risk Management case.
- Manually with full draft mode: Create an investigation by using the full draft mode option to configure specific data sources and search conditions.
Create an investigation from Defender XDR
With the integration with the Microsoft Defender XDR solution, you can quickly open an investigation in Data Security Investigations (preview) as part of your response to data breach incidents. You can create an investigation from Defender XDR incidents containing mailbox, email message, or file nodes. To create investigations in Data Security Investigations (preview) in the Microsoft Defender portal, you must have the following roles assigned:
Create a new investigation from a Defender XDR incident by using one of the following methods:
- Select Create investigation from the Data Security Investigations (preview) banner at the top of any incident in Defender XDR. This banner automatically displays if the incident might contain sensitive information. The new investigation contains all nodes included in the Defender XDR incident.
- Select Create Data Security Investigation from the ellipsis control in the top right of an incident page. The new investigation contains all nodes included in the Defender XDR incident.
- Select any individual mailbox, email message, or file node in the Defender XDR incident to display the node menu and select Create Data Security Incident. The investigation contains only the selected node from the Defender XDR incident.
After you select one of the previous options, the Create a data security investigation dialog is displayed. Complete the following steps:
- In the Name field, give the investigation a name (required). The investigation name must be unique in your organization. If the name you enter isn't unique, you're notified when you select Create.
- In the Description field, add an optional description to help others understand this investigation.
- In the Scope field, choose the items from the incident to include in the investigation.
- In the Additional context for AI field, enter additional context to help AI focus your investigation on specific areas and issues.
Important
You can't include mailboxes in the scope of an investigation and also include files or email messages. Investigations created from incidents including mailboxes must be standalone investigations. Select either mailboxes in the scope area OR email messages and files. Both email messages and files from an incident can be included in the same investigation.
- Select Create to create the investigation.
The items included in the scope of the investigation are automatically included as data sources and you're ready to start reviewing and adding these items to the investigation scope in Data Security Investigations (preview).
Note
Sometimes the data sources for SharePoint sites or files might not autopopulate in an investigation. If this situation occurs, manually add the data sources and use the suggested query.
Create an investigation from Insider Risk Management
With the integration of Microsoft Purview Insider Risk Management, you can quickly open an investigation in Data Security Investigations (preview) from a case and for potentially risky activities. To create investigations in Data Security Investigations (preview) in Insider Risk Management, you must have at least one of the following roles assigned:
- Insider Risk Management
- Insider Risk Management Investigator
To create a new investigation from an Insider Risk Management case, complete the following steps:
In the Microsoft Purview portal, go to Insider Risk Management > Cases and select a case.
On the Cases page, select Case actions.
Select Investigate data security with AI.
In the Create a data security investigations dialog box, complete the following fields:
- In the Name field, enter a name for the investigation (required). The investigation name must be unique in your organization. If the name you enter isn't unique, you're notified when you select Create investigation.
- In the Description field, add an optional description to help others understand this investigation.
- In the Investigation scope field, choose the items from the case to include in the investigation.
- In the Additional context for AI field, enter additional context to help AI focus your investigation on specific areas and issues.
Select Create investigation to create the investigation.
The items included in the case are automatically included as data sources. You're ready to start reviewing and adding these items to the investigation scope in Data Security Investigations (preview).
Create an investigation using full draft mode
In some scenarios, you might prefer to create a new investigation that isn't associated with a Microsoft Purview Insider Risk Management or Microsoft Defender XDR incident. Use full draft mode to create a new investigation to begin with new data sources and queries.
Manage investigation settings
Investigation settings include investigation information and access permissions. You can access settings for a specific investigation by selecting Investigation settings after selecting an investigation.
For more information about investigation settings, see: