After configuring billing and usage options for Data Security Investigations (preview) and assigning permissions to analysts in your organization that manage investigations, the next step is to create and manage an investigation for collection and analysis activities.
Investigations dashboard
Depending on your permissions, investigations in your organization are displayed on the Investigations dashboard in the Microsoft Purview portal. If you're not assigned to the Data Security Investigations Admin role group, you can only view investigations you're assigned to as an investigator or reviewer.
The Investigations dashboard allows you to quickly see the investigations in your organization that you have access to, the description of the investigations, and important information associated with each investigation.
- Name: The name of the investigation. The investigation name must be unique in your organization.
- Description: The description of the investigation entered when the case was created.
- Created on: The date and time in Coordinated Universal Time (UTC) when the investigation was created.
- Last modified: The date and time in Coordinated Universal Time (UTC) when the investigation was last modified.
You can customize the displayed columns and the order of the columns in the Investigations dashboard by selecting Edit columns. Choose the columns to display or drag and drop columns to reorder.
Investigation templates
Investigation templates allow you to quickly create an investigation based on common data characteristics and data types, or by using a natural language query. Only one template per investigation is supported. For the keyword, unique identifier, sensitive information types, and sensitivity labels templates, you also define the date range, users, and tenant source for the investigation.
The following investigation templates are available:
- Keyword: Choose specific keywords for the investigation. Separate each keyword with a comma when using multiple keywords. For example, to include the keywords confidential and Project Contoso, enter confidential, project contoso.
- Unique identifier: Choose specific unique identifiers for the investigation. Unique identifiers associated with items and activities included in the Microsoft 365 audit log are supported. For example, the MessageID for an email message is a supported identifier. Separate each identifier with a comma when using multiple identifiers.
- Sensitive information types: Choose a value from available sensitive information types and define the minimum and maximum confidence ranges. The confidence range is the level of confidence that the detected sensitive type is actually a match.
- Sensitivity labels: Choose one or more sensitivity labels for the investigation.
- Natural language: Create a query by describing what you need for the investigation. Include details about users, data sources, and content.
Create an investigation
Depending on the scenario, investigations are created using one of the following methods:
- From Microsoft Defender XDR incidents: Create an investigation from a Defender XDR incident.
- Manually with a search template: Quickly create an investigation using predefined search templates.
- Manually with full draft mode: Create an investigation using the full draft mode option to configure specific data sources and search conditions.
Create an investigation from Defender XDR
With the integration with the Microsoft Defender XDR solution, you can quickly open an investigation in Data Security Investigations (preview) as part of your response to data breach incidents. You can create an investigation from Defender XDR incidents containing mailbox, email message, or file nodes. To create investigations in Data Security Investigations (preview) in the Microsoft Defender portal, you must have the following roles assigned:
Create a new investigation from a Defender XDR incident using one of the following methods:
- Select Create investigation from the Data Security Investigations (preview) banner at the top of any incident in Defender XDR. This banner is automatically displayed if the incident might contain sensitive information. The new investigation contains all nodes included in the Defender XDR incident.
- Select Create Data Security Investigation from the ellipsis control in the top right of an incident page. The new investigation contains all nodes included in the Defender XDR incident.
- Select any individual mailbox, email message, or file node in the Defender XDR incident to display the node menu and select Create Data Security Incident. The investigation contains only the selected node from the Defender XDR incident.
After you select one of the previous options, the Create a data security investigation dialog is displayed. Complete the following steps:
- In the Name field, give the investigation a name (required). The investigation name must be unique in your organization. If the name you enter isn't unique, you're notified when you select Create.
- In the Description field, add an optional description to help others understand this investigation.
- In the Scope field, choose the items from the incident to include in the investigation.
Important
You can't include mailboxes in the scope of an investigation and also include files or email messages. Investigations created from incidents including mailboxes must be standalone investigations. Select either mailboxes in the scope area OR email messages and files. Both email messages and files from an incident can be included in the same investigation.
- Select Create to create the investigation.
The items included in the scope of the investigation are automatically included as data sources and you're ready to start reviewing and adding these items to the investigation scope in Data Security Investigations (preview).
Note
Sometimes the data sources for SharePoint sites or files might not auto-populate in an investigation. If this situation occurs, manually add the data sources and use the suggested query.
Create an investigation using a search template
Complete the following steps to quickly create an investigation and configure the investigation scope with predefined templates. The user who creates the investigation is automatically added as a member. Members of the investigation can access the investigation in the Microsoft Purview portal and perform Data Security Investigations (preview) tasks.
- Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned Data Security Investigations (preview) permissions. Members of the Organization Management role group can also create investigations.
- Select the Data Security Investigations (preview) solution card and then select Investigations in the left nav.
- Select Create new.
- On the Create an investigation dialog, complete the following fields:
  - Title: Give the investigation a name (required). The investigation name must be unique in your organization.
  - Description: Add an optional description to help others understand this investigation.
- Select Start with search to configure a search query using templates. Select View investigation to open the investigation and configure a search query later.
- Select an investigation template. Choose from Keyword, Unique identifier, Sensitive information types, Sensitivity labels, or Natural language.
- Complete the required fields for the selected template.
- Select estimate to run a query based on the search template values. The estimate helps you understand the results of the query before you add the associated items to the investigation scope.
Important
Adding items to an investigation scope automatically adds these items to the data storage meter for your organization. Items can't be removed from an investigation scope, and the billing rates for this data storage remain in effect until the investigation is deleted. We recommend you carefully review the items in the estimate before adding them to an investigation scope.
- On the Search tab for the investigation, review the summary statistics for the estimate. If you need to update the query to refine the results, select the Refine search tab and use the data sources and query builder controls to update the conditions for the query.
- When you have refined and finalized your query and are satisfied with the results, select Add to scope to add the items to the investigation scope.
Create an investigation using full draft mode
In some scenarios, you might prefer to create a new investigation that doesn't use any of the search templates and isn't associated with a Microsoft Defender XDR incident. Use full draft mode to create a new investigation that begins with new data sources and queries.
Manage investigation settings
Investigation settings include investigation information and access permissions. You can access settings for a specific investigation by selecting Investigation settings after selecting an investigation.
For more information about investigation settings, see: