Creating an investigation in full draft mode in Data Security Investigations (preview) provides the most flexibility and options for analysts investigating a data security incident. This process allows you to fully customize the data sources and query in your investigation.
Using full draft mode
Complete the following steps to create an investigation and configure the investigation scope using the full draft mode. The user who creates the investigation is automatically added as a member. Members of the investigation can access the investigation in the Microsoft Purview portal and perform Data Security Investigations (preview) tasks.
Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned Data Security Investigations (preview) permissions. Members of the Organization Management role group can also create investigations.
Select the Data Security Investigations (preview) solution card and then select Investigations in the left navigation.
Select Create investigation.
On the Create an investigation dialog, complete the following fields:
- Title: Give the investigation a name (required). The investigation name must be unique in your organization.
- Description: Add an optional description to help others understand this investigation.
Select Switch to full draft mode.
Select Add data sources.
On the Manage data sources flyout pane, search for and add data sources for your investigation query. You can filter the list to narrow the available data sources, which helps you choose one or more user or group sources to add to the investigation.
In the Search for people, groups, locations, or tenant locations field, select one or more of the following default filters:
- All people and groups (default)
- All apps
- All public folders
If needed, enter specific people, groups, locations, or tenant locations to reduce the scope of sources to specific resources in your organization.
Select Save.
Use the query builder to create a new search query for the investigation.
Select Review scope to review statistics about the results from the query.
Select Add to scope to add data items to the investigation scope.
Next steps
After you create your investigation and add the data items to the investigation scope, you're ready to review the data items and prepare the data items for AI analysis.