Share via

Learn about the Data Security Investigations (preview) workflow

The Data Security Investigations (preview) workflow helps you quickly identify, investigate, and take action on data associated with security and data breach incidents. This workflow isn't a linear process, it includes significant iteration requirements for several of the steps to fine tune searches, evidence gathering, classification, and investigation using AI and activities.

Identifying and taking action on data and access uses the following workflow:

Data Security Investigations (preview) workflow diagram.

Step 1: Identify and escalate incidents

Identify a data security incident

Data breaches and other data security incidents require quick action to identify and contain potential risks to your organization. It's critical that you quickly identify these incidents and streamline an integrated response. Investigating a data security incident is daunting, and might include inefficient workflows across multiple tools, manual work, and extra complexity as the investigation grows in size, labor-intensive reviews of impacted data, and increased costs.

Data Security Investigations (preview) helps you investigate and mitigate data security incident and accelerate the time to resolution dramatically. After identifying a data security incident, you'll create a new investigation to enable your data security team to identify incident-related data, conduct deep content analysis, and mitigate risk within one unified solution.

Escalate a data security incident from Microsoft Defender XDR

If you're already using Microsoft Defender XDR in your organization, the integration with Data Security Investigations (preview) allows you to quickly and seamlessly create a new investigation. The investigation automatically includes all incident-related data items from the Defender XDR incident node.

Step 2: Create an investigation and find impacted data

Creating an investigation in Data Security Investigations (preview) is quick and easy. Depending on the scenario, investigations are created from:

  • Microsoft Defender XDR incidents: Create an investigation from a Defender XDR incident.
  • Manually with a search template: Quickly create an investigation using predefined search templates.
  • Manually with full draft mode: Create an investigation using the full draft mode option to configure specific data sources and search conditions.

Step 3: Search, evaluate results, and review

After creating an investigation, you can review and update data sources and use search tools to identify items related to the data security incident. This review includes items from the following Microsoft 365 services:

  • Exchange Online mailboxes
  • SharePoint sites
  • OneDrive accounts
  • Microsoft Copilot prompts and responses
  • Microsoft Teams

You can create and run different searches that are associated with an investigation. You use conditions (such as keywords, file types, incidents, etc.) in the query builder to create custom search queries that return results with the data that's most likely relevant to the data security incident.

Step 4: Add data to the investigation scope

After you review and refine your search query, you add all relevant data items to the investigation scope. This step is where you filter and review specific data items and identify any items you don't want to review with AI tools in Data Security Investigations (preview).

Step 5 (a): Investigate items

After adding data items to the investigation scope, you're ready to start refining and narrowing the data to the most relevant items for your investigation. Narrowing the items to the smallest amount of applicable data helps increase the speed and costs associated later with AI processing.

In this step, you perform the following actions:

  • Select specific items to add directly to your mitigation plan if applicable.
  • Identify or exclude specific items from AI processing.
  • Prepare the data for AI processing. All items not excluded are vectorized to enable semantic searches and categorization of data.

Step 5 (b): Investigate with AI

After preparing data items for AI processing and the processing is complete, you're ready to start using AI-related tools to help narrow the focus of your investigation to only the most impactful and critical items.

Use the following tools and actions in your review to identify and take action on specific data items:

Important

There are storage and AI capacity cost considerations associated with the usage of each of the AI tools in Data Security Investigations (preview). For more information, see Billing models in Data Security Investigations (preview) and Use AI analysis in Data Security Investigations (preview).

Step 6: Take actions to mitigate

Once you've identify the most relevant and impactful items associated to the date security incident, it's time to take specific action to help mitigate risks.

  • Review mitigation recommendations: Mitigation recommendations are created when you select items for examination and choose Mitigation as the focus area. Automated AI processing identifies related threats and recommends mitigation steps.
  • Review credentials examinations: Credentials and other access asset examinations are identified when you select items for examination and choose Credentials as the focus area. Credential details, type, and specific recommendations are automatically identified and generated by AI analysis processing.
  • Review risk examinations: A security risk score and examination is automatically created when you select items for examination and choose Risks as the focus area. The risk score helps you prioritize mitigation actions for the most impactful and risky data items.
  • Use the mitigation plan: After reviewing examinations and recommendations, add specific data items from the investigation scope to the mitigation plan. This plan helps you manage and track the mitigation status for each data item.

Ready to get started?