Get started with the Data Security Posture agent (preview) in Data Security Investigations

Important

Data Security Investigations uses generative artificial intelligence (AI), large language models, and orchestration in the analysis of data in your organization. Results generated by AI might not always be accurate or complete. While we strive to provide reliable and helpful information, AI systems can produce incorrect or false results. It is important to verify the information and use it with caution. Microsoft makes no warranties, express, implied, or statutory, as to the information provided by AI systems.

The Data Security Posture agent (preview) in Data Security Investigations helps your organization proactively surface credentials buried in data across your organization at scale. Rather than manually investigating individual items, the Posture agent automates credential scanning across Microsoft 365 data locations, including SharePoint sites, OneDrive accounts, Exchange mailboxes, and Teams content. After the agent completes scanning, it produces AI-generated risk assessments with confidence scores and supporting reasoning to help your security team quickly prioritize and remediate credential exposure risks.

Important

The Posture agent in Data Security Investigations is currently in preview. Features and functionality might change before general availability.

How the Posture agent works

The Posture agent in Data Security Investigations uses the same agent as Data Security Posture Management (DSPM) (preview). When you enable the Posture agent, you make it available in both DSPM and Data Security Investigations. If you already enabled the Posture agent in DSPM, you don't need to onboard again to use it in Data Security Investigations.

By using the Posture agent in Data Security Investigations, you can:

  • Scan for credentials at scale: Run tenant-wide or scoped credential scanning tasks to discover exposed credentials across your organization's Microsoft 365 data.
  • Track tasks on a task board: Monitor the progress of scanning tasks through a Kanban-style task board with statuses like In progress and Ready for review.
  • Review AI-generated risk assessments: Examine AI-produced risk scores, confidence levels, and reasoning for flagged items to help prioritize remediation efforts.
  • Explore data with KQL queries: Use the Data Explorer to run Kusto Query Language (KQL) queries against credential findings for advanced analysis and investigation.
  • Download reports: Generate and download reports of credential scan results for offline review and compliance reporting.

Prerequisites

Before you can use the Posture agent in Data Security Investigations, confirm the following prerequisites are in place:

Tip

You don't need to configure or enable Data Security Investigations to use the Posture agent. The Posture agent is independent of the Data Security Investigations solution and doesn't require Data Security Investigations billing, permissions, or setup to be completed. As long as the Posture agent is enabled and your organization has SCUs provisioned, the Posture agent experience is available in the Data Security Investigations navigation. Other Data Security Investigations features, such as creating investigations and AI analysis, still require separate Data Security Investigations configuration and billing.

Enable the Posture agent

If your organization hasn't already enabled the Posture agent, use the following steps to enable it:

  1. Go to the Microsoft Purview portal and sign in by using the credentials for a user account assigned the appropriate permissions.
  2. Select Agents in the left navigation.
  3. Select Explore agents, and then select View details for the Posture agent in Data Security Investigations.
  4. Select Set up to enable the agent for your organization.

After you enable the Posture agent, it appears in Agents, DSPM, and Data Security Investigations. In Data Security Investigations, you can access the agent by selecting Posture agent in the left navigation.

Note

If you already enabled the Posture agent in DSPM, you don't need to complete these steps. The agent is automatically available in Data Security Investigations.

Create a credential scanning task

Create a credential scanning task so the Posture agent can scan your organization's data for exposed credentials. You can scope the scan to your entire tenant or narrow it to specific users, sites, or groups.

Complete the following steps to create a credential scanning task:

  1. Go to Data Security Investigations in the Microsoft Purview portal and sign in by using the credentials for a user account assigned Data Security Investigations permissions.
  2. Select Posture agent in the left navigation.
  3. Select Assign to agent to create a credential scanning task.
  4. For the Credential Scanning Task, enter a name for the task in the Task name field.
  5. Configure the data sources for the scan. You can select a tenant-wide scan or narrow the scope to your organization, specific sites, users, mailboxes, or groups.
  6. Select Save.
  7. In the Additional context for AI field, enter natural-language guidance to help the AI scope the agent's scan to the applicable areas.
  8. Select Create to start the task.

After you create the task, it appears in the In progress column on the task board.

Tip

If you realize you scoped a task incorrectly after it starts, you can stop the task and create a new one with the correct scope.

Monitor tasks on the task board

The Posture agent uses a Kanban-style task board to help you track the progress of credential scanning tasks. Each task appears in one of the following columns:

  • In progress: The agent actively scans the specified data locations and analyzes content.
  • Ready for review: The agent finished scanning and the results are ready for a human reviewer to examine.
  • Closed: A human reviewer has marked the task as completed.

The task board displays key information for each task, including the scan scope, the number of locations scanned, and the number of items analyzed. You can also assign a security operations center (SOC) administrator to review the results for a specific task.

Review scan results

After a credential scanning task finishes and moves to the Ready for review column, you can review the results to identify and prioritize credential exposure risks.

Summary view

The summary view provides a high-level overview of the credential scan results. In the summary view, you can:

  • Sort by risk level: View results sorted by High, Medium, or Low risk to prioritize the most critical findings.
  • Group by credential category: Organize results by credential type to understand the distribution of exposed credentials.
  • Review AI reasoning: For each flagged item, the AI provides its reasoning for the assigned risk level, helping you understand why a specific item is flagged as high, medium, or low risk.
  • Download reports: Generate a report of the scan results for offline review, compliance reporting, or sharing with stakeholders.

Item details

Select a specific item in the scan results to view detailed information, including:

  • The detected credential type.
  • The data location where the credential was found.
  • The AI-generated risk and confidence scores.
  • The reasoning behind the risk classification.

Explore data with Data Explorer

Data Explorer provides advanced analysis capabilities by allowing you to run Kusto Query Language (KQL) queries against the credential findings from the Posture agent scans. This experience is similar to advanced hunting in Microsoft Defender XDR and provides a schema-based metadata framework for querying credential data.

To use Data Explorer, complete the following steps:

  1. Go to Data Security Investigations in the Microsoft Purview portal.
  2. Select Posture agent in the left navigation.
  3. Select a completed task, and then select the Data Explorer tab.
  4. Write and run KQL queries against the credential findings schema.

Tip

If you're new to KQL, see Kusto Query Language overview to learn the basics of writing queries.
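As an added example of the kind of triage query the Data Explorer tab is intended for (not from this page or Microsoft's documentation), the following KQL ranks high-confidence findings by risk level and credential type, then lists the locations that carry the most high-risk items. The table name CredentialFindings and every column name are hypothetical placeholders, because the page doesn't document the findings schema; substitute the names shown in your tenant's Data Explorer schema.

```kusto
// Hypothetical schema: CredentialFindings and all column names are placeholders.
// Query 1: prioritize findings the reviewer should look at first.
CredentialFindings
| where TaskName == "Tenant-wide credential scan"   // limit to one scanning task
| where ConfidenceScore >= 0.8                      // start with high-confidence findings
| extend RiskRank = case(RiskLevel == "High", 3,
                         RiskLevel == "Medium", 2,
                         RiskLevel == "Low", 1, 0) // numeric rank so High sorts first
| summarize Findings = count(),
            Locations = dcount(Location),
            SampleLocations = make_set(Location, 5)
          by CredentialType, RiskLevel, RiskRank
| order by RiskRank desc, Findings desc
| project-away RiskRank

// Query 2 (run separately): which sites or mailboxes hold the most high-risk
// findings, to route remediation to the right owners.
CredentialFindings
| where TaskName == "Tenant-wide credential scan"
| where RiskLevel == "High" and ConfidenceScore >= 0.8
| summarize HighRiskFindings = count(),
            CredentialTypes = make_set(CredentialType)
          by Location
| top 20 by HighRiskFindings
```

Lowering the ConfidenceScore threshold in a second pass surfaces the items the agent was less sure about, which are the ones that most need the AI reasoning on the item details page checked by a human.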