Microsoft Purview · Data Security Investigations
Data Security Investigations Investigators
[Preview] Conduct assigned data security investigations. Create searches, analyze results, manage investigation scope, and develop mitigation plans for assigned cases.
Scope: Access limited to assigned Data Security Investigations only
Permissions
- Create and manage assigned investigations only (not all investigations)
- Create searches and add items to assigned investigations
- Estimate and preview search results for assigned investigations
- Manage investigation scope for assigned cases
- Add, delete, and manage items for mitigation plans
- Run categorization activities on investigated data
- Run examination activities for detailed data analysis
- Run vector searches for AI-powered investigation
- View and interact with data risk graphs
- Export investigation results and evidence for assigned cases
- Access case management capabilities for assigned investigations
- Use compliance search within assigned investigation scope
- Preview file content and communications in search results
- Collaborate with administrators and reviewers on investigations
Common use cases
- Security analyst investigating assigned data security incidents
- Incident response specialist conducting detailed forensic analysis
- Compliance analyst investigating potential data breach or exfiltration
- Data protection analyst examining unauthorized access events
- SOC analyst responding to data security alerts and creating investigations
- Security operations engineer performing root cause analysis
- Threat intelligence analyst investigating data-related threats
- Privacy analyst investigating privacy incident reports
- Regional security coordinator managing investigations for a business unit
- Information security specialist conducting targeted data investigations
Best practices
- Focus on assigned investigations - coordinate with Administrators for access
- Use targeted searches to minimize scope and performance impact
- Document all investigation steps and findings thoroughly
- Leverage data risk graphs to uncover related users and data
- Use categorization activities to organize large result sets efficiently
- Run vector searches to identify similar patterns or threats
- Develop detailed mitigation plans with actionable remediation steps
- Coordinate with Administrators before expanding investigation scope
- Export and preserve evidence for long-term retention
- Use examination activities to drill into specific high-risk items
- Collaborate with Reviewers to get additional analysis perspectives
- Provide regular status updates to Administrators on investigation progress
- Close investigations promptly once resolved to maintain a clean case list
Security considerations
- Can view sensitive data within assigned investigations
- Search and preview permissions allow access to file content and communications
- All activities logged in Microsoft 365 unified audit log
- Limited to assigned investigations - cannot create organization-wide investigations
- Must coordinate with legal/HR when investigating employee activities
- Preview access may expose confidential or privileged information
- Requires secure handling of exported investigation evidence
- Maintain confidentiality of investigation details and findings
- Use compliant devices and MFA for accessing investigation data