Get started with Data Security Investigations (preview)

Use Data Security Investigations (preview) to identify, investigate, and mitigate data risk either reactively when an incident occurs, or proactively to improve data security hygiene for your organization. Complete the following steps in the workflow to set up prerequisites and configure Data Security Investigations (preview).

For more information about how Data Security Investigations (preview) can help you with security incidents in your organization, see Learn about Data Security Investigations (preview).

Step 1: Read and agree to terms

The first time you access Data Security Investigations (preview) in the Microsoft Purview portal, you must read and agree to the terms of the Privacy Statement.

Confirm that you accept the terms and select Get started.

Step 2: Billing and usage

To get started with Data Security Investigations (preview), you must configure billing and usage settings for data storage and AI analysis features. Data Security Investigations (preview) uses a payment model based on how much data is added to investigations and how much AI capacity is used for analysis of that data.

For step-by-step guidance, see Billing models in Data Security Investigations (preview).

Step 3: Configure permissions

To allow users to access Data Security Investigations (preview) tools in the Microsoft Purview portal, you must assign the users the appropriate permissions. The easiest way to assign roles is to use the setup task or add the user to the appropriate role group on the Role groups page in the Microsoft Purview portal.

For step-by-step guidance, see Assign permissions in Data Security Investigations (preview).

Step 4: Create an investigation

To get started with Data Security Investigations (preview), you must create an investigation and configure investigation settings.

Investigations are created in several ways. Choose from the following methods to create a new investigation:

The user who creates the case is automatically added as a member. Members of the case can access the investigation in the Microsoft Purview portal and perform Data Security Investigations (preview) tasks.

To configure user access and permissions for specific investigations, see Configure investigation access and permission settings in Data Security Investigations (preview).

Step 5: Search and evaluate results

After creating an investigation, use search tools to identify content such as email, documents, and instant messaging conversations in your organization that are relevant to a data security incident.

Tip

Refining and narrowing searches to key areas of your investigation is an iterative process. We recommend that you narrow the results as much as possible before adding data items to the investigation scope. Use filters to identify nonrelevant items, select the items, and mark the items as excluded.

Search tools allow you to:

Step 6: Add items to an investigation scope

After adding data items from your search queries to the scope of the investigation, you're ready to start working with your data and validating items before preparing for AI analysis.

You can group and view items in the investigation scope, including file detail views for each data item. Use filters to identify nonrelevant items and mark them to be excluded. After you narrow the items in the investigation scope, you're ready to prepare the data for AI processing and advanced analysis.

Tip

Using AI processing is an iterative process. We recommend that you narrow down and exclude as many items as possible before using examination tools to identify risks and generate examinations.

Step 7: Investigate items

Use generative AI processing to help you quickly identify and review data items in the investigation scope. These tools help you decide which items need closer examination and whether they should be added to the mitigation plan.

Step 8: Take mitigation actions

Create detailed examinations and review risk examinations and recommendations for items in the investigation scope: