Julian Kusenberg IT Beratung


DATA SECURITY INVESTIGATIONS – A first look


Microsoft Purview
Data Security

Data Security Investigations: When the Alert Is No Longer the Real Question

An alert is rarely the answer. It is the starting point. The real question is: which data was actually affected?

Figure: From Security Signal to Content Understanding (from security signal, via DSI, to content understanding)

A user downloads an unusual number of files.
A DLP event shows a suspicious share.
A Defender incident points to a compromised account.
An Insider Risk case is opened because a user’s behavior suddenly looks very different from normal activity.

And then the real question appears:
Which data was actually affected?

Not in theory. Not just as a file list. Not just as a number of search hits.

But in terms of content. Were customer records involved? Did the files contain credentials? Were confidential project documents in scope? Were financial records, HR information, or personal data affected? And what does that mean for Security, Privacy, Legal, and Management?

This is where many organizations still struggle. Security tools can detect that something happened. Compliance tools can search, preserve, and review content. But between a technical signal and a reliable understanding of the affected data, there is often a lot of manual work.


What is Data Security Investigations?

Data Security Investigations (DSI) is a Microsoft Purview capability for data-focused security investigations. It helps organizations investigate data in the context of security incidents, insider risks, possible data exposure, or potential data loss. The goal is to identify affected content faster, understand the risk behind it, and support the next steps for mitigation and response.

At first glance, that may sound like another investigation tool. But the important part is the perspective.

DSI does not primarily start with the question: Which documents do I need for a legal matter?

It starts with: Which data was affected by a security event, and how serious is that?

That is a meaningful shift.

In many incidents, it is not enough to know that a user shared a file. You need to understand what was inside that file. DSI tries to close the gap between signal and content.


Why Do We Need a Separate Capability for This?

Because data-related investigations can become messy very quickly. An incident may start in Defender XDR. The trail then leads to emails, files, SharePoint, OneDrive, Teams, user activity, and audit logs. And each stakeholder asks a different question:

  • Security: Was data exfiltrated?

  • Legal: What are our obligations, and what is the evidence?

  • Privacy: Was personal data affected?

  • Management: What is the business risk?

  • Compliance: Did existing controls work?

DSI supports the more iterative nature of real investigations, where the goal is not just to collect results, but to understand risk:

Search → Narrow scope → Classify → Review → Reassess → Decide


What Does DSI Have to Do with eDiscovery?

If you know Microsoft Purview eDiscovery, parts of DSI will feel familiar. There are data sources, searches, content, review, relevance, and a need for traceability. But DSI is not simply eDiscovery with a new name.

eDiscovery

  • Built around legal, regulatory, and internal investigation scenarios.

  • Helps identify, preserve, collect, review, and export electronically stored information relevant to a case.

  • Primary question: Which content is relevant to a legal matter?

Data Security Investigations

  • Focused on data security incident response.

  • Helps understand which sensitive or risky data was affected and what action is needed right now.

  • Primary question: Which data was affected, how critical is it, and what should we do?

Figure: DSI vs eDiscovery comparison (driver, question, workflow, output: the four main axes of the comparison)

Same universe. Different center of gravity.
eDiscovery helps you find content that may be relevant to a case. DSI helps you understand which data is risky in the context of a security incident.


A Simple Example

Imagine a user account is compromised. Defender XDR detects suspicious activity. The incident shows emails and file activity. There are signs that the user accessed or downloaded content from OneDrive and SharePoint and was a member of several Teams containing sensitive project information.

At this point, the technical incident view is no longer enough. The important questions become:


  • What data did this account have access to?

  • Which files were opened, shared, or downloaded?

  • Did those files contain sensitive information or credentials?

  • Were customer records or personal data affected?

  • Do Privacy, Legal, or customers need to be informed?

Without a dedicated workflow, teams fall back to manual searches, exports, spreadsheets, samples, and many meetings. DSI is designed to support exactly this phase.
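To make the "signal to content" step concrete, here is an added example (not code from Microsoft Purview or DSI, and not the author's own) that takes the compromised-account scenario above and turns raw audit-log activity into the content-based view the post asks for: which files were downloaded or shared, which of them carry sensitive content, and which stakeholder (Security, Privacy, Legal, Management) owns the follow-up. The audit records are constructed and only follow the shape of Microsoft 365 unified audit log entries (an `AuditData` JSON string with `Operation`, `UserId`, `ObjectId`, `CreationTime`); the label inventory, the content categories, the stakeholder mapping and the scoring weights are all assumptions for this illustration, not DSI's own logic. Files with no classification at all land in a separate "needs review" bucket, because an unknown file is exactly the case a human still has to look at.

```python
"""Triage of a compromised account's file activity into a content-risk view.

Added example, not Microsoft Purview or DSI code. Audit records, label
inventory, categories, stakeholder mapping and weights are constructed
assumptions for illustration.
"""
import json
from collections import defaultdict

# Audit operations that indicate possible exposure, with an assumed weight:
# sharing is treated as more serious than a plain download.
RISKY_OPERATIONS = {
    "FileDownloaded": 1,
    "FileSyncDownloadedFull": 1,
    "SharingSet": 2,
    "SharingInvitationCreated": 2,
    "AnonymousLinkCreated": 3,
}

# Assumed label ranking used to order findings; unknown labels rank 0.
LABEL_RANK = {"Highly Confidential": 3, "Confidential": 2, "General": 1}

# Assumed mapping from content category to the stakeholder who owns the
# follow-up question (the post's Security / Privacy / Legal / Management).
CATEGORY_STAKEHOLDER = {
    "credentials": "Security",
    "project documents": "Security",
    "personal data": "Privacy",
    "customer records": "Legal",
    "financial records": "Management",
}

COMPROMISED_USER = "m.beispiel@contoso.example"  # constructed account
BASE = "https://contoso.example"                 # constructed tenant URL


def _rec(time, op, user, path):
    """Build one constructed record shaped like a unified audit log row."""
    data = {"CreationTime": time, "Operation": op, "UserId": user, "ObjectId": f"{BASE}{path}"}
    return {"CreationTime": time, "AuditData": json.dumps(data)}


# Constructed export: what an audit-log search for the incident window might return.
RAW_AUDIT_EXPORT = [
    _rec("2024-05-02T08:01:00", "FileDownloaded", COMPROMISED_USER, "/sites/Finance/Shared Documents/Q3-forecast.xlsx"),
    _rec("2024-05-02T08:04:00", "FileDownloaded", COMPROMISED_USER, "/sites/HR/Shared Documents/salaries-2024.xlsx"),
    _rec("2024-05-02T08:09:00", "SharingSet", COMPROMISED_USER, "/sites/ProjectX/Shared Documents/architecture.docx"),
    _rec("2024-05-02T08:12:00", "AnonymousLinkCreated", COMPROMISED_USER, "/personal/m_beispiel/Documents/passwords.txt"),
    _rec("2024-05-02T08:15:00", "FileAccessed", COMPROMISED_USER, "/sites/ProjectX/Shared Documents/notes.docx"),
    _rec("2024-05-02T08:20:00", "FileDownloaded", COMPROMISED_USER, "/sites/Marketing/Shared Documents/brochure.pdf"),
    _rec("2024-05-02T08:22:00", "FileDownloaded", "a.other@contoso.example", "/sites/Finance/Shared Documents/Q3-forecast.xlsx"),
]

# Constructed classification inventory (assumed to come from your own label or
# DLP reporting): file URL -> (sensitivity label, content category).
LABEL_INVENTORY = {
    f"{BASE}/sites/Finance/Shared Documents/Q3-forecast.xlsx": ("Confidential", "financial records"),
    f"{BASE}/sites/HR/Shared Documents/salaries-2024.xlsx": ("Highly Confidential", "personal data"),
    f"{BASE}/sites/ProjectX/Shared Documents/architecture.docx": ("Confidential", "project documents"),
    f"{BASE}/personal/m_beispiel/Documents/passwords.txt": ("Highly Confidential", "credentials"),
}


def load_records(export):
    """Parse the AuditData JSON text of each exported row into a dict."""
    return [json.loads(row["AuditData"]) for row in export]


def exposure_events(records, user_id, operations=RISKY_OPERATIONS):
    """Keep only the compromised account's operations that can expose content."""
    return [r for r in records
            if r["UserId"].lower() == user_id.lower() and r["Operation"] in operations]


def classify(events, inventory):
    """Attach label and category to each event; unknown files go to needs_review."""
    classified, needs_review = [], set()
    for e in events:
        info = inventory.get(e["ObjectId"])
        if info is None:
            needs_review.add(e["ObjectId"])
            continue
        label, category = info
        classified.append({
            "file": e["ObjectId"], "operation": e["Operation"],
            "label": label, "category": category,
            "priority": LABEL_RANK.get(label, 0) * RISKY_OPERATIONS[e["Operation"]],
        })
    classified.sort(key=lambda c: c["priority"], reverse=True)
    return classified, sorted(needs_review)


def triage(export=RAW_AUDIT_EXPORT, user_id=COMPROMISED_USER, inventory=LABEL_INVENTORY):
    """Signal -> content: prioritized findings, per-stakeholder file lists, review backlog."""
    classified, needs_review = classify(exposure_events(load_records(export), user_id), inventory)
    by_stakeholder = defaultdict(list)
    for c in classified:
        owner = CATEGORY_STAKEHOLDER.get(c["category"], "Security")
        if c["file"] not in by_stakeholder[owner]:
            by_stakeholder[owner].append(c["file"])
    return {"prioritized": classified, "by_stakeholder": dict(by_stakeholder), "needs_review": needs_review}


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Running the block prints the ranked findings: the anonymous link to the credentials file comes first, the shared project document second, then the HR spreadsheet (Privacy) and the finance forecast (Management); the unclassified marketing PDF is listed under `needs_review` rather than silently dropped, and the other user's download and the plain `FileAccessed` event are excluded. Replace the constructed export and inventory with your own audit search results and label reporting to reuse the structure.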


What Makes DSI Different?

The most important difference is the focus on meaning and content. DSI includes capabilities such as semantic search, categorization, and deeper examination of content. Instead of relying only on exact keyword matches, it can identify content based on meaning, context, and risk.

In a data security incident, the situation is often much less clear than in an eDiscovery case:

The Gap

You may know a user was involved, but not which files matter. You know data was accessed, but not whether it was sensitive.

DSI’s Role

Semantic search and AI-assisted categorization help structure large volumes of data more quickly and surface high-risk content first.

The Outcome

Faster focus. Not a replacement for human judgment, but a way to get the investigation to the right content faster.


DSI Is Not a Magic Button

This part is important. DSI does not replace investigation work. It supports it.

AI-assisted analysis can help identify patterns, prioritize content, and surface potential risks. But results still need to be reviewed and validated by people who understand the context. That is especially important in Security, Privacy, Legal, and Compliance.

Important

An AI-generated finding should not automatically become the final truth. It can be a lead. It can be a strong indication. It can help analysts move faster. But it still needs verification. DSI is not there to remove responsibility from analysts. It is there to make their work more focused.


Why DSI Is Interesting

Figure: DSI in the Microsoft Purview ecosystem (DSI as the investigation layer in the Microsoft Purview and Security stack)

DSI sits exactly between several worlds that are often still too disconnected. It integrates naturally with the rest of the Microsoft Purview and Microsoft Security ecosystem:

  • Insider Risk Management: Risky behavior without content context only tells half the story. DSI adds the data layer.

  • DLP: A policy match does not automatically explain how critical the affected content really is.

  • Defender XDR: A technical incident only becomes a business risk when you understand the data involved.

  • Data Security Posture Management: Data exposure should not only be visible. It should also be investigable.

  • eDiscovery: Some mechanics are familiar, while the purpose is different. A security investigation may later become an eDiscovery matter.


What Organizations Should Consider Before Using DSI

DSI is not something organizations should treat as just another portal feature. It needs governance.

  • Who can start an investigation?

  • Which data can be examined?

  • How are findings documented?

  • When does Legal need to be involved?

  • When does DSI become an eDiscovery matter?

A tool that can investigate sensitive organizational content needs clear rules, permissions, processes, and accountability. That is also why DSI should not be looked at in isolation.

Sensitivity Labels, DLP, Insider Risk Management, Audit, Defender XDR, Data Security Posture Management, and eDiscovery all play different roles. DSI adds an investigation layer on top of data security events. It does not replace the foundation.


Conclusion

Many organizations already have more signals than ever before. More alerts. More logs. More policies. More dashboards. More portals. But more signals do not automatically create more clarity.

Data Security Investigations tries to turn a data-related security event into a clearer, content-based assessment.

Not only: What happened?

But: Which data was affected, how critical is it, and what should we do now?

Not hype. Not an AI magic box. A practical capability for one of the most important questions in any data-related incident.

#MicrosoftPurview #DataSecurity #DSI #Compliance #InsiderRisk #eDiscovery

Author

  • Julian Kusenberg

    Julian Kusenberg is a Senior Consultant at SoftwareOne and supports companies in implementing Microsoft Purview, particularly in the areas of information governance, data protection, and Insider Risk Management. With many years of experience implementing compliance and data protection solutions, he helps organizations meet regulatory requirements efficiently in Microsoft 365 environments. His expertise includes complex eDiscovery and forensics projects, in which he combines technical know-how with strategic consulting.


About Julian

Microsoft MVP for Purview, Senior Consultant at SoftwareOne, and speaker on Microsoft 365 Compliance, eDiscovery, Insider Risk Management, Data Security, and AI Governance.
