It takes an average of 292 days – almost a year – to identify and contain data breaches involving stolen credentials.[1] During those critical months, organizations struggle to understand their overall risk as a result of the data breach. Investigating a data security incident is daunting, and includes inefficient workflows across multiple tools, labor-intensive reviews of impacted data, further complexity and manual work as the investigation scope grows, and increased costs. In addition, there is a greater risk of exposing or leaking sensitive data when moving the impacted data for analysis or sharing evidence with stakeholders to remediate a breach.
To streamline and simplify this process, organizations have shared their need for a unified, purpose-built solution that enables them to rapidly identify and mitigate risks from sensitive data exposure. Today, we are excited to announce Microsoft Purview Data Security Investigations (DSI) – a new solution that enables data security teams to identify incident-related data, investigate that data with generative AI-powered deep content analysis, and mitigate risk within one unified solution.
DSI builds on and extends Microsoft Purview’s existing best-of-breed Data Security portfolio. Our information protection, data loss prevention, and insider risk management solutions have provided customers with a strong foundation to protect their crown jewels, their data. Data is at the center of cyberattacks, and now DSI will use AI to reimagine how customers investigate and mitigate data security incidents, accelerating the process dramatically. Most organizations we spoke to (77%) believe that AI will accelerate data security detection and response, and 76% think AI will improve the accuracy of data security detection and response strategies.[2] With its cutting-edge, generative AI-powered investigative capabilities, DSI will transform and scale how data security admins analyze incident-related data. DSI uncovers key security and sensitive data risks and facilitates secure collaboration between partner teams to mitigate those identified risks. This simplifies previously complex, time-consuming tasks – what once took months can now be done in a fraction of the time.
A closer look
Picture this: your data security team is made aware of a massive data breach and needs to quickly determine the risk present within the impacted data. With DSI, you can search your Microsoft 365 data estate to locate incident-relevant emails, Teams messages, Copilot prompts and responses, and documents. DSI enables you to efficiently locate the impacted data, eliminating the need for multiple team handoffs or moving the data.
Once the investigation is scoped, you can use DSI’s generative AI capabilities to rapidly and efficiently sift through mountains of data to pinpoint the major risks to your organization. AI can categorize the impacted data to help you get an initial understanding of incident severity and narrow your focus to the highest-risk assets. Next, DSI enables you to easily address the number one priority during a data security investigation: finding security risks buried within impacted data. With a few clicks, you can use AI to examine impacted data for security risks and promptly find, for example, credentials, network risks, or evidence of threat actor discussion. DSI also allows you to use AI to evaluate sensitive data risk, such as what intellectual property, financial information, and personally identifiable information were exposed. These probing capabilities can also be used to proactively improve data hygiene by examining datasets for sensitive information or security risks, helping your organization prevent a data security incident. To query impacted data and discover assets related to a specific subject, you can leverage vector-based semantic search, which uses embeddings and advanced orchestration to understand context and meaning – even if keywords are missing.
Figure 2: Categorize impacted data to focus on highest risk assets.
Figure 3: Examine impacted data to find key security risks.
DSI can uniquely visualize correlations between impacted data, users, and their activities, providing critical context to guide mitigation and next steps. For example, upon uncovering a highly sensitive document, DSI gives you visibility into which users downloaded it or if it was accessed from a risky IP address. This lets you uncover new nodes to a data security incident, like additional users or new content that requires investigation. Enriching DSI analysis with activity insights can help you resolve your data security incidents faster, and with greater confidence.
Figure 4: View users and activities related to impacted data.
Since security is a team sport, DSI facilitates secure collaboration between partner teams to mitigate identified risks. For instance, if you discover credentials within impacted data, an Entra admin can join the investigation to securely view the extracted credentials and take necessary next steps to reset the accounts. You can use investigation learnings to refine existing policies to strengthen your organization's security practices. In the future, DSI will include features like the ability to purge overshared risky files and more.
We’ve integrated DSI with the products you already use today, allowing you to launch pre-scoped data security investigations from Microsoft Defender XDR and Microsoft Purview Insider Risk Management. When reviewing a security incident in Defender XDR, you can start a data security investigation directly from the incident graph to gain insight into the impacted content. DSI findings equip the SOC with much-needed visibility into a security incident’s impact on data so they can prioritize their incidents based on the sensitivity and severity of data loss. When evaluating a risky user with Insider Risk Management, you can now launch a Data Security Investigation and analyze data at scale with AI-powered deep content analysis. DSI’s distinctive investigative capabilities enhance cross-product protection across Microsoft Security.
With AI at its core, DSI is designed to tackle the most complex, high-volume, and time-sensitive data security incidents, redefining how data security teams investigate and mitigate risk. DSI offers pay-as-you-go billing, giving you the flexibility, scalability, and cost efficiency you need. DSI will be available in public preview in late April. This is another key step in our journey to secure and govern your data – we look forward to hearing your feedback and continuing to invest in DSI.
Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9.
Get started
- Try DSI: Your Global Admin can begin using DSI by activating Purview pay-as-you-go billing and provisioning Security Compute Units when rollout of public preview begins in late April 2025.
- Learn more: Tune in to our Microsoft Mechanics episode for a full demo.
- Share feedback: We’d love to hear from you! Email DSIfeedback@microsoft.com with feedback about DSI.