Microsoft Security Community Blog

Credential Exposure Risk & Response Workbook

Jon_Nordstrom (Microsoft)
Apr 15, 2026

The Credential Exposure Risk & Response Workbook transforms credential leakage detection from a technical alert stream into a measurable security capability aligned with operational risk, control effectiveness, and end‑user impact. By correlating exposure events across workloads, departments, credential types, and individual users, the workbook provides end‑to‑end situational awareness of material credential risk across the organisation. Security teams can drill down from detection trends to the originating artefact (email, file, or URL), accelerating triage, containment, and root‑cause analysis.

How to set up the Workbook

Use the steps outlined in the Identify and Remediate Credentials article to put the right rules in place so that credential data starts being captured. You may choose custom regex patterns or more specific sensitive information types (SITs) that align with your scenario. Once that is done, this workbook helps you analyse the results.

This workbook transforms credential leakage detection into a measurable, executive-ready capability.

  • End‑to‑end situational awareness: Correlates alerts across workloads, departments, credential types, and users to surface material exposure quickly.
  • Actionable triage & forensics: Drill from trends to the artifact (message/file/URL), accelerating containment and root‑cause analysis.
  • Risk‑aligned decisions: Quantifies exposure and response performance (creation vs. resolution trends) to guide investment and policy changes.
  • Audit‑ready governance: Captures decisions, timelines, and outcomes for PCI/PII controls, identity hygiene, and secrets management.

Prerequisites

  • License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements.
  • Before you start, make sure that all endpoint interaction with sensitive content is already being included in the audit logging; this requires Endpoint DLP to be enabled. For Microsoft 365 SharePoint, OneDrive, Exchange, and Teams you can enable policies that generate events, but not incidents, for the important sensitive information types.
  • Install Power BI Desktop to make use of the templates (Downloads - Microsoft Power BI).

Step-by-step guided walkthrough

In this guide, we will provide high-level steps to get started using the new tooling.

  1. Get the latest version of the report that you are interested in. In this case, we will show the Board report.
  2. Open the report. If Power BI Desktop is installed, it should look like this:
  3. You must authenticate with https://api.security.microsoft.com: select Organizational account, sign in, and then click Connect.
  4. You will also have to authenticate with https://api.security.microsoft.com/api/advancedhunting: select Organizational account, sign in, and then click Connect.

What the Workbook Delivers

The workbook turns a credential-protection programme into something measurable. Combined with customers' outcome‑based metrics (operational risk, control risk, end‑user impact), it enables an executive‑level, data‑driven narrative for investment and policy decisions.


Troubleshooting tips

If you receive a (400): Bad request error, it is likely that the tables the report queries are not available from the Advanced Hunting endpoint in your tenant. The same error can also appear when empty values are passed from the left-hand side of the KQL queries.

Detection trend

Apply filtering to this view based on the DLP policies that monitor credentials.

  • Trend Analysis Over Time
    Displays daily detection counts, helping identify spikes in credential leakage activity and enabling proactive investigation.
  • Workload and Credential Type Breakdown
    Shows which workloads (e.g., Endpoint, Exchange, OneDrive) and credential types are most affected, guiding targeted security measures.
  • Detection Source Visibility
    Highlights which security tools (Sentinel, Cloud App Security, Defender) are catching leaks, ensuring monitoring coverage and identifying gaps.
  • Detailed Credential Exposure
    Lists exposed credentials for quick validation and remediation, reducing the risk of misuse or compromise. (This part is dependent on the AI component)
  • Supports Incident Response
    Enables rapid triage by correlating detection trends with specific credentials and sources, improving response times.
  • Compliance and Audit Readiness
    Provides clear evidence of credential monitoring and leakage detection for regulatory and governance reporting.

Credential incident trends

  • Lifecycle Tracking of Credential Alerts
    Visualizes creation and resolution trends over time, helping teams measure response efficiency and identify periods of heightened risk.
  • Workload and Credential Type Breakdown
    Shows which workloads (Endpoint, Exchange, OneDrive) and credential types are most impacted, enabling targeted mitigation strategies.
  • Incident Type Analysis
    Highlights the distribution of alerts by category (e.g., CredRisk, Agent), supporting prioritization of critical incidents.
  • Detailed Alert Context
    Provides message IDs and associated credentials for precise investigation and remediation, reducing time to contain threats.
  • Performance and SLA Monitoring
    Tracks resolution timelines to ensure compliance with internal security SLAs and regulatory requirements.
  • Audit and Governance Support
    Offers clear evidence of alert handling and closure, strengthening accountability and reporting.

Content view

  • Workload-Level Risk Visibility
    Highlights which workloads (e.g., SharePoint, Endpoint) have the highest credential exposure, enabling targeted security hardening.
  • Departmental Risk Breakdown
    Shows which departments (Security, Logistics, Sales) are most impacted, helping prioritise remediation for critical business areas.
  • Credential Type Analysis
    Identifies exposed credential types such as API keys, shared access keys, and tokens, guiding policy enforcement and rotation strategies.
  • User and Document Correlation
    Links exposed credentials to specific users and documents, supporting rapid investigation and containment of leaks.
  • Comprehensive Drill-Down
    Enables navigation from department → credential type → user → document for precise root cause analysis.
  • Governance and Compliance Support
    Provides auditable evidence of credential exposure across workloads and departments, strengthening regulatory reporting.

For endpoint, this view is an excellent way to catch applications that are not treating secrets in a safe way and expose them in temporary files.

Force-directed graph

  • Visual Alert Correlation
    Displays a force-directed graph linking users to alert categories, making it easy to identify patterns and clusters of credential-related risks.
  • High-Risk User Identification
    Highlights users with multiple or severe alerts, enabling prioritisation for investigation and remediation.
  • Credential Type and Department Context
    Shows which credential types and departments are most associated with alerts, supporting targeted security measures.
  • Alert Severity and Details
    Provides a detailed table of alerts with severity and category, helping analysts quickly assess impact and urgency.
  • Improved Threat Hunting
    Enables analysts to trace relationships between users, alert types, and credential exposure for deeper root cause analysis.
  • Compliance and Reporting
    Offers clear evidence of monitoring and categorisation of credential-related alerts for governance and audit purposes.

Security incidents correlated to credential leakage

  • Focused on Credential Leakage
    Provides a dedicated view of alerts related to exposed credentials, enabling quick detection and response.
  • Role-Based Risk Analysis
    Breaks down incidents by department and role, helping prioritise remediation for high-risk groups such as developers and security teams.
  • User-Level Investigation
    Allows drill-down to individual users involved in credential-related alerts for rapid containment and corrective action.
  • Credential Type Insights
    Highlights which types of credentials (e.g., API keys, passwords) are most vulnerable, guiding policy improvements and rotation strategies.
  • Alert Source Correlation
    Displays which security tools (Sentinel, MCAS, Defender) are detecting leaks, ensuring coverage and identifying monitoring gaps.
  • Compliance and Governance Support
    Offers auditable evidence of credential monitoring, supporting regulatory and internal security requirements.

App and Network correlated to credential leakage

For network detection, adjust the query in production to exclude standard applications if they are too noisy. We have seen cases where Word and other commonly used applications make calls using FTP services, for example, and other applications may add too much noise as well.

  • Token Detection Event Traceability
    Shows detected Token credentials events linked directly to individual User IDs and Device IDs for investigation.
  • Application Usage Context
    Identifies that the detected activity is associated with the application ms‑teams.exe as an example.
  • External URL Association
    Displays the Remote URL connected to the token detection event.
  • Remote IP Visibility
    Lists the Remote IP addresses associated with the activity.
  • Entity-Level Correlation
    Links UserId, DeviceId, Application, Remote URL, and Remote IP within a single event flow. You can also select the port used or how apps are linked.
  • Detection Count Aggregation
    Summarises the number of credential events tied to each correlated entity path.
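As an added illustration (not the workbook's own query), the following KQL sketch shows the app/network correlation described in this section, with the noisy-application exclusion from the note above and the empty-value guard from the troubleshooting tip. It assumes DeviceNetworkEvents and its columns (the real Advanced Hunting schema); the credential detection rows are a constructed datatable standing in for whatever DLP source feeds the workbook, since the page does not name that table, and the application list and time window are assumptions to tune per tenant.

```kql
// Constructed stand-in for the workbook's token/credential detection events.
// The page does not name the real source table, so these rows are an assumption.
let CredentialDetections = datatable(DetectionId:string, Timestamp:datetime, UserId:string, DeviceId:string, CredentialType:string)
[
    "det-0001", datetime(2026-04-10 09:15:00), "alice@contoso.example", "device-aaa111", "Token",
    "det-0002", datetime(2026-04-10 11:42:00), "bob@contoso.example",   "device-bbb222", "Token",
    "det-0003", datetime(2026-04-11 08:03:00), "",                      "device-ccc333", "Token"  // empty UserId
];
// Standard applications that only added noise in our environment (assumed list; tune per tenant).
let NoisyApps = dynamic(["winword.exe", "outlook.exe", "msedge.exe"]);
// How close in time a network connection must be to the detection to count as related (assumption).
let Window = 5m;
CredentialDetections
// Empty entity values passed into the join are a known cause of 400 errors in the report; drop them.
| where isnotempty(UserId) and isnotempty(DeviceId)
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(30d)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    // Exclude the noisy standard applications (case-insensitive match on the process name).
    | where InitiatingProcessFileName !in~ (NoisyApps)
    | project NetTimestamp = Timestamp, DeviceId,
              Application = InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
) on DeviceId
// Keep only connections made by the same device around the time of the detection.
| where NetTimestamp between ((Timestamp - Window) .. (Timestamp + Window))
// One row per entity path: UserId -> DeviceId -> Application -> RemoteUrl -> RemoteIP (+ port),
// with the number of distinct credential detections tied to that path.
| summarize DetectionCount = dcount(DetectionId) by UserId, DeviceId, Application, RemoteUrl, RemoteIP, RemotePort
| order by DetectionCount desc
```

Replace the datatable with the real detection source used by your DLP policies before using this in production; the join keys and window are the parts to adjust when results are empty or too broad.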

Turn detection into decisions. Deploy the workbook today to get measurable insights, accelerate triage, and deliver audit-ready governance. Start driving risk-aligned investment and policy changes with confidence.

The PBI report is located here.

Based on what you identify, you may be using tools such as Data Security Investigations to go deeper. We are also working on surfacing the AI triaging in a context that will enrich the DLP analyst experience.

Updated Apr 14, 2026
Version 1.0