Microsoft is expanding its use of AI technology to protect corporate data estates and, more specifically, make security investigations more scalable and efficient.
The latest example of the company pushing AI deeper into its security portfolio is Microsoft Purview Data Security Investigations, which identifies data about risks, uses AI to conduct deep content analysis, and empowers security admins to mitigate risk. The software is intended to help customers address risks such as exposed credentials in files and systems across their software stack and sensitive documents being shared to a large group of users.
How It Works
Using Purview Data Security Investigations, data security admins can search their Microsoft 365 data estate to locate data from a range of apps and systems — emails, Teams messages, Copilot prompts — for data that could pose risk. They can also launch pre-scoped investigations from a Microsoft Defender XDR incident, a Microsoft Purview Insider Risk Management case, or from Microsoft Purview Data Security Posture Management.
Once that data or risk is identified, GenAI built into Purview Data Security Investigations conducts analysis across nearly 100 languages. Security teams can use this insight to determine what security risks exist, the specific level of risk they pose, and steps that can be taken to mitigate them. The objective: enable analysts to quickly analyze large volumes of data while saving critical time for triage, review, and mitigation.
Specific features designed to accelerate investigative results include:
AI Search that finds risks using keywords and metadata to locate content that’s relevant to an investigation across the data estate.
Categorization for automatically classifying investigation data to enable understanding of incident severity, types of content and risk, and trends. Data is automatically sorted into default, custom, or AI-suggested categories. Categorized items are grouped by subject matter and risk level.
Vector search to find and retrieve contextually related content even in the absence of matching keywords.
Risk examination that leverages deep content analysis to isolate sensitive data and security risk, assigns a risk score, and recommends mitigation steps. Analysts can find compromised credentials, network risks, or evidence of threat actor discussions associated with security incidents.
AI context input to add investigation-specific content before analysis for high-quality insights tailored to the specific incident.
Security teams can leverage Data Security Investigations’ integration with the Microsoft Sentinel graph to visualize correlations between investigation data, users, and their activities. It automatically combines unified audit logs, Entra (identity and access management) audit logs, and threat intelligence, which would otherwise need to be manually correlated. One specific mitigation action, known as purge, can be used to quickly delete sensitive or overshared content directly within the investigation workflow to keep incidents from escalating or recurring.
The software also includes a cost estimator to help analysts model and forecast both storage and compute unit costs based on their use cases for more accurate budget planning. A usage dashboard breaks down billed storage and compute unit usage, so admins can identify cost-saving opportunities and optimize resource allocation.
Where It Works
Data Security Investigations can be applied for activities ranging from reactive incident response to proactive risk assessment. While the product is now generally available, top use cases that emerged from customers in preview mode included:
- Understanding the severity and sensitivity of data breaches and leaks
- Scanning large SharePoint installations to identify files containing credentials such as passwords
- Uncovering suspicious communications tied to vendor payments or client interactions that could indicate internal fraud or bribery
- Determining who accessed classified documents after accidental sharing — and whether sensitive data was further distributed.
- Executing investigations into inappropriate content to find what was posted, where, and by whom.
Customers can learn more about Data Security Investigations here.
More Microsoft Security and AI Insights:
- Microsoft Outlines Way to Fight AI-Powered Attacks — With AI
- With Agent 365 and Security Tools, Microsoft Equips Customers to Govern AI Agent Estates
- With Agentic AI Infusion, Microsoft Positions Sentinel as Unifying Security Platform
- Microsoft Advances AI Agents to Address the Scale of Phishing, Malware Threats
AI Agent & Copilot Summit is an AI-first event to define opportunities, impact, and outcomes with Microsoft Copilot and agents. Building on its 2025 success, the 2026 event takes place March 17-19 in San Diego. Get more details.
Tom Smith
Analyst
Cloud Wars, Agent and Copilot
Related Posts
