|
| 1 | +--- |
| 2 | +title: Create investigations in Data Security Investigations (preview) from the Microsoft Defender portal |
| 3 | +description: Learn how to create investigations in the Microsoft Defender portal with the Microsoft Purview Data Security Investigations (preview) integration. |
| 4 | +ms.service: defender-xdr |
| 5 | +f1.keywords: |
| 6 | + - NOCSH |
| 7 | +ms.author: diannegali |
| 8 | +author: diannegali |
| 9 | +ms.localizationpriority: medium |
| 10 | +manager: deniseb |
| 11 | +audience: ITPro |
| 12 | +ms.collection: |
| 13 | + - m365-security |
| 14 | + - tier1 |
| 15 | +ms.topic: how-to |
| 16 | +search.appverid: |
| 17 | + - MOE150 |
| 18 | + - MET150 |
| 19 | +ms.date: 04/23/2025 |
| 20 | +appliesto: |
| 21 | +- ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> |
| 22 | +#customer intent: As a security administrator, I want to create data security investigations from the Microsoft Defender portal. |
| 23 | +--- |
| 24 | + |
| 25 | +# Create investigations in Data Security Investigations (preview) from the Microsoft Defender portal |
| 26 | + |
| 27 | +[!INCLUDE [Microsoft Defender XDR rebranding](../includes/microsoft-defender.md)] |
| 28 | + |
| 29 | +[!INCLUDE [Prerelease](../includes/prerelease.md)] |
| 30 | + |
| 31 | +You can now start an investigation on data security incidents from the Microsoft Defender portal with the integration of [Microsoft Purview Data Security Investigations (preview)](/purview/data-security-investigations) and Microsoft Defender XDR. |
| 32 | + |
| 33 | +Security operations center (SOC) teams can take advantage of this integration to enhance their investigation and response to potential data security incidents like data breaches or data leaks. Data Security Investigations (preview) uses generative AI to analyze impacted data, draws connections to identify risks, and provide actionable insights to protect the organization. |
| 34 | + |
| 35 | +SOC teams can start an investigation in Data Security Investigations (preview) from an incident page where a potentially affected data set is in the Microsoft Defender portal. |
| 36 | + |
| 37 | +## Prerequisites |
| 38 | + |
| 39 | +To create investigations in Data Security Investigations (preview) in the Microsoft Defender portal, you must have the following permissions: |
| 40 | + |
| 41 | +- Security Administrator |
| 42 | +- Security Operator |
| 43 | + |
| 44 | +To view and access the investigation in Data Security Investigations (preview) in the Microsoft Purview portal, the *Data Security Investigations Administrator* [permission](/purview/data-security-investigations-permissions) is required. |
| 45 | + |
| 46 | +## Create a data security investigation |
| 47 | + |
| 48 | +Microsoft Defender XDR identifies possibly impacted sensitive data in incidents, where you can start creating an investigation in Data Security Investigations (preview). Investigations support mailboxes, files, and mail messages as the scope of the investigation. |
| 49 | + |
| 50 | +To create an investigation in Data Security Investigations (preview) in the Microsoft Defender portal, follow these steps: |
| 51 | + |
| 52 | +1. Sign in to the Microsoft Defender portal at [security.microsoft.com](https://security.microsoft.com). |
| 53 | +2. In the navigation pane, select **Investigation & response** > **Incidents & alerts** > **Incidents** to open the incident queue. Select an incident from the queue to open the incident page. |
| 54 | +3. When the selected incident contains potentially impacted data, the option to create a Data Security investigation appears on the incident page message banner. Choose **Investigate this incident**. |
| 55 | + :::image type="content" source="/defender-xdr/media/xdr-dsi/xdr-dsi-banner-small.png" alt-text="Screenshot of the incident page highlighting the create investigation message banner" lightbox="/defender-xdr/media/xdr-dsi/xdr-dsi-banner.png"::: |
| 56 | +4. In the pop-up window, provide a name and description for the investigation. Investigation names must be unique. |
| 57 | + :::image type="content" source="/defender-xdr/media/xdr-dsi/xdr-dsi-popup-small.png" alt-text="Screenshot of the Data Security investigations pop-up window" lightbox="/defender-xdr/media/xdr-dsi/xdr-dsi-popup.png"::: |
| 58 | +5. In the Investigation scope, attach mailboxes or files and mail messages to the investigation. |
| 59 | + > [!NOTE] |
| 60 | + > You can attach either mailboxes or files and mail messages in an investigation, but not both at the same time. If an incident involves both mailboxes and files or mail messages, you need to create separate investigations. For example, create one investigation for all mailboxes and another for all files and mail messages. Files and mail messages can be attached in one investigation. |
| 61 | +6. Select **Create investigation** to finish creating the data security investigation. |
| 62 | + |
| 63 | +Once the investigation in Data Security Investigations (preview) is created, a link to the Microsoft Purview portal appears on the message banner in the incident page. Here’s an example. |
| 64 | + |
| 65 | +:::image type="content" source="/defender-xdr/media/xdr-dsi/xdr-dsi-success-link-small.png" alt-text="Screenshot highlighting the link to Microsoft Purview portal after successful creation" lightbox="/defender-xdr/media/xdr-dsi/xdr-dsi-success-link.png"::: |
| 66 | + |
| 67 | +You can also create an investigation in Data Security Investigations (preview) from the incident page in the following ways: |
| 68 | + |
| 69 | +- From the **Incidents** page, select the **More actions** ellipsis to see the options, then choose **Investigate data security with AI**. |
| 70 | + |
| 71 | + :::image type="content" source="/defender-xdr/media/xdr-dsi/xdr-dsi-create-action-small.png" alt-text="Screenshot highlighting the Create Data Security investigation option from the more actions ellipsis" lightbox="/defender-xdr/media/xdr-dsi/xdr-dsi-create-action.png"::: |
| 72 | + |
| 73 | +- When you select an entity like an email in the incident graph, choose **Investigate data security with AI** from the entity context menu. |
| 74 | + |
| 75 | + :::image type="content" source="/defender-xdr/media/xdr-dsi/xdr-dsi-create-entity-small.png" alt-text="Screenshot highlighting the Create Data Security investigation option from an entity in the incident graph" lightbox="/defender-xdr/media/xdr-dsi/xdr-dsi-create-entity.png"::: |
| 76 | + |
| 77 | +Each investigation in Data Security Investigations (preview) created is recorded in the Microsoft Defender portal activity log. The activity log entry also includes the relevant link to the investigation created in the Microsoft Purview portal. |
| 78 | + |
| 79 | +:::image type="content" source="/defender-xdr/media/xdr-dsi/xdr-dsi-activity-log-small.png" alt-text="Screenshot highlighting the link to Microsoft Purview portal in the activity log" lightbox="/defender-xdr/media/xdr-dsi/xdr-dsi-activity-log.png"::: |
| 80 | + |
| 81 | +## Next step |
| 82 | + |
| 83 | +> [!div class="nextstepaction"] |
| 84 | +> [Manage the investigation scope in Microsoft Purview Data Security Investigations (preview)](/purview/data-security-investigations-scope) |
0 commit comments