🎙️ New podcast episode just dropped!
DSI Investigation Templates for Common Data Security Scenarios with Pip & Mara
▶️ Watch now on YouTube
Stay tuned…
Podcast Episode: DSI Investigation templates for common data security scenarios
Tag Archives: security operations
Data Security Investigations: Investigation templates for common data security scenarios
Microsoft just made investigations in Purview Data Security a lot simpler and faster. You can now use ready‑made search templates designed for common data security scenarios, so you don’t have to start from scratch every time.
These built‑in templates help standardize the way investigations are run and reduce the amount of manual setup, meaning security analysts can jump straight into the work with minimal input.
The best part? This feature is already available worldwide, requires no administrative setup, and is ready to use out of the box saving valuable time and streamlining the overall investigation process.
What’s new and why it matters
Microsoft is making investigations in Purview Data Security much more approachable by introducing built‑in search templates. These templates are designed for the scenarios analysts deal with most often—like data exfiltration, compromised mailboxes, exposure of personal data, or even risky AI interactions.
Instead of building queries from scratch every time, investigators can now choose a ready‑made template, enter a few basic details (such as a user or site), and get started immediately. This not only speeds things up but also ensures investigations are more consistent across teams. It’s especially helpful for less-experienced analysts, lowering the learning curve and reducing the time needed to get value from the solution.
(This update is tracked under Microsoft 365 Roadmap ID 560326.)
Rollout timeline
- General Availability (Worldwide): Available now
What this means for your organization
Who it impacts
- Security analysts and investigators working with Microsoft Purview Data Security Investigations
Where you’ll see it
- Microsoft Purview (web portal)
- Data Security Investigations solution
In short, this update removes a lot of the friction from starting an investigation helping teams move faster, stay consistent, and focus on what actually matters: understanding and responding to risks.
Microsoft Purview DLP Gets Smarter Troubleshooting with Guided Diagnostics
If you’ve ever tried to troubleshoot why a Data Loss Prevention (DLP) policy behaved the way it did, you’ll know it’s not always obvious what happened behind the scenes. Microsoft is looking to change that.
Microsoft is rolling out a new guided diagnostics experience in Microsoft Purview Data Loss Prevention (DLP), designed to help administrators quickly understand, diagnose, and resolve DLP policy issues. The goal is simple: make DLP behavior easier to explain, easier to fix, and easier to optimize.
This update is tracked under Microsoft 365 Roadmap ID 561032.
When is this coming?
- Public Preview: Mid‑May 2026 to Mid‑June 2026
- General Availability (Worldwide): Late June 2026 to July 2026
Who does this affect?
This update is primarily aimed at:
- Microsoft 365 administrators managing DLP policies in Microsoft Purview
- Commercial Microsoft 365 tenants
If your organization has Microsoft 365 E5 and Copilot licensing, you’ll also benefit from Security Copilot‑powered insights, which add intelligent recommendations during troubleshooting.
What’s changing?
A new guided diagnostics experience will appear directly in the Microsoft Purview portal, making it much easier to understand what your DLP policies are doing and why.
With this experience, admins can:
- See the order in which DLP policies are evaluated
- Understand which conditions were matched
- Clearly identify what action was taken (allow, block, or audit)
In other words, instead of guessing or piecing together logs, you’ll get a clearer, step‑by‑step explanation of how a DLP decision was made.
Security Copilot‑powered insights (for eligible tenants)
For organizations with the right licensing, Microsoft brings Copilot into the experience to help:
- Spot potential policy misconfigurations
- Speed up DLP troubleshooting
- Get recommendations for improving and optimizing policies
What’s not changing?
- Existing DLP policies continue to work exactly as they do today
- Enforcement behavior is unchanged
- There is no impact on end‑user workflows
This update is purely about visibility and diagnostics, not policy enforcement.
That said, you may want to:
- Update internal DLP troubleshooting documentation to reference the new guided diagnostics experience
- Make sure your security and compliance teams are aware of the new diagnostics flow in the Purview portal
- Review your Copilot and E5 licensing to understand whether Security Copilot‑powered insights will be available in your tenant
Data Security Investigations introduces new soft purge mitigation action
Microsoft is introducing a new soft purge action in Data Security Investigations (DSI), giving admins a quick and safe way to remove sensitive or overshared files during an investigation. With soft purge, items can be deleted immediately but still recovered later as long as they’re within their deleted‑item retention period, so admins get speed without risking permanent data loss.
This builds on DSI’s growing set of AI‑powered tools like intelligent categorization, AI search, and automated risk insights making it easier than ever for organizations to spot issues and take action fast.
New update coming to Microsoft 365 Roadmap ID 558109. A soft purge action will soon be available in Data Security Investigations (DSI), giving admins a safer and more flexible way to remove sensitive or overshared content during an investigation.
When it’s rolling out
- General Availability (Worldwide): Begins early April 2026
- Expected completion: late May 2026
What this means for your organization
Who is affected?
Admins who use Data Security Investigations (DSI) in the Microsoft Purview compliance portal.
What’s changing
A new soft purge option will appear in DSI. With this action, admins can:
- Remove items that match an investigation query
- Keep those items recoverable until the retention period expires
- Act quickly without risking accidental permanent deletion
And the best part:
- The feature is on by default
- No configuration needed
- No changes to existing DLP, labeling, or retention policies
- End users will not see any changes in their workflows
Once the rollout finishes, the feature simply appears for eligible tenants.
How to prepare
There is nothing you need to do in advance.
If you want to get ahead, you may consider:
- Reviewing how soft purge works in DSI
- Updating any internal guidance on investigation processes
- Informing your security or compliance teams about the new action
Overall, this update gives organizations a safer and more controlled way to remove sensitive content during investigations—without adding extra steps or complexity.
Enhancing AI Analysis in Data Security Investigations: What’s Coming Next
Microsoft Purview is rolling out a series of improvements designed to make AI analysis in Data Security Investigations (DSI) faster, smoother, and easier for analysts to use.
With these updates, items added to an investigation will now be automatically prepared for AI analysis—removing a repetitive manual step and helping analysts get to insights sooner. Purview is also introducing a new standard categorization option, giving organizations a quicker and more cost‑efficient way to group and review investigation items. For deeper insights, advanced categorization, including AI‑generated topics, will continue to be available.
These changes are part of Microsoft 365 Roadmap ID 557556.
Rollout Timeline
- Public Preview: Mid‑March 2026 → Mid‑April 2026
- General Availability (Worldwide): Mid‑April 2026 → Mid‑May 2026
What This Means for Your Organization
Who will notice the changes?
- Microsoft Purview administrators
- Analysts and security teams using Data Security Investigations
- Any Microsoft 365 tenant with access to DSI capabilities
What’s changing?
- Automatic AI preparation:
Items added to an investigation will automatically get ready for AI analysis. No extra clicks or steps required. - New standard categorization option:
A streamlined way to categorize items, ideal for scenarios where speed and simplicity matter. - Advanced categorization remains:
Organizations can still use richer AI‑powered topic grouping when deeper analysis is needed. - No configuration changes needed:
Everything is enabled by default—no admin setup required.
What users may see
- Faster time from “item added” to “item ready for analysis”
- A refreshed UI for choosing between standard and advanced categorization
How to Prepare
There’s nothing you need to configure ahead of time. However, it’s helpful to:
- Inform analysts and SOC teams about the new categorization options and automatic AI preparation.
- Update internal documentation if you maintain guides or SOPs that describe DSI workflows.
- Review training materials so teams know when to choose standard vs. advanced categorization.