(Updated) Microsoft Purview: Data Security Investigations – analyze files tied to endpoint DLP alerts

Microsoft Purview’s Data Security Investigations now includes endpoint Data Loss Prevention (DLP) events as a queryable source, enabling admins to analyze related files automatically. This update, rolling out June 2026, enhances investigation efficiency with AI tools and requires no user action.

2026-06-15T23:06:26.517Z

<p>Updated June 15, 2026: We have updated the timeline. Thank you for your patience.&nbsp;</p><p><b>[Introduction]</b></p><p>We’re introducing <b>endpoint Data Loss Prevention (DLP) events</b> as a <b>queryable data source</b> in <i>Data Security Investigations (DSI) in Microsoft Purview</i>. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios.</p><p>This message is associated with <b>Microsoft 365 Roadmap ID <a href="https://www.microsoft.com/microsoft-365/roadmap?filters=&amp;searchterms=558547" target="_blank">558547</a></b>.</p><p><b>[When this will happen]</b></p><ul><li><b>Public Preview:</b> Rollout begins in <b>early June 2026</b> (previously&nbsp;late April)&nbsp;and completes in<b> early June 2026</b> (previously&nbsp;mid‑May)<b>.</b></li><li><b>General Availability (Worldwide): </b>Rollout begins in <b>mid-June 2026</b> (previously&nbsp;mid‑May)<b>&nbsp;</b>and completes in <b>mid-June 2026</b> (previously&nbsp;mid‑May).</li></ul><p><b>[How this will affect your organization]</b></p><p><i>Who is affected</i></p><p>Admins and security investigators using<b> Data Security Investigations (DSI) </b>and<b> endpoint Data Loss Prevention (DLP)</b> in the <i>Microsoft Purview compliance portal</i>.</p><p><i>What will happen</i></p><ul><li>A<b> new Endpoint DLP tab</b> will appear in the <i>DSI search experience</i>, alongside the existing Query Builder and Audit tabs. </li><li>Admins and investigators can query endpoint DLP events using date range filters (additional filters coming soon). </li><li>Files associated with matching endpoint DLP events will be automatically added to the investigation scope for analysis using DSI’s AI‑powered tools. </li><li>This feature will appear automatically for eligible tenants when rollout completes. No admin action is required to enable it.</li><li>There is no user impact.</li></ul><p><b>[What you can do to prepare]</b></p><p>No action is required. Optionally, you may:</p><ul><li>Review how endpoint DLP query capabilities work within DSI.</li><li>Update internal documentation for alert triage and investigation workflows, if applicable.</li><li>Inform security teams and endpoint DLP administrators about this new capability.</li></ul><p><b>Learn more:&nbsp;</b></p><ul><li><a href="https://learn.microsoft.com/purview/data-security-investigations" target="_blank">Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn</a><br></li><li><a href="https://learn.microsoft.com/purview/endpoint-dlp-learn-about" target="_blank">Learn about Endpoint data loss prevention | Microsoft Purview | Microsoft Learn</a></li></ul><p><b>[Compliance considerations]</b></p><table class="table table-bordered"><tbody><tr><td><b>Question</b></td><td><b>Answer</b></td></tr><tr><td><b>Does the change alter how existing customer data is processed, stored, or accessed?</b></td><td><b>Yes. </b>Endpoint DLP event data becomes queryable in DSI, and associated files are automatically collected into investigations for analysis.</td></tr><tr><td><b>Does the change introduce or significantly modify AI/ML capabilities that interact with customer data?</b></td><td><b>Yes. </b>DSI’s existing AI‑assisted investigation tools will now analyze files gathered through endpoint DLP queries.</td></tr><tr><td><b>Does the change modify how admins can monitor, report on, or demonstrate compliance activities?</b></td><td><b>Yes. </b>Admins gain new ways to surface, query, and analyze endpoint DLP signals within DSI.</td></tr></tbody></table><p><b></b></p><p></p>

Microsoft Purview’s Data Security Investigations (DSI) will integrate endpoint Data Loss Prevention (DLP) events as a queryable data source, enabling admins to analyze associated files automatically. Rollout begins early June 2026 with no user impact or required admin action. This enhances investigation efficiency using AI tools.

2026-05-18T22:43:48.933Z

<p>Updated May 18, 2026: We have updated the timeline. Thank you for your patience.&nbsp;</p><p><b>[Introduction]</b></p><p>We’re introducing <b>endpoint Data Loss Prevention (DLP) events</b> as a <b>queryable data source</b> in <i>Data Security Investigations (DSI) in Microsoft Purview</i>. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios.</p><p>This message is associated with <b>Microsoft 365 Roadmap ID <a href="https://www.microsoft.com/microsoft-365/roadmap?filters=&amp;searchterms=558547" target="_blank">558547</a></b>.</p><p><b>[When this will happen]</b></p><ul><li><b>Public Preview:</b> Rollout begins in <b>early June 2026</b> (previously&nbsp;late April)&nbsp;and completes in<b> early June 2026</b> (previously&nbsp;mid‑May)<b>.</b></li><li><b>General Availability (Worldwide): </b>Rollout begins in <b>mid-June 2026</b> (previously&nbsp;mid‑May)<b>&nbsp;</b>and completes in <b>mid-June 2026</b> (previously&nbsp;mid‑May).</li></ul><p><b>[How this will affect your organization]</b></p><p><i>Who is affected</i></p><p>Admins and security investigators using<b> Data Security Investigations (DSI) </b>and<b> endpoint Data Loss Prevention (DLP)</b> in the <i>Microsoft Purview compliance portal</i>.</p><p><i>What will happen</i></p><ul><li>A<b> new Endpoint DLP tab</b> will appear in the <i>DSI search experience</i>, alongside the existing Query Builder and Audit tabs. </li><li>Admins and investigators can query endpoint DLP events using date range filters (additional filters coming soon). </li><li>Files associated with matching endpoint DLP events will be automatically added to the investigation scope for analysis using DSI’s AI‑powered tools. </li><li>This feature will appear automatically for eligible tenants when rollout completes. No admin action is required to enable it.</li><li>There is no user impact.</li></ul><p><b>[What you can do to prepare]</b></p><p>No action is required. Optionally, you may:</p><ul><li>Review how endpoint DLP query capabilities work within DSI.</li><li>Update internal documentation for alert triage and investigation workflows, if applicable.</li><li>Inform security teams and endpoint DLP administrators about this new capability.</li></ul><p><b>Learn more:&nbsp;</b></p><ul><li><a href="https://learn.microsoft.com/purview/data-security-investigations" target="_blank">Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn</a><br></li><li><a href="https://learn.microsoft.com/purview/endpoint-dlp-learn-about" target="_blank">Learn about Endpoint data loss prevention | Microsoft Purview | Microsoft Learn</a></li></ul><p><b>[Compliance considerations]</b></p><table class="table table-bordered"><tbody><tr><td><b>Question</b></td><td><b>Answer</b></td></tr><tr><td><b>Does the change alter how existing customer data is processed, stored, or accessed?</b></td><td><b>Yes. </b>Endpoint DLP event data becomes queryable in DSI, and associated files are automatically collected into investigations for analysis.</td></tr><tr><td><b>Does the change introduce or significantly modify AI/ML capabilities that interact with customer data?</b></td><td><b>Yes. </b>DSI’s existing AI‑assisted investigation tools will now analyze files gathered through endpoint DLP queries.</td></tr><tr><td><b>Does the change modify how admins can monitor, report on, or demonstrate compliance activities?</b></td><td><b>Yes. </b>Admins gain new ways to surface, query, and analyze endpoint DLP signals within DSI.</td></tr></tbody></table><p><b></b></p><p></p>

Microsoft Purview: Data Security Investigations – analyze files tied to endpoint DLP alerts

Microsoft Purview’s Data Security Investigations will include endpoint Data Loss Prevention (DLP) events as a queryable source, enabling admins to analyze related files automatically. Rolling out April–May 2026, this feature enhances investigation efficiency using AI tools without user impact or required admin action.

2026-03-21T16:18:50.843Z

New feature,User impact,Admin impact

<p><b>[Introduction]</b></p><p>We’re introducing <b>endpoint Data Loss Prevention (DLP) events</b> as a <b>queryable data source</b> in <i>Data Security Investigations (DSI) in Microsoft Purview</i>. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios.</p><p>This message is associated with <b>Microsoft 365 Roadmap ID <a href="https://www.microsoft.com/microsoft-365/roadmap?filters=&amp;searchterms=558547" target="_blank">558547</a></b>.</p><p><b>[When this will happen]</b></p><ul><li><b>Public Preview:</b> Rollout begins in <b>late April 2026</b> and completes in <b>mid‑May 2026.</b></li><li><b>General Availability (Worldwide): </b>Rollout begins in <b>mid‑May 2026 </b>and completes in <b>mid‑May 2026</b>.</li></ul><p><b>[How this will affect your organization]</b></p><p><i>Who is affected</i></p><p>Admins and security investigators using<b> Data Security Investigations (DSI) </b>and<b> endpoint Data Loss Prevention (DLP)</b> in the <i>Microsoft Purview compliance portal</i>.</p><p><i>What will happen</i></p><ul><li>A<b> new Endpoint DLP tab</b> will appear in the <i>DSI search experience</i>, alongside the existing Query Builder and Audit tabs. </li><li>Admins and investigators can query endpoint DLP events using date range filters (additional filters coming soon). </li><li>Files associated with matching endpoint DLP events will be automatically added to the investigation scope for analysis using DSI’s AI‑powered tools. </li><li>This feature will appear automatically for eligible tenants when rollout completes. No admin action is required to enable it.</li><li>There is no user impact.</li></ul><p><b>[What you can do to prepare]</b></p><p>No action is required. Optionally, you may:</p><ul><li>Review how endpoint DLP query capabilities work within DSI.</li><li>Update internal documentation for alert triage and investigation workflows, if applicable.</li><li>Inform security teams and endpoint DLP administrators about this new capability.</li></ul><p><b>Learn more:&nbsp;</b></p><ul><li><a href="https://learn.microsoft.com/purview/data-security-investigations" target="_blank">Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn</a><br></li><li><a href="https://learn.microsoft.com/purview/endpoint-dlp-learn-about" target="_blank">Learn about Endpoint data loss prevention | Microsoft Purview | Microsoft Learn</a></li></ul><p><b>[Compliance considerations]</b></p><table class="table table-bordered"><tbody><tr><td><b>Question</b></td><td><b>Answer</b></td></tr><tr><td><b>Does the change alter how existing customer data is processed, stored, or accessed?</b></td><td><b>Yes. </b>Endpoint DLP event data becomes queryable in DSI, and associated files are automatically collected into investigations for analysis.</td></tr><tr><td><b>Does the change introduce or significantly modify AI/ML capabilities that interact with customer data?</b></td><td><b>Yes. </b>DSI’s existing AI‑assisted investigation tools will now analyze files gathered through endpoint DLP queries.</td></tr><tr><td><b>Does the change modify how admins can monitor, report on, or demonstrate compliance activities?</b></td><td><b>Yes. </b>Admins gain new ways to surface, query, and analyze endpoint DLP signals within DSI.</td></tr></tbody></table><p><b></b></p><p></p>