Microsoft Purview | Data Security Investigations: Investigation templates for common data security scenarios

Microsoft Purview Data Security Investigations now includes pre-configured search templates for common data security scenarios, enabling faster, standardized investigations with minimal inputs. This feature is generally available worldwide, requires no admin action, and helps reduce setup time for security analysts using the solution.

[What and Why]

We’re adding search templates to Microsoft Purview Data Security Investigations to provide pre-configured search queries for common data security scenarios such as data exfiltration, compromised mailboxes, personal data exposure, and risky AI interactions. These templates help investigators quickly and consistently scope investigations in just a few clicks instead of manually building queries, reducing setup time and lowering the barrier for less-experienced analysts. Users can select a template, provide minimal inputs (such as a user or site), and begin their investigation.

This message is associated with Microsoft 365 Roadmap ID 560326.

[Rollout Schedule]

General Availability (Worldwide): Available now

[Impact on Your Organization]

Who is affected

Security analysts and investigators using Microsoft Purview Data Security Investigations

Platforms/Services

• Microsoft Purview (web)
• Data Security Investigations solution

What will happen

• Investigators can start a new investigation using prebuilt templates instead of creating search queries from scratch.
• Templates cover common data security scenarios and require only minimal inputs (for example, user, mailbox, or SharePoint site) to start an investigation.
• Investigations are automatically scoped and ready to run once inputs are provided.
• This reduces manual setup time and helps standardize investigation workflows.
• Existing investigations and custom queries are not affected.
• The feature will be available by default where Data Security Investigations is enabled.

Screenshot - Creating an investigation from a template in Data Security Investigations: 

Typical workflow:

1. Create a new investigation in Data Security Investigations.
2. Select a template that matches your scenario.
3. Provide the required inputs.
4. Run the query to open a scoped investigation.

[Action Required/Recommendations]

No admin action is required.

Recommended actions:

• Inform your security and investigation teams about this capability
• Encourage teams to use templates to standardize investigation workflows
• Review internal investigation procedures and update documentation if needed

Learn more:

• Data Security Investigations | Microsoft Purview
• Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.