Merge pull request #53133 from riswinto/main

updates to reduce redundancy and change level

Author: JillGrant615

learn-pr/wwl-sci/.openpublishing.redirection.wwl-sci.json

@@ -647,6 +647,11 @@
     "source_path_from_root": "/learn-pr/achievements/learn.wwl.case-study-design-security-operations-identity-compliance-capabilities.badge.yml",
     "redirect_url": "https://learn.microsoft.com/training/modules/case-study-identity-data-security/",
     "redirect_document_id": false
+    },
+    {
+    "source_path_from_root": "/learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-clarification.md",
+    "redirect_url": "https://learn.microsoft.com/training/modules/purview-data-security-investigations-understand/data-security-investigation-differentiation",
+    "redirect_document_id": false
     }
     ]
 }

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-clarification.yml

@@ -10,6 +10,6 @@ metadata:
   ms.topic: unit
 azureSandbox: false
 labModal: false
-durationInMinutes: 3
+durationInMinutes: 5
 content: |
   [!include[](includes/data-security-investigation-differentiation.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-differentiation.yml

@@ -1,8 +1,8 @@
-Security teams use several tools to investigate activity and assess risk. Each serves a distinct purpose. Each serves a different purpose, and understanding those differences helps determine when a data security investigation is the right choice.
+Security teams use several tools to investigate activity and assess risk. Each serves a distinct purpose, and understanding those differences helps determine when a data security investigation is the right choice.
 
 Data security investigations don't replace alerts, cases, or audit. They fill a specific gap when decisions depend on understanding **data exposure and sensitivity**, not just activity.
 
-### Alerts focus on activity signals
+## Alerts focus on activity signals
 
 Alerts are designed to surface activity that might require attention. They're effective for identifying:
 
@@ -18,7 +18,7 @@ Alerts answer questions like:
 
 What alerts often don't provide is enough data context to assess risk. An alert can confirm that activity occurred without showing whether sensitive data was involved or exposed.
 
-### Cases organize investigation work
+## Cases organize investigation work
 
 Cases help group related alerts, evidence, and actions into a single investigation record. They're useful for:
 
@@ -28,7 +28,7 @@ Cases help group related alerts, evidence, and actions into a single investigati
 
 Cases improve organization, but they don't inherently add data insight. Understanding data sensitivity and exposure often still requires investigation outside the case structure.
 
-### Audit provides detailed activity records
+## Audit provides detailed activity records
 
 Audit logs capture detailed records of actions taken across services and workloads. They're valuable for:
 
@@ -38,7 +38,7 @@ Audit logs capture detailed records of actions taken across services and workloa
 
 Audit data is comprehensive, but it's activity-centric. It typically requires manual effort to correlate events with data sensitivity, scope, and risk.
 
-### Where data security investigations fit
+## Where data security investigations fit
 
 Data security investigations focus on **data context**, not just events. They bring together:
 
@@ -52,4 +52,23 @@ This approach is most useful when:
 - Audit logs show behavior without clarifying data sensitivity
 - Decisions require validation before remediation or escalation
 
-Now that you understand how data security investigations differ from alerts, cases, and audit, you can look at how investigations can be used in both reactive and proactive ways.
+### Use data security investigations intentionally
+
+Understanding where data security investigations fit also means knowing when not to use them. A data security investigation isn't designed to replace existing security or compliance tools. It doesn't function as:
+
+- An alerting system that detects suspicious activity
+- An incident response workflow for containment and remediation
+- A case management solution for legal or regulatory review
+- A substitute for audit logs or activity tracking
+
+Those tools remain essential. Data security investigations complement them by adding data context when understanding exposure and sensitivity is critical.
+
+Without clear boundaries, investigations can become inefficient or misleading. Using a data security investigation when simpler tools are sufficient can slow response time. Relying only on alerts when deeper analysis is needed can lead to decisions based on incomplete information.
+
+Data security investigations are most effective when used:
+
+- After activity has been identified and requires validation
+- When the scope or sensitivity of data is unclear
+- When decisions depend on confidence rather than speed alone
+
+You now understand how data security investigations differ from alerts, cases, and audit. This distinction helps explain how investigations can be used in reactive and proactive ways.

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-clarification.md

@@ -1,8 +1,8 @@
-Security teams investigate activity every day, but understanding **what happened to the data** is often harder than detecting the activity itself. Alerts, cases, and audit logs can show who did something and when, but they don't always answer more important questions. Was the data sensitive? How exposed was it? Did the activity create real risk, or was it expected behavior?
+Security teams investigate activity every day. Alerts, cases, and audit logs can show who did something and when it happened. What's often harder to determine is **what happened to the data itself**.
 
-Data security investigations focus on answering those questions. Instead of centering on events alone, they examine data context, sensitivity, and exposure to help teams make informed decisions about response and prevention. This approach supports both reactive investigations, where activity has already occurred, and proactive investigations, where potential risk needs validation before an incident happens.
+When sensitive or high-value data is involved, activity alone doesn't always provide enough information to make confident decisions. Teams might see that an action occurred without knowing whether the data was sensitive, how exposed it became, or whether the situation represents real risk. Data security investigations exist to close that gap by focusing on data context, sensitivity, and exposure.
 
-Understanding when and how to use data security investigations helps avoid unnecessary escalation, reduces guesswork, and ensures deeper analysis is applied only when it adds value. It also clarifies how this capability fits alongside existing security tools rather than replacing them.
+By understanding when and how to use data security investigations, teams can apply deeper analysis where it adds value and rely on simpler investigation paths when appropriate.
 
 By the end of this module, you'll be able to:
 

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-differentiation.md

@@ -27,7 +27,7 @@ prerequisites: |
 
 iconUrl: /training/achievements/generic-badge.svg
 levels:
-- beginner
+- intermediate
 roles:
 - administrator
 - risk-practitioner
@@ -41,7 +41,6 @@ units:
 - learn.wwl.purview-data-security-investigations-understand.introduction
 - learn.wwl.purview-data-security-investigations-understand.data-security-investigation-understand
 - learn.wwl.purview-data-security-investigations-understand.data-security-investigation-need
-- learn.wwl.purview-data-security-investigations-understand.data-security-investigation-clarification
 - learn.wwl.purview-data-security-investigations-understand.data-security-investigation-differentiation
 - learn.wwl.purview-data-security-investigations-understand.reactive-proactive-investigations
 - learn.wwl.purview-data-security-investigations-understand.deeper-investigation-value