Merge pull request #54531 from MicrosoftDocs/main

Auto Publish – main to live - 2026-05-01 23:00 UTC

Author: learn-build-service-prod[bot]

learn-pr/paths/get-started-fabric/index.yml

@@ -3,7 +3,7 @@ uid: learn.wwl.get-started-fabric
 metadata:
   title: Get started with Microsoft Fabric
   description: Explore how to implement data analytics solutions on a single platform with Microsoft Fabric. Integrate, transform, and store data to train AI models and create insightful reports.
-  ms.date: 02/26/2025
+  ms.date: 05/01/2026
   author: AngieRudduck
   ms.author: anrudduc
   ms.topic: learning-path
@@ -25,21 +25,15 @@ subjects:
 - data-analytics
 - data-engineering
 - data-integration
-- data-management
-- data-modeling
-- information-protection-governance
 - data-storage
-- data-visualization
 modules:
 - learn.wwl.introduction-end-analytics-use-microsoft-fabric
 - learn.wwl.get-started-lakehouses
-- learn.wwl.use-apache-spark-work-files-lakehouse
-- learn.wwl.work-delta-lake-tables-fabric
-- learn.wwl.use-data-factory-pipelines-fabric
-- learn.wwl.ingest-dataflows-gen2-fabric
 - learn.wwl.get-started-data-warehouse
 - learn.wwl.get-started-kusto-fabric
 - learn.wwl.get-started-data-science-fabric
-- learn.wwl.administer-fabric
+- learn-wwl.get-started-sql-database-microsoft-fabric
+- learn.wwl.design-semantic-models-scale
+- learn.wwl.understand-fabric-iq-fundamentals
 trophy:
   uid: learn.wwl.get-started-fabric.trophy

learn-pr/paths/purview-data-security-posture-management/index.yml

@@ -32,6 +32,8 @@ modules:
 - learn.wwl.purview-data-security-posture-management-understand
 - learn.wwl.purview-dspm-assess-data-security-posture
 - learn.wwl.purview-data-security-posture-management-protect-remediate
+- learn.wwl.purview-data-security-posture-management-investigate-risks
+
 
 trophy:
   uid: learn.wwl.purview-data-security-posture-management.trophy

learn-pr/wwl-sci/purview-data-security-posture-management-investigate-risks/analyze-sensitive-data-activity.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-posture-management-investigate-risks.analyze-sensitive-data-activity
+title: Analyze sensitive data activity with DSPM investigation surfaces
+metadata:
+  title: Analyze Sensitive Data Activity with DSPM Investigation Surfaces
+  description: "Analyze sensitive data activity across activity explorer, AI activities, audit logs, and reports to identify risky patterns."
+  ms.date: 04/30/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+durationInMinutes: 9
+content: |
+  [!include[](includes/analyze-sensitive-data-activity.md)]

learn-pr/wwl-sci/purview-data-security-posture-management-investigate-risks/includes/analyze-sensitive-data-activity.md

@@ -0,0 +1,85 @@
+When a data loss prevention (DLP) alert fires or sensitive data activity raises concern, you need to determine what happened and whether it requires action. Data Security Posture Management (DSPM) provides four investigation surfaces for this. Each answers a different investigation question.
+
+## Investigation surfaces in Data Security Posture Management
+
+Without DSPM, answering investigation questions means switching between audit log search, activity reports, DLP alert queues, and Insider Risk Management (IRM) dashboards independently. DSPM brings these starting points together so you can move between surfaces without losing context.
+
+| Surface | What it answers | When to use it |
+| --- | --- | --- |
+| Activity explorer | What specific events occurred involving sensitive data? | Tracing individual events for specific users, time windows, or labels |
+| AI activities tab | What happened during AI interactions with sensitive data? | Investigating prompts, responses, and DLP matches in AI contexts |
+| Audit logs | What's the authoritative chronological record? | Reconstructing event sequences, building compliance records, tracing agent activity |
+| Reports | What patterns exist across many events over time? | Identifying trends, comparing periods, spotting behavioral shifts |
+
+A typical investigation might start in reports because a trend catches your attention, move to activity explorer to filter for the specific condition, then consult the audit log to get the authoritative record for a specific event.
+
+### Activity explorer
+
+Use activity explorer when you need to investigate a specific event involving sensitive data. It's accessible from **DSPM (preview)** > **Discover** > **Activity explorer** and shows activity related to content that contains sensitive information or has sensitivity labels applied.
+
+You filter activities by:
+
+- **Activity type**: File access, file copy, print, email send, cloud upload, sharing link creation
+- **Workload**: SharePoint, OneDrive, Exchange, Teams, Endpoint devices
+- **User**: Specific user principal name (UPN) or user groups
+- **Time range**: Narrow to the period around a suspected event
+- **Sensitivity labels**: Activities involving specific labels
+
+A DLP alert about sensitive data shared externally becomes an investigation when you filter to that user, that time window, and that label. You then see not just the flagged event but the full sequence of events surrounding it.
+
+:::image type="content" source="../media/activity-explorer-all-activity-types.png" alt-text="Screenshot showing activity explorer with the All activity types tab, filters, and a bar chart of sensitive data events." lightbox="../media/activity-explorer-all-activity-types.png":::
+
+### AI activities tab
+
+The **AI activities** tab within activity explorer shows events specific to AI interactions. AI interactions include prompts, data retrieval, responses, and DLP evaluation, all of which matter when reconstructing what happened.
+
+If a DLP alert fires during a Copilot session, this tab shows the full interaction context including which sensitive data the AI accessed and what it returned.
+
+:::image type="content" source="../media/activity-explorer-ai-activities.png" alt-text="Screenshot showing the AI activities tab in activity explorer with AI-specific filters and a bar chart of AI interactions." lightbox="../media/activity-explorer-ai-activities.png":::
+
+> [!NOTE]
+> Activity explorer in DSPM (preview) is distinct from activity explorer in DSPM for AI (classic). Events in the AI activities tab originate from the preview version specifically. If you're investigating AI-related activity, confirm you're working in DSPM (preview) rather than the classic version.
+
+### Audit logs
+
+The unified audit log captures a chronological record of user and agent interactions. Each entry includes timestamps, user identity, the exact operation performed, and the result. Where activity explorer shows you filtered views of events, the audit log provides the authoritative compliance-grade record.
+
+For Agent 365 specifically, the audit log captures agent-to-human, human-to-agent, agent-to-tools, and agent-to-agent interactions. This is the only surface that provides the full sequence of what an agent did during a specific time window.
+
+Use audit logs when you need:
+
+- A chronological reconstruction of events for formal reporting
+- The authoritative record for compliance or legal purposes
+- Details about agent interactions not visible in activity explorer
+- Correlation between multiple related events across services
+
+### Reports
+
+DSPM reports provide aggregated views across sensitive data usage and posture trends. Navigate to **DSPM (preview)** > **Reports** to access:
+
+- Sensitive data usage patterns over time
+- Labeling progress and gaps
+- Policy usage and match frequency
+- Risky behavior patterns for users and AI agents
+
+Reports answer "is this getting better or worse?" and "where is risk concentrating?" A rising DLP match rate for a specific sensitive information type might be concentrated in one workload or spread across many. Reports show you that distribution before you drill into individual events.
+
+A behavioral shift in reports gives you the filter criteria to take into activity explorer.
+
+## Escalating to Data Security Investigations
+
+Escalate when filtering and correlation don't explain the pattern or when deeper analysis is required. Data Security Investigations provides deeper analysis and collaborative remediation beyond what DSPM surfaces offer.
+
+To escalate from DSPM:
+
+1. Navigate to **DSPM (preview)** > **Objectives**.
+1. Select the **Prevent exfiltration to risky destinations** objective.
+1. Select **View objective** to view exfiltration details and proactive insights.
+1. On the **Exfiltration risk patterns** card, select **Create investigation**.
+1. Provide a name, optional description, and optional AI context.
+1. Select **Create investigation** to open the case in Data Security Investigations.
+
+The investigation is automatically scoped to all sensitive data exfiltrated from your organization in the last 30 days.
+
+> [!NOTE]
+> Data Security Investigations is a separate Purview solution with its own workflows. The escalation from DSPM creates the starting point. The investigation itself continues in that solution.

learn-pr/wwl-sci/purview-data-security-posture-management-investigate-risks/includes/introduction.md

@@ -0,0 +1,16 @@
+Organizations with sensitivity labels, data loss prevention (DLP) policies, and insider risk controls in place generate hundreds of signals daily. Alerts fire, policy matches trigger, AI agents interact with content. The challenge isn't the absence of signals. It's determining which ones represent actual risk, reconstructing what happened, and deciding whether to escalate.
+
+Data Security Posture Management (DSPM) in Microsoft Purview provides investigation surfaces that bring these signals together. You can investigate activity, use Security Copilot to synthesize patterns, and examine AI agent behavior from a connected set of tools.
+
+## Learning objectives
+
+After completing this module, you'll be able to:
+
+- Analyze sensitive data activity across activity explorer, audit logs, and DSPM reports
+- Investigate data security events using Security Copilot in DSPM
+- Investigate risky AI agent behavior through AI observability
+
+## Prerequisites
+
+- Familiarity with the Microsoft Purview portal and its navigation
+- Working knowledge of sensitivity labels, DLP policies, and Insider Risk Management concepts

learn-pr/wwl-sci/purview-data-security-posture-management-investigate-risks/includes/investigate-risky-ai-agent-behavior.md

@@ -0,0 +1,54 @@
+AI agents access sensitive data at scale across workloads. When their behavior deviates from intended use or scope, you need to determine whether it's a misconfiguration, a policy gap, or an active security risk.
+
+AI observability in Data Security Posture Management (DSPM) is the surface for this. It shows which agents are active, which are flagged as high risk, and what risky activity categories apply to each.
+
+## AI observability for investigation
+
+AI observability is accessible from **DSPM (preview)** > **AI observability**. The page shows all AI apps and agents with activity in the last 30 days, how many are classified as high risk by Insider Risk Management, and a breakdown of individual agents with the policies governing them.
+
+Discovery asks "what agents exist?" Investigation asks "what is this specific agent doing that concerns me, and is it a problem?"
+
+:::image type="content" source="../media/ai-observability-metrics.png" alt-text="Screenshot showing the AI observability landing page with key metrics for total agents, high risk agents, and agents with sensitive interactions." lightbox="../media/ai-observability-metrics.png":::
+
+## Drilling into a specific agent
+
+When you select a specific agent from the AI observability page, you see:
+
+- **Agent details**: Entra-enabled status, name, created date, owner, agent user ID, policies applied, and which agent it's an instance of
+- **Agent activities**: The risk level determined by Insider Risk Management, active insider risk alerts, and a count of risky activities from agent interactions
+- **Recommendations**: Remediation suggestions based on identified risks
+
+An agent with zero policies applied and no owner listed is a different risk conversation than one with 17 data protection policies and a known team behind it. The details section tells you which conversation you're having.
+
+From the activities section, you can navigate directly to the insider risk alerts driving the agent's risk score. This lets you see whether triage agents have already categorized those alerts and whether their categorization matches what you're observing in the agent's behavior patterns.
+
+:::image type="content" source="../media/ai-observability-app-detail.png" alt-text="Screenshot showing the agent detail page in AI observability with agent details, risk level, active insider risk alerts, and risky activities count." lightbox="../media/ai-observability-app-detail.png":::
+
+## Interpreting agent risk signals
+
+Insider Risk Management determines a risk level for agents based on their interaction patterns. The top risky activity categories are:
+
+- **Oversharing**: The agent shared sensitive data more broadly than appropriate, such as surfacing content to users who shouldn't have access
+- **Exfiltration**: The agent moved sensitive data outside the organization's boundaries through unauthorized channels
+- **Unethical behavior**: The agent's interactions violated organizational policies or produced outputs that conflict with data security requirements
+
+Each category leads to a different investigation path. Oversharing means examining access scope and audience. Exfiltration means tracing where data went. Unethical behavior means reviewing outputs and policy configuration.
+
+## Agent-specific signals vs. human user signals
+
+Agents process more interactions per hour, have broader data access, and act without real-time human approval. This means you can't apply human-investigation patterns directly. A spike for a human is unusual, but the same spike for an agent might be normal operation.
+
+Agents also have a dual identity: the agent itself and its owner. Risk can originate from the agent's configuration, from the owner's decisions, or from the systems the agent accesses. An agent doing what it's designed to do but with overly broad access is a policy gap. An agent doing things it wasn't designed to do is a configuration or security issue. Identifying which you're looking at determines the response.
+
+> [!NOTE]
+> AI observability includes Agent 365 activity. The **Apps and agents** page doesn't. Use AI observability when investigating agent behavior.
+
+## Investigation workflow for a risky agent
+
+When AI observability flags an agent as high risk, a typical investigation follows this pattern:
+
+1. Review the agent's risk level and risky activity categories in AI observability.
+1. Examine the agent details to understand its purpose, owner, and configuration context.
+1. Check sensitive interactions to see what data the agent accessed and whether those interactions are consistent with its intended function.
+1. Cross-reference with the audit log for the chronological record of the agent's activities.
+1. Evaluate whether the behavior represents a configuration issue, an access scope issue, or a security risk. The answer determines whether the owner fixes it, a policy needs adjustment, or immediate response is required.

learn-pr/wwl-sci/purview-data-security-posture-management-investigate-risks/includes/investigate-with-security-copilot.md

@@ -0,0 +1,53 @@
+An investigation typically involves multiple questions in sequence. You identify a user, check their recent activity, look for exfiltration patterns, assess whether alerts are related, and decide whether to escalate. Each of those steps can mean switching between surfaces, adjusting filters, and interpreting raw event data.
+
+Security Copilot in Data Security Posture Management (DSPM) compresses that sequence. You describe what you're investigating in natural language. Security Copilot then correlates activity data, alerts, and risk signals into a synthesized answer.
+
+## Use the Copilot Prompt Gallery for investigation
+
+The Copilot Prompt Gallery for DSPM is accessible from suggested prompts on the DSPM posture page and from the **Copilot prompts** button on data security objective cards. The gallery has two tabs: **Prompts** for individual queries and **Promptbooks** for multi-step sequences.
+
+### Filtering for investigation
+
+The Prompts tab includes category filters that scope results to either investigation or assessment. For investigation, you can use:
+
+- **Potentially Risky Users**
+- **Potentially Suspicious Activity**
+- **Alerts and Policies**
+
+:::image type="content" source="../media/security-copilot-prompt-gallery.png" alt-text="Screenshot of the Copilot Prompt Gallery for DSPM with the category filter dropdown expanded." lightbox="../media/security-copilot-prompt-gallery.png":::
+
+These filters return prompts scoped to users, timeframes, and behaviors. Filters like "Sensitive Data" and "Data at Risk" are scoped to data types, locations, and policy coverage, which serves posture assessment.
+
+### The Risky user investigation Promptbook
+
+The Risky user investigation Promptbook takes a user principal name and a timeframe of up to 30 days. It runs six prompts in sequence that cover sensitive data activity, exfiltration patterns, alert history, and recommended risk-reduction actions.
+
+:::image type="content" source="../media/security-copilot-risky-user-investigation-prompt-book.png" alt-text="Screenshot of the Risky user investigation Promptbook showing input fields and the six prompts." lightbox="../media/security-copilot-risky-user-investigation-prompt-book.png":::
+
+Each step builds on the previous results, correlating activity summaries, anomalies, and alerts into a single view.
+
+If the results indicate a risk, validate through activity explorer or the audit log where you can see the authoritative event records.
+
+### The Sensitive data protection Promptbook
+
+This Promptbook takes a sensitive information type, trainable classifier, or sensitivity label name and a timeframe of up to 30 days. It maps where that data is stored, who interacts with it, whether it's leaving the organization, and who's responsible for the most exfiltration.
+
+Use this Promptbook when an alert or report finding indicates a specific data type might be at risk. It answers whether the concern is real and identifies the users and paths involved. If you're using it without a specific triggering concern, you're doing assessment work rather than investigation.
+
+## Constraints that affect investigation results
+
+- **30-day maximum**: Time-based queries cover at most 30 days. Investigations spanning longer periods need direct analysis through activity explorer or audit logs.
+- **Input specificity matters**: Use full user principal names, the exact name of sensitivity labels, and full names of sensitive information types or trainable classifiers. Partial names produce incomplete or wrong results.
+- **Iterative refinement**: If the first response is too broad, add specificity. If too narrow, widen the time window or remove constraints. Security Copilot maintains conversation context across follow-up prompts.
+
+## When to validate with direct investigation
+
+Security Copilot synthesizes and summarizes. That synthesis can occasionally be incomplete, miss relevant context, or present partial data. Validate through direct investigation when:
+
+- The results seem inconsistent with what you know about the user or scenario
+- You need the authoritative audit record for compliance or legal purposes
+- The 30-day limit doesn't cover the period you need to investigate
+- The investigation requires correlation with data outside DSPM, like endpoint signals or network logs
+- You're making a high-consequence decision like escalation, disciplinary action, or policy change based on the findings
+
+Security Copilot helps you identify what requires deeper investigation. It doesn’t replace the need for direct analysis.