Merge pull request #53125 from MicrosoftDocs/NEW-purview-data-security-investigations-understand

New purview data security investigations understand

Author: JamesJBarnett

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-clarification.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-investigations-understand.data-security-investigation-clarification
+title: What data security investigations are and are not
+metadata:
+  title: What data security investigations are and are not
+  description: "What data security investigations are and are not"
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/data-security-investigation-clarification.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-differentiation.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-investigations-understand.data-security-investigation-differentiation
+title: How data security investigations differ from alerts, cases, and audit
+metadata:
+  title: How data security investigations differ from alerts, cases, and audit
+  description: "How data security investigations differ from alerts, cases, and audit"
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/data-security-investigation-differentiation.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-need.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-investigations-understand.data-security-investigation-need
+title: Why data security investigations matter
+metadata:
+  title: Why data security investigations matter
+  description: "Why data security investigations matter"
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/data-security-investigation-need.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigation-understand.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-investigations-understand.data-security-investigation-understand
+title: What is a data security investigation?
+metadata:
+  title: What is a data security investigation?
+  description: "What is a data security investigation?"
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 4
+content: |
+  [!include[](includes/data-security-investigation-understand.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/data-security-investigations-integration.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-investigations-understand.data-security-investigations-integration
+title: How data security investigations integrate with Microsoft security tools
+metadata:
+  title: How data security investigations integrate with Microsoft security tools
+  description: "How data security investigations integrate with Microsoft security tools"
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/data-security-investigations-integration.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/deeper-investigation-value.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-security-investigations-understand.deeper-investigation-value
+title: When deeper investigation adds value
+metadata:
+  title: When deeper investigation adds value
+  description: "When deeper investigation adds value"
+  ms.date: 01/15/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 3
+content: |
+  [!include[](includes/deeper-investigation-value.md)]

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-clarification.md

@@ -0,0 +1,36 @@
+Data security investigations are designed to answer specific questions about data risk. Understanding what data security investigations are designed to do, and what they aren't meant to replace, helps ensure they're used intentionally.
+
+## What a data security investigation is
+
+A data security investigation is a **data-centric investigation approach**. It brings together data context, activity signals, and analysis to help determine whether sensitive or high-value data is at risk, and to what extent.
+
+Rather than focusing only on events, a data security investigation emphasizes:
+
+- The type and sensitivity of the data involved
+- Where that data lives and how it's accessed
+- How activity affects data exposure and risk
+
+**Microsoft Purview Data Security Investigations** provides this capability by correlating data and activity information so investigations can focus on understanding risk, not just tracking actions.
+
+## What a data security investigation isn't
+
+A data security investigation isn't designed to replace existing security or compliance tools. It doesn't function as:
+
+- An alerting system that detects suspicious activity
+- An incident response workflow for containment and remediation
+- A case management solution for legal or regulatory review
+- A substitute for audit logs or activity tracking
+
+Those tools remain essential. Data security investigations complement them by providing depth when understanding data exposure and sensitivity is critical.
+
+## Why these boundaries matter
+
+Without clear boundaries, investigations can become inefficient or misleading. Using a data security investigation when simpler tools are sufficient can slow response time. Relying only on alerts when deeper analysis is needed can lead to decisions based on incomplete information.
+
+Data security investigations are most effective when used:
+
+- After activity has been identified and requires validation
+- When the scope or sensitivity of data is unclear
+- When decisions depend on confidence rather than speed alone
+
+Recognizing what the tool is designed to do helps ensure it's applied where it adds the most value.

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-differentiation.md

@@ -0,0 +1,55 @@
+Security teams use several tools to investigate activity and assess risk. Each serves a distinct purpose. Each serves a different purpose, and understanding those differences helps determine when a data security investigation is the right choice.
+
+Data security investigations don't replace alerts, cases, or audit. They fill a specific gap when decisions depend on understanding **data exposure and sensitivity**, not just activity.
+
+### Alerts focus on activity signals
+
+Alerts are designed to surface activity that might require attention. They're effective for identifying:
+
+- Unusual behavior
+- Policy violations
+- Potential security events
+
+Alerts answer questions like:
+
+- What happened?
+- Who performed the action?
+- When did it occur?
+
+What alerts often don't provide is enough data context to assess risk. An alert can confirm that activity occurred without showing whether sensitive data was involved or exposed.
+
+### Cases organize investigation work
+
+Cases help group related alerts, evidence, and actions into a single investigation record. They're useful for:
+
+- Tracking investigation progress
+- Coordinating work across teams
+- Documenting decisions and outcomes
+
+Cases improve organization, but they don't inherently add data insight. Understanding data sensitivity and exposure often still requires investigation outside the case structure.
+
+### Audit provides detailed activity records
+
+Audit logs capture detailed records of actions taken across services and workloads. They're valuable for:
+
+- Reviewing historical activity
+- Verifying who did what and when
+- Supporting compliance and review requirements
+
+Audit data is comprehensive, but it's activity-centric. It typically requires manual effort to correlate events with data sensitivity, scope, and risk.
+
+### Where data security investigations fit
+
+Data security investigations focus on **data context**, not just events. They bring together:
+
+- Information about the data itself
+- Activity associated with that data
+- Analysis that helps assess exposure and risk
+
+This approach is most useful when:
+
+- Alerts identify activity but don't provide enough confidence to act
+- Audit logs show behavior without clarifying data sensitivity
+- Decisions require validation before remediation or escalation
+
+Now that you understand how data security investigations differ from alerts, cases, and audit, you can look at how investigations can be used in both reactive and proactive ways.

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-need.md

@@ -0,0 +1,40 @@
+Detecting activity is only the first step in understanding data risk. Modern environments generate large volumes of alerts, signals, and logs, but those signals rarely provide enough context to make confident decisions about sensitive data.
+
+An alert can show that something happened. It doesn't always explain whether that activity mattered.
+
+## The gap between activity and risk
+
+Most security tooling is designed to surface activity quickly. That works well for identifying unusual behavior, but it often leaves important questions unanswered when sensitive data is involved.
+
+For example:
+
+- An alert might confirm that a file was downloaded, but not whether the file contained sensitive data.
+- Activity logs might show who accessed content, but not how exposed that data became afterward.
+- A case might group related events, but still require manual effort to understand data scope and sensitivity.
+
+When decisions depend on data risk rather than activity alone, these gaps slow investigations and increase uncertainty.
+
+## Why data context changes decisions
+
+Not all data carries the same level of risk, and not all data activity requires action. The same behavior can be acceptable in one situation and concerning in another, depending on the data involved.
+
+Understanding data context helps answer questions such as:
+
+- Whether the data involved is sensitive or high value
+- Whether exposure was limited or widespread
+- Whether the activity represents an isolated event or a broader pattern
+
+Without this context, teams are forced to make decisions based on partial information, which can lead to unnecessary escalation or missed risk.
+
+## When deeper investigation becomes necessary
+
+Organizations need data security investigations when:
+
+- Alerts lack enough context to support a decision
+- The scope of potential exposure is unclear
+- Decisions require validation before remediation or escalation
+- Data sensitivity and organizational risk must be weighed carefully
+
+In these situations, deeper investigation supports more accurate outcomes and reduces reliance on assumptions.
+
+This need becomes more pronounced as data environments grow in size and complexity, and as sensitive data is distributed across more locations and workloads.

learn-pr/wwl-sci/purview-data-security-investigations-understand/includes/data-security-investigation-understand.md

@@ -0,0 +1,39 @@
+A data security investigation focuses on understanding **what data is involved in a security concern**, **how that data was used**, and **what risk it presents**. The goal isn't to detect activity or generate alerts, but to determine the **actual scope and risk** of a potential data security issue.
+
+For example, an alert might show a file was downloaded. An activity-based investigation asks who downloaded it and when. A data security investigation asks: Was the file sensitive? Where did it come from? Did the activity create risk, or was it expected behavior?
+
+A data security investigation exists to close that gap.
+
+## How data security investigations differ from activity-based investigation
+
+Traditional security investigation often starts with activity. An alert fires, a user performs an action, or a signal indicates something unusual. From there, the investigation focuses on timelines, indicators, and behavior.
+
+A data security investigation starts from a different place. It centers on **the data itself**.
+
+Instead of asking only what happened, a data security investigation asks:
+
+- What data was involved?
+- Where does that data live?
+- How sensitive is it?
+- Who accessed or handled it?
+- Does the data create risk in this context?
+
+This shift matters because not all activity involving data is risky, and not all risky data activity is obvious from alerts alone.
+
+## What a data security investigation helps you understand
+
+A data security investigation is designed to help answer questions such as:
+
+- Whether sensitive or high-value data was exposed
+- Whether the scope of exposure is small and contained or broad and systemic
+- Whether the situation requires remediation, escalation, or no action at all
+
+These answers support informed decisions. They help avoid both under-reacting to real risk and over-reacting to noise.
+
+## Where Data Security Investigations fits
+
+**Microsoft Purview Data Security Investigations** provides a dedicated investigation experience for this kind of analysis. It brings together data context, activity signals, and AI-assisted analysis so investigations can focus on **data impact**, not just events.
+
+Rather than replacing existing security tools, it complements them by adding depth where understanding data exposure and sensitivity is critical.
+
+In the next unit, you’ll look at **why organizations need this type of investigation**, and why traditional alert-driven approaches often fall short when sensitive data is involved.