Microsoft 365 Message Center Archive

MC1255406 - Microsoft Purview | Data Security Triage Agent Summaries for DLP Alerts in Microsoft Defender XDR

Message ID

MC1255406

View in Message Center

Service

Microsoft Defender XDR
Microsoft Purview

Published

Mar 18, 2026

Tag

Major change
New feature
Admin impact

Roadmap ID

558860

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Defender XDR will integrate AI-generated summaries and categorizations for DLP alerts via the Microsoft Purview Data Security Triage Agent, improving alert triage. Deployment starts April 2026 (preview) and August 2026 (general). Agent management remains in Purview; DLP policies and user impact remain unchanged.

More information

Introduction

We’re introducing Data Security Triage Agent summaries and categorizations for Data Loss Prevention (DLP) alerts directly within the Microsoft Defender XDR portal. This update helps security analysts triage DLP alerts more efficiently by surfacing AI-generated summaries and categorizations created by the Microsoft Purview Data Security Triage Agent.

Screenshot 1: Data Security Triage Agent outputs and summaries now available in DLP alerts in Microsoft Defender XDR

user settings

This message is associated with Roadmap ID 558860.

When this will happen:

  • Public Preview: We will begin rolling out early April 2026 and expect to complete by mid-April 2026.
  • General Availability (Worldwide): We will begin rolling out mid-August 2026 and expect to complete by late August 2026.

How this affects your organization:

Who is affected:

  • Security analysts and admins triaging DLP alerts in Microsoft Defender XDR
  • Organizations using Microsoft Purview Data Security Triage Agent

What will happen:

  • DLP alerts in Defender XDR will display AI-generated summaries and categorizations when the Agent is deployed.

    • Screenshot 2: Security Analysts and Admins triaging DLP alerts in Defenders will be able to deploy the Data Security Triage Agent from the Microsoft Defender XDR portal

    user settings

  • If the Agent is not deployed, eligible analysts can deploy it from the DLP alert page in Defender XDR.
  • Agent management (instructions, pause/deactivate, usage monitoring) remains in Microsoft Purview.
  • Existing DLP policies and enforcement are not changed.
  • There is no impact to users.

What you can do to prepare:

  • Deploy the Data Security Triage Agent in Microsoft Purview to enable summaries in Defender XDR.
  • Review role assignments to ensure analysts who triage DLP alerts have the appropriate permissions.
  • Update internal security operations documentation to reflect the new triage experience.
  • Familiarize security teams with where Agent deployment can occur (Defender XDR) and where ongoing management is performed (Purview).

Learn more: Before rollout, we will update this post with new documentation.

Compliance considerations:

Compliance area Explanation
AI/ML or agent capabilities interacting with customer data This change introduces AI-generated summaries and categorizations for DLP alerts using the Microsoft Purview Data Security Triage Agent, which processes existing DLP alert data to assist analysts during triage.
Admin controls Admins can deploy the Data Security Triage Agent from the Microsoft Defender XDR portal. Ongoing agent management, including custom instructions, pausing or deactivating the agent, and monitoring usage, remains available in the Microsoft Purview portal.
Admin monitoring and compliance reporting The update enhances DLP alert investigations by adding AI-generated context, improving how admins monitor and assess data security incidents without changing underlying DLP policy enforcement or audit logging.