Microsoft 365 Message Center Archive

MC1259827 - Microsoft Purview: Data Security Investigations – analyze files tied to audit log activities

Message ID

MC1259827

View in Message Center

Service

Microsoft Purview

Published

Mar 23, 2026

Tag

New feature
User impact
Admin impact

Roadmap ID

558548

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Purview's Data Security Investigations will add a new Audit tab for building audit log queries directly within DSI, automatically surfacing related files. This feature, replacing CSV uploads, rolls out April-May 2026, enabling faster, more accurate investigations for admins and investigators without requiring prior configuration.

More information

Introduction

We’re introducing a new audit log querying experience in Data Security Investigations (DSI) in Microsoft Purview. This update allows administrators and investigators to build audit log queries directly within DSI by specifying criteria such as date range, users, activities, and keywords. DSI will then automatically surface files associated with those activities. This removes the previous manual process of exporting and reviewing large audit log datasets and makes investigations faster and more accurate.

This message is associated with Microsoft 365 Roadmap ID 558548.

When this will happen

  • Public Preview: Rollout will begin in early April 2026 and is expected to complete by late April 2026.
  • General Availability (Worldwide): Rollout will begin in early May 2026 and is expected to complete by early May 2026.

How this affects your organization

Who is affected

  • Admins and investigators who use Data Security Investigations in the Microsoft Purview compliance portal.

What will happen

  • A new Audit tab will appear in the DSI search experience alongside the existing Query Builder tab:

     user settings

  • Admins and investigators will be able to enter audit search criteria (date range, users, activities, keywords) directly within DSI.
  • Users can view estimated audit query results or add them directly to the investigation scope.
  • Associated files identified through the audit query will automatically appear in the investigation.
  • This feature is enabled by default and requires no configuration.
  • The previous CSV upload option is being removed.

What you can do to prepare

No action is required before rollout.

To prepare, you may want to:

  • Update internal documentation for investigation and incident response workflows.
  • Inform security teams and administrators who use DSI about this new capability and the removal of CSV upload support.
  • Review DSI investigation processes to incorporate audit-based file enrichment.

Learn more:

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.