M365 Archive

MC1384427 - Microsoft Purview | Data Security Investigations: Investigation templates for common data security scenarios

Message Center

Summary

Microsoft Purview Data Security Investigations now includes pre-configured search templates for common data security scenarios, enabling faster, standardized investigations with minimal inputs. This feature is generally available worldwide, requires no admin action, and helps reduce setup time for security analysts using the solution.

Message ID

MC1384427

View in Message Center

Published

Jun 8, 2026

Service

Microsoft Purview

Tag

New feature
User impact
Admin impact

Roadmap ID

560326

View roadmap details

Platforms

Web

More information

What and Why

We’re adding search templates to Microsoft Purview Data Security Investigations to provide pre-configured search queries for common data security scenarios such as data exfiltration, compromised mailboxes, personal data exposure, and risky AI interactions. These templates help investigators quickly and consistently scope investigations in just a few clicks instead of manually building queries, reducing setup time and lowering the barrier for less-experienced analysts. Users can select a template, provide minimal inputs (such as a user or site), and begin their investigation.

This message is associated with Microsoft 365 Roadmap ID 560326.

Rollout Schedule

General Availability (Worldwide): Available now

Impact on Your Organization

Who is affected

Security analysts and investigators using Microsoft Purview Data Security Investigations

Platforms/Services

  • Microsoft Purview (web)
  • Data Security Investigations solution

What will happen

  • Investigators can start a new investigation using prebuilt templates instead of creating search queries from scratch.
  • Templates cover common data security scenarios and require only minimal inputs (for example, user, mailbox, or SharePoint site) to start an investigation.
  • Investigations are automatically scoped and ready to run once inputs are provided.
  • This reduces manual setup time and helps standardize investigation workflows.
  • Existing investigations and custom queries are not affected.
  • The feature will be available by default where Data Security Investigations is enabled.

Screenshot - Creating an investigation from a template in Data Security Investigations: 

user settings

Typical workflow:

  1. Create a new investigation in Data Security Investigations.
  2. Select a template that matches your scenario.
  3. Provide the required inputs.
  4. Run the query to open a scoped investigation.

Action Required/Recommendations

No admin action is required.

Recommended actions:

  • Inform your security and investigation teams about this capability
  • Encourage teams to use templates to standardize investigation workflows
  • Review internal investigation procedures and update documentation if needed

Learn more:

Compliance considerations

No compliance considerations identified. Review as appropriate for your organization.