![Microsoft Purview: Data Security Investigations – analyze files tied to audit log activities [MC1259827]](https://mwpro.co.uk/wp-content/uploads/2024/08/pexels-hngstrm-1983924-1024x683.webp "Microsoft Purview: Data Security Investigations – analyze files tied to audit log activities [MC1259827] 1")
[Introduction]
We’re introducing a new audit log querying experience in Data Security Investigations (DSI) in Microsoft Purview. This update allows administrators and investigators to build audit log queries directly within DSI by specifying criteria such as date range, users, activities, and keywords. DSI will then automatically surface files associated with those activities. This removes the previous manual process of exporting and reviewing large audit log datasets and makes investigations faster and more accurate.
This message is associated with Microsoft 365 Roadmap ID 558548.
[When this will happen]
- Public Preview: Rollout will begin in early April 2026 and is expected to complete by late April 2026.
- General Availability (Worldwide): Rollout will begin in early May 2026 and is expected to complete by early May 2026.
[How this affects your organization]
Who is affected
- Admins and investigators who use Data Security Investigations in the Microsoft Purview compliance portal.
What will happen
- A new Audit tab will appear in the DSI search experience alongside the existing Query Builder tab:
- Admins and investigators will be able to enter audit search criteria (date range, users, activities, keywords) directly within DSI.
- Users can view estimated audit query results or add them directly to the investigation scope.
- Associated files identified through the audit query will automatically appear in the investigation.
- This feature is enabled by default and requires no configuration.
- The previous CSV upload option is being removed.
[What you can do to prepare]
No action is required before rollout.
To prepare, you may want to:
- Update internal documentation for investigation and incident response workflows.
- Inform security teams and administrators who use DSI about this new capability and the removal of CSV upload support.
- Review DSI investigation processes to incorporate audit-based file enrichment.
Learn more:
- Audit log activities | Microsoft Purview | Microsoft Learn
- Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn
[Compliance considerations]
No compliance considerations identified. Review as appropriate for your organization.
Source: Microsoft
Latest Posts
- GCP Release Notes: March 25, 2026
- (Updated) Microsoft OneNote | Sensitivity labels now available on desktop, web, iOS, Android, and Mac [MC1157712]
- (Updated) Microsoft 365: Modern Access Request and Access Denied web page [MC1188599]
- Microsoft Teams town halls now support backup Real-Time Messaging Protocol (RTMP) streams [MC1261595]
![Microsoft Purview: Data Security Investigations – role-based access simplification [MC1259826]](https://mwpro.co.uk/wp-content/uploads/2025/06/pexels-atahandemir-28779687-96x96.webp "Microsoft Purview: Data Security Investigations – role-based access simplification [MC1259826] 7")
![SharePoint Advanced Management: Site admin control for restricted content discovery [MC1259825]](https://mwpro.co.uk/wp-content/uploads/2024/08/pexels-pixabay-162140-150x150.webp "SharePoint Advanced Management: Site admin control for restricted content discovery [MC1259825] 8")