
💡 Our Technical Review in summary
Microsoft is integrating endpoint Data Loss Prevention (DLP) events as a native queryable data source within Data Security Investigations (DSI) in Microsoft Purview. This update allows security administrators to build targeted queries for endpoint activities using specific filters like date ranges. When a query is executed, DSI will automatically pull the files associated with those endpoint DLP events into the investigation scope, enabling deep analysis through AI-powered forensic tools. The goal of this integration is to streamline the triage process and help security teams identify large-scale data exfiltration patterns more efficiently.
#### Impact
- Enhanced Tooling: A new “Endpoint DLP” tab will be added to the DSI search interface, sitting alongside the existing Query Builder and Audit tabs.
- Automated Data Collection: Files involved in endpoint DLP alerts will be automatically ingested into investigations, eliminating the manual effort previously required to gather evidence from distributed endpoints.
- AI-Assisted Analysis: Once files are pulled into DSI, administrators can leverage existing AI-powered investigation tools to analyze the content and context of the potential security breach.
- Administrative Efficiency: Security teams can now analyze endpoint signals at scale rather than investigating individual alerts in isolation.
- Timeline: Public Preview is scheduled to begin in late April 2026, with General Availability (GA) expected by mid-May 2026.
- User Impact: This change is strictly administrative; there is no impact on end-user experience or endpoint performance.
#### Action Required
- No Immediate Activation: This feature will be enabled automatically for all eligible tenants upon rollout. No manual configuration is required to surface the new tab.
- Update Internal Documentation: Update your organization’s Standard Operating Procedures (SOPs) for security investigations and alert triaging to include the new endpoint DLP query workflow.
- Training: Brief your security operations center (SOC) analysts and Purview administrators on how to use the “Endpoint DLP” tab to correlate endpoint events with broader data security investigations.
- Review Permissions: Ensure that investigators have the appropriate roles (such as Data Security Investigator) to access the DSI module and the new endpoint query capabilities.
- Reference Documentation: Review the Microsoft Purview documentation for Data Security Investigations and Endpoint DLP to understand the underlying requirements for event logging and file metadata collection.
Microsoft Official Update
Service: N/A
Category: stayInformed
Severity: normal
[Introduction]
We’re introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios.
This message is associated with Microsoft 365 Roadmap ID 558547.
[When this will happen]
- Public Preview: Rollout begins in late April 2026 and completes in mid‑May 2026.
- General Availability (Worldwide): Rollout begins in mid‑May 2026 and completes in mid‑May 2026.
[How this will affect your organization]
Who is affected
Admins and security investigators using Data Security Investigations (DSI) and endpoint Data Loss Prevention (DLP) in the Microsoft Purview compliance portal.
What will happen
- A new Endpoint DLP tab will appear in the DSI search experience, alongside the existing Query Builder and Audit tabs.
- Admins and investigators can query endpoint DLP events using date range filters (additional filters coming soon).
- Files associated with matching endpoint DLP events will be automatically added to the investigation scope for analysis using DSI’s AI‑powered tools.
- This feature will appear automatically for eligible tenants when rollout completes. No admin action is required to enable it.
- There is no user impact.
[What you can do to prepare]
No action is required. Optionally, you may:
- Review how endpoint DLP query capabilities work within DSI.
- Update internal documentation for alert triage and investigation workflows, if applicable.
- Inform security teams and endpoint DLP administrators about this new capability.
Learn more:
- Learn about Data Security Investigations | Microsoft Purview | Microsoft Learn
- Learn about Endpoint data loss prevention | Microsoft Purview | Microsoft Learn
[Compliance considerations]
| Question | Answer |
|---|---|
| Does the change alter how existing customer data is processed, stored, or accessed? | Yes. Endpoint DLP event data becomes queryable in DSI, and associated files are automatically collected into investigations for analysis. |
| Does the change introduce or significantly modify AI/ML capabilities that interact with customer data? | Yes. DSI’s existing AI‑assisted investigation tools will now analyze files gathered through endpoint DLP queries. |
| Does the change modify how admins can monitor, report on, or demonstrate compliance activities? | Yes. Admins gain new ways to surface, query, and analyze endpoint DLP signals within DSI. |
