check before: 2026-04-01
Product:
Purview, Purview Communication Compliance, Purview compliance portal, Purview Data Loss Prevention
Platform:
Online, Web, World tenant
Status:
In development
Change type:
Admin impact, New feature, Updated message, User impact
Summary:
Microsoft Purview’s Data Security Investigations now includes endpoint Data Loss Prevention (DLP) events as a queryable source, enabling admins to analyze related files automatically. This update, rolling out June 2026, enhances investigation efficiency with AI tools and requires no user action.
Details:
Updated June 15, 2026: We have updated the timeline. Thank you for your patience.
[Introduction]
We're introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios.
This message is associated with Microsoft 365 Roadmap ID 558547.
[When this will happen]
Public Preview: Rollout begins in early June 2026 (previously late April) and completes in early June 2026 (previously mid-May).
General Availability (Worldwide): Rollout begins in mid-June 2026 (previously mid-May) and completes in mid-June 2026 (previously mid-May).
Release Phase:
General Availability, Preview
Created:
2026-03-22
updated:
2026-06-16
Direct effects for Operations**
Integration of Endpoint DLP Events
The integration of endpoint DLP events into Data Security Investigations (DSI) may lead to an initial learning curve for admins and security investigators as they adapt to the new query capabilities and AI tools, potentially causing temporary inefficiencies in investigations until users become familiar with the new features.
- roles: Admins, Security Investigators
- references: https://learn.microsoft.com/purview/data-security-investigations, https://learn.microsoft.com/purview/endpoint-dlp-learn-about
AI-Assisted Investigation Tools
The introduction of AI-assisted tools for analyzing files associated with endpoint DLP events may lead to over-reliance on automated analysis, which could result in missed nuances or context in investigations if not properly monitored by human investigators.
- roles: Admins, Security Investigators
- references: https://learn.microsoft.com/purview/data-security-investigations, https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=558547
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | Old | New |
| --- | --- | --- | --- |
| 2026-06-16 | MC Messages | Updated May 18, 2026: We have updated the timeline. Thank you for your patience. [Introduction] We're introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios. This message is associated with Microsoft 365 Roadmap ID 558547. [When this will happen] Public Preview: Rollout begins in early June 2026 (previously late April) and completes in early June 2026 (previously mid-May). General Availability (Worldwide): Rollout begins in mid-June 2026 (previously mid-May) and completes in mid-June 2026 (previously mid-May). | Updated June 15, 2026: We have updated the timeline. Thank you for your patience. [Introduction] We're introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios. This message is associated with Microsoft 365 Roadmap ID 558547. [When this will happen] Public Preview: Rollout begins in early June 2026 (previously late April) and completes in early June 2026 (previously mid-May). General Availability (Worldwide): Rollout begins in mid-June 2026 (previously mid-May) and completes in mid-June 2026 (previously mid-May). |
| 2026-06-16 | MC Last Updated | 05/19/2026 00:43:48 | 2026-06-16T01:06:26Z |
| 2026-06-16 | MC Summary | Microsoft Purview’s Data Security Investigations (DSI) will integrate endpoint Data Loss Prevention (DLP) events as a queryable data source, enabling admins to analyze associated files automatically. Rollout begins early June 2026 with no user impact or required admin action. This enhances investigation efficiency using AI tools. | Microsoft Purview’s Data Security Investigations now includes endpoint Data Loss Prevention (DLP) events as a queryable source, enabling admins to analyze related files automatically. This update, rolling out June 2026, enhances investigation efficiency with AI tools and requires no user action. |
| 2026-05-19 | MC MessageTagNames | New feature, User impact, Admin impact | Updated message, New feature, User impact, Admin impact |
| 2026-05-19 | MC Summary | Microsoft Purview’s Data Security Investigations will include endpoint Data Loss Prevention (DLP) events as a queryable source, enabling admins to analyze related files automatically. Rolling out April–May 2026, this feature enhances investigation efficiency using AI tools without user impact or required admin action. | Microsoft Purview’s Data Security Investigations (DSI) will integrate endpoint Data Loss Prevention (DLP) events as a queryable data source, enabling admins to analyze associated files automatically. Rollout begins early June 2026 with no user impact or required admin action. This enhances investigation efficiency using AI tools. |
| 2026-05-19 | MC Last Updated | 03/21/2026 17:18:50 | 2026-05-19T00:43:48Z |
| 2026-05-19 | MC Messages | [Introduction] We're introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios. This message is associated with Microsoft 365 Roadmap ID 558547. [When this will happen] Public Preview: Rollout begins in late April 2026 and completes in mid-May 2026. General Availability (Worldwide): Rollout begins in mid-May 2026 and completes in mid-May 2026. | Updated May 18, 2026: We have updated the timeline. Thank you for your patience. [Introduction] We're introducing endpoint Data Loss Prevention (DLP) events as a queryable data source in Data Security Investigations (DSI) in Microsoft Purview. With this update, administrators can build endpoint DLP queries directly in DSI using filters such as date range, and DSI will automatically pull files associated with those events into the investigation for analysis. This integration helps security teams examine endpoint DLP activity at scale, reducing time and effort spent triaging individual alerts and improving the ability to identify patterns and potential data exfiltration scenarios. This message is associated with Microsoft 365 Roadmap ID 558547. [When this will happen] Public Preview: Rollout begins in early June 2026 (previously late April) and completes in early June 2026 (previously mid-May). General Availability (Worldwide): Rollout begins in mid-June 2026 (previously mid-May) and completes in mid-June 2026 (previously mid-May). |
| 2026-05-19 | MC Title | Microsoft Purview: Data Security Investigations – analyze files tied to endpoint DLP alerts | (Updated) Microsoft Purview: Data Security Investigations – analyze files tied to endpoint DLP alerts |
| 2026-05-19 | MC End Time | 06/19/2026 09:00:00 | 2026-07-20T09:00:00Z |