Module 3: Mitigate Threats Using Microsoft Purview

12-16 hours · Manage Incident Response (25-30%); Manage a SOC Environment (40-45%)

Modules 1 and 2 taught you to investigate threats that target endpoints and identities — malware execution, credential theft, lateral movement. But attackers do not compromise systems for the sake of compromise. They compromise systems to access data. The email containing the quarterly financial forecast. The SharePoint folder with merger documents. The customer database export. The intellectual property repository.

Microsoft Purview is where you investigate the data side of the attack chain. When a compromised account downloads 2,000 files from SharePoint in 30 minutes, Purview’s audit log records every access event. When a disgruntled employee copies customer data to a USB drive before their last day, Purview’s insider risk management detects the behavioral pattern. When sensitive documents are emailed to a personal Gmail account, Purview’s DLP policies fire alerts that land in your Defender XDR incident queue.

This module teaches you the complete Purview investigation toolkit from a SOC analyst’s perspective — not from a compliance officer’s perspective. The distinction matters: compliance teams configure policies and review trend reports. SOC analysts investigate specific alerts, trace data access patterns during active incidents, collect evidence for incident reports, and coordinate remediation when data has been exposed. This module focuses exclusively on the investigation and response skills that the SC-200 exam tests.

Prerequisites

Complete Module 1 (Defender XDR) and Module 6 (KQL) before starting this module. Module 1 provides the incident queue context — Purview alerts appear in the same unified queue as endpoint and identity alerts. Module 6 provides the KQL skills — audit log investigation uses the same query language you already know, applied to different tables (CloudAppEvents, OfficeActivity, InformationProtectionLogs_CL).
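As an added example (not part of the course material), this is the kind of Module 6 query that turns the mass-download scenario above into something you can actually hunt for: it runs against the Sentinel OfficeActivity table and surfaces any account whose SharePoint/OneDrive downloads in a single 30-minute window exceed a threshold. The column names come from the Office 365 connector schema as I know it, and the 500-file threshold is a constructed value to tune against your own tenant's baseline.

```kql
// Added example: detect burst file downloads from SharePoint/OneDrive per user per 30-minute window.
// Assumes the Sentinel OfficeActivity table (Office 365 data connector); column names are
// assumptions about that schema, and the threshold is a constructed value, not from the page.
let window = 30m;
let threshold = 500;   // constructed: lower than the 2,000-in-30-minutes scenario so slower runs still surface
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize
    Downloads     = count(),
    DistinctFiles = dcount(OfficeObjectId),
    Sites         = make_set(Site_Url, 10),
    ClientIPs     = make_set(ClientIP, 10),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by UserId, Window = bin(TimeGenerated, window)
| where Downloads >= threshold
| order by Downloads desc
```

Each row is a pivot point: take the UserId, Window and ClientIPs into the Purview audit log search (section 3.7) to confirm what was accessed, and into the Defender XDR incident queue (Module 1) to see whether the same account already has a credential-theft or sign-in alert attached.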

What you will be able to do after completing this module

After completing this module, you will be able to investigate DLP alerts in the Defender portal and determine whether sensitive data was actually exfiltrated or merely triggered a policy match on benign activity. You will investigate insider risk alerts by examining user activity sequences, risk score escalation patterns, and the behavioral indicators that distinguish a genuine insider threat from a false positive. You will search the unified audit log to reconstruct exactly what a compromised account accessed, when, from where, and how much data was involved. You will use eDiscovery content search to locate specific messages, files, and conversations relevant to a security investigation. And you will combine Purview data with Defender XDR and Sentinel data to build complete investigation timelines that trace an attack from initial compromise through data access and exfiltration.

How this module is structured

3.1 — Microsoft Purview for Security Operations. The architecture and scope of Purview from a SOC analyst’s perspective. What Purview does, which components are relevant to security operations, how Purview data flows into the Defender XDR portal, and the licensing that determines which audit and investigation capabilities are available.

3.2 — Data Loss Prevention: Policy Architecture and Alert Pipeline. How DLP policies are structured, what they detect, how alerts are generated and scored, and where they appear in the investigation workflow. The configuration context you need to interpret DLP alerts correctly.

3.3 — Investigating DLP Alerts in the Defender Portal. The hands-on investigation workflow: triaging DLP alerts, examining matched content, determining whether data was actually exfiltrated, taking remediation actions, and documenting findings. Includes KQL queries for DLP alert investigation.

3.4 — Insider Risk Management: Policies, Indicators, and Risk Signals. How insider risk policies work, the behavioral indicators they monitor, how risk scores are calculated, and the triggering events that escalate a user from low to high risk. The investigative context you need to assess insider risk alerts.

3.5 — Investigating Insider Risk Alerts and Managing Cases. The investigation workflow for insider risk: reviewing user activity timelines, assessing risk score escalation, managing cases, coordinating with HR and legal, and the evidence handling requirements that distinguish insider risk investigations from standard security incidents.

3.6 — Microsoft Purview Audit: Standard vs Premium. The audit log architecture, the difference between Standard and Premium audit, what activities are captured at each tier, retention periods, and the MailItemsAccessed event that is critical for investigating compromised mailbox access.

3.7 — Investigating with Audit Log Search. The hands-on investigation workflow: building effective audit log searches, interpreting results, reconstructing user activity timelines, correlating audit events with Defender alerts, and the KQL queries that make audit data investigation-ready.

3.8 — eDiscovery: Content Search for Security Investigations. Using eDiscovery as a security investigation tool: creating cases, building search queries, locating specific messages and files, previewing results, and the legal hold implications that SOC analysts must understand when evidence preservation is required.

3.9 — Cross-Product Investigation: Purview + Defender XDR + Sentinel. Our addition. How to combine Purview audit data with Defender XDR telemetry and Sentinel analytics to build complete investigation narratives. Worked example: tracing a BEC attack from initial phishing (Defender for Office 365) through account compromise (Entra ID) to data exfiltration (Purview audit log) in a single cross-product timeline.

3.10 — Module Summary. Key takeaways, skills checklist, SC-200 exam objectives covered.

3.11 — Check My Knowledge. 20 scenario-based questions.
