3.10 Module Summary

12-16 hours · Module 3

Module 3 Summary: Mitigate Threats Using Microsoft Purview

What you learned in this module

This module taught you the data protection and compliance investigation skills that complete your SOC analyst toolkit. Modules 1 and 2 taught you to investigate threats that target endpoints and identities. This module taught you to investigate what happens to data when those threats succeed — the exfiltration, the exposure, the access patterns that determine the true impact of a security incident.

In subsection 3.1, you learned the four Purview components a SOC analyst uses: DLP (detects sensitive data crossing policy boundaries), Insider Risk Management (detects anomalous user data access patterns), Audit (records every user and admin action in M365), and eDiscovery (locates and preserves specific content for evidence). You learned how Purview data flows into the Defender XDR portal and Sentinel, the licensing differences that determine investigation capability (particularly the critical MailItemsAccessed event requiring E5), and the role boundaries between security operations and compliance teams.

In subsection 3.2, you learned DLP policy architecture: the four policy components (scope, conditions, actions, notifications), how content classification works (Sensitive Information Types, sensitivity labels, trainable classifiers, Exact Data Match), the alert pipeline from content match to incident queue, the distinction between policy tips, alerts, and incidents, and how endpoint DLP extends protection to device-level actions.

In subsection 3.3, you learned the hands-on DLP alert investigation workflow: the five-step process (triage, content review, exposure check, context check, remediate and document), KQL queries for DLP alert investigation and correlation with identity events, the documentation requirements for DLP incidents with potential regulatory notification implications, and the GDPR 72-hour notification deadline.

In subsection 3.4, you learned Insider Risk Management policies: the five policy types (data theft, data leaks, security violations, patient data misuse, risky browser use), triggering events and the HR connector, behavioral indicators and sequence detection, risk score calculation and escalation, and the privacy-by-design architecture (pseudonymization, scoped access, audit logging).

In subsection 3.5, you learned the IRM investigation workflow: the six-step process (triage, de-anonymize, deep review, create case, investigate, resolve), the privacy controls that govern IRM data access, evidence handling for employee investigations, coordination with HR and legal counsel, and the case resolution outcomes (benign, policy violation, data theft confirmed, account compromise).

In subsection 3.6, you learned the audit log architecture: Standard vs Premium capabilities, the critical difference in retention (180 vs 365 days), the three Premium-only events that transform security investigations (MailItemsAccessed, Send, SearchQueryInitiated), audit log search methods (Purview portal vs Sentinel KQL), and the investigation scenarios where audit data is the primary evidence source.

In subsection 3.7, you learned hands-on audit log investigation: building effective searches, the five essential post-compromise audit queries (email access, inbox rules, file downloads, admin changes, search queries), reconstructing complete user activity timelines from audit data, and correlating audit events with Defender XDR alerts.

In subsection 3.8, you learned eDiscovery as a security investigation tool: when to use eDiscovery vs audit log search, creating cases and building content searches, searching across mailboxes, SharePoint, and Teams, previewing and exporting evidence, and legal hold fundamentals for evidence preservation.

In subsection 3.9, you built a complete cross-product investigation that combined email delivery analysis (Defender for Office 365), credential compromise analysis (Entra ID sign-in logs), post-compromise audit analysis (Purview audit log), data exposure assessment (DLP + eDiscovery), and remediation documentation — all traced through a single BEC scenario that produced a unified investigation timeline.
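As an added illustration that is not part of the course material, the following Python block reconstructs a user activity timeline in the style of subsections 3.7 and 3.9: it tags constructed audit log rows with the five post-compromise query categories and correlates them with constructed Entra ID sign-in rows by client IP. The unified audit log Operation names and the row field names are assumptions about an exported record shape, not values taken from this page.

```python
from datetime import datetime

# Constructed sample rows shaped like a unified audit log export and an Entra ID
# sign-in export; every timestamp, IP and value here is made up for the example.
AUDIT_RECORDS = [
    {"CreationTime": "2024-05-01T07:55:00", "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.4"},
    {"CreationTime": "2024-05-01T08:03:00", "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-01T08:05:00", "Operation": "SearchQueryInitiatedExchange", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-01T08:09:00", "Operation": "New-InboxRule", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-01T08:20:00", "Operation": "FileDownloaded", "ClientIP": "203.0.113.7"},
    {"CreationTime": "2024-05-01T09:10:00", "Operation": "Add-MailboxPermission", "ClientIP": "203.0.113.7"},
]
SIGNIN_EVENTS = [
    {"CreatedDateTime": "2024-05-01T07:50:00", "IPAddress": "198.51.100.4", "RiskLevel": "none"},
    {"CreatedDateTime": "2024-05-01T08:01:00", "IPAddress": "203.0.113.7", "RiskLevel": "high"},
]

# The five post-compromise audit query categories, keyed to audit Operation
# names (assumed names for the example, not taken from the page).
CATEGORIES = {
    "MailItemsAccessed": "email access",
    "New-InboxRule": "inbox rules", "Set-InboxRule": "inbox rules", "UpdateInboxRules": "inbox rules",
    "FileDownloaded": "file downloads", "FileSyncDownloadedFull": "file downloads",
    "Add-MailboxPermission": "admin changes", "Set-Mailbox": "admin changes",
    "SearchQueryInitiatedExchange": "search queries", "SearchQueryInitiatedSharePoint": "search queries",
}

def attacker_ips(signins):
    """IPs behind risky sign-ins: the pivot that ties audit events to the compromise."""
    return {s["IPAddress"] for s in signins if s["RiskLevel"] in ("medium", "high")}

def build_timeline(audit, signins):
    """Merge sign-ins and categorised audit events into one time-ordered list.
    Each row records its source, its query category and whether its IP matches
    a risky sign-in (attacker session) or not (the legitimate user)."""
    bad = attacker_ips(signins)
    rows = [{"time": datetime.fromisoformat(s["CreatedDateTime"]), "source": "EntraID",
             "event": f"sign-in risk={s['RiskLevel']}", "ip": s["IPAddress"],
             "attacker": s["IPAddress"] in bad} for s in signins]
    for a in audit:
        cat = CATEGORIES.get(a["Operation"])
        if cat is None:          # operations outside the five categories are skipped
            continue
        rows.append({"time": datetime.fromisoformat(a["CreationTime"]), "source": "Audit",
                     "event": f"{cat}: {a['Operation']}", "ip": a["ClientIP"],
                     "attacker": a["ClientIP"] in bad})
    return sorted(rows, key=lambda r: r["time"])

def attacker_actions(timeline):
    """Ordered audit actions from attacker IPs: what the incident write-up must
    state (what was read, which rules were created, what was downloaded or changed)."""
    return [r["event"] for r in timeline if r["attacker"] and r["source"] == "Audit"]

if __name__ == "__main__":
    for r in build_timeline(AUDIT_RECORDS, SIGNIN_EVENTS):
        print(r["time"].isoformat(), r["source"], r["ip"], "ATTACKER" if r["attacker"] else "user", r["event"])
```

The earlier MailItemsAccessed row from the user's own IP stays in the timeline but is not attributed to the attacker, which is the distinction the exposure assessment depends on.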

Skills checklist

After completing this module, you should be able to confirm:

I can investigate DLP alerts in the Defender portal and determine whether data was actually exfiltrated or merely matched a policy condition.
I can interpret DLP alert details: SIT type, confidence level, instance count, action taken, and destination.
I understand the difference between DLP and IRM and when each detects threats the other cannot.
I can navigate the IRM investigation workflow, including pseudonymization, de-anonymization, case creation, and HR/legal coordination.
I can search the unified audit log using both the Purview portal and Sentinel KQL.
I can run the five essential post-compromise audit queries and reconstruct a complete user activity timeline.
I understand the Standard vs Premium audit distinction and the investigation impact of MailItemsAccessed availability.
I can use eDiscovery Content Search to locate specific content for security investigations and coordinate legal hold when required.
I can build a cross-product investigation timeline that traces an attack from initial phishing through data exfiltration using evidence from five different data sources.

SC-200 exam objectives covered

Domain 1 — Manage a SOC Environment: Investigate threats by using audit features in Microsoft Defender XDR and Microsoft Purview Standard. Investigate threats using audit in Microsoft Defender XDR and Microsoft Purview (Premium). Investigate threats with Content search in Microsoft Purview.

Domain 3 — Manage Incident Response: Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies. Investigate and remediate threats identified by Microsoft Purview insider risk policies. Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement.

What comes next

Module 3 completes your investigation toolkit across the three pillars: endpoints and devices (Module 2), identities (Module 1), and data (Module 3). The next modules build the SIEM infrastructure that connects these pillars. Module 7 (Configure Your Microsoft Sentinel Environment) creates the workspace where all three data streams converge. Module 8 (Connect Logs to Microsoft Sentinel) connects the data sources. The cross-product investigation methodology from subsection 3.9 is the exact approach used in Modules 11-15 for the real-world investigation scenarios — the only difference is the specific attack type.