Microsoft Purview Compliance Portal: Changes to case creation process in Purview portal when confirming alerts from Defender XDR portal and content retention periods in cases

🚨 The Signal: Purview Insider Risk Management cases are no longer automatically created from Defender XDR alerts. Analysts must manually create cases, and content retention in cases is now limited to 30 days for new content, potentially impacting investigations.

The Impact

Security and Insider Risk teams must now create cases manually and work within a shorter content retention window, which increases investigation effort and opens potential evidence gaps.

  • Security Teams: Increased manual effort to initiate insider risk investigations.
  • Insider Risk Analysts: Potential for delayed evidence collection due to manual case creation.
  • Investigators: Risk of missing new content after 30 days if cases are not re-created.
  • Compliance Officers: Challenges in demonstrating continuous monitoring and evidence retention for insider threats.

The Action

  1. Review existing Insider Risk Management playbooks to incorporate manual case creation from Defender XDR alerts.
  2. Educate Insider Risk Management analysts on the new 'Confirm all alerts & create case' workflow in Purview.
  3. Establish a process for regularly reviewing and re-creating Purview cases for ongoing investigations requiring content beyond 30 days.
  4. Assess the impact on long-running insider risk investigations and adjust retention policies or export strategies as needed.

Domain: Purview · Impact: medium · Workload: Microsoft Purview