{"id":3895,"date":"2026-06-08T21:36:37","date_gmt":"2026-06-08T20:36:37","guid":{"rendered":"https:\/\/www.ituziast.com\/?p=3895"},"modified":"2026-06-08T21:37:12","modified_gmt":"2026-06-08T20:37:12","slug":"graph-based-investigations-for-data-incidents","status":"publish","type":"post","link":"https:\/\/www.ituziast.com\/index.php\/2026\/06\/08\/graph-based-investigations-for-data-incidents\/","title":{"rendered":"Graph-based investigations for data incidents"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This post is intended for Microsoft 365 security engineers, Purview administrators, and incident responders who need faster, clearer ways to investigate data incidents and understand who interacted with data and how it moved. It focuses on the data risk graph capabilities in <a href=\"https:\/\/learn.microsoft.com\/purview\/purview?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Purview<\/a>, particularly <a href=\"https:\/\/learn.microsoft.com\/purview\/data-security-investigations?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Data Security Investigations (DSI)<\/a> and <a href=\"https:\/\/learn.microsoft.com\/purview\/insider-risk-management-solution-overview?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Insider Risk Management<\/a>. I will explain how they are powered by Microsoft Sentinel integration and Microsoft Sentinel graph. 
Furthermore, it includes some operational recommendations as general guidance.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Note:<br>I covered the topic of Data Security Investigations in an earlier article on LinkedIn, which can be found <a href=\"https:\/\/www.linkedin.com\/pulse\/data-security-investigations-dimitar-grozdanov-6dn9f\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<br>Additional insights on embedded AI functionalities in Microsoft Purview can be viewed in this ITuziast article <a href=\"https:\/\/www.ituziast.com\/index.php\/2026\/05\/25\/cap-of-seccopilot-in-mspurview\/\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Why does a graph change data incident investigation?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Traditional investigations often rely on timelines and isolated artifacts, such as alerts, audit events, and file lists. Data risk graphs take a different approach by showing how assets, users, and activities connect, making it easier to understand context, assess impact, and explain findings. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Why the graph matters:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shows relationships between impacted assets, users, and their actions in a single visual view.<\/li>\n\n\n\n<li>Helps investigators move beyond raw logs to see context and likely paths of activity.<\/li>\n\n\n\n<li>Improves communication by making findings easier to explain visually.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"1005\" height=\"815\" src=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_1.png\" alt=\"\" class=\"wp-image-3940 no-lazyload\" srcset=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_1.png 1005w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_1-300x243.png 300w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_1-768x623.png 768w\" sizes=\"(max-width: 1005px) 100vw, 1005px\" \/><figcaption class=\"wp-element-caption\">Linear time events, without context (left) and with context (right)<\/figcaption><\/figure>\n<\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>Pattern:<\/strong><br>Use the graph to answer &#8220;What\u2019s connected?&#8221; early, then use other tools to answer &#8220;What exactly is in the content?&#8221; later.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Don\u2019t try to make the graph your only evidence source. Treat it as a context layer that helps you target deeper review. Both Data Security Investigations and Insider Risk Management describe the data risk graph as a visual investigation experience combining asset and activity data into a single view. 
The graph is powered by Microsoft Sentinel integration and summarizes activity over the past 30 days in the context of each solution.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The data risk graph in both Data Security Investigations and Insider Risk Management currently focuses on a defined set of exfiltration-related activities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Supported activity types<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anonymous links created\/used (SharePoint\/OneDrive)<\/li>\n\n\n\n<li>Company links created (SharePoint\/OneDrive)<\/li>\n\n\n\n<li>File downloads\/renamed (SharePoint\/OneDrive)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This scope shows the kinds of investigation questions the graph is designed to answer: primarily link- and download-focused exfiltration patterns. It also helps set expectations by making clear which incident paths the graph does not currently claim to cover.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"1024\" height=\"539\" src=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_2.png\" alt=\"\" class=\"wp-image-3943 no-lazyload\" srcset=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_2.png 1024w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_2-300x158.png 300w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_2-768x404.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Where the graph appears (both powered by Microsoft Sentinel)<\/figcaption><\/figure>\n<\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>Pattern:<\/strong> <br>Use the graph to triage exfiltration hypotheses (links\/downloads\/renames), and then pivot to investigations and examinations for 
content impact and remediation.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Expecting the graph to explain every incident path will frustrate you; start from the supported activity set and work outward.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What must be true before graphs work?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">To use either graph experience, you must understand Microsoft Sentinel pay-as-you-go billing, complete the prerequisites for Microsoft Sentinel data lake and Microsoft Sentinel graph, and review the on-boarding changes for connecting to them.<br>Both experiences also follow an important operational rule: you have only one data lake. If some other service on-boarded it, then Microsoft Purview will use that one.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"540\" src=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_3-1024x540.png\" alt=\"\" class=\"wp-image-3945 no-lazyload\" srcset=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_3-1024x540.png 1024w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_3-300x158.png 300w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_3-768x405.png 768w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_3.png 1187w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Steps to enable Microsoft Sentinel and Purview graph solution<\/figcaption><\/figure>\n<\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>Pattern: <\/strong><br>Treat Sentinel data lake\/graph on-boarding as shared infrastructure. 
On-board once, then reuse across supported Microsoft Purview solutions.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Trying to troubleshoot graph &#8220;no data&#8221; symptoms without validating Microsoft Sentinel on-boarding prerequisites first leads to wasted cycles.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Critical limitations and \u201cgotchas\u201d that affect real deployments<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Both the Data Security Investigations and Insider Risk Management data risk graph pages state that Administrative Units are not supported. If an administrator is scoped to an Administrative Unit, data will not appear in the data risk graph.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">This is a deployment-critical limitation. If you use administrative units to delegate administration, scoped admins should expect the graph to appear incomplete or show no data.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">The Insider Risk data risk graph page explicitly says you cannot use this feature with anonymized usernames enabled. If usernames are anonymized, the graph will not load. This is a direct tradeoff between privacy configuration and graph utility that must be decided intentionally.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>Pattern:<\/strong> <br>Document graph prerequisites and exclusions (Administrative Units, anonymized usernames), so &#8220;no graph data&#8221; is recognized as configuration, not a bug.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Data Security Investigations includes risk examinations that explain why items received their risk scores and provide recommended mitigation steps. Microsoft also advises filtering out data that is not relevant so processing stays focused and efficient. 
How to use this with the graph:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use the data risk graph to identify the most relevant evidence, such as the file involved and the user interactions around it.<\/li>\n\n\n\n<li>Use risk examinations to interpret that evidence more deeply and frame the appropriate mitigation response.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" width=\"1024\" height=\"189\" src=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_4-1024x189.png\" alt=\"\" class=\"wp-image-3949 no-lazyload\" srcset=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_4-1024x189.png 1024w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_4-300x55.png 300w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_4-768x141.png 768w, https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_4.png 1433w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Investigation playbook step-by-step flow<\/figcaption><\/figure>\n<\/div>\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>Pattern:<\/strong> <br>Graph first for &#8220;relationship triage&#8221;, examinations next for &#8220;risk reasoning&#8221;, and only then decide mitigation steps.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Jumping straight to remediation without understanding the relationship context (who shared, who downloaded, which link type) increases false positives and disruption.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Data risk graphs bring relationship-first investigation to Purview by connecting files, users, and exfiltration activity into a single visual view, powered by 
Microsoft Sentinel graph.<br>They work best for triaging supported exfiltration patterns in SharePoint\/OneDrive, such as links, downloads, and renames. Furthermore, they should be paired with deeper investigation tools for risk assessment and mitigation.<br><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Success also depends on correct Sentinel data lake and graph on-boarding, along with a clear understanding of key limitations, especially administrative unit scoping and anonymized usernames in Insider Risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you\u2019re already pursuing a unified SecOps model, treating Sentinel graph as shared analytics infrastructure helps avoid siloed investigation tooling.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Additional information<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/purview\/purview-sentinel?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Learn about Microsoft Sentinel in Microsoft Purview<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/purview\/data-security-investigations-data-risk-graph?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Data risk graph in Data Security Investigations<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/purview\/insider-risk-management-data-risk-graph?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Data risk graph in Insider Risk Management<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/purview\/data-security-investigations-workflow?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Learn about the Data Security Investigations workflow<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/purview\/data-security-investigations-risks?WT.mc_id=AZ-MVP-5002880\" target=\"_blank\" rel=\"noreferrer noopener\">Review risk examinations in Data Security 
Investigations<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\">Use Microsoft Sentinel graphs, powered data risk graphs in Microsoft Purview to connect users, files, and exfiltration activity for faster incident triage.<\/div>\n<p> <a class=\"mh-excerpt-more\" href=\"https:\/\/www.ituziast.com\/index.php\/2026\/06\/08\/graph-based-investigations-for-data-incidents\/\" title=\"Graph-based investigations for data incidents\">[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":3950,"comment_status":"open","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[268],"tags":[204,80,105,270,256,269,15],"coauthors":[235],"class_list":["post-3895","post","type-post","status-publish","format-standard","has-post-thumbnail","category-sec","tag-governance","tag-microsoft","tag-microsoft-365","tag-microsoft-graph","tag-microsoft-pureview","tag-microsoft-sentinel","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\r\n<title>Graph-based investigations for data incidents - ITuziast<\/title>\r\n<meta name=\"description\" content=\"Use Microsoft Sentinel graphs, powered data risk graphs in Microsoft Purview to connect users, files, and exfiltration activity for faster incident triage.\" \/>\r\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\r\n<link rel=\"canonical\" href=\"https:\/\/www.ituziast.com\/index.php\/2026\/06\/08\/graph-based-investigations-for-data-incidents\/\" \/>\r\n<meta property=\"og:locale\" content=\"en_US\" \/>\r\n<meta property=\"og:type\" content=\"article\" \/>\r\n<meta property=\"og:title\" content=\"Graph-based investigations for data incidents - ITuziast\" \/>\r\n<meta property=\"og:description\" content=\"Use Microsoft Sentinel graphs, powered data risk graphs in Microsoft Purview to 
connect users, files, and exfiltration activity for faster incident triage.\" \/>\r\n<meta property=\"og:url\" content=\"https:\/\/www.ituziast.com\/index.php\/2026\/06\/08\/graph-based-investigations-for-data-incidents\/\" \/>\r\n<meta property=\"og:site_name\" content=\"ITuziast\" \/>\r\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ITuziast\" \/>\r\n<meta property=\"article:author\" content=\"https:\/\/bsky.app\/profile\/grozdanovd.bsky.social\" \/>\r\n<meta property=\"article:published_time\" content=\"2026-06-08T20:36:37+00:00\" \/>\r\n<meta property=\"article:modified_time\" content=\"2026-06-08T20:37:12+00:00\" \/>\r\n<meta property=\"og:image\" content=\"https:\/\/www.ituziast.com\/wp-content\/uploads\/2026\/06\/DataRiskGraphMSFTSentinel_cover1.png\" \/>\r\n\t<meta property=\"og:image:width\" content=\"1196\" \/>\r\n\t<meta property=\"og:image:height\" content=\"673\" \/>\r\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\r\n<meta name=\"author\" content=\"Dimitar Grozdanov\" \/>\r\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\r\n<meta name=\"twitter:creator\" content=\"@grozdanovd\" \/>\r\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dimitar Grozdanov\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\r\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/\"},\"author\":{\"name\":\"Dimitar Grozdanov\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#\\\/schema\\\/person\\\/8596bb127b83987935c0355c8ed6130c\"},\"headline\":\"Graph-based investigations for data incidents\",\"datePublished\":\"2026-06-08T20:36:37+00:00\",\"dateModified\":\"2026-06-08T20:37:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/\"},\"wordCount\":952,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.ituziast.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/DataRiskGraphMSFTSentinel_cover1.png\",\"keywords\":[\"Governance\",\"Microsoft\",\"Microsoft 365\",\"Microsoft Graph\",\"Microsoft Pureview\",\"Microsoft 
Sentinel\",\"Security\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/\",\"url\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/\",\"name\":\"Graph-based investigations for data incidents - ITuziast\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.ituziast.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/DataRiskGraphMSFTSentinel_cover1.png\",\"datePublished\":\"2026-06-08T20:36:37+00:00\",\"dateModified\":\"2026-06-08T20:37:12+00:00\",\"description\":\"Use Microsoft Sentinel graphs, powered data risk graphs in Microsoft Purview to connect users, files, and exfiltration activity for faster incident 
triage.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.ituziast.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/DataRiskGraphMSFTSentinel_cover1.png\",\"contentUrl\":\"https:\\\/\\\/www.ituziast.com\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/DataRiskGraphMSFTSentinel_cover1.png\",\"width\":1196,\"height\":673},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/2026\\\/06\\\/08\\\/graph-based-investigations-for-data-incidents\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.ituziast.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Graph-based investigations for data incidents\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#website\",\"url\":\"https:\\\/\\\/www.ituziast.com\\\/\",\"name\":\"ITuziast\",\"description\":\"Bits and Bytes of 
Technology\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.ituziast.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#organization\",\"name\":\"ITuziast\",\"url\":\"https:\\\/\\\/www.ituziast.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.ituziast.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/ituziast-logo.png\",\"contentUrl\":\"https:\\\/\\\/www.ituziast.com\\\/wp-content\\\/uploads\\\/2020\\\/09\\\/ituziast-logo.png\",\"width\":512,\"height\":512,\"caption\":\"ITuziast\"},\"image\":{\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/ITuziast\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.ituziast.com\\\/#\\\/schema\\\/person\\\/8596bb127b83987935c0355c8ed6130c\",\"name\":\"Dimitar Grozdanov\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/970f950d69334bef706f381f8022be295b3e85d8d3214f8b5cd6fcc0e7cad338?s=96&d=mm&r=gb1156e7caf65275f1df79df9ad892041\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/970f950d69334bef706f381f8022be295b3e85d8d3214f8b5cd6fcc0e7cad338?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/970f950d69334bef706f381f8022be295b3e85d8d3214f8b5cd6fcc0e7cad338?s=96&d=mm&r=g\",\"caption\":\"Dimitar Grozdanov\"},\"description\":\"Engineer. 25+ years \u201cin the field\u201d. Cloud Solution Architect. Microsoft 365 MVP. Trainer. Co-founder\\\/Supporter of Tech Communities. Speaker. 
Blogger. Parent. Passionate about craft beer and hanging out with family and friends.\",\"sameAs\":[\"https:\\\/\\\/mvp.microsoft.com\\\/en-us\\\/PublicProfile\\\/5002880?fullName=Dimitar%20Grozdanov\",\"https:\\\/\\\/bsky.app\\\/profile\\\/grozdanovd.bsky.social\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/dimitar-grozdanov\\\/\",\"https:\\\/\\\/x.com\\\/grozdanovd\",\"https:\\\/\\\/www.youtube.com\\\/@dimitargrozdanov\"],\"url\":\"https:\\\/\\\/www.ituziast.com\\\/index.php\\\/author\\\/grozdanovd\\\/\"}]}<\/script>\r\n<!-- \/ Yoast SEO plugin. -->"
,"_links":{"self":[{"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/posts\/3895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/comments?post=3895"}],"version-history":[{"count":11,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/posts\/3895\/revisions"}],"predecessor-version":[{"id":3954,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/posts\/3895\/revisions\/3954"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/media\/3950"}],"wp:attachment":[{"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/media?parent=3895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/categories?post=3895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/tags?post=3895"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.ituziast.com\/index.php\/wp-json\/wp\/v2\/coauthors?post=3895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}