Review Data Disclosure and Notification Decision Evidence
Post-Incident Review | P2 | 90 min
Assemble the evidence used for disclosure and notification decisions, including exact datasets accessed, exfiltration channels confirmed, and residual uncertainty.
Actions
1. Create a source-backed inventory of data that was confirmed accessed, staged, or exfiltrated. Distinguish evidence-backed facts from assumptions.
2. Correlate DLP, eDiscovery, proxy, and mailbox evidence into a single disclosure worksheet that maps datasets to affected users, systems, and timeframes.
3. Document uncertainty explicitly: missing logs, retention gaps, and third-party blind spots that affect the confidence of notification scoping.
4. Package the evidence bundle so legal, privacy, and regulators can trace each disclosure decision back to concrete artifacts.
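Steps 1 to 3 above amount to a small, repeatable correlation: normalised access, DLP and proxy records go in, and a worksheet comes out in which every dataset carries its users, systems, timeframe, a list of facts each traceable to one source record, and a separate list of inferences. The script below is an added example of that worksheet build; it is not part of this playbook or of any vendor tooling. All records, the incident window, the 10 MB upload threshold (taken from the proxy query on this page) and the 30-minute correlation window are constructed or assumed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Incident window agreed with the IR lead (constructed values for this example).
INCIDENT_START = datetime(2024, 3, 1)
INCIDENT_END = datetime(2024, 3, 10)
EXFIL_BYTES_THRESHOLD = 10_000_000   # mirrors the SentBytes > 10000000 filter in the proxy query
CORRELATION_WINDOW = timedelta(minutes=30)  # assumed: how close a DLP hit and an upload must be

# Constructed sample records, already normalised from their source schemas.
OFFICE_ACTIVITY = [
    {"time": datetime(2024, 3, 3, 9, 15), "user": "jdoe", "op": "FileDownloaded",
     "object": "HR/payroll_2024.xlsx", "system": "SharePoint"},
    {"time": datetime(2024, 3, 3, 9, 20), "user": "jdoe", "op": "FileAccessed",
     "object": "HR/benefits.docx", "system": "SharePoint"},
    {"time": datetime(2024, 3, 3, 9, 25), "user": "jdoe", "op": "FileDownloaded",
     "object": "Finance/forecast.pptx", "system": "SharePoint"},
    {"time": datetime(2024, 3, 5, 14, 2), "user": "jdoe", "op": "MailItemsAccessed",
     "object": "Mailbox:jdoe", "system": "Exchange"},
]
PROXY = [
    {"time": datetime(2024, 3, 3, 9, 31), "user": "jdoe", "dest": "files.example-share.test",
     "sent_bytes": 18_500_000, "system": "WKS-042"},
    {"time": datetime(2024, 3, 5, 14, 10), "user": "jdoe", "dest": "mail.example.test",
     "sent_bytes": 120_000, "system": "WKS-042"},
]
DLP = [
    {"time": datetime(2024, 3, 3, 9, 31), "user": "jdoe", "object": "HR/payroll_2024.xlsx",
     "rule": "PII-SSN", "system": "WKS-042"},
]
# Retention window per source; anything short of the incident window is documented uncertainty.
COVERAGE = {
    "OfficeActivity": (datetime(2024, 2, 1), datetime(2024, 3, 31)),
    "Proxy": (datetime(2024, 3, 2), datetime(2024, 3, 31)),  # first incident day has no proxy logs
    "DLP": (datetime(2024, 3, 1), datetime(2024, 3, 31)),
}

@dataclass
class DatasetEntry:
    dataset: str
    status: str = "accessed-confirmed"  # accessed-confirmed -> staged-confirmed -> exfiltrated-confirmed
    users: Set[str] = field(default_factory=set)
    systems: Set[str] = field(default_factory=set)
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    evidence: List[str] = field(default_factory=list)     # each item traceable to one source record
    assumptions: List[str] = field(default_factory=list)  # inferences, kept apart from evidence

    def touch(self, when: datetime, user: str, system: str, evidence: str) -> None:
        self.users.add(user)
        self.systems.add(system)
        self.first_seen = when if self.first_seen is None else min(self.first_seen, when)
        self.last_seen = when if self.last_seen is None else max(self.last_seen, when)
        self.evidence.append(evidence)

def build_worksheet(office, proxy, dlp, start, end) -> Dict[str, DatasetEntry]:
    ws: Dict[str, DatasetEntry] = {}
    # 1. Every access inside the incident window is a confirmed fact on its own.
    for r in office:
        if not (start <= r["time"] <= end):
            continue
        e = ws.setdefault(r["object"], DatasetEntry(r["object"]))
        e.touch(r["time"], r["user"], r["system"], f"OfficeActivity:{r['op']}@{r['time']:%Y-%m-%dT%H:%M}")
    # 2. A DLP hit shows the dataset was staged; a matching large upload by the same user confirms exfiltration.
    for d in dlp:
        if not (start <= d["time"] <= end):
            continue
        e = ws.setdefault(d["object"], DatasetEntry(d["object"]))
        e.touch(d["time"], d["user"], d["system"], f"DLP:{d['rule']}@{d['time']:%Y-%m-%dT%H:%M}")
        if e.status == "accessed-confirmed":
            e.status = "staged-confirmed"
        for p in proxy:
            if (p["user"] == d["user"] and abs(p["time"] - d["time"]) <= CORRELATION_WINDOW
                    and p["sent_bytes"] >= EXFIL_BYTES_THRESHOLD):
                e.touch(p["time"], p["user"], p["system"], f"Proxy:{p['dest']}:{p['sent_bytes']}B")
                e.status = "exfiltrated-confirmed"
    # 3. A large upload shortly after a download with no DLP match is only an inference; record it as such.
    for r in office:
        if r["op"] != "FileDownloaded" or r["object"] not in ws or ws[r["object"]].status == "exfiltrated-confirmed":
            continue
        for p in proxy:
            delta = p["time"] - r["time"]
            if p["user"] == r["user"] and timedelta(0) <= delta <= CORRELATION_WINDOW and p["sent_bytes"] >= EXFIL_BYTES_THRESHOLD:
                ws[r["object"]].assumptions.append(
                    f"{p['sent_bytes']}B upload to {p['dest']} {int(delta.total_seconds() // 60)} min after download; no DLP corroboration")
    return ws

def coverage_gaps(coverage, start, end) -> List[str]:
    """Retention gaps that limit confidence in the notification scope."""
    gaps = []
    for src, (c0, c1) in coverage.items():
        if c0 > start:
            gaps.append(f"{src}: no records before {c0:%Y-%m-%d}; incident window opens {start:%Y-%m-%d}")
        if c1 < end:
            gaps.append(f"{src}: no records after {c1:%Y-%m-%d}; incident window closes {end:%Y-%m-%d}")
    return gaps

if __name__ == "__main__":
    for e in build_worksheet(OFFICE_ACTIVITY, PROXY, DLP, INCIDENT_START, INCIDENT_END).values():
        print(f"{e.dataset:24} {e.status:22} users={sorted(e.users)} systems={sorted(e.systems)}")
        for fact in e.evidence:
            print("    FACT:", fact)
        for a in e.assumptions:
            print("    ASSUMPTION:", a)
    for g in coverage_gaps(COVERAGE, INCIDENT_START, INCIDENT_END):
        print("GAP:", g)
```

On the sample data the payroll file ends up exfiltrated-confirmed with SharePoint, DLP and proxy evidence lines, while the forecast deck, downloaded six minutes before the same upload, stays accessed-confirmed with the upload recorded only as an assumption; the proxy retention gap on the first incident day is emitted separately so it can be carried into the worksheet's uncertainty section rather than silently lowering the count.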
Queries
OfficeActivity
| where TimeGenerated > ago(30d)
| where Operation in ("FileDownloaded", "FileAccessed", "MailItemsAccessed")
| summarize count() by UserId, Operation, bin(TimeGenerated, 1h)

CommonSecurityLog
| where TimeGenerated > ago(30d)
| where SentBytes > 10000000
| summarize TotalBytes=sum(SentBytes) by SourceIP, DestinationHostName, ApplicationProtocol
Notes
- Disclosure decisions should be evidence-backed and reproducible. Uncertainty should be documented, not hidden.
- For mixed insider and external-access cases, preserve both HR-sensitive and regulator-facing evidence trails separately if required by counsel.
Related Artifacts
- SRUM Database (SRUDB.dat): C:\Windows\System32\sru\SRUDB.dat
- eDiscovery Content Search Results: Microsoft Purview > eDiscovery > Content search
- Microsoft Purview DLP & Insider Risk Logs: Microsoft Purview > Data Loss Prevention > Activity explorer and Insider Risk Management > Cases
- Proxy / Web Filter Logs: Web proxy appliance logs (Zscaler, Squid, Blue Coat/Symantec, McAfee Web Gateway)