SC-401 Study Guide

Domain 1: Implement Information Protection

  • Know Your Data: Sensitive Info Types Free
  • Custom Sensitive Info Types: Build Your Own Free
  • EDM & Fingerprinting: Detect Exact Data
  • Trainable Classifiers: AI-Powered Detection Free
  • Sensitivity Labels: Create & Protect Free
  • Sensitivity Labels: Publish & Auto-Apply
  • Email Encryption: Lock Down Messages
  • Purview IP Client: Classify Files at Scale

Domain 2: Implement DLP and Retention

  • DLP Foundations: Stop Data Leaks
  • DLP Policies: Build, Manage & Extend
  • DLP: Precedence & Adaptive Protection
  • Endpoint DLP: Setup & Configuration
  • Endpoint DLP: Advanced Rules & Monitoring
  • Retention: Plan Your Data Lifecycle
  • Retention Labels: Publish & Auto-Apply
  • Retention: Policies, Precedence & Recovery

Domain 3: Manage Risks, Alerts, and Activities

  • Insider Risk: Foundations & Setup
  • Insider Risk: Policies & Indicators
  • Insider Risk: Investigate & Close Cases
  • Adaptive Protection: Risk Levels Meet DLP
  • Purview Audit: Investigate & Retain
  • Activity Explorer & Content Search
  • Alert Response: Purview, XDR & Cloud Apps
  • DSPM for AI: Setup & Controls
  • DSPM for AI: Policies & Monitoring

Domain 3: Manage Risks, Alerts, and Activities (~12 min read)

Activity Explorer & Content Search

Activity Explorer shows what users are doing with sensitive data. Content search finds specific items across mailboxes, sites, and public folders. Two essential investigation surfaces for information security.

Two investigation surfaces

☕ Simple explanation

Activity Explorer is like reviewing security camera footage: you see what people have been DOING with your data (events appear after an ingestion delay, not as a live stream). Who changed a label? Who triggered a DLP policy? Who copied sensitive files to removable media?

Content search is like sending a search dog into every room in the building — it finds specific items (emails, documents, Teams messages) across your entire M365 tenant based on keywords, dates, senders, or locations.

Activity Explorer shows actions. Content search finds things.

Activity Explorer in Microsoft Purview displays a filterable timeline of data-related activities: label applications, DLP policy matches, endpoint activities, and sensitive content interactions. It aggregates data from Exchange, SharePoint, OneDrive, Teams, and endpoints into a unified view for compliance monitoring and investigation.

Content search searches across Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft 365 Groups to find items matching specific criteria — keywords, date ranges, senders/recipients, file types, or metadata. Results can be previewed and exported for further analysis or legal review.

Activity Explorer

What it shows

Activity type       | Source                           | Examples
Label activities    | Sensitivity and retention labels | Label applied, label changed, label removed, justification provided
DLP activities      | DLP policies                     | DLP rule matched, DLP override, DLP false positive reported
Endpoint activities | Endpoint DLP                     | File copied to USB, file printed, file uploaded, app access blocked
Auto-labeling       | Auto-labeling policies           | Label auto-applied (client-side or service-side)

Filters and analysis

Filter        | What it narrows
Activity type | Focus on specific actions (e.g. only DLP matches)
Date range    | Narrow to a specific time period
User          | Activities by a specific user
Location      | SharePoint, Exchange, OneDrive, or endpoints
Label         | Activities involving a specific sensitivity or retention label
Policy        | Activities triggered by a specific DLP policy

Common investigation patterns

Pattern               | What to look for                                    | Action
Label downgrade spike | Multiple users downgrading labels in a short period | Check whether a policy is too restrictive or users are circumventing it
DLP override pattern  | Same user repeatedly overriding DLP blocks          | Review the user's justifications: legitimate need or security bypass?
Endpoint exfiltration | USB copies or cloud uploads of sensitive data       | Correlate with Insider Risk alerts
Auto-labeling gap     | Content in scope not being labelled                 | Check the auto-labeling policy mode (simulation vs. active)
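
The "DLP override pattern" and "label downgrade spike" rows above are easy to eyeball for three users and painful for three hundred. The following is an added example, not code from the study guide: it scores an Activity Explorer export with the same logic the table describes (repeated overrides by one user within a window, several distinct users downgrading labels in a window) and surfaces blank justifications first. In a real tenant the rows come from the portal's CSV export or from Export-ActivityExplorerData in Security & Compliance PowerShell; the CSV embedded here is constructed sample data, and its column names and activity values are assumptions about that export rather than the documented schema.

```powershell
# Added example (not from the study guide). The CSV is CONSTRUCTED sample data;
# column names and activity names are an assumption about the real export.
$sampleCsv = @'
Happened,Activity,User,Location,Policy,Justification
2026-03-01T09:12:00Z,DLPRuleOverride,dana@atlasglobal.example,SharePoint,Block pricing data,client meeting
2026-03-01T10:40:00Z,DLPRuleOverride,dana@atlasglobal.example,SharePoint,Block pricing data,client meeting
2026-03-02T08:05:00Z,DLPRuleOverride,dana@atlasglobal.example,SharePoint,Block pricing data,
2026-03-02T11:30:00Z,DLPRuleOverride,dana@atlasglobal.example,SharePoint,Block pricing data,client meeting
2026-03-03T14:00:00Z,DLPRuleOverride,dana@atlasglobal.example,Exchange,Block pricing data,client meeting
2026-03-03T15:10:00Z,DLPRuleOverride,omar@atlasglobal.example,Exchange,Block pricing data,sending contract
2026-03-04T09:00:00Z,LabelDowngraded,omar@atlasglobal.example,OneDrive,,needed to share
2026-03-04T09:01:00Z,LabelDowngraded,priya@atlasglobal.example,OneDrive,,
2026-02-10T09:00:00Z,DLPRuleOverride,lee@atlasglobal.example,Endpoint,Block USB copy,backup
'@

function Import-ActivityRows {
    # Parses the export into typed objects; timestamps are normalised to UTC so
    # window arithmetic does not depend on the analyst's local time zone.
    param([Parameter(Mandatory)][string] $Csv)
    $Csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Happened      = [datetime]::Parse($_.Happened, [cultureinfo]::InvariantCulture,
                                [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Activity      = $_.Activity
            User          = $_.User.ToLowerInvariant()
            Location      = $_.Location
            Policy        = $_.Policy
            Justification = $_.Justification
        }
    }
}

function Get-NewestEvent {
    param([object[]] $Rows)
    ($Rows | Sort-Object -Property Happened -Descending | Select-Object -First 1).Happened
}

function Find-DlpOverridePattern {
    # Flags users whose override count within the window meets the threshold.
    # Blank justifications are counted separately: they are the first ones to read.
    param(
        [Parameter(Mandatory)][object[]] $Rows,
        [int] $WindowDays = 7,
        [int] $Threshold  = 3,
        [nullable[datetime]] $AsOf = $null   # defaults to the newest event in the export
    )
    if ($null -eq $AsOf) { $AsOf = Get-NewestEvent -Rows $Rows }
    $since = $AsOf.AddDays(-$WindowDays)
    $Rows |
        Where-Object { $_.Activity -eq 'DLPRuleOverride' -and $_.Happened -ge $since } |
        Group-Object -Property User |
        ForEach-Object {
            $blank = @($_.Group | Where-Object { [string]::IsNullOrWhiteSpace($_.Justification) }).Count
            [pscustomobject]@{
                User               = $_.Name
                Overrides          = $_.Count
                Policies           = (@($_.Group.Policy) | Sort-Object -Unique) -join '; '
                BlankJustification = $blank
                Flagged            = ($_.Count -ge $Threshold)
            }
        } |
        Sort-Object -Property Overrides -Descending
}

function Find-LabelDowngradeSpike {
    # A spike is several DISTINCT users downgrading within the window, which points
    # at a policy problem rather than one person's behaviour.
    param(
        [Parameter(Mandatory)][object[]] $Rows,
        [int] $WindowDays = 7,
        [int] $MinUsers   = 2,
        [nullable[datetime]] $AsOf = $null
    )
    if ($null -eq $AsOf) { $AsOf = Get-NewestEvent -Rows $Rows }
    $since = $AsOf.AddDays(-$WindowDays)
    $hits  = @($Rows | Where-Object { $_.Activity -eq 'LabelDowngraded' -and $_.Happened -ge $since })
    $users = @($hits.User | Sort-Object -Unique)
    [pscustomobject]@{
        Since      = $since
        Downgrades = $hits.Count
        Users      = $users -join ', '
        Spike      = ($users.Count -ge $MinUsers)
    }
}

$rows = Import-ActivityRows -Csv $sampleCsv
Find-DlpOverridePattern -Rows $rows | Format-Table -AutoSize
Find-LabelDowngradeSpike -Rows $rows | Format-List
```

With the sample data, dana is flagged (five overrides against the same policy inside the seven-day window, one with no justification), omar is not, and lee's February override falls outside the window entirely; the two OneDrive downgrades by different users register as a spike. The same functions run unchanged over a real export once the column names are mapped to what the tenant actually emits.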

Content search

Content search finds specific items across your M365 tenant. It is a separate tool from audit log search.

Where Content search looks

Location                | What it searches
Exchange mailboxes      | Emails, calendar items, contacts, tasks
SharePoint sites        | Documents, list items, pages
OneDrive accounts       | Personal cloud files
Microsoft 365 Groups    | Group mailboxes and SharePoint content
Exchange public folders | Public folder content

Creating a Content search

  1. Name: search name and description
  2. Locations: all locations, specific mailboxes, specific sites, or specific groups
  3. Search conditions: keywords, date range, sender/recipients, file types, SIT matches
  4. Run: execute the search
  5. Preview: view matched items before exporting
  6. Export: download results for analysis (requires the eDiscovery Export tool)

Search query syntax

Operator   | Example                     | What it finds
AND        | confidential AND merger     | Items containing both words
OR         | confidential OR restricted  | Items containing either word
NOT        | budget NOT draft            | Items with "budget" but not "draft"
Phrases    | "quarterly earnings"        | Exact phrase match
Wildcards  | financ*                     | Matches financial, finance, financing, etc. (trailing * only; prefix matching)
Date range | sent:2026-01-01..2026-03-31 | Items sent in Q1 2026
Sender     | from:john@meridian.com      | Items from a specific sender
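
The six creation steps and the operator table above map directly onto Security & Compliance PowerShell, which is how a search gets repeated consistently across investigations. The following is an added example, not code from the study guide or from Microsoft: New-ContentSearchQuery is a pure helper that assembles a KQL string from the operators in the table (it runs offline), and Invoke-ContentSearchExport drives steps 1 to 6 with the real New-ComplianceSearch, Start-ComplianceSearch, Get-ComplianceSearch and New-ComplianceSearchAction cmdlets from the ExchangeOnlineManagement module after Connect-IPPSSession. The search name, site URL and mailbox scope in the usage lines are assumptions for illustration.

```powershell
# Added example (not from the study guide). Requires the ExchangeOnlineManagement
# module and an existing Connect-IPPSSession for the Invoke-* part only.

function New-ContentSearchQuery {
    # Builds a KQL query from the operators in the table: AND, OR, NOT, phrases,
    # wildcards (passed through as typed), sent: date range and from: sender.
    param(
        [string[]] $AllOf,              # every term or phrase must appear (AND)
        [string[]] $AnyOf,              # at least one must appear (OR)
        [string[]] $NoneOf,             # none may appear (NOT)
        [nullable[datetime]] $SentFrom,
        [nullable[datetime]] $SentTo,
        [string]   $From                # sender address (from:)
    )
    # Multi-word terms become exact phrases; embedded quotes are stripped so a
    # term taken from a ticket or form cannot close the phrase and change the query.
    $quote = { param($t) $t = $t -replace '"', ''; if ($t -match '\s') { '"' + $t + '"' } else { $t } }
    $parts = New-Object System.Collections.Generic.List[string]
    foreach ($t in $AllOf)  { $parts.Add((& $quote $t)) }
    if ($AnyOf)             { $parts.Add('(' + (($AnyOf | ForEach-Object { & $quote $_ }) -join ' OR ') + ')') }
    foreach ($t in $NoneOf) { $parts.Add('NOT ' + (& $quote $t)) }
    if ($SentFrom -and $SentTo) { $parts.Add('sent:{0:yyyy-MM-dd}..{1:yyyy-MM-dd}' -f $SentFrom, $SentTo) }
    if ($From)              { $parts.Add('from:' + ($From -replace '[\s"()]', '')) }
    if ($parts.Count -eq 0) { throw 'Refusing to build an empty query: it would match every item in scope.' }
    $parts -join ' AND '
}

function Invoke-ContentSearchExport {
    # Steps 1-6 of the procedure above. Preview is created before export so the
    # hits can be sanity-checked before anything leaves the tenant.
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $Query,
        [string[]] $ExchangeLocation   = @('All'),   # step 2: all mailboxes
        [string[]] $SharePointLocation = @(),        # step 2: specific site URLs
        [int]      $TimeoutMinutes     = 30
    )
    $create = @{ Name = $Name; ContentMatchQuery = $Query; ExchangeLocation = $ExchangeLocation }
    if ($SharePointLocation.Count -gt 0) { $create['SharePointLocation'] = $SharePointLocation }
    New-ComplianceSearch @create | Out-Null                       # steps 1-3
    Start-ComplianceSearch -Identity $Name                        # step 4
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 20
        $search = Get-ComplianceSearch -Identity $Name
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
    if ($search.Status -ne 'Completed') {
        throw "Search '$Name' is still '$($search.Status)' after $TimeoutMinutes minutes"
    }
    Write-Host "$Name matched $($search.Items) items, $($search.Size) bytes"
    New-ComplianceSearchAction -SearchName $Name -Preview | Out-Null                       # step 5
    New-ComplianceSearchAction -SearchName $Name -Export -Format FxStream `
        -ExchangeArchiveFormat PerUserPst | Out-Null                                       # step 6
    # The container URL and SAS key consumed by the eDiscovery Export tool live on the action:
    Get-ComplianceSearchAction -Identity "${Name}_Export" | Select-Object Name, Status
}

$query = New-ContentSearchQuery -AllOf 'quarterly earnings', 'financ*' -AnyOf 'confidential', 'restricted' `
                                -NoneOf 'draft' -SentFrom '2026-01-01' -SentTo '2026-03-31' -From 'john@meridian.com'
$query

# Assumed tenant values; run only after Connect-IPPSSession:
# Invoke-ContentSearchExport -Name 'Q1-2026-earnings-review' -Query $query `
#     -SharePointLocation 'https://contoso.sharepoint.com/sites/Finance'
```

The helper call produces "quarterly earnings" AND financ* AND (confidential OR restricted) AND NOT draft AND sent:2026-01-01..2026-03-31 AND from:john@meridian.com, which is exactly the string you would paste into the Search conditions step in the portal. Two choices worth copying: the query builder refuses to emit an empty query, because an empty Content search against ExchangeLocation All returns every item in the tenant, and the export is only triggered after the search reports Completed, since an export action against a still-running search captures partial results.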

Activity Explorer monitors behaviour; Content search finds items

Feature         | Activity Explorer                                       | Content search
Purpose         | See what users are DOING with data                      | FIND specific items across M365
Data shown      | Activities: label changes, DLP matches, endpoint events | Content: emails, documents, Teams messages
Best for        | Monitoring trends, investigating behaviour              | Finding specific items for review, investigation, or export
Output          | Activity timeline with filters                          | List of matching items, preview, export
Export          | Activity reports (CSV)                                  | Full content export (emails, documents)
Portal location | Purview → Data classification → Activity explorer       | Purview → Content search

💡 Scenario: Zara investigates a data sharing pattern

Atlas Global’s security team notices unusual external sharing in Activity Explorer — a spike in “DLP override” activities from the marketing department over the past week.

Zara’s investigation:

  1. Activity Explorer: Filter by activity “DLP override” + date range “last 7 days” + location “Marketing SharePoint”
  2. Findings: 45 overrides by 3 users — all sharing client presentations externally with justification “client meeting”
  3. Content search: Search the Marketing SharePoint site for the presentation files modified in the last 7 days (Content search finds the items themselves; which of them went external comes from the override records and the audit log)
  4. Results: 60 documents found — most are legitimate client decks, but 3 contain internal pricing data that should not have been shared
  5. Action: Escalate the 3 pricing documents to the compliance team. Adjust the DLP policy to block pricing data without override.

Review questions

Question: What is Activity Explorer used for?

Answer: Activity Explorer shows a timeline of data-related activities: label changes, DLP policy matches, endpoint events (USB copies, printing), and auto-labeling results. It is used for monitoring trends, investigating user behaviour, and correlating activities with alerts.

Question: What is Content search used for?

Answer: Content search finds specific items (emails, documents, Teams messages) across Exchange mailboxes, SharePoint sites, OneDrive accounts, and M365 Groups. Results can be previewed and exported for investigation or legal review. It searches content, not activities.

Question: Name two search operators you can use in Content search queries.

Answer: AND (both terms must appear), OR (either term), NOT (exclude a term), exact phrases in quotes, wildcards with a trailing asterisk, date ranges with sent: or received:, and sender filters with from:.

Knowledge Check

Priya at Meridian Financial needs to find all emails containing client account numbers sent to external recipients by the trading team in the last 90 days. Which tool should she use?


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.