Collecting from Office 365
Office 365 offers eDiscovery and searching within the platform, for administrators or any authorized users to run searches and review/monitor user activity.
Content Search
This eDiscovery feature has a tool called Content Search, which can search across user mailboxes (active and inactive), public folders, SharePoint Online sites, and OneDrive for Business locations. Content search limits keyword lists to 20 lines, due to issues that arise with large keyword lists. Additionally, Boolean operators (AND, OR, NOT, as well as many others) can be used to narrow down results to a more filtered dataset.
Core eDiscovery
With Core eDiscovery, an admin (or authorized user) can create a case and an eDiscovery hold. Creating a case also provides the ability to add authorized users to the case, perform searches specific to that case, export results, and overall keep the project organized within one space.
Audit Search
Another useful tool within the eDiscovery feature is Audit Search. An audit can be enabled for any users, and once enabled, can track and record specific activities for that user. This is useful for a number of reasons, and especially useful to track a user’s activity if they are suspected of anything malicious. The following outlines the activity that can be tracked:
- User activity in SharePoint Online and OneDrive for Business
- User activity in Exchange Online (Exchange mailbox audit logging)
- Admin activity in SharePoint Online
- Admin activity in Azure Active Directory (the directory service for Office 365)
- Admin activity in Exchange Online (Exchange admin audit logging)
- User and admin activity in Sway
- eDiscovery activities in the security and compliance center
- User and admin activity in Power BI
- User and admin activity in Microsoft Teams
- User and admin activity in Dynamics 365
- User and admin activity in Yammer
- User and admin activity in Microsoft Power Automate
- User and admin activity in Microsoft Stream
- Analyst and admin activity in Microsoft Workplace Analytics
- User and admin activity in Microsoft Power Apps
- User and admin activity in Microsoft Forms
- User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams
Advanced eDiscovery (Only available for some subscriptions)
In addition to these features, there are also advanced features available to those who
have Office 365 E3 with the Advanced Compliance add-on, or an E5 subscription.
Advanced eDiscovery 2.0 is the most recent version, and it offers the ability to further work with the data collected. It allows for deduplication, results refinement, the ability to generate reports to CSV, and so much more.
After searches are completed and data is ready for review, the search results can be previewed within the platform or can be exported for external review. The process taken will vary every time, depending on the needs of your case.
If the need for collecting Office 365 data arises, contact us at ArcherHall to discuss your options!
Sources:
docs.microsoft.com