eDiscovery and audit capabilities of Microsoft 365

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/

Purpose of eDiscovery

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/2-describe-purpose-of-ediscovery

  • During litigation for evidence purposes
  • Search for content in
    • Exchange
    • Groups
    • Teams
    • SharePoint
    • OneDrive
    • Skype
    • Yammer

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/3-describe-content-search-tool

  • Used from compliance center
  • Must be a member of
    • Administrator
    • Compliance officer
    • eDiscovery manager
  • Optionally choose specific locations to search
  • Choose a keyword query

Complete actions on content

  • Export
  • Download
  • Delete the results from user mailboxes
  • Microsoft-supplied PowerShell scripts that can
    • Search specific mailbox and site folders
    • Search mailbox and OneDrive locations for a list of users
    • Create, report on, and delete multiple searches

Core eDiscovery workflow

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/4-describe-core-ediscovery-workflow

  • Basic tool to search and export content in Microsoft 365
  • To access a case you must be a member of eDiscovery Manager
  • Start by creating a case in the Microsoft 365 compliance center
    • Need to specify a name
    • Optional to assign a case number
  • Workflow
    • Create a hold
    • Search
    • Export
    • Download

Create an eDiscovery hold

  • Preserve data relevant to the case
  • It can take 24 hours to create a hold
  • Two options to scope the content that is preserved
    • Infinite hold, where either all content in the location is held or only data returned by a query
    • Date range hold

Search for content in the case

  • Create and run search
  • Specify
    • Key words
    • Message properties such as sent/received date
    • Document properties such as file name or change date
    • Boolean operators such as AND, OR, NOT, or NEAR
    • Sensitive data
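The content search described in this section and the earlier "Complete actions on content" list can also be driven from Security & Compliance PowerShell. This is an added example, not the module's own text or one of the Microsoft-supplied scripts; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the eDiscovery Manager role, and the case name, mailboxes, site and query are constructed placeholders.

```powershell
# Added example: create, run and export a content search from PowerShell.
# Assumes the ExchangeOnlineManagement module and an eDiscovery Manager account.
Connect-IPPSSession

# KQL query combining keywords, a date range and a Boolean operator,
# the same building blocks listed in the notes above (values are constructed)
$query = '(subject:"merger" OR "project falcon") AND received>=2024-01-01 AND received<=2024-06-30'

$search = New-ComplianceSearch -Name "Contoso-Case-01-Search" `
    -ExchangeLocation "alice@contoso.com", "bob@contoso.com" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/falcon" `
    -ContentMatchQuery $query

Start-ComplianceSearch -Identity $search.Name

# Poll until the search finishes; at this stage only an estimate is produced,
# no content has been copied out of the source locations
do {
    Start-Sleep -Seconds 30
    $status = Get-ComplianceSearch -Identity $search.Name
} while ($status.Status -ne "Completed")

"{0} items, {1} bytes matched" -f $status.Items, $status.Size

# Export the results (one PST per mailbox); the package is then downloaded
# from the compliance portal, which also produces results.csv and the manifest
New-ComplianceSearchAction -SearchName $search.Name -Export -Format FxStream
```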

Export content from a case

  • Export data from the case
  • Mailboxes are downloaded as PST or individual messages
  • Documents can be downloaded
  • A results.csv file contains all the information about items that are exported
  • A manifest file (XML) contains information about every search result

Close, reopen, and delete a core eDiscovery case

  • Cases can be closed when the investigation is completed
  • When a case is closed, all holds are turned off
  • 30-day grace period known as a delay hold
  • Helps ensure data is not deleted immediately
  • Main difference between open and closed cases is that holds are turned off
  • If a case is reopened, the holds are not automatically turned back on
  • Active and closed cases can be deleted; this also deletes all searches and exports, and a deleted case cannot be reopened

Advanced eDiscovery workflow

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/5-describe-advanced-ediscovery-workflow

  • Build upon the core system
  • Aligned with the Electronic Discovery Reference Model (EDRM)
  1. Add custodians to a case
    • People who have administrative control
  2. Search custodial data sources
    • Define locations relevant to the case
  3. Add data to a review set
    • Prepare your results for review and analysis
    • Items are copied from their location of origin to a secure location in Azure Storage
    • Data is reindexed to optimize it for review and analysis
  4. Review and analyze data
    • Filter, query, and tag
    • Goal is to analyze the data set down to what is most relevant
  5. Export and download case data
    • Export the data from Advanced eDiscovery for external review
    • Give the data to external investigators
    • Use Azure Storage Explorer to retrieve the data from Azure Storage

Core audit capabilities of Microsoft 365

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/5a-describe-core-microsoft-365

  • View user and admin activity through a unified log file
  • Example: did an admin reset a password?
  • Log is generated from events across Microsoft 365, Dynamics 365, Power Apps, Power Automate, Power BI, Azure AD
  • Log data is preserved for at least 90 days with core audit capabilities
  • It can take 30 minutes to 24 hours after an event for it to be in the audit log search results

Purpose and value of advanced auditing

https://docs.microsoft.com/en-us/learn/modules/describe-ediscovery-capabilities-of-microsoft-365/5b-describe-purpose-value-advanced-auditing

  • Increase the audit log retention
  • Requires either
    • Microsoft 365 E5
    • Microsoft 365 E3
    • Office 365 E3 with Microsoft 365 E5 Compliance
    • Microsoft 365 E5 eDiscovery

Long-term retention of audit logs

  • Exchange, SharePoint, and Azure AD logs are retained for one year
  • Uses default audit log retention policy
  • Retention can be extended to 10 years

Audit log retention policies

  • Default is 1 year
  • Can be extended to 10 years
  • Can be reduced to less than 1 year

Access to crucial events for investigators

  • MailItemsAccessed
    • Mailbox audit
    • Triggered when mail data is accessed by mail protocols or mail clients
    • Helps identify data breaches and determine the scope of messages compromised
  • Send
    • Mailbox audit
    • Triggered when a user
      • Sends an email
      • Replies to an email
      • Forwards an email
    • Content of the message is not displayed; only the metadata
  • SearchQueryInitiatedExchange
    • Triggered when a person uses the search bar in OWA
    • Helps determine if an attacker has compromised an account
  • SearchQueryInitiatedSharePoint
    • Similar to the Exchange event, but for searches in SharePoint
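An investigator working a suspected mailbox compromise would pull the MailItemsAccessed and Send records above and scope which messages were touched. This is an added example, not part of the Microsoft Learn module; it assumes the ExchangeOnlineManagement module, an account with the audit log reader role, Advanced Audit licensing for the target user, and a constructed user and time window.

```powershell
# Added example: collect MailItemsAccessed and Send events for one account and
# summarise them for an investigation. User, window and session id are constructed.
Connect-ExchangeOnline

$user  = "alice@contoso.com"
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# ResultSize is capped at 5,000 per call; SessionCommand/SessionId page through
# larger result sets until a short page signals the end
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
        -Operations MailItemsAccessed, Send -ResultSize 5000 `
        -SessionCommand ReturnLargeSet -SessionId "mailaccess-$user"
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON string on each record; expand it so fields can be grouped
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Bind access is a single message read; Sync access means a client downloaded
# a whole folder, so every item in that folder is potentially exposed.
# Grouping by access type and client IP shows which sources drove the activity.
$events | Where-Object { $_.Operation -eq "MailItemsAccessed" } |
    Group-Object MailAccessType, ClientIPAddress |
    Select-Object Count, Name | Sort-Object Count -Descending

# Send events carry only metadata (subject, message id), never the body
$events | Where-Object { $_.Operation -eq "Send" } |
    Select-Object CreationTime, ClientIPAddress,
        @{ n = "Subject";   e = { $_.Item.Subject } },
        @{ n = "MessageId"; e = { $_.Item.InternetMessageId } }
```

Remember that events can take 30 minutes to 24 hours to appear in audit log search results, so a window that ends "now" may be incomplete.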

High-bandwidth access to Office 365 Management Activity API

  • Access to audit logs was throttled at the publisher level
  • Advanced audit moves the limit from the publisher to the tenant level
  • Customers get their own bandwidth allocation

Last modified July 21, 2024: update (e2ae86c)