This article is contributed. See the original author and article here.
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.
All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.
The Advanced eDiscovery (Aed) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation.
This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery.
It is presumed that you already data to search inside your tenant.
We will only step through a basic eDiscovery case (see the Use Case section).
This document does not cover any other aspect of Microsoft E5 Compliance, including:
- Sensitive Information Types
- Exact Data Matching
- Data Protection Loss (DLP) for Exchange, OneDrive, Devices
- Microsoft Cloud App Security (MCAS)
- Records Management (retention and disposal)
- Overview of Advanced eDiscovery (AeD)
- Reports and Analytics available in of Advanced eDiscovery (AeD)
It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).
It is also presumed you are using an existing Information Types (SIT) or a SIT you have created for your testing.
There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user.
Overview of Document
- Use Case
- Create a Case
- Run an investigation
- Export a subset of data
- Appendix and Links
- Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. This is not the users performing the investigation.
- Collections – This is the actual search being performed. Collections include user, keyword, data, etc.
- Review Sets – Once a collection/search has been performed, the data most be reviewed. This tab is where secondary searches can be done and a review of the data.
- Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI.
- Note – This task is optional.
- Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory.
- Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities.
- Note – This task is optional.
- Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop.
- Export #2 – This is also the term used to export a .CSV report.
- Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real-time.
- Setting – High level analytics and settings and reports, etc.
- Custodian – This is the individual being investigated.
- Core vs Advanced eDiscovery (high level overview)
- Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows.
- Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside council or legal entity. This tool provides a truer work flow for discovery, review, and export of data along with reporting and redacting of data.
- If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix.
- For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing.
- We will not be using all of the tabs in available in a AeD case.
- How do user deletes of data work with AeD?
- If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications.
- If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted.
If you have performed Part 1 of this blog series (creating a Sensitive Information Type), then you have everything you need. If you have not done that part of the blog, you will need to populate your test environment with test data for the steps to follow.
Create a Case
- Click Create Case
- Give the case a Name, Case Number (if applicable), and Case Description, and then click No, just go to the home page.
a. Note – the more you put in the description, the better for reporting later on. So, if you have received an email from HR, Legal, outside council, etc., you can cut and paste that information into the Case Description.
- You will now find yourself in the Case Overview.
- With the case created, we will now run an investigation
Run an investigation
In this section, we will walk through the steps and flow to run a basic eDiscovery case:
- Configure data sources
- Run a collection
- Working with data into a review set
- Export a subset of data
Configure Data Sources
There are 2 ways to indicate what data sources will be searched, custodian or location.
- Select the Data Sources tab and then click Add Data Source. You will have several options. We will choose Add new custodians. This allows you to search across multiple Office 365 applications for a user.
- Type the name of the custodian you want to search. I will only selecting one user at this time, Pradeep.
- Select your Hold Setting. The Hold Setting indicates which users’ data set to place on automatic hold when searched. If you do not select Hold for a user, the user’s data will be searched but not placed automatically on legal hold.
- In the Review section of the wizard, you will see what data locations are being searched and which are placed on automatic hold.
a . Note #1 – Any data location associated with that user will have a number 1 associated with it. If there is no number associated with the data location, then, the user is not determined to have any data in that location. Automatic Hold will be placed on locations where the user has data, per the 2nd step of the wizard.
b. Note #2 – When you edit a custodian, you can change or clear the setting in this screen.
- If you are content with what you see, click Submit. Then click Done on the next screen.
- If wish to search specific locations, and not just users and their associated data locations, you can select Add data locations. Asdf
- You can add SharePoint or Exchange locations. I will add the default SharePoint location of the “The Landing” which is one of my pre-populated SharePoint sites. I will not be adding an Exchange location.
- Then click Add.
Run a Collections
- Now we will run a collection (ie. search) of data. Select the Collections tab and click Add Collection and chose Standard collection.
- Give the collection a name and description and click Next.
- For the custodians being searched (Custodial Data Sources), you can search either a) specific custodians assigned to this case or b) all users associated with your case. I will choose All users. Click Next.
- Next are Non-custodial data sources. These are sites, groups and other sources that are not associated with the custodians that you might want to add to your search. For now, accept the default and select Next.
- If you want to add other locations, other than those associated with the user via their Identity, then you can add them in the Additional Locations part of the wizard. For example, you can search Sarah Smith’s email in addition to Pradeep’s by adding her mailbox in this section. Accept the default and click Next.
- We have come at long last to the search criteria itself. In this section labeled Conditions, you can run searches based on keyword or other conditions.
- For my test I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This stands for 1MB file with SSN information for Advanced eDiscovery testing. I will search against the three names of this inventor.
- Here is a list of those other conditions you can choose from.
- Select the criteria that you want to search. When you are ready, click Next.
a. Note – A common initial search is to search a user or set of users and a date range. Then run a secondary search against a secondary search on a narrower data range, keywords, a subset of users, etc. In Advanced eDiscovery, we will do those sorts of searches in the Review Sets tab which is next.
10. Next is Save Draft or Collection. Here you have the option to save this collection as a draft (meaning the data set is not officially placed on hold) or you can collect items into a review set. We will choose the latter (Collect items and add to review set), and I will add it to a new Review set.
- Note #1 – If you have a case with multiple collections, you might decide to add a collection to a pre-existing Review Set. I do not have one here and so will use a new review set.
- Note #2 – If adding to an existing Review Set, you can select Additional collection settings. Again, we will not do those here as those options are also found in the Review Set section of the eDiscovery too.
- Note #3– placing data in a Review Set does not place that data on hold. That is a done in the Hold tab which will allow you to place a “hold in place” action on data. We will not be performing that in this blog
- Under Collection ingestion scale, I will choose the first option, Add all collection to review set.
- Note – you can chose to add only part of the collection to a review set, if you wish.
- Now review your collection and select Submit and then Done.
- Click Done and move to the Review Sets tab.
Working with data in a Review Set
- Go to the Review Sets tab. Select the review set you just created click Open Review Set.
- Note – You, can also click Add Review Set to create a new review set. The reason to do this is so that you can better organize your future collections.
2. Let us take a tour of this interface. A ribbon across the top will show several options. Let us take a tour of this interface
a. The first ribbon across the top will show several options to narrow your results by Keyword, Date, Sender/Author, Subject/Title, and/or Tags
b. The second ribbon allows for actions against the data in the Review Set: Overview (Summary), Analytics, Actions (download, report, redaction, etc), Tags (legal), and Manage (the collected data).
- If you select a file or email a preview panel will appear on the right. I will select a file. Atop the preview pane you can find options to view the Source file, look at the file in plain text, Annotate the file for redaction, or look at the metadata. I will not be making any annotations to this file at this time.
- I will now export data for review by an external legal team. I am going to highlight some files, and then go to the top toolbar and select Actions->Export. I will give the export a name and fill in the other details as needed.
- Again, I am going to highlight some files, and then go to the top toolbar and select Actions->Export. I will give the export a name and fill in the other details as needed.
- Give the export a name and a description and click leave the rest of the settings at their defaults. Then click Export.
- A job will be created. Click OK. This set of exported data will appear in the Exports tab.
Export a subset of data
- On the Exports tab, click on your export. A window will appear on the right which will tell you if your export was successful. If so, you can now download it along with a summary report to your local machine and then hand it over to outside council as needed.
- Congratulations! You have now have now completed a basic Advanced eDiscovery case and have finished this blog series.
Appendix and Links
- Overview of the Advanced eDiscovery solution in Microsoft 365 – Microsoft 365 Compliance | Microsoft Docs
- Work with custodians in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs
- Search the audit log in the Security & Compliance Center – Microsoft 365 Compliance | Microsoft Docs
- Work with processing errors in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs
- Export case data in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs
- Manage jobs in Advanced eDiscovery – Microsoft 365 Compliance | Microsoft Docs
Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such. Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.