MS-101 Microsoft 365 Mobility and Security Topic: Managing Search and Investigation
December 16, 2022

1. What is Content Search?

In Microsoft 365, you have the ability, if need be, to set up an eDiscovery search, where you set up a case and search for specific content in response to eDiscovery requests. But there are times when you don’t need to go through all of that formal process just to look for some content that has nothing to do with litigation. In that case, you can leverage Content Search. Content Search has the capability of searching across the entire environment. Whether it be instant messaging, documents, or emails, it doesn’t matter. And the neat thing about a content search is that it’s extremely scalable, which means that as we start doing more searches, it can scale out the search engines so we get a faster result.

In addition to that, unlike eDiscovery, Content Search is not limited in terms of the number of searches that it can go out there and do. I’m not limited to just, say, 10,000 mailboxes. I can search my entire environment without worrying about any of the limits that would otherwise be imposed on me in an eDiscovery search environment. In addition to that, when I do the search, I’m going to get a nice summary that gives me an estimate of the search results and shows me how many items matched the terms that I’m searching for in my environment, and I get a nice display of that in the details of the search result. I have the ability to do these searches, but only if I am a member of the eDiscovery Manager role group in the Security and Compliance Center. Now, the interesting thing is that I’m searching SharePoint sites, Exchange sites, and instant messaging, but I don’t have to be a SharePoint administrator or an Exchange administrator. Just make me an eDiscovery Manager, and I can search across the entire environment without having to have those individual administrative roles.

2. Creating a Content Search

If you’re given the right permissions to be an eDiscovery Manager in the Security and Compliance Center, you’ll have the ability to complete a content search. In the Security and Compliance Center, I’m going to scroll down to the Search section, and in the Search section, you’ll see the ability to create a content search. So let’s just go ahead and click on Content Search. In the content search environment, there are multiple ways that you can actually do a content search. If you have a specific ID for, say, an email message, you can just search for that specific message if you want to. Or you can do a new search, where you just click it, fill out all the information, and start the search. Or you can do what’s called a “guided search.” When you choose guided search, it’s basically going to walk you through a little wizard format to set up the search. The truth is, whether I do a guided or a new search, I’m filling out basically the same information. It’s just the way it’s presented to me.

Let’s go ahead and give this search a name. We’ll just call this our demo search. I’m not going to worry about the description in here right now. Now, notice I can choose my location. I have the ability to choose various locations where I want these searches to actually occur. In this case, we can select all locations if we want to, so everywhere that there’s data, this search will include it. We’ll click Next on there, and then I’ll start entering the keywords. Now, I can show it as a list if I want to. And so, let’s say we wanted to search anywhere where the word “aroma” happened to show up. That would be a lot of places, I’m sure. How about the word “Ethan”, if we want to look for our good friend Ethan to see if he’s there? We could put some conditions in there if we wanted to. For “aroma” and “Ethan”, for example, let’s go ahead and finish that up and start our query. So now it’s going through and actually doing the search across the entire environment to see where those items appear. Once the search completes, it’s going to display a preview of some of your search results. Out here, we can actually take a look and see some of these things. Some of them will have preview capabilities that can be shown; others may not.

Most of these look like they’re going to be things in the SharePoint environment here. It looks like somebody made a request for some bereavement in the organization. We can also download those original items if we want to. And as you can see, I have the option of viewing 5100 results per page. I can go through and open this up and see the individual results. I can also look at my search statistics to see what was found overall. It looks like we found almost 11,000 different items between Exchange mailboxes and SharePoint sites that contain either the word “Ethan” or the word “aroma”. Now, if we drop down the More button, I can export the report, which will give me a report on the information itself, or I can actually export the results. And if I export the results, for all the emails, it’s going to put them into a PST file; for any of the sites, it will put them into an MHTML file for me. And if there were any documents that were responsive, I’d get them all zipped up into one document folder, so I have the ability to pull those things out and look at them later or offline if I wanted to. That’s using Content Search in 365.
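
The same demo search can be scripted from Security & Compliance PowerShell. This is an added example, not part of the original lesson; it assumes the ExchangeOnlineManagement module is installed and the signed-in account is in the eDiscovery Manager role group, and the search name and polling interval are illustrative.

```powershell
# Added example: scripted equivalent of the portal walkthrough above.
# Assumes the ExchangeOnlineManagement module and eDiscovery Manager membership.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$searchName = 'Demo Search'      # illustrative name
$query      = 'aroma OR Ethan'   # KQL: items containing either keyword

# "All locations": every mailbox plus every SharePoint and OneDrive site.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery $query | Out-Null

Start-ComplianceSearch -Identity $searchName

# Poll until the service reports completion, giving up after about 30 minutes.
$attempts = 0
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host "Status: $($search.Status)"
    $attempts++
} while ($search.Status -ne 'Completed' -and $attempts -lt 60)

if ($search.Status -ne 'Completed') {
    throw "Search '$searchName' did not complete in time (status: $($search.Status))."
}

# The same estimate the portal shows under search statistics.
$search | Format-List Name, ContentMatchQuery, Items, Size, UnindexedItems

# Stage a preview of matching items, as the portal's preview pane does.
New-ComplianceSearchAction -SearchName $searchName -Preview | Out-Null
Get-ComplianceSearchAction -Identity "${searchName}_Preview" |
    Format-List Name, Status
```

Because this role group can read content across every mailbox and site without holding Exchange or SharePoint admin roles, its membership is worth reviewing on a schedule.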

3. Auditing in Microsoft 365

With Office 365, you have the ability to have auditing go across your entire environment. If you use auditing, it will track all of the user activity as well as administrative activity in your 365 tenant. Somebody opens something up, creates something, or assigns somebody some permissions to it: we’re going to have that as an audited activity so that we can actually track what they’re doing. Now, it’s not on by default; it’s there, but you actually have to go into the audit environment in the Security and Compliance Center and click the on button first. After you turn it on, it typically takes about 24 hours before you start seeing results. When you do audit searches, if you want to be able to look at the audits, you have to have at least the “View-Only Audit Logs” role or the “Audit Logs” role in Exchange Online. That’s right, I mentioned Exchange Online. It’s interesting that the audit logs that appear in the Security and Compliance Center are actually managed and controlled in Exchange Online.

That’s where all the auditing is actually taking place. And that auditing includes activities in Teams, activities in SharePoint, OneDrive, and so on, but it’s actually being done under Exchange Online. So if you wanted to give somebody the right to view or work with the audit logs, you actually assign that role-based access control permission in Exchange Online. Now, for the audit logs, it’s going to keep that activity automatically for 90 days. So you have 90 days during which we can go back and actually look at something. If it goes to 91 days, 95 days, or something like that, and you need it to go back that far, you’re not going to have that information available. If you need your logs to go beyond this, some people may consider integrating it with Log Analytics and Exchange in Azure, as well as Logan. You can connect your Office 365 environment to it and have it start storing those logs in a storage account in Azure. That gives you a little bit more time, so you don’t have to worry about the 90-day limit there. But otherwise, just know that after 90 days, any activity will be gone.
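
The checks described above (is auditing on, and can events be kept past the 90-day window) can be scripted in Exchange Online PowerShell. This is an added example, not part of the original lesson; it assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs or Audit Logs role, and the seven-day window and output path are illustrative.

```powershell
# Added example: confirm auditing is on, then archive recent events to CSV
# so they outlive the 90-day retention described above.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # use Exchange Online, not Connect-IPPSSession, for this check

# Auditing must be switched on before anything is recorded.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit ingestion was off; enabled now. Expect about 24 hours before results appear.'
}

$end     = Get-Date
$start   = $end.AddDays(-7)               # illustrative window; schedule weekly
$session = "archive-$(Get-Date -Format yyyyMMddHHmmss)"
$outFile = '.\audit-archive.csv'          # illustrative path
$all     = @()

# Page through the result set; repeated calls with the same SessionId
# return the next batch until nothing is left.
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) { $all += $batch }
} while ($batch)

# AuditData is a JSON string; flatten the fields an investigator needs first.
$all | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime = $_.CreationDate
        User         = $_.UserIds
        Operation    = $_.Operations
        RecordType   = $_.RecordType
        Workload     = $d.Workload
        ObjectId     = $d.ObjectId
        ClientIP     = $d.ClientIP
    }
} | Export-Csv -Path $outFile -NoTypeInformation -Append

Write-Host "Archived $($all.Count) audit events to $outFile"
```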

4. Searching Audit Logs

If you would like, you can actually set up what’s called an “audit policy” in SharePoint Online so you can audit various activities, like somebody modifying the task lists, updating items in the list, adding items, deleting items from the calendar, or working with documents. You have the ability to configure it based on document types. You must access your site settings, and in your site settings go under Web Designer Galleries. There, you’re going to click on Site Content Types, and then within your Site Content Types, you’ll have the ability to define the types of things that you want to audit, like email messages, calendar items, and the like. And then we have the ability to create a content-type policy template to dictate what we want to track.

If somebody edits the document, or somebody checks the document out, which means that they’re going to lock it for anybody else online and have it offline for a period of time, you can track that. You also have the ability to have that audit track if someone deletes an item within that library. But you do need to go into your Web Designer Galleries and Site Content Types to figure out which content types you want to audit. And then you need to go into the Site Collection Administration and actually set up a policy to enable the auditing for that type of object.
