MS-500 Microsoft 365 Security Administration Topic: eDiscovery, Reporting, Auditing and Alerts
December 16, 2022

1. Introduction to eDiscovery in Microsoft 365

So if you’re not really familiar with the concept of eDiscovery and forensics: forensics involves capturing evidence and information that could be used as evidence in a legal court of law. When you think about it, it’s kind of funny how people get caught up in this sort of thing. You might be the person who has to collect evidence for some kind of legal case that’s going on in your company or organization. There may have been some kind of crime, and you’re expected to grab information and be able to present it. Or you might have to assist a legal team in getting information and be able to provide it very, very quickly.

So Microsoft has a set of tools to help and assist you in your cloud-oriented environment with all of the documents you are managing. Microsoft has eDiscovery, a suite of eDiscovery tools and systems that are linked to the various Microsoft cloud products. You can search the contents of Exchange Online mailboxes; Office 365 Groups and the collaboration going on there, including Teams; SharePoint Online; OneDrive for Business, the documents stored in people’s cloud storage; and of course Skype for Business conversations.

All of that ties into your eDiscovery system in Microsoft 365. There are actually quite a few different sets of searches and tools that can be utilized to assist in this, not to mention the fact that you can export this to third-party tools. So those of you who have done forensics with some of the other forensic tools out there, like Autopsy or OSForensics, can have some of this information exported out to those tools as well. So eDiscovery not only has its own built-in tools for scanning cloud services, but it also has ways to export. So, more about eDiscovery.

So with eDiscovery, you’re going to open what is called an eDiscovery case, okay? Now there are two ways of going about this. An eDiscovery case is the basic eDiscovery system you can use, and there’s also what’s known as Advanced eDiscovery, which I’ll look at in just a second. Okay? So in an eDiscovery case, opening the case is the first step. You open a case, and then you add members who are allowed to have access to that case, so that other users, including yourself, can go in and look at the discovery information you’ve pulled in. You can put a hold on specific content locations.

For example, I could put a hold on email if I wanted to. I can do custom searches, specific searches that pertain to certain keywords or certain sensitive pieces of information. I can save those searches for later, maybe present them to someone, and then I have the ability to export the search results so they can be pulled into some of the other forensic tools people like to use. Now, as I mentioned, you’ve also got Advanced eDiscovery. Okay? As you can tell by its name, it’s a more advanced system. What they call it is a more advanced workflow: a system that you step through for preserving, collecting, reviewing, and then obviously exporting, which I’ve mentioned, to essentially put together a good body of evidence that’s going to be used.

So if any of you have done forensics in the past, you might have heard of a term called the “chain of custody,” and that’s obviously very important, including in the cloud environment. Chain of custody involves being able to collect all this evidence and then keep that information safe and secure, and monitored, audited, and logged, among other things. You’ll need to be able to prove the chain of custody if this goes to court. So the eDiscovery system that Microsoft has put together is definitely in line with keeping that chain of custody so that it can be proved. Obviously, if you have collected evidence in your environment and you are unable to prove the chain of custody in a court of law, the chain of custody is deemed broken and the case is dismissed. A judge is not going to allow that evidence unless you can prove it. So this is all part of that Advanced eDiscovery.

In eDiscovery cases, proving the chain of custody entails gathering this information, keeping it safe, and ensuring that it has not been tampered with. Okay. Another thing about Advanced eDiscovery is that it has a few more capabilities that allow a legal team to get full access to what they need in order to do a legal hold; basically, it assists them throughout the entire legal process. So Advanced eDiscovery is more along the lines of dealing with a group or a team of people that need to do an investigation, whereas the regular eDiscovery is more along the lines of one or two people who just need to collect some information to present. Okay, so the Microsoft eDiscovery system is a pretty nice little system. They’re adding new features to it all the time. It’s one of those things that I think, over the course of time, you’re going to notice is going to look a little different. They’re adding more and more advanced features as time goes on. But all in all, it’s a good system, and it’s a pretty easy system to use.

2. Demonstration for adding privileges to a user to manage eDiscovery

In this demonstration, I want to walk you through assigning a role that’s going to allow somebody to work with eDiscovery. Okay? So our first step is to go to Admin, Show all, and go to Security. As always, that takes us to Security & Compliance. And when you’re going to set up some roles to give some rights to somebody in the Security & Compliance Center, you’re going to click on Permissions. We’re going to choose Permissions. Let’s scroll down.

And the role I’m looking for is known as eDiscovery Manager. So let’s go ahead and click on that and take a look at what we’ve got here. The eDiscovery Manager role covers the following tasks: searches and content locations, holds on mailboxes, SharePoint Online sites, and OneDrive for Business. So if I was being told, let’s say in an exam scenario, that I needed to give somebody the privileges to be able to place holds on mailboxes, SharePoint Online sites, and all that good stuff, then I would need to work through the process of giving them the eDiscovery Manager role.

So this is where I would go to do that: select the role. Okay, I’ll scroll down to eDiscovery Manager, which is right here, and I’m going to edit it. All right. And then at that point, I would choose who my manager was going to be. Now in this case, if you’ve already got a user listed (as in my case, I have Aaron Jones), then that might be the user I want to keep there. Or I could edit this and add other users simply by clicking Add. Okay, so if Aaron Jones was the person I needed to be able to do this, then great, I’m done. If I needed to add another user, I would click Add, add the user you want, click Done, and click Save. And you’ve now officially given this user the privilege of being an eDiscovery Manager and placing holds on mailboxes and all that good stuff.

3. Stepping through the hands on tutorial for assigning eDiscovery Manager rights

Drop down the little Show all ellipsis. Go to Security, which takes us to the Security & Compliance Center. In this instance, we’ll go to Permissions and choose the “eDiscovery Manager” role. We’re going to edit this eDiscovery Manager role and choose eDiscovery Manager. We’re going to add the user, Aaron Jones. Click “Add,” “Done,” and “Save.” And we’ve now officially added that user as an eDiscovery Manager. So we’re just going to save it and close it, and we’re good. We’ve now officially finished the little tutorial.
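The same role assignment done from Security & Compliance PowerShell, as an added example that is not part of the course. It assumes the ExchangeOnlineManagement module is installed and that the admin UPN and the display name “Aaron Jones” are placeholders for your own tenant.

```powershell
# Added example (not from the course): assign the eDiscovery Manager role group
# from PowerShell and verify it, instead of clicking through Permissions in the portal.
# Assumptions: ExchangeOnlineManagement module installed; placeholder admin UPN;
# Get-RoleGroupMember reports members by display name, so we compare on that.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder admin UPN

$RoleGroup     = 'eDiscovery Manager'
$NewMemberUpn  = 'aaron.jones@contoso.example'                   # placeholder UPN
$NewMemberName = 'Aaron Jones'                                   # display name used for the check

# Record the current membership so the change can be reviewed afterwards.
$Before = (Get-RoleGroupMember -Identity $RoleGroup).Name
Write-Host "Members of '$RoleGroup' before: $($Before -join ', ')"

if ($Before -contains $NewMemberName) {
    Write-Host "$NewMemberName is already an eDiscovery Manager; nothing to do."
} else {
    # Portal equivalent: Permissions > eDiscovery Manager > Edit > Add > Done > Save
    Add-RoleGroupMember -Identity $RoleGroup -Member $NewMemberUpn
}

# Verify the assignment actually took effect.
$After = (Get-RoleGroupMember -Identity $RoleGroup).Name
if ($After -notcontains $NewMemberName) {
    throw "Role assignment failed: '$NewMemberName' is not a member of '$RoleGroup'."
}
Write-Host "Members of '$RoleGroup' after:  $($After -join ', ')"

# Least-privilege check: an eDiscovery Manager only sees cases they are a member of,
# while an eDiscovery Administrator can open every case in the tenant. List the
# administrators separately so that elevated access gets reviewed on its own.
Write-Host "`neDiscovery Administrators (access to all cases):"
Get-eDiscoveryCaseAdmin | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```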

4. Demonstration using eDiscovery and placing a hold on a user

Okay, in this demonstration, I want to walk you through the eDiscovery process. We’re going to jump into it, create a case, and learn how we can put a legal hold on a specific user’s mailbox for a certain keyword, right? So I’m going to go ahead and drop down the Show all ellipsis here. I’m in the portal. I’m going to go to Security, which is going to take us to Security & Compliance. We’re going to scroll down and go to eDiscovery. So we’ve got this nice little eDiscovery dropdown here: as I mentioned, there’s regular eDiscovery, and then there’s Advanced. In this case, we’re going to do regular eDiscovery. We’re going to create a case and give it a name; in this case it’s a legal hold for the user. We’re going to hit Save, and then from there, we’re going to go ahead and click Open to open that case up, all right?

At that point, we can click on “Holds.” We’re going to click to create a hold and give it a description here. So we’re going to put a legal hold on the user, and we’re going to go ahead and hit Next. All right? From there, we’re going to specify the users we want to include. So we’re going to say “Choose users, groups, or teams.” We put in the user’s name. Let’s say the user we want to do this for is Alex. We’re going to search, and it’s going to look for our users. And there is Alex Jones. We’re going to choose Alex Jones and click Done. And at that point, we have these options here. These are the locations we’re choosing. All right, you can also choose sites like SharePoint sites and all that if you want.

We can even include Exchange public folders if we want. We’ll click “Next” on that, all right? And this is where we can add a keyword. So maybe we’re looking for a particular keyword for this user that they’ve maybe used in an email, and we’ll use “payroll,” which we’ve used in the past, for example. We could add other conditions if we wanted: date, sender, size, subject, compliance labels, message class, participants, and all sorts of other conditions. We can throw those in there. Maybe the email is being sent from this person to somebody outside our organization; we could throw a condition in there for that if we wanted. Okay, in this case, I’m not going that deep into it. I just want to simply create an eDiscovery hold for this user for anything that contains the keyword “payroll.” So I’m going to go ahead and click Next, and there is the information for us to review. If I wanted to go through and edit any of these right now, I could obviously do so. And I’m going to say “Create this hold.”

Okay? And at that point, we’ve now created our little hold on the user. We could also, if we wanted to, do some searches just by clicking on Searches. We could do a new search, put in a keyword here, and this is going to help us find out right out of the gate whether this person has actually violated anything. This collects evidence, and we can save these searches as well. So we can create the search and run it. It would show up over here, all right? And then we can save that search if we want. We can also choose specific locations. We can say all locations, locations on hold, or specify a specific location if we want as well. Then we could save and run. Another option is to export. We can export this information and put it in a format that could be available for another search tool or another forensics tool. Okay? And then from there, we’ve basically created our hold. If we wanted to switch this over to Advanced eDiscovery, we would have more options to consider.

5. Stepping through the hands on tutorial for placing an eDiscovery Hold

Then we’d click the Show all ellipsis and go to Security, which takes us to the Security & Compliance Center. We’re going to drop down eDiscovery, click on eDiscovery, create a case, and give the case a name. In this case, it’ll be “Hold for Payroll” keyword. And then we’re going to click “Save.” Let’s open the case.

We’re going to click on Holds, then click Create. All right. From there, we’re going to give that thing a name. In this case, it will be called the “Hold for Payroll” keyword. We’re going to click Next and choose our users, groups, or teams. From there, we would select the user we wanted. In this case, it’s the user Alex. We’re going to search, and there’s Alex right there. We’re going to select Alex, click Done, click Next, put in our keyword, the word “Payroll,” and then click Next again, and then create this hold. All right. And we’ve now officially created our little hold. Pretty straightforward, without having to go through the advanced side of things for that. This is just a basic hold on a user.
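The whole “Hold for Payroll” procedure from sections 4 and 5 (case, hold, search, export) scripted in Security & Compliance PowerShell, as an added example that is not part of the course. It assumes the ExchangeOnlineManagement module, an account holding the eDiscovery Manager role, and placeholder UPNs for the admin and for “Alex”.

```powershell
# Added example (not from the course): case + hold + search + export for the
# "Hold for Payroll" scenario. All UPNs are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'    # placeholder admin UPN

$CaseName   = 'Hold for Payroll'
$Custodian  = 'alex.jones@contoso.example'    # placeholder for the user "Alex"
$Keyword    = 'payroll'                       # KQL: matches the word anywhere in the item
$PolicyName = "$CaseName policy"
$SearchName = "$CaseName search"

# 1. Open the case (portal: eDiscovery > Create a case > Save); reuse it if it exists.
if (-not (Get-ComplianceCase -Identity $CaseName -ErrorAction SilentlyContinue)) {
    New-ComplianceCase -Name $CaseName -Description 'Legal hold on a mailbox for the payroll keyword' | Out-Null
}

# 2. A hold is a policy (which locations) plus a rule (which content).
#    Portal: Holds > Create > Choose users > Next > keyword > Create this hold.
New-CaseHoldPolicy -Name $PolicyName -Case $CaseName -ExchangeLocation $Custodian `
    -Enabled $true -Comment 'Preserve mail that mentions payroll' | Out-Null
New-CaseHoldRule -Name "$CaseName rule" -Policy $PolicyName `
    -ContentMatchQuery $Keyword | Out-Null    # omit -ContentMatchQuery to hold everything

# 3. Verify the hold actually reached the mailbox before relying on it for chain of custody.
$Hold = Get-CaseHoldPolicy -Identity $PolicyName -Case $CaseName -DistributionDetail
if ($Hold.DistributionStatus -ne 'Success') {
    Write-Warning "Hold distribution status is '$($Hold.DistributionStatus)'; re-check before exporting."
}

# 4. Search inside the case (portal: Searches > New search > Save & run), then wait for it.
New-ComplianceSearch -Name $SearchName -Case $CaseName `
    -ExchangeLocation $Custodian -ContentMatchQuery $Keyword | Out-Null
Start-ComplianceSearch -Identity $SearchName
$Attempts = 0
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
    $Attempts++
} while ($Search.Status -ne 'Completed' -and $Attempts -lt 40)   # give up after ~10 minutes
if ($Search.Status -ne 'Completed') { throw "Search did not finish: status $($Search.Status)" }
Write-Host "Search '$SearchName' matched $($Search.Items) item(s), $($Search.Size) bytes"

# 5. Queue an export (portal: Export results) so the data can go to another forensic tool.
#    The files themselves are downloaded afterwards with the eDiscovery Export Tool.
New-ComplianceSearchAction -SearchName $SearchName -Export -Format FxStream | Out-Null
Get-ComplianceSearchAction -Identity "${SearchName}_Export" | Format-List Name, Status

Disconnect-ExchangeOnline -Confirm:$false
```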

6. Working with Security Reports in Microsoft 365

I’d like to take a moment and look at the different security reports that we have in our Microsoft 365 environment. Now I will say this: this is something that is, I think, growing. I think Microsoft is still adding new stuff and making changes to it. It might even still be in its infancy. But they’ve come a long way already. And I do feel like, as time goes on, they’re going to really add a lot of reporting capabilities that we can take advantage of. But to get there, you must first go to the admin portal, click on the Show all ellipsis, and then click “Security.” This is going to bring you into the Security and Compliance Center. So we’ll bring this up and look down here toward the bottom, where it says Reports. Okay? So we can drop down Reports, and we’re going to click on Dashboard. Okay, so here is our reports dashboard.

Now, unless you’re in an environment where a lot is going on, you’re not going to see much here. If you set up a new tenant to practise with or whatever, there’s not really a lot here you’re going to gain, unless you start trying to hack your own environment or something. Then maybe you’ll start seeing some options. But as you can see, there are spoof domains that have failed authentication over the past 30 days. So that would involve your domain names. There are impersonations received over the last seven days. So if something like Advanced Threat Protection has detected an impersonation, that would show up here. So you’ve got some of your available reports. Now, we’ll get into scheduling reports in a minute. I haven’t scheduled any reports, so there are no reports available. One thing you can do is click through some of these reports, bring them up, and schedule them to generate a report at a certain time. In some cases, especially if you are trying to create a special report and there’s a lot of data, it’s going to take some time to process. And once it’s done, the report will become available here, but it’ll also be available for you to download, which I’ll show you in a second.

Okay. So from there, I’ve got how labels were applied. If any labels have been applied with the help of Azure Information Protection, and for data loss prevention policies, you can look at false positives. So as you can see, things have been good on my end. I haven’t read any of the sections here. All right, this is definitely something you should pull up and take a look at. As far as the exam and all that are concerned, I really wouldn’t worry about getting any kind of simulation on this. But they do expect you to at least know that, hey, you can look at reports here. You’ve got spoof detections; you’ve got spam detections. As you can see, all the email that I’ve had recently has been good; I haven’t had any bad email there. I’m not aware of any incidents involving data loss prevention. Connector report: there is no issue there. So when you get into things like connectors, you start talking about things like Exchange and how Exchange Online is receiving email and sending email out. And then there’s all that encryption reporting, which deals with encryption on our users’ end: again, Exchange Online mail flow and whether or not that email has been encrypted.

Now you can click on these reports. So, like, if I go here to this mail flow report and I want to see more information on it, I can click on it, and it will show me the information here. This is all done through Microsoft’s Graph API and their business intelligence engine, Power BI; all of that plays a role in this. But the Graph API is what’s showing you these different graphs that you can look at. You can also, again, create a schedule if you want and set a certain schedule that is going to generate a report, okay? And then, when you do that, you can manage all this. It says Manage schedules over here. You can click on that to see any of your scheduled reports.

And then, when a report gets generated, especially if it’s a big report where it’s got to pull a lot of data, you can choose Reports for download, and those reports will be right here. Okay? That’s what’s going to happen when you go through the process on your dashboard of specifying the things you want to look at: if you’ve got a lot of data in your company and a lot of things going on, it’s going to take a long time to process. In my case, with this little tenant, I don’t really have much going on, so it’s able to generate it relatively quickly.

But I encourage you: if you’re in an environment right now that’s got a lot going on, you’re not really going to hurt anything by generating reports. So if you can log on to your own tenant, if you’ve got a big tenant or whatever, to check out some of these reports, I encourage you to do that, because there’s a lot of insight you can gain from pulling this information.

So anyway, reports are pretty easy to use. Again, I do feel like they’ve come a long way, but I feel like they’ve got a long way to go in terms of adding lots of great little features for us to filter all this stuff. And I think Microsoft is definitely moving in that direction, but it’s going to take some time to give us a lot more filtering capabilities. That’s really what I’d like to see. I’d like to see more ability to pull these reports up and filter them a little bit more than what we’ve got. Now, don’t get me wrong. You can pull the report into a CSV spreadsheet or something, and you can filter with something like Excel. But I think as time goes on, they’re going to start adding a lot more in terms of being able to control what we’re looking at and the kinds of reports we want, customizing things a little bit more. Okay? But all in all, as you can see, Reports is a pretty straightforward drop-down menu that we can play around with in our Security & Compliance Center.

7. Working with Auditing Alerts and Content Searches in Microsoft 365

Let’s talk now about the process of doing searches and looking at the audit side of things with Microsoft 365. So here we are in the portal. You can click on Show all, then Security, which will bring you back into the Security & Compliance Center. Once you get into the Security & Compliance Center, if you look to the left, you’ll notice that you can drop down right here where it says “Search.” And if you click “Search,” you’ve got the option to do a content search. So I can click on “Content search,” and this is going to allow me to search for particular content in my environment. This is along the same lines as what we’ve got with eDiscovery. So I can do a new search if I want. I can search based on keywords. Okay?

So if I were trying to search for a keyword like “budget,” I could say “Save & run.” Now, if I want, I could go ahead and save the search; then this could be used in eDiscovery as well if I wanted. But I could go ahead and save and run. The other thing you’ve got to notice is that you have to specify locations. If you want to choose specific locations, you can choose “Modify” or “All locations.” Again, keep in mind that this can take a long time if you’re working in a large environment; it could take hours and hours, possibly even days, in a very large environment. So you might want to keep that in mind if you’re doing, you know, a certain keyword search here. This is along the exact same lines as what we have in eDiscovery.

So it’ll go through and search, and if it locates any locations that have the keyword budget, and I’m talking Exchange, SharePoint, and OneDrive, it’ll look for that keyword in the files in those locations, even Teams messages, and it will pull that information and let me analyse it. And I can export this as well if I want to. Okay? Jumping back over here, we also have audit log search. So with the different auditing capabilities that Microsoft 365 has, you can also do audit log searches. You can choose a specific date and time, a start point and an end point. You can search based on date and time, IP address, the user, the activity they performed, or the item that was involved. You can have a start date and an end date on that if you want. You can specify the name of the user that you want to look at, and then you can do a search. You can even create a new alert policy if you want.

Okay, so I could come up here and name it “Test custom alert.” Okay, then under “Send this alert when,” you drop that down and choose the activities the person has performed. So they may have printed a file, deleted a file, renamed a file, or created a file. All these different options are here; take a look at some of the different options you have. I mean, there are a ton of options here: checked out a file, copied a file, discarded a file check-out, moved a file, restored a file. I mean, look at all this stuff you can do involving just monitoring the different files you’ve got. Okay, let’s go with deleted a file, right?

So we’ll set that as one of our conditions. You can have it trigger on a single occurrence, or only after multiple occurrences if you want. You can specify a particular user if you want. Like if I wanted to do Alex Rogers, I could select that user, and then I could say, “Send an alert to,” and we’re going to send the alert to the MOD Administrator, the admin. So that’s [email protected]. So then I would click Save, and I’ve now created that alert. So anytime Alex Rogers deletes a file, it’s going to generate an audit log entry that I can search through, but it will also appear under Alerts. I can click “View alerts.” Okay? It’s going to show me any alert activity that I have. And you can actually create more of these alert policies here as well.

So there’s actually a fair bit of control you can get with auditing and all that. Really, if you take the exam, I really wouldn’t worry too much about getting any hands-on activities on this particular topic, but they definitely want you to understand what an alert is and the fact that you can also look through the audit log and all that. Keep in mind that the very first time you go into the audit log, your auditing won’t be turned on. So you do have to turn it on. I’ve already turned it on in my case, but when you turn it on, the sad part is that it can take about 24 hours before it actually becomes active. So if you go in here now and turn this on, it could take a while, and supposedly Microsoft is going to change that. So, hopefully, things have already changed for you. However, when this video was being recorded, they required you to click to enable it, and it would take 24 hours to become active. Okay. So, of course, I do like to keep my stuff updated. So if it seems like something’s out of date here, just make sure you message me, and I’ll make sure things get updated. But all in all, as you can see, this is a lot like working with eDiscovery, to be honest. So you can jump around and manage your settings and stuff pretty easily through this.
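The audit-log part of this section scripted in PowerShell, as an added example that is not from the course: it checks that unified audit logging is on, searches the log for the watched user’s file deletions over a date range, flattens the JSON audit record, and creates the “Test custom alert” policy. It assumes the ExchangeOnlineManagement module and placeholder UPNs for the admin and for “Alex Rogers”.

```powershell
# Added example (not from the course): audit log check, audit log search, and the
# custom alert policy from the demo, done with Exchange Online and S&C PowerShell.
# All UPNs are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # audit log cmdlets
Connect-IPPSSession    -UserPrincipalName 'admin@contoso.example'   # alert policy cmdlets

$Watched = 'alex.rogers@contoso.example'   # placeholder for Alex Rogers
$Notify  = 'admin@contoso.example'         # placeholder for the MOD Administrator

# 1. A fresh tenant has auditing off; check (and enable) before searching.
$Cfg = Get-AdminAuditLogConfig
if (-not $Cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit logging was just enabled; events may take a while to appear.'
}

# 2. Audit log search with the same filters as the portal form: date range, user, activity.
$Start  = (Get-Date).AddDays(-7)
$End    = Get-Date
$Events = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -UserIds $Watched -Operations FileDeleted `
            -ResultSize 5000 -SessionCommand ReturnLargeSet

# AuditData is a JSON string; pull out the fields an investigator actually wants.
$Deletions = foreach ($e in $Events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $e.CreationDate
        User     = $d.UserId
        ClientIP = $d.ClientIP
        Workload = $d.Workload        # e.g. SharePoint or OneDrive
        Item     = $d.ObjectId        # full URL of the deleted file
    }
}
$Deletions | Sort-Object Time | Format-Table -AutoSize
Write-Host "$(@($Deletions).Count) FileDeleted event(s) for $Watched since $Start"

# 3. Alert policy: "Send this alert when" the watched user deletes a file.
#    AggregationType None means every single occurrence raises an alert.
if (-not (Get-ProtectionAlert -Identity 'Test custom alert' -ErrorAction SilentlyContinue)) {
    New-ProtectionAlert -Name 'Test custom alert' `
        -Category Others -ThreatType Activity -Operation FileDeleted `
        -UserId $Watched -AggregationType None -Severity Low `
        -NotifyUser $Notify `
        -Description 'Alert when Alex Rogers deletes a file' | Out-Null
}
Get-ProtectionAlert -Identity 'Test custom alert' |
    Format-List Name, Operation, UserId, NotifyUser, Disabled

Disconnect-ExchangeOnline -Confirm:$false
```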
