Back to blog

Exploring the Security and Compliance Center – Part 6: Search and Investigation

Jun 7, 2016 by Emma Robinson

This is one of the last posts in our exploration of the new Office 365 Security and Compliance Center. (Read the full blog series here First ImpressionsReportsPermissionsData Loss PreventionData Management and Service AssuranceSearch and Investigation, and Alerts)
No time to read the full series now? Download our white paper ‘Getting Started with the Security and Compliance Center’ which includes all the blogs on Office 365 Security and Compliance. Get your copy here 
The section we’ll be focusing on here is Search and Investigation.
No matter the context, it is always frustrating when you can’t find what you need when you need it. Phone, keys, a missing sock – we’ve all done it, but it’s all the more frustrating when the item you’re looking for is business-critical, and in data-form, meaning that you have to rely on keywords, dates, and potential locations to try and unearth it (there’s no option to look down the back of the sofa, or under the bed).
The Search and Investigation feature of the Security and Compliance Center aims to alleviate these frustrations as they occur through enhanced search capabilities, as well as putting ‘the tools in place that inform you of the various activities that are going on in your organization, so you can quickly assess them and, if needed, take action.’
Let’s take a look at these tools:
Content Search
Previously called ‘Search’ in the old Compliance Center, Content Search is the area you should head to if you need to find a particular piece of content within your Office 365 environment – whether this is an email, document or Skype for Business conversation. Content Search looks in mailboxes, SharePoint Online sites, and OneDrive for Business locations. There are no restrictions on the number of mailboxes or sites you can search, and there are also no limits to the number of searches that can be run at the same time.
Things you need to know before you can search:

  • To access and use the Content Search, you must be a member of the eDiscovery Manager role group in the Security and Compliance Center. This can be configured in the Permissions section of the center (more about this can be found in our blog post on this area).
  • There are certain limits on Content Search – these are listed on this support page for reference.
  • You can also use this tool to search for content in Office 365 groups, including the group mailbox, shared calendar and the SharePoint sites associated with a group.

As you see above, the search options are relatively self-explanatory, and allow for wide and narrow searches, depending on your needs. Add in the areas you would like to search and click ‘Next’
Search Conditions
On the next page, you can add any relevant keywords and select the conditions that you would like to be placed on to the search.
The conditions available are split into three types:

  • Common: Date, size, sender, author, subject, title.
  • Mail: Participants, senders, recipients, subject, received, date, sent date, message type.
  • Documents: Author, title, created date, last modified date, file type.

Once you have put in your search criteria, click ‘Search’, and the list of results should include the items that match your search terms. You can preview the search results by clicking ‘Results’ in the details pane, and then selecting ‘Preview Search Results’. It is possible to search within the results based on different attributes, and when you find an item you would like to see, select it by clicking ‘Show Item’.
It is also possible to update, edit and export the search results:

  • When a search is updated, the query is rerun against the same criteria. On the Content search page, select the search you want to update. In the details pane, under ‘Results’, click ‘Update Search Results’. By re-running the query, you will return the most recent data for the search.
  • To edit a search, select it from the list and in the details pane, under ‘Query’, click ‘Edit Search’. Using the ‘Locations’ page, you can make any changes to the areas you would like to search, and on the ‘Query’ page, you can edit the search query – then just click ‘Search’ on either page to rerun it.
  • You can export search results to a local computer – but only if you are assigned the Export management role in the Office 365 Security & Compliance Center (This role is part of the eDiscovery Manager role group). If there are email results, they will be downloaded to your computer as PST files. When the search content is from SharePoint or OneDrive for Business, copies of native Office documents are exported. There are a number of limitations to export, based around size and quantity, a full explanation is given on Microsoft’s support pages.

Audit Log Search
Audit Log search is a great compliance tool, with the potential to unearth some detailed information about user activity. One very very important thing you must do before you can use it, is turn it on. You will not be able to run an audit log search until this is done and you won’t be able to gather any log information prior to enabling it. It is easy to come unstuck with this, so try to pre-empt any need you may have, or err on the side of caution and turn it on as soon as possible. Once it is enabled, it will take a couple of hours to prepare the log, and there is also some delay on the log events – it can take up to 15 minutes for a SharePoint or OneDrive for Business event to show up in the log, an Exchange Online or Azure Active Directory event can take up to 12 hours.
You also have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Office 365 audit log. These roles are assigned to the Compliance Management and Organization Management role groups by default, and are located on the Permissions page in the Exchange admin center.
In this area you can see a number of user and administrator activities over the last 90 days, for example whether a user has viewed or downloaded a specific document or perhaps they’ve deleted an item from their mailbox. It is a unified audit log, which means that you can search for:

  • User activity in SharePoint Online and OneDrive for Business
  • User activity in Exchange Online (Exchange mailbox audit logging)
  • Admin activity in SharePoint Online
  • Admin activity in Azure Active Directory (the directory service for Office 365)
  • Admin activity in Exchange Online (Exchange admin audit logging)
  • User and admin activity in Sway

To search the Audit log, add your requirements into the fields below, then click ‘Search’. As with Content search, it is possible to filter and export the results. Detailed guidance for Audit log search can be found here.
Audit Log Search1
Electronic or eDiscovery is the term used for identifying, preserving and providing electronic information that can be used as evidence in legal cases or investigations. It is a very powerful tool, with the potential to expose sensitive information, so the Search and Investigation area can be used to manage the cases, and control who can create, access, and modify eDiscovery cases in your organisation. Recently Microsoft have also added a ‘new case management, hold, search, and export experience‘, which offers enhanced case management, better preservation of data that has been put on ‘hold’ and improved ‘granular search capabilities’. They have also announced that this area will continue to improve, and will receive ‘additional eDiscovery enhancements, such as keyword statistics, source statistics and export de-duplication’ in the coming months.
You can add a case by clicking the ‘+’ button, and filling out the name and description. Once it is completed, your new case will show in the list, and you can go into it, make any changes, add holds, searches or assign access to other users.
Edit eDiscovery
Due to the nature of eDiscovery, it is essential that the correct permissions are set, and that the data can only be accessed by the appropriate users. You can set various levels of access in the ‘Permissions’ section of the Security and Compliance Center (more about this can be found in part 3 of our blog).
There are a couple of features in the Security and Compliance Center that need to be configured before they are able to work in your environment. While this isn’t exactly a limitation of the center, it could cause issues with usability, and it does mean that users are required to be proactive and possess some level of foresight in order to get what they need. Who knows, later updates may remove this need to ‘turn on’ features, but for the meantime, it is definitely something to keep in mind.
Our advice? Head into the center and make sure you enable audit logging as soon as possible, as well as configuring any features you plan on using. That way, when you need compliance-related information, you will have some data to work with – and you won’t come unstuck!
The final post in this series will look at the recently added Alerts section, so make sure you check it out if you’re interested in identifying user activity and want to find out more about the new Advanced Security Management. You can also get a copy of the full blog series by downloading our white paper on the Office 365 Security and Compliance Center.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.