
Unleashing the Power of Content Search in Office 365 for Email Investigations


In today's digital landscape, the ability to swiftly and effectively search across vast amounts of data is paramount for organizations. Microsoft's Office 365 offers a robust solution for this with its Content Search feature in the Security & Compliance Center.


What is Content Search?

Content Search is a comprehensive search tool within the Office 365 Security & Compliance Center that allows administrators and investigators to search across all mailboxes within an organization. It's the successor to the older "In-Place eDiscovery" options in Exchange Online and offers a more scalable and feature-rich environment for email investigations.


Key Features and Benefits

  1. Scalability: Unlike its predecessor, Content Search has no limitations on the number of mailboxes that can be targeted in a single search.

  2. Comprehensive Search: Search nearly all email components, including attachments, across multiple mailboxes.

  3. Integrated eDiscovery: Seamlessly integrates with other features within Search & Investigation for advanced eDiscovery tasks like preserving mailboxes on discovery hold.

  4. Audit Log Search: Offers built-in auditing capabilities for tracking user (or attacker) activity within Office 365.

  5. Data Export: Allows exporting search results to .PST format, with robust filtering options available.


How Does it Work?

Performing a Content Search is straightforward. You initiate a search, estimate the results, preview them if necessary, and then copy them to a new mailbox or export them to .PST format.


Here's a quick example of initiating a Content Search via PowerShell:

# Creates the search definition only; it runs once you call Start-ComplianceSearch -Identity "Legal Case 80"
New-ComplianceSearch -Name "Legal Case 80" -ExchangeLocation "Operations" -ContentMatchQuery "'Widget' AND 'Akash'"
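As an added example (not code from the original post), here is the full sequence the section describes, run from Security & Compliance PowerShell with the ExchangeOnlineManagement module: define the search, start it, wait for the estimate, optionally preview, then export to PST. New-ComplianceSearch only stores the definition; Start-ComplianceSearch is what actually runs it. The search name, mailbox address and query terms are placeholders.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement). Search name, mailbox and
# query terms below are placeholders.

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$searchName = "Legal Case 80"

# 1. Define the search. Splatting keeps the long parameter list readable.
#    -ExchangeLocation takes mailbox addresses, a distribution group, or "All".
$params = @{
    Name              = $searchName
    ExchangeLocation  = "operations@contoso.example"                       # placeholder mailbox
    ContentMatchQuery = "'Widget' AND 'Akash' AND received>=2024-01-01"    # KQL, placeholder terms
}
New-ComplianceSearch @params | Out-Null

# 2. Run it; New-ComplianceSearch only stores the definition.
Start-ComplianceSearch -Identity $searchName

# 3. Estimate: poll until the search leaves the running states, then read the
#    item count and size that the portal shows on the search's status page.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -in @("NotStarted", "Starting", "InProgress"))

if ($search.Status -ne "Completed") {
    throw "Search '$searchName' ended with status $($search.Status)"
}
"{0} items, {1:N1} MB estimated" -f $search.Items, ($search.Size / 1MB)

# 4. Optional preview action (the results are viewed in the compliance portal).
New-ComplianceSearchAction -SearchName $searchName -Preview | Out-Null

# 5. Export to PST, one file per mailbox. Files are capped at 10 GB and larger
#    result sets are split; the export action is named "<search>_Export".
New-ComplianceSearchAction -SearchName $searchName -Export `
    -Format FxStream -ExchangeArchiveFormat PerUserPst -EnableDedupe $true | Out-Null

# The download itself happens through the eDiscovery Export Tool launched from
# the portal; this shows the action's status and the export container details.
Get-ComplianceSearchAction -Identity "${searchName}_Export" | Format-List Name, Status, Results
```

The polling loop is what replaces clicking refresh on the search's status page; checking for any status other than Completed catches searches that fail or only partially succeed before you export them.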

Data Export Limitations

While Content Search is powerful, there are limitations to be aware of:

  • Data Limit: A maximum of 2 TB of data can be exported per search (and per day).

  • Export Format: Exported .PST files will be 10 GB or less, with larger result sets split into multiple .PST files.

  • Concurrent Exports: Up to 10 exports can run simultaneously.


Auditing and Logging

Office 365 offers built-in auditing and APIs for Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD. However, auditing is not enabled by default.


Here's how you can enable auditing for a user via PowerShell:


Set-Mailbox -Identity "Akash Patel" -AuditEnabled $true

When enabling logging, not all items are logged by default. You can chain multiple commands to set all available logging options for mailbox owner accounts:


Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditOwner "Create,HardDelete,MailboxLogin,Move,MoveToDeleteditems,SoftDelete,Update"

What to Keep in Mind

  • Logging Limitations: Logging in Office 365 has limitations, such as no logoff events and limited logging for non-admin accounts.

  • Log Retrieval Time: Logs for SharePoint and OneDrive are typically available 15 minutes after the event, while Exchange Online and Azure AD logs may take between 30 minutes and 12 hours.
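As an added example (not the post's own code) tying the auditing commands above to the retrieval-time caveat: it first checks which user mailboxes have auditing disabled or lack one of the owner actions listed above, enables auditing only on those, verifies the result, and then queries the unified audit log for MailboxLogin events over a window wide enough to cover the 30 minute to 12 hour Exchange Online delay. The 48-hour look-back and the 5000 result cap are placeholders.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module; all cmdlets below are Exchange Online cmdlets. The 48-hour look-back
# and the 5000 result cap are placeholders to adjust per investigation.

Connect-ExchangeOnline   # interactive sign-in

# Owner actions the post enables, as one list we can both set and check against.
$ownerActions = "Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update"
$required     = $ownerActions.Split(",")

# 1. Check first: which user mailboxes have auditing off or miss an owner action?
$userMailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$needsFix = @(foreach ($mbx in $userMailboxes) {
    $current = @($mbx.AuditOwner | ForEach-Object { "$_" })   # stringify enum values
    $missing = $required | Where-Object { $current -notcontains $_ }
    if (-not $mbx.AuditEnabled -or $missing) { $mbx }
})
"{0} of {1} user mailboxes need changes" -f $needsFix.Count, @($userMailboxes).Count

# 2. Change only those mailboxes (the post's pipeline applies this to all of them).
$needsFix | Set-Mailbox -AuditEnabled $true -AuditOwner $ownerActions

# 3. Verify the settings actually took.
$needsFix | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
    Select-Object DisplayName, AuditEnabled, AuditOwner | Format-Table -AutoSize

# 4. Pull mailbox logins from the unified audit log. Exchange Online events can
#    take 30 minutes to 12 hours to appear, so the window is deliberately wide
#    and the query is worth re-running later for a complete picture.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-48) -EndDate (Get-Date) `
    -Operations MailboxLogin -ResultSize 5000

$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json      # per-event details live in a JSON blob
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        LogonType = $d.LogonType               # 0 = owner, 1 = admin, 2 = delegate
        ClientIP  = $d.ClientIPAddress
        Client    = $d.ClientInfoString
    }
}

# One user logging in from many distinct IPs in the window is a quick triage signal.
$rows | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User      = $_.Name
        Logins    = $_.Count
        UniqueIPs = @($_.Group.ClientIP | Sort-Object -Unique).Count
    }
} | Sort-Object UniqueIPs -Descending | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 rows per call; for busier tenants page through the results with its -SessionId and -SessionCommand ReturnLargeSet parameters, and keep the per-event AuditData JSON when exporting so the client IP and client string survive for the case file.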


Conclusion

Content Search in Office 365 offers a powerful set of tools for email investigations, eDiscovery, and auditing. Its scalability, integration capabilities, and robust features make it an indispensable asset for organizations of all sizes. By understanding its capabilities and limitations, you can leverage Content Search to streamline your email investigations and bolster your organization's security posture. Always remember to adhere to forensic best practices to ensure data integrity and legal admissibility in your investigations.


Akash Patel


