
Microsoft 365: Content Search, Unified Audit Logs, and Extracting Logs for Investigations

Updated on 29 Jan, 2025

Microsoft 365 Purview Compliance Manager offers a powerful Content Search feature that allows organizations to search across emails, Teams chats, SharePoint, OneDrive for Business, and even Copilot usage. This tool is often the first stop when investigating emails and other online content.


Key Features of Content Search

  • Extensive Search Scope: Covers emails, Teams chats, SharePoint, OneDrive, and Copilot interactions.

  • Search Refinement: Filter results based on keywords, email addresses, and other parameters.

  • Preview and Export: Search results can be estimated, previewed, and ultimately exported.

  • Integration with eDiscovery: Enables litigation holds and deeper investigative workflows.


Microsoft Purview Licensing and Access

The features available depend on the organization's Microsoft 365 license tier:

  • E5 License: Access to Premium eDiscovery tools, including Advanced Audit Logging.

  • Lower-tier Licenses: Access to Standard eDiscovery tools, which still provide audit log search capabilities.


--------------------------------------------------------------------------------------------------------


Exporting Mailboxes to .PST Format

Microsoft 365 allows the export of mailboxes via Content Search. Once a search is completed, results can be exported in .PST format for emails, while SharePoint and OneDrive content is exported in native formats.


Export Limitations

  • Maximum 2 TB of data per search per day.

  • Supports up to 100,000 mailboxes per export.

  • Individual .PST files are capped at 10 GB, with large searches split into multiple files.

  • A maximum of 10 exports can run simultaneously.


To perform an export, the user must be assigned to the eDiscovery Manager role.


--------------------------------------------------------------------------------------------------------


Unified Audit Logs (UAL) and Their Importance

Microsoft 365 provides Unified Audit Logs (UAL) for tracking activity across Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD. These logs help security teams investigate potential threats and track attacker activities.


Key Points About UAL:

  • Enabled by Default (since 2019): Previously, logging had to be manually enabled for each user.


  • Retention Policy:

    • 90 days by default.

    • Up to 1 year for Microsoft 365 E5 users.

    • Azure AD logs are retained for 180 days (depending on the license).


  • Export Format: Logs are exported in JSON format and can be processed using third-party tools for extended retention.


-------------------------------------------------------------------------------------------------------


Auditing and Logging

Office 365 offers built-in auditing and APIs for Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD. However, auditing is not enabled by default.


Here's how you can enable auditing for a user via PowerShell:

# Enable mailbox auditing for a single mailbox (run inside a Connect-ExchangeOnline session)
Set-Mailbox -Identity "Akash Patel" -AuditEnabled $true

When enabling logging, not all actions are logged by default. You can pipe Get-Mailbox into Set-Mailbox to set all available owner-action logging options across every user mailbox in one command:


# -AuditOwner replaces the existing owner-action list, so include every action you want logged
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditOwner "Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update"

What to Keep in Mind

  • Logging Limitations: Logging in Office 365 has limitations, such as no logoff events and limited logging for non-admin accounts.

  • Log Retrieval Time: Logs for SharePoint and OneDrive are typically available 15 minutes after the event, while Exchange Online and Azure AD logs may take between 30 minutes to 12 hours.

--------------------------------------------------------------------------------------------------------

One critical audit category is MailItemsAccessed, which logs when a user or attacker views emails. Initially restricted to admin users, it is now available for all tenants—though the rollout has been slow.
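The post above tells you to enable auditing and to verify the configuration before an incident; the script below, an added example that is not part of the original post, does that verification for a whole Exchange Online tenant. It assumes an active Connect-ExchangeOnline session, and the baseline list of owner actions (including MailItemsAccessed) is an assumed starting point, not a Microsoft default.

```powershell
# Added example (not from the original post): report the mailbox-audit configuration of an
# Exchange Online tenant so gaps surface before an incident rather than during one.
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).

# Tenant-wide switches. Mailbox auditing is on by default unless AuditDisabled was set,
# and without UAL ingestion Search-UnifiedAuditLog returns nothing at all.
$org = Get-OrganizationConfig
$cfg = Get-AdminAuditLogConfig
[pscustomobject]@{
    MailboxAuditOnByDefault  = -not $org.AuditDisabled
    UnifiedAuditLogIngestion = $cfg.UnifiedAuditLogIngestionEnabled
} | Format-List

# Owner actions an investigation usually depends on (assumed baseline, adjust to taste).
$baseline = @('MailItemsAccessed', 'MailboxLogin', 'HardDelete', 'SoftDelete',
              'MoveToDeletedItems', 'Move', 'Update', 'Create')

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $mbx     = $_
    $owner   = @($mbx.AuditOwner | ForEach-Object { [string]$_ })
    $missing = @($baseline | Where-Object { $_ -notin $owner })
    [pscustomobject]@{
        Mailbox         = $mbx.UserPrincipalName
        AuditEnabled    = $mbx.AuditEnabled
        DefaultAuditSet = ($mbx.DefaultAuditSet -join ',')   # Admin/Delegate/Owner still on Microsoft defaults
        AuditLogAge     = $mbx.AuditLogAgeLimit               # how long per-mailbox audit records are kept
        MissingOwner    = ($missing -join ',')
    }
}

# Accounts with a bypass association generate no mailbox audit records at all.
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object -ExpandProperty Name

$gaps = $report | Where-Object { -not $_.AuditEnabled -or $_.MissingOwner }
Write-Host "$(@($report).Count) user mailboxes checked; $(@($gaps).Count) with gaps; $(@($bypassed).Count) audit-bypassed accounts"
$gaps | Format-Table Mailbox, AuditEnabled, MissingOwner -AutoSize
$report | Export-Csv -Path .\mailbox-audit-config.csv -NoTypeInformation
```

In large tenants Get-EXOMailbox -PropertySets Audit returns the same audit properties considerably faster than Get-Mailbox.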

--------------------------------------------------------------------------------------------------------


Investigating Logs with PowerShell

The Search-UnifiedAuditLog PowerShell cmdlet is the primary tool for pulling UAL records for analysis:


# User addresses are placeholders; use unambiguous ISO dates (the cmdlet reports timestamps in UTC); -ResultSize caps a single call at 5000 rows
Search-UnifiedAuditLog -StartDate "2025-01-29" -EndDate "2025-01-30" -UserIds "user1@example.com","user2@example.com" -Operations MailItemsAccessed -ResultSize 5000

Log Availability:

  • SharePoint & OneDrive logs: Available ~15 minutes after events.

  • Exchange Online & Azure AD logs: May take 30 minutes to 12 hours to appear.
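A single Search-UnifiedAuditLog call stops at 5,000 rows, which is one of the interface limits the next section alludes to. The script below, an added example that is not part of the original post, pages past that limit, keeps the raw AuditData JSON for longer retention, and summarises MailItemsAccessed activity per mailbox and client IP. It assumes an active Connect-ExchangeOnline session; the user addresses and output path are placeholders, and the AuditData field names follow Microsoft's published MailItemsAccessed schema.

```powershell
# Added example (not from the original post): page through Search-UnifiedAuditLog for
# MailItemsAccessed, keep the raw AuditData JSON for retention, and summarise reads per
# mailbox and client IP. Assumes an active Connect-ExchangeOnline session.
# User addresses and the output path are placeholders.
param(
    [datetime]$Start = '2025-01-29',
    [datetime]$End   = '2025-01-30',
    [string[]]$Users = @('user1@example.com', 'user2@example.com'),
    [string]$RawOut  = '.\MailItemsAccessed.jsonl'
)

# A single call returns at most 5,000 rows; ReturnLargeSet with a fixed SessionId pages
# through up to 50,000 rows until an empty page comes back.
$sessionId = "MIA-$([guid]::NewGuid())"
$rows = [System.Collections.Generic.List[object]]::new()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Users `
        -Operations MailItemsAccessed -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $rows.AddRange([object[]]$page) }
} while ($page)

# Pages are unsorted and may overlap, so de-duplicate on the record Identity.
$rows = @($rows | Sort-Object Identity -Unique)
Write-Host "Retrieved $($rows.Count) MailItemsAccessed records"

# Retention: one untouched JSON document per line, ready to be re-parsed or shipped elsewhere.
$rows | ForEach-Object { $_.AuditData } | Set-Content -Path $RawOut -Encoding utf8

# AuditData is a JSON string; field names follow Microsoft's MailItemsAccessed schema
# (MailboxOwnerUPN, ClientIPAddress, CreationTime, Folders[].Items[], OperationProperties[]).
$events = $rows | ForEach-Object { $_.AuditData | ConvertFrom-Json }

$events | Group-Object MailboxOwnerUPN, ClientIPAddress | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        Mailbox    = $g[0].MailboxOwnerUPN
        ClientIP   = $g[0].ClientIPAddress
        Events     = $_.Count
        # Bind = individual messages opened; Sync = a whole folder downloaded by a client
        AccessType = (($g | ForEach-Object { ($_.OperationProperties | Where-Object Name -eq 'MailAccessType').Value }) | Sort-Object -Unique) -join '/'
        Items      = ($g | ForEach-Object { $_.Folders | ForEach-Object { $_.Items } } | Measure-Object).Count
        # Once throttled (more than 1,000 records in 24h) further accesses are not logged, so counts are a floor
        Throttled  = @($g | Where-Object { [string]($_.OperationProperties | Where-Object Name -eq 'IsThrottled').Value -eq 'True' }).Count
        FirstUtc   = ($g.CreationTime | Sort-Object | Select-Object -First 1)
        LastUtc    = ($g.CreationTime | Sort-Object | Select-Object -Last 1)
    }
} | Sort-Object Events -Descending | Format-Table -AutoSize
```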

--------------------------------------------------------------------------------------------------------


Extracting Microsoft 365 Audit Logs Efficiently

Extracting logs manually can be cumbersome due to limitations in Microsoft’s interface. Fortunately, third-party tools simplify this process:


Microsoft-Extractor-Suite

  • I have created a detailed article on Microsoft-Extractor-Suite (this article will be enough to get you up and running and to understand how the tool works, in addition to another tool, Microsoft-Analyzer-Suite, which will help you in investigations):

Streamlining Cloud Log Analysis with Free Tools: Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite



Hawk (PowerShell-Based Investigation Tool) (an article on this will follow in future)

--------------------------------------------------------------------------------------------------------


Final Thoughts

Microsoft 365 Purview provides robust eDiscovery, search, and audit capabilities for compliance and security teams. Understanding how to effectively leverage these tools—alongside PowerShell and third-party utilities—can make investigations faster and more efficient. Ensure that audit logs are enabled and verify logging configurations to avoid surprises during critical incidents!


------------------------------------------------------Dean-----------------------------------
