Guest James_Havens Posted December 13, 2022 Posted December 13, 2022 Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community Disclaimer This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data. Target Audience The Advanced eDiscovery (Aed) section of this blog series is aimed at legal and HR officers who need to understand how to perform a basic investigation. Document Scope This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Advanced eDiscovery. It is presumed that you already data to search inside your tenant. We will only step through a basic eDiscovery case (see the Use Case section). Out-of-Scope This document does not cover any other aspect of Microsoft E5 Compliance, including: Data Classification Information Protection Data Protection Loss (DLP) for Exchange, OneDrive, Devices Data Lifecycle Management (retention and disposal) Records Management (retention and disposal) Premium eDiscovery Overview and Settings Case Creation and Case Settings Data Sources and Collections Review Sets Communications Holds Exports Processing [*]Insider Risk Management (IRM) [*]Priva [*]Advanced Audit [*]Microsoft Cloud App Security (MCAS) [*]Information Barriers [*]Communications Compliance [*]Licensing It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). It is also presumed you are using an existing Information Types (SIT) or a SIT you have created for your testing. If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog. That webpage will be updated with any new walk throughs or Compliance relevant information, as time allows. Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Tech Community Use Case There are many use cases for Advanced eDiscovery. For the sake of simplicity, we will use the following: Your organization has a Human Resources investigation against a specific user. Overview of Document This part of the blog is looking at the Exports tab, and how it should be used in an eDiscovery case. Definitions Data Sources – These are the locations (EXO, SPO, OneDrive) where searches will be performed. These are all the custodians (users) being investigated. This is not the users performing the investigation. Collections – This is the actual search being performed. Collections include user, keyword, data, etc. Review Sets – Once a collection/search has been performed, the data most be reviewed. This tab is where secondary searches can be done and a review of the data. Communications – If the HR or legal team wishes, they can notify the user that they are under investigation. You can also set up reminder notifications in this section of the UI. Note - This task is optional. [*]Hold – Once the data has been collected/searched or reviewed, either all or part of the data can be placed on legal hold. This means that the data cannot be deleted by the end user and if they do, then only their reference to the data is deleted. If the user deletes their reference, then the data is placed into a hidden hold directory. [*]Processing – This tab is related to the indexing of data in your production environment. You would use this if you are not finding data that you expect and you need to re-run indexing activities. Note - This task is optional. [*]Exports #1 – When referring to the tab, this provides the data from the case to be exported to a laptop or desktop. [*]Export #2 – This is also the term used to export a .CSV report. [*]Jobs – This provides a list of every job run in eDiscovery and is useful when trying to see the current status of your jobs (example – Collection, Review, Processing, Export, etc). This is useful if you launch an activity and want to monitor its status in real-time. [*]Setting – High level analytics and settings and reports, etc. [*]Custodian – This is the individual being investigated. Notes Core vs Advanced eDiscovery (high level overview) Core eDiscovery – This allows for searching and export of data only. It is perfect for basic “search and export” needs of data. It is not the best tool for data migration or HR and/or Legal case management and workflows. Advanced eDiscovery – This tool is best used as a first and second pass tool to cull the data before handing that same data to outside council or legal entity. This tool provides a truer work flow for discovery, review, and export of data along with reporting and redacting of data. [*]If you are not familiar with the Electronic Discovery Reference Model (EDRM), I recommend you learn more about it as it is a universal workflow for eDiscoveries in the United States. The link is in the appendix. [*]For my test, I am using a file named “1-MB-Test-SSN-1-AeD” with the phrase “Friedrich Conrad Rontgen invented the X-Ray” inside it. This file name stands for 1MB file with SSN information for Advanced eDiscovery testing. [*]We will not be using all of the tabs in available in a AeD case. [*]How do user deletes of data work with AeD? [*]If the end user deletes the data on their end and there IS NO Hold, then the data will be placed into the recycle bin on the corresponding applications. [*]If the end user deletes the data on their end and there IS a Hold, then the data will NOT be placed into the recycle bin on the corresponding applications. However, the user reference to the data will be deleted so they will believe that the data is deleted. Pre-requisites You should review the previous parts of this eDiscovery blog series and be sure you have done them. Jobs tab The Jobs tab shows all historical and active jobs being run as part of your eDiscovery case. You can find this tab on the far right of your case panel. In the bottom of this pane, you will see your eDiscovery jobs. The value of this tab, from a day to day perspective, is that you can see the status of your job The value of this tab, from a day-to-day perspective, is that you can see the status of your eDiscovery activities is that you can see if the activity is Successful, In Progress, or Failed. Then you can know if you need to step away from the case and do something else while the activity completes. We are now done with this part of the eDiscovery blog. Appendix and Links EDRM Model - EDRM Overview of the Advanced eDiscovery solution in Microsoft 365 - Microsoft 365 Compliance | Microsoft Docs Work with custodians in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs Search the audit log in the Security & Compliance Center - Microsoft 365 Compliance | Microsoft Docs Work with processing errors in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs Export case data in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs Manage jobs in Advanced eDiscovery - Microsoft 365 Compliance | Microsoft Docs Continue reading... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.