eDiscovery Content Search Results

Cloud & SaaS | Data Access & Storage | Cloud Control Plane

Location

Microsoft Purview > eDiscovery > Content search

Description

Preserved and exported search results from Microsoft Purview eDiscovery spanning Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations, enabling keyword-based or date-range-based evidence collection.

Forensic Value

eDiscovery is the authoritative method for legal-hold evidence preservation and targeted content collection in M365 environments. It enables searching across all content sources with a single query, placing results on legal hold to prevent spoliation, and exporting PST/ZIP bundles for offline analysis. For insider threat cases, eDiscovery searches can reveal the full scope of sensitive data a user accessed or shared.

Tools Required

Microsoft Purview Compliance Portal
eDiscovery Manager role
Microsoft Graph API (Compliance)

Collection Commands

PowerShell

New-ComplianceSearch -Name "IR-Investigation" -ExchangeLocation [email protected] -ContentMatchQuery "subject:confidential AND sent>=2024-01-01" | Start-ComplianceSearch

PowerShell

Get-ComplianceSearch -Identity "IR-Investigation" | Format-List Status,Items,Size
New-ComplianceSearchAction -SearchName "IR-Investigation" -Export -Format FxStream

Graph API

POST https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{caseId}/searches/{searchId}/estimateStatistics
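The create / start / poll / export sequence above as one end-to-end collection script. This is an added example, not code from the page or from Microsoft; it assumes an existing Connect-IPPSSession session under an account holding the eDiscovery Manager role, and the search name, mailbox, query and output path are placeholders.

```powershell
# Added example: create, run, poll and export a Purview content search.
# Assumes Connect-IPPSSession (ExchangeOnlineManagement module) has already been run
# with an eDiscovery Manager account. All names and values below are placeholders.
$SearchName = "IR-Investigation"                       # placeholder search name
$Mailbox    = "custodian@contoso.example"              # placeholder custodian mailbox
$Query      = "subject:confidential AND sent>=2024-01-01"

# 1. Create and start the search. Add -SharePointLocation to include sites/OneDrive,
#    or -Case to attach it to an eDiscovery case so results can be placed on hold.
New-ComplianceSearch -Name $SearchName -ExchangeLocation $Mailbox `
    -ContentMatchQuery $Query -Description "IR collection $(Get-Date -Format o)" | Out-Null
Start-ComplianceSearch -Identity $SearchName

# 2. Poll the estimate. The loop stops on any terminal state, so a failure is
#    surfaced instead of silently exporting an empty or partial result set.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host ("{0}: {1} items, {2} bytes" -f $search.Status, $search.Items, $search.Size)
} while ($search.Status -in @('NotStarted', 'Starting', 'InProgress'))

if ($search.Status -ne 'Completed') {
    Write-Warning "Search ended with status $($search.Status); review errors before exporting."
    $search.Errors
    return
}

# 3. Request the export. FxStream keeps message properties intact; PerUserPst yields
#    one PST per mailbox for offline review; EnableDedupe suppresses duplicate items.
New-ComplianceSearchAction -SearchName $SearchName -Export -Format FxStream `
    -ExchangeArchiveFormat PerUserPst -EnableDedupe $true | Out-Null

# 4. Export actions are named "<SearchName>_Export". Wait for it to finish; the
#    Results property then carries the container URL and SAS key that the
#    eDiscovery Export Tool consumes, so treat that object as a secret.
$ActionName = "${SearchName}_Export"
do {
    Start-Sleep -Seconds 30
    $action = Get-ComplianceSearchAction -Identity $ActionName
} while ($action.Status -in @('Starting', 'InProgress'))

# 5. Record what was collected, for chain of custody (SAS details deliberately omitted).
[pscustomobject]@{
    Search       = $SearchName
    Query        = $Query
    Items        = $search.Items
    SizeBytes    = $search.Size
    ExportStatus = $action.Status
    RecordedAt   = (Get-Date).ToUniversalTime().ToString('o')
} | Export-Csv -Path ".\$SearchName-collection-log.csv" -NoTypeInformation
```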

MITRE ATT&CK Techniques

T1114 | T1530 | T1213.002 | T1567