You can use search in Data Security Investigations (preview) to search for Microsoft 365 content such as email, documents, and instant messaging conversations in your organization that are relevant to a security incident. Use search to find content in these cloud-based Microsoft 365 data sources:
- Exchange Online mailboxes
- SharePoint sites
- OneDrive accounts
- Microsoft Copilot and Agent prompts and responses
- Microsoft Teams
You can create and run different searches that are associated with an investigation. You use conditions (such as keywords, file types, incidents, etc.) to build search queries that return search results with the data that's most likely relevant to the investigation. You can also:
- View search statistics that might help you refine a search query to narrow results.
- Preview the search results to quickly verify whether the relevant data is being found.
- Revise a query and rerun the search.
When you're satisfied with the results of a search and you're ready to review and analyze the results, you can add them to an investigation scope in the investigation. Adding copies of the original data to an investigation scope also facilitates the AI analysis and review process by providing you with advanced categorization, examination, and vector search tools.
Access search tools
Select Summary from the navigation options at the top of any page within a specific investigation to access the search tools.
Search tools include the data source picker, the query builder, and the search by file options. You can refine search query data sources and conditions at any time during the investigation and add the results to an investigation scope.
Data sources
In Microsoft 365, data is stored across three platforms: Exchange, Teams, and SharePoint. These platforms serve as the backbone for organizing and managing data within Microsoft 365 applications. Most Microsoft 365 apps store data in one or more of the following containers:
- Users: Data associated with individual users, such as their mail, 1:1 Teams messages, and OneDrive files.
- Groups: Data owned by the organization or a group of users within an organization. These groups are often referred to as Unified Groups or Teams.
In Data Security Investigations (preview), the concept of data sources streamlines the process of identifying and managing data across Microsoft 365 platforms. Analysts select a user or group and searches are scoped to those data sources only. Analysts can refine the scope by selecting or excluding specific locations as needed.
Analysts can also use organization-wide sources to perform search across your organization. Organization-wide sources include:
- All people and groups: Includes all users and all groups in your organization.
- All public folders: Includes all content in Exchange public folders mailboxes.
Query builder
The Query builder option in search provides a visual filtering experience when you build search queries in Data Security Investigations (preview). Use the query builder to construct complex queries with additional functionality, including AND, OR, and grouping of conditions. These features help you build queries more effectively, provide a visual interface for grouping subqueries, and give you additional space to construct and review complex keyword queries.
Using the query builder
To create a query and custom filtering for your search, use the following controls:
- AND/OR: These conditional logical operators allow you to select the query condition that applies to specific filters and filter subgroups. These operators allow you to use multiple filters or subgroups connected to a single filter in your query.
- Select a filter: Allows you to select filters for the specific data sources and location content selected for the collection.
- Add filter: Allows you to add multiple filters to your query. This control is available after you've defined at least one query filter.
- Select an operator: Depending on the selected filter, the operators compatible for the filter are available to select. For example, if the Date filter is selected, the available operators are Before, After, and Between. If the Size (in bytes) filter is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
- Value: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the Date filter is selected, select date values. If the Size (in bytes) filter is selected, select a value for bytes.
- Add subgroup: After you've defined a filter, you can add a subgroup to refine the results returned by the filter. You can also add a subgroup to a subgroup for multi-layered query refinement.
- Remove a filter condition: To remove an individual filter or subgroup, select the remove icon to the right of each filter line or subgroup.
- Clear all: To clear the entire query of all filters and subgroups, select Clear all.
Scenario example
A Data Security Investigations (preview) analyst needs to create a query that finds any item that includes the keyword confidential and was used between January 1, 2025 and March 16, 2025. For this example, the analyst creates the following query using the query builder:
- For the first filter, the analyst selects Keyword, then selects the Equal operator, then enters confidential in the Value control.
- Next, the analyst selects Add subgroup and the AND operator, then the Add filter.
- The analyst selects the Date filter, the Between operator, and start and ending dates for the Value.
- The analyst selects Save to save the query, then Review scope to run the search query.
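The scenario above is a small filter tree: a Keyword filter combined by AND with a subgroup that holds a Date filter. The following Python model, added here as an illustration and not Data Security Investigations code, shows how such a tree of filters, operators and nested AND/OR subgroups evaluates against items. The item fields, the case-insensitive Keyword match and the inclusive bounds of Between are assumptions; the filter names and operator names are the ones listed in the text. The second query goes beyond the scenario by putting OR at the top level with a nested AND subgroup.

```python
"""Illustrative model of the query builder's filter/subgroup logic.
Not product code: item fields, case-insensitive Keyword matching and the
inclusive Between bounds are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import Union

# Constructed sample items standing in for hits from mailboxes and sites.
SAMPLE_ITEMS = [
    {"id": 1, "subject": "Q1 confidential forecast", "date": date(2025, 2, 3), "size": 48_000},
    {"id": 2, "subject": "Confidential: vendor list", "date": date(2024, 12, 20), "size": 1_200_000},
    {"id": 3, "subject": "Lunch menu", "date": date(2025, 2, 10), "size": 2_000},
    {"id": 4, "subject": "confidential budget.xlsx", "date": date(2025, 3, 16), "size": 300_000},
]


@dataclass
class Filter:
    """One filter line: a filter name, an operator the filter supports, and a value."""
    name: str       # "Keyword", "Date" or "Size (in bytes)"
    operator: str   # e.g. "Equal", "Before", "After", "Between", "Greater than"
    value: object   # str, date, int, or a (low, high) tuple for Between


@dataclass
class Group:
    """A subgroup: its children are combined with a single AND or OR."""
    logic: str                                  # "AND" or "OR"
    children: list = field(default_factory=list)


Node = Union[Filter, Group]

# Operators the text lists for Date and Size (in bytes). Between is inclusive (assumption).
_COMPARE = {
    "Before": lambda actual, v: actual < v,
    "After": lambda actual, v: actual > v,
    "Greater than": lambda actual, v: actual > v,
    "Greater or equal": lambda actual, v: actual >= v,
    "Less than": lambda actual, v: actual < v,
    "Less or equal": lambda actual, v: actual <= v,
    "Equal": lambda actual, v: actual == v,
    "Between": lambda actual, v: v[0] <= actual <= v[1],
}


def eval_filter(f: Filter, item: dict) -> bool:
    """Apply one filter line to one item, rejecting operators the filter does not offer."""
    if f.name == "Keyword":
        if f.operator != "Equal":
            raise ValueError(f"Keyword does not support {f.operator}")
        return f.value.lower() in item["subject"].lower()
    if f.name == "Date":
        if f.operator not in ("Before", "After", "Between"):
            raise ValueError(f"Date does not support {f.operator}")
        return _COMPARE[f.operator](item["date"], f.value)
    if f.name == "Size (in bytes)":
        if f.operator in ("Before", "After"):
            raise ValueError(f"Size (in bytes) does not support {f.operator}")
        return _COMPARE[f.operator](item["size"], f.value)
    raise ValueError(f"unknown filter {f.name}")


def evaluate(node: Node, item: dict) -> bool:
    """Recursively evaluate the filter tree; subgroups may nest to any depth."""
    if isinstance(node, Filter):
        return eval_filter(node, item)
    results = [evaluate(child, item) for child in node.children]
    if node.logic == "AND":
        return all(results)
    if node.logic == "OR":
        return any(results)
    raise ValueError(f"unknown logic {node.logic}")


def render(node: Node) -> str:
    """Readable form of the tree, handy when reviewing a saved query."""
    if isinstance(node, Filter):
        return f"{node.name} {node.operator} {node.value!r}"
    return "(" + f" {node.logic} ".join(render(c) for c in node.children) + ")"


def run_search(query: Node, items: list) -> list:
    """Return the ids of items matching the query, in input order."""
    return [item["id"] for item in items if evaluate(query, item)]


# The scenario from the text: Keyword Equal "confidential" AND a subgroup holding
# Date Between January 1, 2025 and March 16, 2025.
SCENARIO_QUERY = Group("AND", [
    Filter("Keyword", "Equal", "confidential"),
    Group("AND", [Filter("Date", "Between", (date(2025, 1, 1), date(2025, 3, 16)))]),
])

# Beyond the scenario: OR at the top level with a nested AND subgroup.
LARGE_OR_RECENT_LUNCH = Group("OR", [
    Filter("Size (in bytes)", "Greater than", 1_000_000),
    Group("AND", [Filter("Keyword", "Equal", "lunch"), Filter("Date", "After", date(2025, 1, 1))]),
])

if __name__ == "__main__":
    print(render(SCENARIO_QUERY), "->", run_search(SCENARIO_QUERY, SAMPLE_ITEMS))
    print(render(LARGE_OR_RECENT_LUNCH), "->", run_search(LARGE_OR_RECENT_LUNCH, SAMPLE_ITEMS))
```

Item 2 carries the keyword but falls before the date range, which is exactly the kind of result the subgroup is meant to exclude; reviewing `render()` output before saving a query is a cheap way to catch a filter attached to the wrong subgroup.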
Create a search query with Microsoft Security Copilot
The Query with Copilot option in search allows you to use natural language and Microsoft Security Copilot to quickly generate a custom query in the query builder. Use this option to construct complex queries with additional functionality, including AND, OR, and grouping of conditions, all while using natural language prompts.
This feature also helps you build queries more easily using predefined prompts for common scenarios and allows you to refine and enhance custom prompts for more accurate search queries. You can also choose to use prompt suggestions as a starting point to create and refine KeyQL queries for common or custom search scenarios.
To create a search query with Copilot, complete the following steps:
- After you select data sources for your query, select Query with Copilot.
- Enter your search query question in the Describe what you'd like to find field. You can include user, data source, and other content details as applicable.
- Select View prompts to select one of the following prompt suggestions:
  - Find all emails containing the words budget and finance and have attachments
  - Search for files of type .docx that contain the words confidential and budget
- Select Review scope to see estimates and statistics for the search or add the results directly to your investigation scope. If you want to save the query parameters you've defined and run the query later, select Save.
Find from file
The From file option allows you to upload one or more files to find related content for a specific investigation. Use an audit activity .csv file to find related messages and files for a specific user within a specific time frame. Each file is limited to a 10 MB maximum file size, and files can be in .csv format. The query builder is disabled when searching by file.
Scope dashboard
The Search tab displays statistics and metrics for the data results included in the search query. This view helps you determine if the search query results are ready for adding to the investigation scope or if you need to refine your query for broader or narrower results.
The search results for the Scope dashboard are included in the following sections:
Summary: This section shows the number of search hits, locations, data sources, and the total file size of partially indexed items.
- Total matches: Displays the total search hit count and volume from all items matching the query criteria from locations searched.
- Locations: Displays the fraction of locations with hits out of all locations searched. The numerator shows the locations with hits and the denominator shows the number of locations searched. Locations with errors are shown in red. To view full details on all the locations and their associated hits and errors, select Download report to download the full .csv report.
- Data sources: Displays the fraction of data sources with hits out of all data sources searched. The numerator shows the data sources with hits and the denominator shows the number of data sources included in the search. This count is consistent with the data sources in the search design flow and should match the number of people or groups included in the search. A tenant-wide data source of All people and all groups counts as a single data source.
- Partially indexed items or "Advanced indexed items hits": Displays the count and volume of partially indexed and unindexed items returned as part of the search. The advanced indexed hit count comes from a statistical sample of the partially indexed items. The actual hits can be higher and should be confirmed using the Add to a review set and Export search results actions.
- Top data sources: Displays the five data sources that account for the most search hits for your query. The names of these data sources (names of users, groups, or organization-wide locations) are listed with their hit counts. These data sources should match what you selected in the data source workflow when you created the search query.
- Indexing status: Breakdown of unindexed (including partially indexed) and fully indexed data items.
- Top location type: Hit count by location type (mailbox versus site).
Select Regenerate view to rerun the query and review the most current results. Select Download report to combine all scope results into a single .csv file. When you're viewing the top 100 results for any trend area, select Download report to get a .csv file of the top 100 results for the selected hit trend.
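To make the Summary figures concrete, the following Python script, added here and not part of Data Security Investigations, recomputes them from a per-location report and flags the two conditions the text says call for follow-up: locations with errors, and a partially indexed hit count that is only a sample-based estimate. The report columns (`location`, `location_type`, `data_source`, `hits`, `partially_indexed_hits`, `error`) and the rows are constructed for this example and are an assumption about the shape of the downloadable .csv; the real report's columns may differ.

```python
"""Recompute Scope dashboard Summary figures from a per-location report.
Added illustration, not product code: the .csv columns and rows below are
constructed and assumed; check them against the report you actually download."""
import csv
import io
from collections import Counter

# Constructed report: one row per searched location (assumed column names).
REPORT_CSV = """location,location_type,data_source,hits,partially_indexed_hits,error
alice@corp.example,mailbox,alice@corp.example,12,1,
bob@corp.example,mailbox,bob@corp.example,0,0,
https://corp.example/sites/finance,site,Finance Team,30,4,
https://corp.example/sites/legal,site,Legal Team,0,0,AccessDenied
carol@corp.example,mailbox,carol@corp.example,7,0,
https://corp.example/personal/carol,site,carol@corp.example,3,0,
"""


def load_report(text: str) -> list:
    """Parse the report and convert numeric columns; empty error cells mean no error."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["hits"] = int(row["hits"])
        row["partially_indexed_hits"] = int(row["partially_indexed_hits"])
    return rows


def scope_summary(rows: list) -> dict:
    """Reproduce the Summary tiles: matches, locations, data sources, partially indexed,
    top data sources and hits by location type."""
    by_source = Counter()
    by_type = Counter()
    for row in rows:
        # A user's mailbox and OneDrive site roll up to the same data source.
        by_source[row["data_source"]] += row["hits"]
        by_type[row["location_type"]] += row["hits"]
    sources_with_hits = sum(1 for hits in by_source.values() if hits > 0)
    locations_with_hits = sum(1 for row in rows if row["hits"] > 0)
    return {
        "total_matches": sum(row["hits"] for row in rows),
        "locations": f"{locations_with_hits}/{len(rows)}",
        "locations_with_errors": [row["location"] for row in rows if row["error"]],
        "data_sources": f"{sources_with_hits}/{len(by_source)}",
        # Sample-based figure: treat as a lower bound until confirmed via review set or export.
        "partially_indexed_hits_estimate": sum(row["partially_indexed_hits"] for row in rows),
        # Top five sources by hits; zero-hit sources are not "top" anything.
        "top_data_sources": [(s, h) for s, h in by_source.most_common(5) if h > 0],
        "hits_by_location_type": dict(by_type),
    }


def needs_follow_up(summary: dict) -> list:
    """Reasons the figures should not yet be treated as final."""
    reasons = []
    if summary["locations_with_errors"]:
        reasons.append("some locations returned errors; check the downloaded report")
    if summary["partially_indexed_hits_estimate"] > 0:
        reasons.append("partially indexed hits are a sample estimate; confirm via review set or export")
    return reasons


if __name__ == "__main__":
    summary = scope_summary(load_report(REPORT_CSV))
    for key, value in summary.items():
        print(f"{key}: {value}")
    for reason in needs_follow_up(summary):
        print("follow up:", reason)
```

The data-source fraction (3/5 here) differs from the location fraction (4/6) because one user contributes two locations; when the two tiles disagree with the number of people and groups you selected, that mismatch is the first thing to check before adding results to the scope.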
Samples dashboard
Samples let you review a representative subset of individual items, with details for each item, returned for the search. The number of samples per location and the number of sampled locations defined in the search determine the number of sample items and how locations are represented among them.
The Samples dashboard columns include the following information for each item:
- Subject/Title: The subject or title of the items included in the sample.
- Date: The date the item was created or sent.
- Sender/Author: The sender or author of the item.
Select a sample item to view its source information. Where available for the item, this view shows a rich view of the selected item so you can evaluate its relevance in the context of the defined search data source and conditions.
Select Download reports to combine all sample results into a single .csv file. Select View settings to view the settings applied when the sample view was generated.