You can use search in Data Security Investigations (preview) to search for Microsoft 365 content such as email, documents, and instant messaging conversations in your organization that are relevant to a security incident. Use search to find content in these cloud-based Microsoft 365 data sources:
- Exchange Online mailboxes
- SharePoint sites
- OneDrive accounts
- Microsoft Copilot and Agent prompts and responses
- Microsoft Teams
You can create and run different searches that are associated with an investigation. You use conditions (such as keywords, file types, incidents, etc.) to build search queries that return search results with the data that's most likely relevant to the investigation. You can also:
- View search statistics that might help you refine a search query to narrow results.
- Preview the search results to quickly verify whether the relevant data is being found.
- Revise a query and rerun the search.
When you're satisfied with the results of a search and you're ready to review and analyze the results, you can add them to an investigation scope in the investigation. Adding copies of the original data to an investigation scope also facilitates the AI analysis and review process by providing you with advanced categorization, examination, and vector search tools.
Access search tools
Select Summary from the navigation options at the top of any page within a specific investigation to access the search tools.
Search tools include the data source picker, the query builder, and the search by file options. You can refine search query data sources and conditions at any time during the investigation and add the results to an investigation scope.
Data sources
In Microsoft 365, data is stored across three platforms: Exchange, Teams, and SharePoint. These platforms serve as the backbone for organizing and managing data within Microsoft 365 applications. Most Microsoft 365 apps store data in one or more of the following containers:
- Users: Data associated with individual users, such as their mail, 1:1 Teams messages, and OneDrive files.
- Groups: Data owned by the organization or a group of users within an organization. These groups are often referred to as Unified Groups or Teams.
In Data Security Investigations (preview), the concept of data sources streamlines the process of identifying and managing data across Microsoft 365 platforms. Analysts select a user or group and searches are scoped to those data sources only. Analysts can refine the scope by selecting or excluding specific locations as needed.
Analysts can also use organization-wide sources to perform search across your organization. Organization-wide sources include:
- All people and groups: Includes all users and all groups in your organization.
- All public folders: Includes all content in Exchange public folder mailboxes.
Query builder
The Query builder option in search provides a visual filtering experience when you build search queries in Data Security Investigations (preview). Use the query builder to construct complex queries with additional functionality, including AND, OR, and grouping of conditions. These features help you build queries more effectively, provide a visual interface for grouping subqueries, and provide additional space for complex keyword queries to be constructed and reviewed.
Using the query builder
To create a query and custom filtering for your search, use the following controls:
- AND/OR: These conditional logical operators allow you to select the query condition that applies to specific filters and filter subgroups. These operators allow you to use multiple filters or subgroups connected to a single filter in your query.
- Select a filter: Allows you to select filters that apply to the data sources and location content selected for the search.
- Add filter: Allows you to add multiple filters to your query. This control is available after you've defined at least one query filter.
- Select an operator: Depending on the selected filter, the operators compatible for the filter are available to select. For example, if the Date filter is selected, the available operators are Before, After, and Between. If the Size (in bytes) filter is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
- Value: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the Date filter is selected, select date values. If the Size (in bytes) filter is selected, select a value for bytes.
- Add subgroup: After you've defined a filter, you can add a subgroup to refine the results returned by the filter. You can also add a subgroup to a subgroup for multi-layered query refinement.
- Remove a filter condition: To remove an individual filter or subgroup, select the remove icon to the right of each filter line or subgroup.
- Clear all: To clear the entire query of all filters and subgroups, select Clear all.
Scenario example
A Data Security Investigations (preview) analyst needs to create a query that finds any item containing the keyword confidential that was used between January 1, 2025 and March 16, 2025. For this example, the analyst creates the following query using the query builder:
- For the first filter, the analyst selects Keyword, then selects the Equal operator, then enters confidential in the Value control.
- Next, the analyst selects Add subgroup and the AND operator, then selects Add filter.
- The analyst selects the Date filter, the Between operator, and start and ending dates for the Value.
- The analyst selects Save to save the query, then Review scope to run the search query.
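The following is an added example, not code from the Data Security Investigations product or its documentation. It models the query builder's filters, operators and AND/OR subgroups as a small evaluator so the grouping semantics can be checked against constructed sample items before a query is run against real mailboxes and sites. The item fields, the case-insensitive keyword match and the inclusive Between range are assumptions made for illustration; the real service's matching rules may differ.

```python
"""Added example (not Microsoft's code): a model of query-builder grouping.

Filters, operators and the AND/OR subgroup logic mirror the controls described
above. Item fields (subject, date, size, source), case-insensitive keyword
matching and an inclusive Between are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample items standing in for hits across several data sources.
SAMPLE_ITEMS = [
    {"id": 1, "subject": "Q1 budget - CONFIDENTIAL", "date": date(2025, 2, 3), "size": 48_000, "source": "user:alice"},
    {"id": 2, "subject": "Confidential: merger memo", "date": date(2024, 12, 30), "size": 12_000, "source": "user:bob"},
    {"id": 3, "subject": "Lunch menu", "date": date(2025, 1, 15), "size": 2_000, "source": "group:sales"},
    {"id": 4, "subject": "confidential offboarding list", "date": date(2025, 3, 16), "size": 900_000, "source": "user:alice"},
]

# Operators as listed for the Date and Size (in bytes) filters. Between is inclusive here (assumption).
_OPERATORS = {
    "Equal": lambda a, v: a == v,
    "Before": lambda a, v: a < v,
    "After": lambda a, v: a > v,
    "Greater than": lambda a, v: a > v,
    "Greater or equal": lambda a, v: a >= v,
    "Less than": lambda a, v: a < v,
    "Less or equal": lambda a, v: a <= v,
    "Between": lambda a, v: v[0] <= a <= v[1],
}


@dataclass
class Filter:
    """One filter line: a filter name, an operator compatible with it, and a value."""
    name: str       # "Keyword", "Date" or "Size (in bytes)"
    operator: str
    value: object

    def matches(self, item: dict) -> bool:
        if self.name == "Keyword":
            # Keyword Equal is modelled as a case-insensitive substring match (assumption).
            return str(self.value).lower() in item["subject"].lower()
        if self.name == "Date":
            return _OPERATORS[self.operator](item["date"], self.value)
        if self.name == "Size (in bytes)":
            return _OPERATORS[self.operator](item["size"], self.value)
        raise ValueError(f"unsupported filter: {self.name}")


@dataclass
class Group:
    """A filter group or subgroup; `logic` is the AND/OR control joining its children."""
    logic: str = "AND"
    children: list = field(default_factory=list)  # Filter or nested Group

    def matches(self, item: dict) -> bool:
        if not self.children:
            # Refuse an empty group instead of letting it silently match everything
            # and widen the investigation scope.
            raise ValueError("a group must contain at least one filter or subgroup")
        results = [child.matches(item) for child in self.children]
        return all(results) if self.logic == "AND" else any(results)


def run_search(query: Group, items: list = SAMPLE_ITEMS) -> list[int]:
    """Return the ids of items matching the query, in data-source order."""
    return [item["id"] for item in items if query.matches(item)]


def scenario_query() -> Group:
    """The scenario above: Keyword Equal confidential AND subgroup(Date Between Jan 1 and Mar 16, 2025)."""
    return Group("AND", [
        Filter("Keyword", "Equal", "confidential"),
        Group("AND", [Filter("Date", "Between", (date(2025, 1, 1), date(2025, 3, 16)))]),
    ])


def subgroup_or_query() -> Group:
    """Going beyond the scenario: Keyword AND (Size > 500000 OR Date Before 2025-01-01)."""
    return Group("AND", [
        Filter("Keyword", "Equal", "confidential"),
        Group("OR", [
            Filter("Size (in bytes)", "Greater than", 500_000),
            Filter("Date", "Before", date(2025, 1, 1)),
        ]),
    ])


if __name__ == "__main__":
    print("scenario hits:", run_search(scenario_query()))      # [1, 4]
    print("OR subgroup hits:", run_search(subgroup_or_query()))  # [2, 4]
```

The point of the second query is that an OR subgroup nested under an AND narrows only within the subgroup: the keyword condition still applies to every hit, while either the size or the date condition is enough inside the parentheses. Reading the query tree this way before selecting Review scope avoids pulling items into an investigation scope that a flat AND chain would have excluded.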
Create a search query with Microsoft Security Copilot
The Query with Copilot option in search allows you to use natural language and Microsoft Security Copilot to quickly generate a custom query in the query builder. Use this option to construct complex queries with additional functionality, including AND, OR, and grouping of conditions, all while using natural language prompts.
This feature also helps you build queries more easily using predefined prompts for common scenarios and allows you to refine and enhance custom prompts for more accurate search queries. You can also choose to use prompt suggestions as a starting point to create and refine KeyQL queries for common or custom search scenarios.
To create a search query with Copilot, complete the following steps:
- After you select data sources for your query, select Query with Copilot.
- Enter your search query question in the Describe what you'd like to find field. You can include user, data source, and other content details as applicable.
- Select View prompts to select one of the following prompt suggestions:
- Find all emails containing the words budget and finance and have attachments
- Search for files of type .docx that contain the words confidential and budget
- Select Review scope to see estimates and statistics for the search or add the results directly to your investigation scope. If you want to save the query parameters you've defined and run the query later, select Save.
Find from file
The From file option allows you to upload one or more files to find related content for a specific investigation. Use an audit activity .csv file to find related messages and files for a specific user within a specific time frame. Each file is limited to a 10-MB maximum size, and only .csv files are supported. The query builder is disabled when searching by file.
Scope dashboard
The Search tab displays statistics and metrics for the data results included in the search query. This view helps you determine if the search query results are ready for adding to the investigation scope or if you need to refine your query for broader or narrower results.
The search results for the Scope dashboard are included in the following sections:
Summary: This section shows the number of search hits, locations, data sources, and the total file size of partially indexed items.
- Total matches: Displays the total search hit count and volume from all items matching the query criteria from locations searched.
- Locations: Displays the fraction of locations with hits out of all locations searched. The numerator shows the locations with hits and denominator shows the number of locations searched. Locations with errors are shown in red. To view full details on all the locations and associated hits and errors, select Download report to download the full .csv report.
- Data sources: Displays the fraction of data sources with hits out of all data sources searched. The numerator shows the data sources with hits and the denominator shows the number of data sources included in the search. This count is consistent with the data sources selected in the search design flow and should match the number of people or groups included in the search. A tenant-wide data source of All people and all groups counts as a single data source.
- Partially indexed items or "Advanced indexed items hits": Displays the count and volume of partially indexed and unindexed items returned as part of the search. The advanced indexed hit count is an estimate from a statistical sample of the partially indexed items; the actual number of hits might be higher and should be confirmed by using the add to review set and export search results actions.
- Top data sources: Displays the top five data sources that make up the most search hits matching your query. The names of these data sources (names of users, groups, or organization-wide locations) are listed with the hit count. These data sources should match what you selected in the data sources workflow when building the search query.
- Indexing status: Breakdown of unindexed (including partially indexed) and fully indexed data items.
- Top location type: Hit count by location type (mailbox versus site).
Select Regenerate view to rerun the query and to review the most current results. Select Download report to combine all Scope results into a single .csv file. When viewing the top 100 results for any trend area, select Download report for a .csv file of the top 100 results of the selected hit trend.
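The following is an added example, not code from the product or its documentation. It recomputes the Scope dashboard figures (total matches, the locations and data sources fractions, locations with errors, top data sources and hits by location type) from a downloaded location report, and adds the consistency check the Data sources section calls for: every person or group selected in the search design flow should appear in the report. The column names and report rows are constructed assumptions; the real .csv report's columns may differ and should be checked before using this against it.

```python
"""Added example (not Microsoft's code): recompute Scope dashboard figures offline.

The report columns (Location, DataSource, LocationType, Hits, Error) and the
rows below are constructed assumptions about the downloaded .csv report.
"""
import csv
import io
from collections import Counter

# Constructed stand-in for a downloaded Scope report. One OneDrive site returned an error.
REPORT_CSV = """Location,DataSource,LocationType,Hits,Error
alice@contoso.com,user:alice@contoso.com,Mailbox,37,
https://contoso-my.sharepoint.com/personal/alice,user:alice@contoso.com,Site,5,
bob@contoso.com,user:bob@contoso.com,Mailbox,0,
https://contoso-my.sharepoint.com/personal/bob,user:bob@contoso.com,Site,0,Access denied
https://contoso.sharepoint.com/sites/sales,group:sales,Site,12,
sales@contoso.com,group:sales,Mailbox,2,
"""

# Data sources the analyst selected when building the search (assumed). One of them
# never appears in the report, which the check below surfaces as a coverage gap.
SELECTED_DATA_SOURCES = {
    "user:alice@contoso.com",
    "user:bob@contoso.com",
    "group:sales",
    "user:carol@contoso.com",
}


def summarize_scope(report_text: str, selected_sources: set) -> dict:
    """Return the dashboard-style figures for a location report."""
    rows = list(csv.DictReader(io.StringIO(report_text)))
    hits_by_source = Counter()
    hits_by_type = Counter()
    locations_with_hits = 0
    errors = []

    for row in rows:
        hits = int(row["Hits"] or 0)
        if hits > 0:
            locations_with_hits += 1
        if row["Error"]:
            # A location with an error still counts as searched, so it stays in the
            # denominator; it is listed separately so nobody mistakes 0 hits for "no data".
            errors.append((row["Location"], row["Error"]))
        hits_by_source[row["DataSource"]] += hits
        hits_by_type[row["LocationType"]] += hits

    reported_sources = set(hits_by_source)
    sources_with_hits = sum(1 for hits in hits_by_source.values() if hits > 0)

    return {
        "total_matches": sum(hits_by_source.values()),
        # (numerator, denominator) exactly as the dashboard presents the fraction
        "locations": (locations_with_hits, len(rows)),
        "locations_with_errors": errors,
        "data_sources": (sources_with_hits, len(reported_sources)),
        "top_data_sources": hits_by_source.most_common(5),
        "hits_by_location_type": dict(hits_by_type),
        # Selected sources absent from the report: the denominator would be smaller
        # than the number of people or groups chosen, which the text says should match.
        "missing_sources": sorted(selected_sources - reported_sources),
    }


if __name__ == "__main__":
    summary = summarize_scope(REPORT_CSV, SELECTED_DATA_SOURCES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Two things the figures alone do not tell you: a location that errored contributes nothing to the numerator even if it holds relevant content, so the error list needs to be cleared (or the gap documented) before the results are added to an investigation scope; and the partially indexed count on the dashboard is a sampled estimate, so none of the totals above should be treated as the final size of what an export or scope will contain.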
Samples dashboard
Samples allow you to inspect a representative subset of the individual items returned by the search, with details for each item. The number of samples per location and the number of sample locations configured for the search determine how many sample items are shown and how many locations they represent.
The search results for the Samples dashboard columns contain the following information for each item:
- Subject/Title: The subject or title of the items included in the sample.
- Date: The date the item was created or sent.
- Sender/Author: The sender or author of the item.
Select a sample item to view the Source information for the item. If available for the item, this view displays a rich view of a selected item so that you can evaluate the relevancy of the item as it relates to the defined search data source and conditions.
Select Download reports to combine all Sample results into a single .csv file. Select View settings to view the settings applied to the sample view generation.