

Search, review, and refine results in Data Security Investigations (preview)

You can use search in Data Security Investigations (preview) to search for Microsoft 365 content such as email, documents, and instant messaging conversations in your organization that are relevant to a security incident. Use search to find content in these cloud-based Microsoft 365 data sources:

  • Exchange Online mailboxes
  • SharePoint sites
  • OneDrive accounts
  • Microsoft Copilot and Agent prompts and responses
  • Microsoft Teams

You can create and run different searches that are associated with an investigation. You use conditions (such as keywords, file types, incidents, etc.) to build search queries that return search results with the data that's most likely relevant to the investigation. You can also:

  • View search statistics that might help you refine a search query to narrow results.
  • Preview the search results to quickly verify whether the relevant data is being found.
  • Revise a query and rerun the search.

When you're satisfied with the results of a search and you're ready to review and analyze the results, you can add them to an investigation scope in the investigation. Adding copies of the original data to an investigation scope also facilitates the AI analysis and review process by providing you with advanced categorization, examination, and vector search tools.

Access search tools

Select Summary from the navigation options at the top of any page within a specific investigation to access the search tools.

Search tools include the data source picker, the query builder, and the search by file options. You can refine search query data sources and conditions at any time during the investigation and add the results to an investigation scope.

Data sources

In Microsoft 365, data is stored across three platforms: Exchange, Teams, and SharePoint. These platforms serve as the backbone for organizing and managing data within Microsoft 365 applications. Most Microsoft 365 apps store data in one or more of the following containers:

  • Users: Data associated with individual users, such as their mail, 1:1 Teams messages, and OneDrive files.
  • Groups: Data owned by the organization or a group of users within an organization. These groups are often referred to as Unified Groups or Teams.

In Data Security Investigations (preview), the concept of data sources streamlines the process of identifying and managing data across Microsoft 365 platforms. Analysts select a user or group and searches are scoped to those data sources only. Analysts can refine the scope by selecting or excluding specific locations as needed.

Analysts can also use organization-wide sources to perform search across your organization. Organization-wide sources include:

  • All people and groups: Includes all users and all groups in your organization.
  • All public folders: Includes all content in Exchange public folders mailboxes.

Query builder

The Query builder option in search provides a visual filtering experience when you build search queries in Data Security Investigations (preview). Use the query builder to construct complex queries with additional functionality, including AND, OR, and grouping of conditions. These features in the query builder help you build queries more effectively, provide a visual interface for grouping subqueries, and provide additional space for complex keyword queries to be constructed and reviewed.

Using the query builder

To create a query and custom filtering for your search, use the following controls:

  • AND/OR: These conditional logical operators allow you to select the query condition that applies to specific filters and filter subgroups. These operators allow you to use multiple filters or subgroups connected to a single filter in your query.
  • Select a filter: Allows you to select filters for the specific data sources and location content selected for the collection.
  • Add filter: Allows you to add multiple filters to your query. This control is available after you've defined at least one query filter.
  • Select an operator: Depending on the selected filter, the operators compatible for the filter are available to select. For example, if the Date filter is selected, the available operators are Before, After, and Between. If the Size (in bytes) filter is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
  • Value: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the Date filter is selected, select date values. If the Size (in bytes) filter is selected, select a value for bytes.
  • Add subgroup: After you've defined a filter, you can add a subgroup to refine the results returned by the filter. You can also add a subgroup to a subgroup for multi-layered query refinement.
  • Remove a filter condition: To remove an individual filter or subgroup, select the remove icon to the right of each filter line or subgroup.
  • Clear all: To clear the entire query of all filters and subgroups, select Clear all.

Scenario example

A Data Security Investigations (preview) analyst needs to create a query for any item that includes the keyword confidential used between January 1, 2025 and March 16, 2025. For this example, the analyst creates the following query using the query builder:

  1. For the first filter, the analyst selects Keyword, then selects the Equal operator, then enters confidential in the Value control.
  2. Next, the analyst selects Add subgroup and the AND operator, then the Add filter.
  3. The analyst selects the Date filter, the Between operator, and start and ending dates for the Value.
  4. The analyst selects Save to save the query, then Review scope to run the search query.

Query builder example.
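To make the AND/OR and subgroup semantics concrete, the following is an added example that is not part of this page or of the product: a small model of the query builder's filters, operators and subgroups, evaluated against constructed sample items. The Item schema, the substring matching for Keyword, and the inclusive handling of Between are assumptions for illustration only; the product's own query engine is not exposed here.

```python
# Added example (not Microsoft's code): a model of the query builder's filters,
# operators and AND/OR subgroups, run against constructed sample items.
# Assumptions: Keyword Equal is a case-insensitive substring match over subject
# and body; Between is inclusive at both ends; the Item fields are illustrative.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Union


@dataclass
class Item:
    subject: str
    body: str
    sent: date
    size_bytes: int


@dataclass
class Filter:
    field: str      # "Keyword", "Date" or "Size (in bytes)"
    operator: str   # one of the operators the page lists for that filter
    value: object   # str, date, int, or a (low, high) tuple for Between


@dataclass
class Group:
    operator: str   # "AND" or "OR", applied to the children of this subgroup
    children: List[Union[Filter, "Group"]] = field(default_factory=list)


Node = Union[Filter, Group]


def _compare(operator: str, actual, value) -> bool:
    # Shared comparison logic for the Date and Size (in bytes) filters.
    if operator in ("Before", "Less than"):
        return actual < value
    if operator == "Less or equal":
        return actual <= value
    if operator in ("After", "Greater than"):
        return actual > value
    if operator == "Greater or equal":
        return actual >= value
    if operator == "Equal":
        return actual == value
    if operator == "Between":
        low, high = value
        return low <= actual <= high
    raise ValueError(f"unsupported operator {operator!r}")


def match_filter(f: Filter, item: Item) -> bool:
    if f.field == "Keyword":
        if f.operator != "Equal":
            raise ValueError("Keyword supports only the Equal operator in this model")
        return f.value.lower() in f"{item.subject} {item.body}".lower()
    if f.field == "Date":
        return _compare(f.operator, item.sent, f.value)
    if f.field == "Size (in bytes)":
        return _compare(f.operator, item.size_bytes, f.value)
    raise ValueError(f"unknown filter {f.field!r}")


def evaluate(node: Node, item: Item) -> bool:
    # A subgroup applies its own AND/OR to its children, so nesting composes naturally.
    if isinstance(node, Filter):
        return match_filter(node, item)
    results = (evaluate(child, item) for child in node.children)
    return all(results) if node.operator == "AND" else any(results)


def run_query(query: Node, items: List[Item]) -> List[str]:
    """Return the subjects of the items the query matches, in input order."""
    return [it.subject for it in items if evaluate(query, it)]


# Constructed sample items (not real tenant data).
SAMPLE_ITEMS = [
    Item("Q1 budget", "confidential figures attached", date(2025, 2, 10), 1200),
    Item("Lunch", "pizza on Friday", date(2025, 2, 11), 800),
    Item("Old memo", "confidential", date(2024, 12, 30), 300),
    Item("Late confidential notes", "", date(2025, 4, 1), 900_000),
    Item("Vendor list", "CONFIDENTIAL - do not forward", date(2025, 3, 16), 2000),
]

# The scenario from the page: Keyword Equal "confidential", with a subgroup
# requiring Date Between January 1, 2025 and March 16, 2025.
SCENARIO_QUERY = Group("AND", [
    Filter("Keyword", "Equal", "confidential"),
    Group("AND", [Filter("Date", "Between", (date(2025, 1, 1), date(2025, 3, 16)))]),
])

if __name__ == "__main__":
    print(run_query(SCENARIO_QUERY, SAMPLE_ITEMS))
```

Running the block prints the two subjects that carry the keyword and fall inside the date window; the item dated after March 16 and the one from December 2024 are excluded even though both contain the keyword, which is exactly the narrowing the subgroup provides.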

Create a search query with Microsoft Security Copilot

The Query with Copilot option in search allows you to use natural language and Microsoft Security Copilot to quickly generate a custom query in the query builder. Use this option to construct complex queries with additional functionality, including AND, OR, and grouping of conditions, all while using natural language prompts.

This feature also helps you build queries more easily using predefined prompts for common scenarios and allows you to refine and enhance custom prompts for more accurate search queries. You can also choose to use prompt suggestions as a starting point to create and refine KeyQL queries for common or custom search scenarios.

To create a search query with Copilot, complete the following steps:

  1. After you select data sources for your query, select Query with Copilot.
    • Enter your search query question in the Describe what you'd like to find field. You can include user, data source, and other content details as applicable.
    • Select View prompts to select one of the following prompt suggestions:
      • Find all emails containing the words budget and finance and have attachments
      • Search for files of type .docx that contain the words confidential and budget
  2. Select Review scope to see estimates and statistics for the search or add the results directly to your investigation scope. If you want to save the query parameters you've defined and run the query later, select Save.

Find from file

The From file option allows you to upload one or more files to find related content for a specific investigation. Use an audit activity .csv to find related messages and files for a specific user within a specific time frame. Each file is limited to a 10-MB maximum file size, and files can be in .csv format. Query builder is disabled when searching by file.

Scope dashboard

The Search tab displays statistics and metrics for the data results included in the search query. This view helps you determine if the search query results are ready for adding to the investigation scope or if you need to refine your query for broader or narrower results.

The search results for the Scope dashboard are included in the following sections:

  • Summary: This section shows the number of search hits, locations, data sources, and the total file size of partially indexed items.

    • Total matches: Displays the total search hit count and volume from all items matching the query criteria from locations searched.
    • Locations: Displays the fraction of locations with hits out of all locations searched. The numerator shows the locations with hits and the denominator shows the number of locations searched. Locations with errors are shown in red. To view full details on all the locations and associated hits and errors, select Download report to download the full .csv report.
    • Data sources: Displays the fraction of data sources with hits out of all data sources searched. The numerator shows the data sources with hits and the denominator shows the number of data sources included in the search. This count is consistent with the data sources in the search design flow and should match the number of people or groups included in the search. A tenant-wide data source of All people and all groups counts as a single data source.
    • Partially indexed items or "Advanced indexed items hits": Displays the count and volume of partially and unindexed items returned as part of the search. The advanced indexed hit count comes from a statistical sample of the partially indexed items; the actual hits may be higher and should be confirmed by using the add to review set and export actions on the search results.
    • Top data sources: Shows the top five data sources that make up the majority of the search results matching the query. The names of these data sources (user names, groups, or organization-wide locations) are listed with their hit counts. These data sources should match what you selected in the data sources workflow when building the search query.
    • Indexing status: Breakdown of unindexed (including partially indexed) and fully indexed data items.
    • Top location type: Hit count by location type (mailbox versus site).
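The fractions in the Summary section are easier to read once you see how they are derived. The following is an added example that is not part of this page or of the product: it aggregates constructed per-location results into the same figures the dashboard reports (total matches, locations with hits out of locations searched, data sources with hits out of data sources searched, partially indexed hits, top data sources, and top location type). The record fields, the user and site names, and the error text are constructed for illustration; the product's real report schema is not exposed here.

```python
# Added example (not Microsoft's code): deriving the Scope dashboard Summary
# figures from per-location search results. All records below are constructed.
from collections import Counter
from typing import Dict, List, Tuple

# One record per location searched. Note that one data source (Bob) spans two
# locations: his mailbox and his OneDrive site. The error string is a placeholder.
LOCATION_RESULTS: List[Dict] = [
    {"location": "alice@contoso.example", "type": "mailbox", "data_source": "Alice",
     "hits": 12, "volume_bytes": 3_000_000, "partially_indexed_hits": 1, "error": None},
    {"location": "https://contoso.example/sites/finance", "type": "site",
     "data_source": "Finance group", "hits": 30, "volume_bytes": 9_000_000,
     "partially_indexed_hits": 4, "error": None},
    {"location": "bob@contoso.example", "type": "mailbox", "data_source": "Bob",
     "hits": 0, "volume_bytes": 0, "partially_indexed_hits": 0, "error": None},
    {"location": "https://contoso.example/personal/bob", "type": "site",
     "data_source": "Bob", "hits": 5, "volume_bytes": 500_000,
     "partially_indexed_hits": 0, "error": None},
    {"location": "carol@contoso.example", "type": "mailbox", "data_source": "Carol",
     "hits": 0, "volume_bytes": 0, "partially_indexed_hits": 0,
     "error": "PLACEHOLDER_LOCATION_ERROR"},
]


def summarize_scope(results: List[Dict], tenant_wide: bool = False) -> Dict:
    """Build the Summary figures. tenant_wide models an All people and groups
    search, which the page says counts as a single data source."""
    with_hits = [r for r in results if r["hits"] > 0]
    errors = [r["location"] for r in results if r["error"]]

    hits_per_source: Counter = Counter()
    hits_per_type: Counter = Counter()
    for r in results:
        hits_per_source[r["data_source"]] += r["hits"]
        hits_per_type[r["type"]] += r["hits"]

    if tenant_wide:
        sources_searched = 1
        sources_with_hits = 1 if with_hits else 0
    else:
        sources_searched = len(hits_per_source)
        sources_with_hits = sum(1 for c in hits_per_source.values() if c > 0)

    # Top five data sources by hit count, dropping sources that contributed nothing.
    top_sources: List[Tuple[str, int]] = [
        (name, count) for name, count in hits_per_source.most_common(5) if count > 0
    ]

    return {
        "total_hits": sum(r["hits"] for r in results),
        "total_volume_bytes": sum(r["volume_bytes"] for r in results),
        "locations": (len(with_hits), len(results)),          # numerator / denominator
        "locations_with_errors": errors,                       # shown in red on the dashboard
        "data_sources": (sources_with_hits, sources_searched), # numerator / denominator
        "partially_indexed_hits": sum(r["partially_indexed_hits"] for r in results),
        "top_data_sources": top_sources,
        "top_location_type": hits_per_type.most_common(1)[0] if hits_per_type else None,
    }


if __name__ == "__main__":
    for key, value in summarize_scope(LOCATION_RESULTS).items():
        print(f"{key}: {value}")
```

The distinction the example makes visible is the one that most often confuses first-time readers of the dashboard: the Locations fraction counts mailboxes and sites individually (3 of 5 here, with one location in error), while the Data sources fraction counts people and groups (3 of 4), so a user with a mailbox and a OneDrive contributes two locations but one data source.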

Select Regenerate view to rerun the query and review the latest results. Select Download report to combine all scope results into a single .csv file. When viewing the top 100 results of any trend area, select Download report to get a .csv file of the top 100 results for the selected hit trend.

Samples dashboard

Samples let you inspect a representative subset of individual items and the details of each item returned for the search. The number of samples per location and the number of sample locations defined in the search determine the number of sample items and the location representation in the sample items.

The search results in the Samples dashboard columns contain the following information for each item:

  • Subject or title: The subject or title of the items included in the sample.
  • Date: The date the item was created or sent.
  • Sender or author: The sender or author of the item.

Select a sample item to view the item's source information. If available for the item, this view shows a rich view of the selected item so you can evaluate the item's relevance to the defined search data source and conditions.

Select Download reports to combine all sample results into a single .csv file. Select View settings to view the settings applied when generating the sample view.