Search, review, and refine results in Data Security Investigations (preview)

You can use search in Data Security Investigations (preview) to search for Microsoft 365 content such as email, documents, and instant messaging conversations in your organization that are relevant to a security incident. Use search to find content in these cloud-based Microsoft 365 data sources:

  • Exchange Online mailboxes
  • SharePoint sites
  • OneDrive accounts
  • Microsoft Copilot and Agent prompts and responses
  • Microsoft Teams

You can create and run different searches that are associated with an investigation. You use conditions (such as keywords, file types, or incidents) to build search queries that return the data most likely to be relevant to the investigation. You can also:

  • View search statistics that might help you refine a search query to narrow results.
  • Preview the search results to quickly verify whether the relevant data is being found.
  • Revise a query and rerun the search.

When you're satisfied with the results of a search and you're ready to review and analyze the results, you can add them to an investigation scope in the investigation. Adding copies of the original data to an investigation scope also facilitates the AI analysis and review process by providing you with advanced categorization, examination, and vector search tools.

Access search tools

Select Summary from the navigation options at the top of any page within a specific investigation to access the search tools.

Search tools include the data source picker, the query builder, and the search by file options. You can refine search query data sources and conditions at any time during the investigation and add the results to an investigation scope.

Data sources

In Microsoft 365, data is stored across three platforms: Exchange, Teams, and SharePoint. These platforms serve as the backbone for organizing and managing data within Microsoft 365 applications. Most Microsoft 365 apps store data in one or more of the following containers:

  • Users: Data associated with individual users, such as their mail, 1:1 Teams messages, and OneDrive files.
  • Groups: Data owned by the organization or a group of users within an organization. These groups are often referred to as Unified Groups or Teams.

In Data Security Investigations (preview), the concept of data sources streamlines the process of identifying and managing data across Microsoft 365 platforms. Analysts select a user or group and searches are scoped to those data sources only. Analysts can refine the scope by selecting or excluding specific locations as needed.

Analysts can also use organization-wide sources to perform search across your organization. Organization-wide sources include:

  • All people and groups: Includes all users and all groups in your organization.
  • All public folders: Includes all content in Exchange public folder mailboxes.

Query builder

The Query builder option in search provides a visual filtering experience when you build search queries in Data Security Investigations (preview). Use the query builder to construct complex queries with additional functionality, including AND, OR, and grouping of conditions. These features help you build queries more effectively, provide a visual interface for grouping subqueries, and provide additional space for complex keyword queries to be constructed and reviewed.

Using the query builder

To create a query and custom filtering for your search, use the following controls:

  • AND/OR: These logical operators determine how a filter, or a subgroup of filters, is combined with the rest of the query. They let you connect multiple filters or subgroups to a single filter in your query.
  • Select a filter: Allows you to select filters for the specific data sources and location content selected for the search.
  • Add filter: Allows you to add multiple filters to your query. This control is available after you've defined at least one query filter.
  • Select an operator: Depending on the selected filter, the operators compatible with that filter are available to select. For example, if the Date filter is selected, the available operators are Before, After, and Between. If the Size (in bytes) filter is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
  • Value: Depending on the selected filter, the values compatible with that filter are available. Some filters support multiple values and some filters support a single value. For example, if the Date filter is selected, select date values. If the Size (in bytes) filter is selected, enter a value in bytes.
  • Add subgroup: After you've defined a filter, you can add a subgroup to refine the results returned by the filter. You can also add a subgroup to a subgroup for multi-layered query refinement.
  • Remove a filter condition: To remove an individual filter or subgroup, select the remove icon to the right of each filter line or subgroup.
  • Clear all: To clear the entire query of all filters and subgroups, select Clear all.

Scenario example

A Data Security Investigations (preview) analyst needs to create a query that returns any item containing the keyword confidential and dated between January 1, 2025 and March 16, 2025. For this example, the analyst creates the following query using the query builder:

  1. For the first filter, the analyst selects Keyword, then selects the Equal operator, then enters confidential in the Value control.
  2. Next, the analyst selects Add subgroup and the AND operator, then Add filter.
  3. The analyst selects the Date filter, the Between operator, and start and ending dates for the Value.
  4. The analyst selects Save to save the query, then Review scope to run the search query.


Create a search query with Microsoft Security Copilot

The Query with Copilot option in search allows you to use natural language and Microsoft Security Copilot to quickly generate a custom query in the query builder. Use this option to construct complex queries with additional functionality, including AND, OR, and grouping of conditions, all while using natural language prompts.

This feature also helps you build queries more easily using predefined prompts for common scenarios and allows you to refine and enhance custom prompts for more accurate search queries. You can also choose to use prompt suggestions as a starting point to create and refine KeyQL queries for common or custom search scenarios.

To create a search query with Copilot, complete the following steps:

  1. After you select data sources for your query, select Query with Copilot.
    • Enter your search query question in the Describe what you'd like to find field. You can include user, data source, and other content details as applicable.
    • Select View prompts to select one of the following prompt suggestions:
      • Find all emails containing the words budget and finance and have attachments
      • Search for files of type .docx that contain the words confidential and budget
  2. Select Review scope to see estimates and statistics for the search or add the results directly to your investigation scope. If you want to save the query parameters you've defined and run the query later, select Save.

Find from file

The From file option allows you to upload one or more files to find related content for a specific investigation. Use an audit activity .csv file to find related messages and files for a specific user within a specific time frame. Each file is limited to a maximum size of 10 MB and must be a .csv file. The query builder is disabled when searching by file.
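The page does not say how the audit activity .csv for the From file option is produced. The following script is an added example, not part of the original page or of the product, that builds such a file from the unified audit log with Exchange Online PowerShell for one user and one time frame, then checks the 10 MB upload limit before you upload it. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account has audit log search permissions, and that the default Search-UnifiedAuditLog export columns are acceptable input for the From file option (the page does not specify the expected column layout). The user name, dates and output path are placeholders.

```powershell
# Added example (not from the original page or product): build an audit activity .csv for one
# user and time frame, suitable for upload with the From file option.
# Assumptions: ExchangeOnlineManagement module installed; the caller can search the audit log;
# the default Search-UnifiedAuditLog columns are accepted by From file (not stated on the page).
param(
    [Parameter(Mandatory)] [string]   $UserPrincipalName,          # placeholder, e.g. alex@contoso.com
    [Parameter(Mandatory)] [datetime] $StartDate,
    [Parameter(Mandatory)] [datetime] $EndDate,
    [string] $OutFile = ".\audit-activity.csv"                      # placeholder output path
)

Connect-ExchangeOnline -ShowBanner:$false

# Page through the audit log with a session. ReturnLargeSet returns up to 5,000 records per
# call and at most 50,000 records per session; an empty page means the session is exhausted.
$sessionId = "dsi-fromfile-" + [guid]::NewGuid().ToString()
$records   = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -UserIds $UserPrincipalName `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records.AddRange(@($page)) }
} while ($page -and @($page).Count -gt 0)

if ($records.Count -eq 0) {
    Write-Warning "No audit records for $UserPrincipalName between $StartDate and $EndDate."
    return
}

# Keep only the columns an investigator needs; AuditData is the raw JSON payload per event.
$records |
    Sort-Object CreationDate |
    Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# From file rejects uploads larger than 10 MB, so check before uploading.
$sizeMB = (Get-Item $OutFile).Length / 1MB
if ($sizeMB -gt 10) {
    Write-Warning ("{0} is {1:N1} MB; exceeds the 10 MB limit. Narrow the time frame or split the file." -f $OutFile, $sizeMB)
} else {
    Write-Host ("Wrote {0} records ({1:N2} MB) to {2}" -f $records.Count, $sizeMB, $OutFile)
}
```

Save the script under a name of your choosing (for example `Get-AuditActivityCsv.ps1`, a placeholder) and run it as `.\Get-AuditActivityCsv.ps1 -UserPrincipalName alex@contoso.com -StartDate 2025-01-01 -EndDate 2025-03-16`. If the 50,000-record session cap or the 10 MB limit is hit, split the time frame into smaller windows and upload each .csv separately.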

Scope dashboard

The Search tab displays statistics and metrics for the data results included in the search query. This view helps you determine if the search query results are ready for adding to the investigation scope or if you need to refine your query for broader or narrower results.

The search results for the Scope dashboard are included in the following sections:

  • Summary: This section shows the number of search hits, locations, data sources, and the total file size of partially indexed items.

    • Total matches: Displays the total search hit count and volume from all items matching the query criteria from locations searched.
    • Locations: Displays the fraction of locations with hits out of all locations searched. The numerator shows the locations with hits and denominator shows the number of locations searched. Locations with errors are shown in red. To view full details on all the locations and associated hits and errors, select Download report to download the full .csv report.
    • Data sources: Displays the fraction of data sources with hits out of all data sources searched. The numerator shows the data sources with hits and the denominator shows the number of data sources included in the search. This count is consistent with the data sources selected in the search design flow and should match the number of people or groups included in the search. A tenant-wide data source of All people and all groups counts as a single data source.
    • Partially indexed items or "Advanced indexed items hits": Displays the count and volume of partially indexed and unindexed items returned as part of the search. The advanced indexed hit count is taken from a statistical sample of the partially indexed items, so the actual hit count may be higher; verify it by using the add to review set and export search results actions.
    • Top data sources: Displays the five data sources that account for the most search hits matching the query. The name of each data source (the user, group, or organization-wide location) is listed with its hit count. These data sources should match the ones you selected in the data sources workflow when building the search query.
    • Indexing status: A breakdown of unindexed (including partially indexed) and fully indexed data items.
    • Top location types: Hit counts by location type (mailboxes and sites).

Select Regenerate view to rerun the query and review the latest results. Select Download report to combine all scope results into a single .csv file. When viewing the top 100 results for a trend area, select Download report for a .csv file of the top 100 results of the selected hit trend.

Sample dashboard

Samples let you inspect a representative subset of individual items, with details for each item returned by the search. The number of samples per location and the number of sample locations defined in the search determine how many sample items are shown and which locations are represented.

The Sample dashboard columns include the following information for each item:

  • Subject/Title: The subject or title of the item included in the sample.
  • Date: The date the item was created or sent.
  • Sender/Author: The sender or author of the item.

Select a sample item to view its source information. Where available for the item, this view shows a rich rendering of the selected item so you can evaluate its relevance to the defined search data sources and conditions.

Select Download report to combine all sample results into a single .csv file. Select View settings to see the settings applied when the sample view was generated.