Process report
eDiscovery includes a Process manager that lists all processes scoped to the eDiscovery page you are currently on. For example, if you are on the Search page, the Process manager lists all processes relevant to the current search. If you are in a case, the Process manager lists all processes relevant to the current case. Once a process is completed, its entry in the Process manager list provides a report .zip file with detailed information about the process. You can download the process report .zip file for more information about when the process was run, the applied settings, the query used, and whether the process had any item-level or location-level errors.
Important
Processes listed on the Process manager page can't be deleted or removed. Long-running processes automatically time out after seven days.
Process types and descriptions
These processes are triggered by user actions when using and managing searches, review sets, and holds.
Process type | Area | Description |
---|---|---|
Add to review | Review set | A user adds search results to a review set or adds items into the review set from another review set. The items are copied to an Azure Storage location and then those items in the Azure Storage location are reindexed. This new index is used when querying and analyzing items in the data set. |
Applying or updating hold | Hold | A user places data sources on hold or updates a hold. |
Export | Search, Review set | A user exports documents from a search or a review set. When the export process is complete, they can download the exported data to a local computer. |
Generate sample | Search | After a user creates and runs a new search estimate (or reruns an existing search estimate), the search tool prepares a sample subset of items (that match the search query) that can be previewed. Previewing search results helps you determine the effectiveness of the search. |
Generate statistics | Search | After a user creates and runs or reruns a search estimate, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items returned by the search, the number of data sources searched, and other patterns relevant to the search hits, such as keywords, sensitive information types, and more. |
Run analytics | Search | A user analyzes data in a review set by running eDiscovery analytics tools such as near duplicate detection, email threading analysis, and themes analysis. |
Tag | Review set | This process is triggered when a user selects Start tagging process in the Tagging panel when reviewing documents in a review set. A user can start this process after tagging documents in a review set and then bulk-selecting them in the view document panel. |
Process status
The following table describes the different status states for processes:
Status | Description |
---|---|
Abandoned | The process was automatically stopped. This stoppage might be due to excessive processing time or other reasons. |
Canceled | The process was canceled by the user. |
Complete | The process was successfully completed. |
Failed | The process encountered an error and failed to complete. This might be caused by a wrongly formatted query. |
In progress | The process is in progress. You can monitor the progress of the process in the Process manager for the area. |
Download report
All processes support the ability to download a packaged report. The packaged report name is Reports-caseName-EntityName-ProcessName-timestamp.zip, where EntityName is the user-given name of the search or hold. Depending on the process, the report contains different .csv files.
- Summary: Tracks the time the process started, when it ended, the number of total items or locations, and the user who submitted the process request. It also contains the search query used and if a compliance boundary is applied. For Add to review set and Export from search processes, the summary report contains the summary of factors affecting the total item count added to review set or exported. The report name is Summary_the date/time of the report.csv.
- Settings: Contains the enumerated settings parameter for the process and values. The report name is Settings_the date/time of the report.
- Statistics: Contains all statistics details for the process, including all categories (if the setting was selected during process submission) such as sensitive information types, data type, and communication participants. The report name is Statistics_the date/time of the report.
- Locations: Tracks all data sources and associated locations scoped for the process. Includes the user/group entity name, location (mailbox/site URL), and count returned for that location. Also includes the status of the location (success/error and error detail). The report name is Locations_the date/time of the report.
- Items: Tracks all items processed, including information such as item ID, location of the item, subject/title of the item, item class/type, and success/error status. The report name is Items_the date/time of the report.
The following table shows the process types and available reports:
Process type | Summary | Settings | Statistics | Location | Items |
---|---|---|---|---|---|
Add to review | ✓ | ✓ | ✓ | ✓ | |
Apply hold/rerun policy | ✓ | ✓ | | | |
Export (review set) | ✓ | ✓ | ✓ | ✓ | |
Export (search) | ✓ | ✓ | ✓ | ✓ | |
Generate sample | ✓ | ✓ | ✓ | ✓ | |
Generate statistics | ✓ | ✓ | ✓ | ✓ | |
Redact | ✓ | ✓ | ✓ | | |
Tag | ✓ | ✓ | | | |
Summary CSV report
All reporting packages contain a Summary-the date/time of the report.csv file. This file contains the following information:
Overview
The following details are included in this section of the report:
- Job ID: A unique identifier assigned to each eDiscovery process for support reference purposes.
- Case name: The name assigned to the eDiscovery case.
- Search name: The name given to a specific search within an eDiscovery case when the process is run. Only applicable for processes like Generate statistics, Generate sample, Add to review set, and Export from a search.
- Review set name: The name of the review set where search results are added when the process is run. Only applicable for the Add to review set and Export from a review set processes.
- Export name: The name given to the export. Only applicable for the Add to review set and Export from a review set processes.
- IsRetry: Indicates if the current process is triggered by the Retry failed locations operation. If the value is Yes, it contains the aggregated hit count and the location reports detail the failed locations. Only applicable for the Generate statistics process.
- Query: The query conditions for the applicable process types.
- StartTime: The date/time when the report generation was started.
- EndTime: The date/time when the report generation was completed.
- SubmittedBySmtp: The SMTP address for the user creating the report.
- Security filter applied: Indicates if security filters were applied during the process run. Yes indicates that filters were used to limit results based on specified criteria set by an admin in PowerShell.
- Location restriction: The filters applied to limit the search to specific locations. To review which mailboxes are filtered, you can use the provided query with the Get-Mailbox or Get-Recipient cmdlets and the -Filter attribute. For example, if the filter attribute is Department -eq 'marketing', retrieve the relevant mailboxes with Get-Recipient -Filter "Department -eq 'marketing'". The output lists all mailboxes allowed to be searched.
- Content restriction: The query used to filter content during the search. Content matching this query is included in the search results. The provided query is available to perform KQL searches.
Search results
Summary of number of items that matched your search query, including partially indexed items or items where advanced indexing was performed (depending on what setting you selected). The following details are included in this section of the report:
- Indexed items: Number of items matching the query that were natively indexed by Exchange and SharePoint.
- Partially indexed items: Number of partially indexed items that might not match the query. Included if you chose to include partially indexed items.
- Advanced Indexed Items: Number of items matching the query if you chose to perform advanced indexing on partially indexed items.
Consumption summary
The following details are included in this section of the report:
- Microsoft 365 content data: Total size of data for all Microsoft 365 data.
- Microsoft 365 metadata: Total size of metadata for all Microsoft 365 data and Microsoft 365 Copilot data.
- Non-Microsoft 365 AI content data: Total size of data for all non-Microsoft 365 AI data. Includes data from Microsoft Fabric Copilot, Microsoft Security Copilot, and other AI data from enterprise and cloud applications.
- Non-Microsoft 365 AI metadata: Total size of metadata for all non-Microsoft 365 AI data.
Note
Summary information for metadata is only available for export from review set processes.
Error
The following details are included in this section of the report:
- Retrieval exceptions: Number of items that weren't exported or added to review set due to exceptions such as empty files, access time-outs, etc.
Warning
- Items with processing errors: Number of items that experienced processing errors but were still exported or added to the review set. These errors might be caused by unsupported file types, decryption issues, etc.
Totals
The following details are included in this section of the report:
- Total items collected: Total number of items exported or added to the review set. This number factors in items from estimated results, the settings that might increase or decrease the number of items retrieved, and items that weren't collected due to errors.
Information
Note
The Information section of this report reflects how the item count can increase or decrease based on the settings you choose. The calculation process uses these settings and updates search estimate count, so the counts won't add up exactly in most cases. This information is meant to give you a sense of the changes and the reasons behind them.
The following details are included in this section of the report:
- Duplicates in review set (skipped): Items that were skipped because they already exist in the review set.
- Cloud attachments: Number of cloud attachments in email messages and Teams conversations that originated from links shared through SharePoint or OneDrive. Maps to the setting Access links (cloud attachments) in messages.
- Cloud attachments versions: Number of cloud attachment versions that were collected depending on whether you chose to include more than just the latest version in your query.
- Cloud attachments at time of sharing: Number of cloud attachments versions that represent the original version shared from SharePoint or OneDrive. This applies only to cloud attachments that have a retention label applied, which retains a copy of the file at the time of sharing.
- Contextual conversation: Number of contextual chat messages that were collected along with the message that matched your query. This indicates the number of additional messages collected before and after the message with hit. Maps to the setting "Include Teams and Viva Engage conversations".
- Teams conversations consolidated into transcripts: Teams chat conversations that were converted to HTML transcript files. This results in many Teams chat messages being consolidated into a single HTML transcript. Maps to the setting "Organize conversations into HTML transcripts".
- SharePoint file versions: Number of SharePoint file versions that were collected depending on whether you chose to include more than just the latest version.
- SharePoint list items collected as .csv files: Matches from the same SharePoint list are exported or added to review set as a single SharePoint list csv item. Maps to the setting "Collect files attached to SharePoint lists and their child items."
- List attachments: Number of list attachments collected. Maps to the setting Include list attachments when collecting files attached to SharePoint lists.
- Items in SharePoint folders: Number of items expanded from SharePoint folders that matched your query. Maps to setting Collect all items (even if they don't match search query).
- Items extracted from parent items: Number of embedded or attached items that were extracted from parent items. For example, this might include attachments or embedded images from an email that matched your query.
Settings CSV report
The settings report helps users validate and interpret the configuration of their submitted processes. This report is included in the downloadable report package and captures the specific options selected during the submission of a process, such as Generate statistics, Add to review set, and Export.
These settings directly influence the scope and format of the results. Examples of these settings include:
- Include document versions: Determines the number of versions of a document to include, which can significantly increase the volume of exported data.
- Organize conversations into HTML transcripts: Affects how Teams conversations are threaded and presented.
- Access links in message: Impacts the retrieval of files from cloud attachment links presented in emails and conversations.
- Various export formats and options: Influences how exported content is organized and packaged.
- Decryption settings: Indicate whether the specific process has associated Exchange or SharePoint decryption capability enabled.
Understanding these settings is essential for defensibility and transparency. The settings.csv file serves as a reference point for what was configured at the time of submission, allowing users to reconcile the actual output with their intended configuration. This is especially important when reviewing results or responding to legal or compliance inquiries.
Statistics CSV report
This report provides detailed information for all the patterns derived from search hits when the Generate statistics process is completed. The report contains information on the top communication participants, the top item type, the top sensitive information type, and more.
The following details are included in this report:
- DataSourceName: A list of data source names associated with the process. This information indicates the name of the people or groups.
- DateSourceType: Type of data source. For example, Group or TeamsGroup.
- Location: The location information. For example, the URL of the site or SMTP address of the mailbox.
- LocationType: Type of location. For example, a mailbox or site.
- LocationSubType: The subtype of the location type. If the location type is Mailbox, the subtype might be PrimaryMailbox, SystemMailbox, or another subtype. If the location type is Site, the subtype might be OneDriveSite or another subtype.
- OriginalStateName: Native version of StatName.
- StatName: Name of the StatType. For example, for StatType Keywords, possible values are the keywords you entered in your query.
- StatType: The type of statistics information. For example, Keywords, Communication participants, and more.
- Value: The value or count associated with the statistics in the current data source.
Items CSV report
This report provides a detailed inventory of all items processed during an eDiscovery process, such as using the Add to review set or Export actions. This report is automatically generated and included with the output to support auditing, traceability, and downstream analysis. This report is useful for users that need to validate the scope and accuracy of collected or exported content.
Each row in the file corresponds to a single item and includes the following metadata and more:
- Date source: Identifies the originating location of the item (mailbox, SharePoint site, Teams chat).
- Compound path: The full path to the item in its source container.
- Subject/Title: The subject line (for emails) or title (for documents) of the item.
- Date: The timestamp associated with the item, such as sent or last modified date.
- Added by: Indicates how the item was included in the job:
  - IndexedQuery: The item is indexed and matched the search query.
  - UnindexedQuery: The item is included based on its partially indexed content and user specified setting.
- Status: Indicates whether the item was successfully retrieved and processed. If the item failed to be retrieved (due to access issues, timeout), the ErrorWarning field includes the failure reason.
- Other metadata: Might include the file extension, content type, workload, and other relevant attributes depending on the source and process type.
Locations CSV report
This report provides a comprehensive overview of the locations targeted during an eDiscovery process, such as Search, Add to review set, or Export. This report helps users understand the scope of the process executed and assess the distribution and relevance of search results across different locations.
This report can help with:
- Heat Mapping: Identifying which locations yielded the most relevant content and which yielded none, helping users visualize the "hot spots" of data relevance.
- Query Refinement: Understanding which sources might need to be excluded or more precisely targeted.
- Audit and Validation: Verifying that the intended locations were included and assessing the effectiveness of the search scope.
By analyzing the location.csv report, you can make informed decisions about refining your search strategy and optimizing the scope of future eDiscovery workflows.
Each row in the report represents a unique content location and includes the following key details:
- Location: The full URL or SMTP address of the location.
- Location Subtype: Specifies the type of location, such as PrimaryMailbox, SystemMailbox, ArchiveMailbox, or OneDriveSite.
- Count: The number of items in the location that matched the search criteria.
- Size: The total size of responsive items from the location in bytes.
- Status: Indicates whether the location was successfully processed. If a location failed to be searched or exported, the ErrorWarning field includes the failure reason (permission issues, timeout).
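The audit and validation use of the Locations report described above, as an added example that is not part of the original documentation or Microsoft's tooling. The function name `audit_locations`, the exact CSV header spellings, the Success/Error status values, and all sample data are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample of a Locations report (not real data). Header spellings,
# the Success/Error status values and the ErrorWarning text are assumptions
# based on the field descriptions above; adjust them to match a real export.
SAMPLE_LOCATIONS_CSV = """Location,Location Subtype,Count,Size,Status,ErrorWarning
adele@example.com,PrimaryMailbox,120,5242880,Success,
adele@example.com,ArchiveMailbox,0,0,Success,
https://example.com/personal/adele,OneDriveSite,0,0,Success,
https://example.com/personal/megan,OneDriveSite,0,0,Error,Timeout
"""

# Locations the case was meant to cover (constructed).
INTENDED = [
    "adele@example.com",
    "megan@example.com",
    "https://example.com/personal/adele",
    "https://example.com/personal/megan",
]


def audit_locations(csv_text, intended_locations):
    """Compare a Locations report with the locations the process should cover."""
    seen, failed, hits = set(), [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        loc = row["Location"].strip().lower()
        seen.add(loc)
        if row["Status"].strip().lower() != "success":
            # A failed location was not fully processed, so its Count of 0
            # says nothing about whether it holds responsive items.
            failed.append((loc, row["Location Subtype"], row["ErrorWarning"]))
            continue
        hits[loc] = hits.get(loc, 0) + int(row["Count"] or 0)
    intended = {loc.strip().lower() for loc in intended_locations}
    return {
        "missing": sorted(intended - seen),      # scoped but absent from report
        "unexpected": sorted(seen - intended),   # in report but never scoped
        "failed": failed,                        # candidates for a retry
        "zero_hit": sorted(l for l, c in hits.items() if c == 0),
        "heat_map": sorted(hits.items(), key=lambda kv: kv[1], reverse=True),
    }


if __name__ == "__main__":
    for key, value in audit_locations(SAMPLE_LOCATIONS_CSV, INTENDED).items():
        print(f"{key}: {value}")
```

Keeping failed locations out of the zero-hit list matters for defensibility: a location that timed out has not been shown to be empty.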