3.8 eDiscovery: Content Search for Security Investigations

12-16 hours · Module 3

SC-200 Exam Objective

Domain 1 — Manage a SOC Environment: "Investigate threats with Content search in Microsoft Purview."

Introduction

eDiscovery is primarily a legal tool — it was designed for litigation, regulatory investigations, and compliance audits. But SOC analysts use it for a specific purpose: locating and preserving content when an investigation requires the actual data, not just the metadata about who accessed it.

The audit log tells you that j.morrison downloaded 47 files from SharePoint. eDiscovery tells you what those files contain. The audit log tells you that a compromised account sent 12 emails to external recipients. eDiscovery lets you find those exact emails, read their content, and export them as evidence. The audit log tells you that an inbox rule was forwarding to an external address. eDiscovery lets you find every email that was forwarded before you discovered the rule.

This subsection teaches you to use eDiscovery as a security investigation tool: when to use it (and when the audit log is sufficient), how to create cases and build searches, how to interpret results, how to export evidence, and when to coordinate with legal counsel for legal hold.


eDiscovery vs Audit Log — When to Use Each
| Investigation question | Use audit log | Use eDiscovery |
|---|---|---|
| Who accessed the file? | ✓ FileAccessed event | |
| When was the file downloaded? | ✓ FileDownloaded event | |
| What does the file contain? | | ✓ Content Search |
| Which emails did the attacker read? | ✓ MailItemsAccessed | |
| What was in those emails? | | ✓ Content Search |
| Did the attacker send emails containing "wire transfer"? | | ✓ Keyword search |
| How many files were shared externally? | ✓ SharingSet event count | |
| Preserve all evidence for potential litigation? | | ✓ Legal Hold |

Rule of thumb: Use the audit log for "who did what and when" (metadata). Use eDiscovery for "what does the content say" (actual data) and "preserve this for legal proceedings" (holds). During most security investigations, the audit log is sufficient. You escalate to eDiscovery when you need to examine actual content or when legal counsel requires evidence preservation.

Creating an eDiscovery case for a security investigation

eDiscovery investigations are organized into cases. A case is a container that groups searches, holds, exports, and permissions for a specific investigation. Creating a case before running searches is best practice because it provides access control (only case members can see the results), audit trail (all actions within the case are logged), and evidence organization (searches are grouped logically rather than scattered across the portal).

Navigate to the Purview portal → eDiscovery → Cases → Create case. Provide a case name that matches your incident ID (e.g., “INC-2026-0318-morrison-BEC”) and a description. Add case members — typically yourself, the incident commander, and legal counsel if engaged. The case is now ready for searches.

eDiscovery (Standard) is included with E3 and provides case management, content search, and export. This is sufficient for most security investigations.

eDiscovery (Premium) requires E5 and adds review sets (a staging area for reviewing and tagging search results before export), advanced analytics (near-duplicate detection, email threading, relevance scoring), and custodian management (tracking which users’ data is subject to the investigation). Premium is valuable for large-scale investigations with thousands of search results, but Standard is adequate for typical SOC investigations.


Building effective content searches

Content Search queries use a KQL-like syntax (not identical to Sentinel KQL, but conceptually similar) to locate content across M365 data stores. The search targets include Exchange mailboxes (email and calendar items), SharePoint sites (documents and pages), OneDrive accounts (personal files), and Teams conversations (messages and shared files in team channels).

Keyword queries search for specific terms in content. The syntax supports boolean operators (AND, OR, NOT), phrases (“wire transfer instructions”), wildcards (financ* matches financial, finance, financing), and property filters (from:j.morrison, subject:“invoice payment”, sent:2026-03-18..2026-03-19).

Example queries for common security investigation scenarios:

Finding all emails sent by a compromised account to external recipients during the compromise window: from:j.morrison@northgateeng.com AND sent:2026-03-18..2026-03-19 AND NOT to:northgateeng.com

Finding all documents in a SharePoint site that contain credit card numbers: Search the specific SharePoint site URL with keyword: "4[0-9]{3} [0-9]{4} [0-9]{4} [0-9]{4}" (note: Content Search supports limited regex for pattern matching).

Finding all Teams messages containing a specific topic during the investigation period: "acquisition" OR "merger" OR "Project Phoenix" with date filter and Teams location selected.

Finding emails that were forwarded to an external address by an inbox rule: Search the external recipient’s domain: to:attacker@gmail.com across the compromised user’s mailbox and any other mailboxes that might have been affected.

Location selection determines which data stores to search. For a compromised account investigation, select the user’s mailbox (all email), their OneDrive (personal files), and any SharePoint sites they had access to. For a broader investigation (phishing campaign affecting multiple users), you may search all mailboxes with specific keyword criteria.
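The case-then-search sequence above can be driven from Security & Compliance PowerShell instead of the portal, which is useful when you want the exact query text and timestamps captured for the evidence log. The following is an added example, not code from the course or from Microsoft: it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the eDiscovery Manager role, and the case name, members, custodian and site URLs are placeholders from the course scenario. The query is the "sent externally during the compromise window" pattern from the text.

```powershell
# Added example (not from the course): create an eDiscovery (Standard) case, add members,
# and run a scoped content search. All names, addresses and URLs are placeholders.
Connect-IPPSSession

$CaseName  = 'INC-2026-0318-morrison-BEC'
$Custodian = 'j.morrison@northgateeng.com'
$OneDrive  = 'https://northgateeng-my.sharepoint.com/personal/j_morrison_northgateeng_com'  # assumed OneDrive URL
$SiteUrl   = 'https://northgateeng.sharepoint.com/sites/finance'
$Members   = @('soc.analyst@northgateeng.com', 'ir.lead@northgateeng.com')

# 1. Create the case first: it carries the access control and audit trail for everything below.
New-ComplianceCase -Name $CaseName -Description 'BEC investigation, compromise window 2026-03-18..19' | Out-Null
foreach ($m in $Members) { Add-ComplianceCaseMember -Case $CaseName -Member $m }

# 2. Search scoped to the custodian's mailbox, OneDrive and the SharePoint site the audit log flagged.
#    sent: takes a date range; NOT to:<domain> drops internal recipients.
$Query = "from:$Custodian AND sent:2026-03-18..2026-03-19 AND NOT to:northgateeng.com"
$SearchName = "$CaseName-external-sent"
New-ComplianceSearch -Name $SearchName -Case $CaseName `
    -ExchangeLocation $Custodian `
    -SharePointLocation @($OneDrive, $SiteUrl) `
    -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# 3. Poll until the estimate finishes; Items and Size (bytes) are the result statistics
#    shown in the portal.
do {
    Start-Sleep -Seconds 30
    $status = Get-ComplianceSearch -Identity $SearchName
} while ($status.Status -in @('NotStarted', 'Starting', 'InProgress'))

if ($status.Status -ne 'Completed') { throw "Search ended in state '$($status.Status)'" }
'{0} items, {1:N1} MB across the selected locations' -f $status.Items, ($status.Size / 1MB)

# 4. Preview before export: keyword matches are imprecise, so assess relevance first.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
```

Record `$Query` and the completion time in the case notes at this point; they are two of the chain-of-custody fields you will need if the results are later exported.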

Content search can access all M365 content — use it responsibly

An eDiscovery search with appropriate permissions can read every email in every mailbox and every file in every SharePoint site. This capability exists for legitimate legal and security investigations. It must not be used for broad surveillance, personal curiosity, or any purpose outside the scope of the investigation case. Every search is logged. Every access is auditable. The case framework exists to ensure that searches are scoped, justified, and reviewed.


Previewing and interpreting results

After a search completes (which may take minutes to hours depending on scope), preview the results in the portal. The preview shows a sample of matching items: email subject lines, sender/recipient, date, and a content snippet showing the keyword match. For documents, the preview shows the file name, location, modification date, and a content snippet.

Review the preview to assess relevance before exporting. Not every search result is investigation-relevant — keyword searches are inherently imprecise. An email containing “wire transfer” might be a legitimate financial communication, not an attacker’s fraudulent request. The preview lets you assess the results and refine the query before committing to a full export.

Result statistics show the total number of items found, the total data size, the number of locations with results, and the number of unindexed items (content that could not be searched due to format or encryption). Unindexed items require special attention — they may contain evidence that the keyword search could not detect.


Exporting evidence

When the preview confirms relevant results, export the content for evidence preservation and analysis. Export options include individual messages (as .eml files), PST files (mailbox content in Outlook-compatible format), individual documents (SharePoint/OneDrive files), and summary reports (CSV listing all items with metadata).

For incident report evidence: export the specific items that document the compromise — the phishing email, the emails the attacker sent, the files the attacker downloaded, the inbox rule creation confirmation. Include these exports in your incident evidence folder (Module 14) with chain-of-custody documentation showing when the export was performed, by whom, and from which eDiscovery case.

For legal proceedings: legal counsel determines the export scope. The SOC analyst performs the technical export; legal counsel manages the legal aspects (privilege review, production formatting, submission to opposing counsel or regulatory authority). Do not independently decide what to export for legal purposes — always coordinate with legal counsel.


Legal hold (also called litigation hold) preserves content from deletion. When hold is placed on a mailbox or site, all content is preserved — even if the user deletes emails or files, the deleted items are retained in a hidden preservation folder and remain searchable through eDiscovery.

When to request a legal hold: When an investigation may lead to litigation (the organization may sue the insider for data theft, or the attacker may be prosecuted), when regulatory reporting is required (preserving evidence for the supervisory authority), or when legal counsel advises preservation (often issued proactively when any significant data breach occurs).

Who requests the hold: Legal counsel requests the hold. The SOC analyst does not independently decide to place content on hold. However, the SOC analyst should proactively inform legal counsel when an investigation involves potential litigation or regulatory exposure, so legal can make the hold decision promptly.

How hold works technically: In the eDiscovery case, add the user’s mailbox and/or OneDrive as a “custodian” and place a hold on their content. The hold takes effect within minutes and persists until explicitly released. All content that exists at the time of the hold is preserved, including content the user subsequently deletes. New content created after the hold is also preserved.

Hold and investigation interaction: Placing a hold does not notify the user (unless you configure it to). This is important for insider risk investigations where you do not want to alert the subject that their data is being preserved. The hold operates silently in the background, and the user’s normal experience is unaffected — they can still read, send, and delete emails (the deletes are preserved behind the scenes, but the user does not see this).
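The hold mechanics described above map onto two cmdlets in Security & Compliance PowerShell: a case hold policy (which locations) and a case hold rule (which content; omitting the query preserves everything). The block below is an added example, not course or Microsoft code. It assumes an existing case, an open Connect-IPPSSession session, that legal counsel has requested the hold, and placeholder custodian, OneDrive URL and case name; the InPlaceHolds check additionally assumes an Exchange Online session.

```powershell
# Added example (not from the course): place a silent, indefinite hold on a custodian's
# mailbox and OneDrive inside an existing eDiscovery case, then verify it was applied.
$CaseName  = 'INC-2026-0318-morrison-BEC'
$Custodian = 'j.morrison@northgateeng.com'
$OneDrive  = 'https://northgateeng-my.sharepoint.com/personal/j_morrison_northgateeng_com'  # assumed URL
$RequestedBy = 'legal.counsel@northgateeng.com'   # placeholder: who authorised the hold

# Policy = which locations are preserved. OneDrive is a SharePoint location for hold purposes.
$policy = New-CaseHoldPolicy -Name "$CaseName-hold" -Case $CaseName `
    -ExchangeLocation $Custodian -SharePointLocation $OneDrive -Enabled $true

# Rule = which content. No -ContentMatchQuery means all content, existing and future.
New-CaseHoldRule -Name "$CaseName-hold-rule" -Policy $policy.Name | Out-Null

# Verify distribution: the hold takes effect within minutes and persists until released.
$detail = Get-CaseHoldPolicy -Identity $policy.Name -DistributionDetail
'Hold {0}: status {1}, mailboxes {2}, sites {3}' -f $detail.Name, $detail.DistributionStatus,
    ($detail.ExchangeLocation -join ','), ($detail.SharePointLocation -join ',')

# Optional cross-check from the mailbox side (needs Connect-ExchangeOnline). Case holds appear as
# entries in InPlaceHolds; an empty list means the hold has not reached the mailbox yet.
# (Get-Mailbox -Identity $Custodian).InPlaceHolds

# Log the hold for the evidence chain: who asked, who applied it, when, and on what.
[pscustomobject]@{
    Case        = $CaseName
    Hold        = $policy.Name
    RequestedBy = $RequestedBy
    AppliedAtUtc = (Get-Date).ToUniversalTime().ToString('o')
    Locations   = @($Custodian, $OneDrive)
} | ConvertTo-Json
```

Nothing in this sequence notifies the user; the only visible artefact is in the Purview audit log and the case itself, which is why the hold record above belongs in the case notes rather than anywhere the subject could see it.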

[Figure 3.9 panels: eDiscovery in the security investigation workflow. Audit Log tells you: WHO + WHEN + WHERE. eDiscovery tells you: WHAT (actual content). Legal Hold preserves: EVIDENCE (for proceedings). Export delivers: IR REPORT evidence.]
Figure 3.9: eDiscovery's role in the security investigation workflow. The audit log provides metadata (who, when, where). eDiscovery provides content (what). Legal hold preserves evidence. Export delivers evidence artifacts for the incident report and potential legal proceedings.

Common eDiscovery search patterns for security investigations

Beyond the general search syntax covered above, these specific search patterns address the most common security investigation questions.

Pattern 1: Find all emails the attacker sent during the compromise window. This captures outbound emails from the compromised account to any recipient, including internal phishing emails the attacker sent to other employees.

Search query: from:j.morrison@northgateeng.com AND sent:2026-03-18..2026-03-19
Locations: compromised user’s mailbox + all mailboxes (to capture received copies in other inboxes)

Review the results for: fraudulent emails (BEC wire transfer requests, fake invoice redirects), internal phishing (the attacker may have used the compromised account to phish other users), and data exfiltration emails (sensitive data sent to external addresses). Each email found is an evidence artifact.

Pattern 2: Find all documents accessed from a compromised SharePoint site. When the audit log shows the attacker accessed a specific SharePoint site, use eDiscovery to examine what content was available.

Search query: site:https://northgateeng.sharepoint.com/sites/finance
Add conditions: date range matching the compromise window, file types (.xlsx, .csv, .pdf, .docx)

This returns all documents on the site, not just those the attacker accessed. Cross-reference with the audit log FileDownloaded events to identify which of these documents were actually downloaded. The remaining documents represent potential exposure — the attacker could have viewed them without downloading.

Pattern 3: Find Teams messages containing specific keywords. During BEC investigations, attackers sometimes use Teams to communicate with internal targets (posing as the compromised user to request urgent actions).

Search query: "urgent" OR "wire transfer" OR "payment" OR "invoice" with date filter
Locations: Teams conversations in the compromised user’s channels

Teams messages are stored in the user’s mailbox (for 1:1 chats) and in group mailboxes (for channel conversations). Content Search locates them in both locations. Each suspicious Teams message is evidence of the attacker using the compromised account for social engineering.

Pattern 4: Find emails forwarded by a malicious inbox rule. When you discover a forwarding rule that sent emails to an external address, use eDiscovery to determine what was forwarded.

Search query: to:attacker@proton.me across the compromised user’s mailbox
Alternatively: search the compromised user’s Sent Items and Deleted Items for copies of forwarded messages
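Pattern 1 is the one where the location list matters most: searching all mailboxes turns the result statistics into a list of which internal users received mail from the compromised account, i.e. the internal phishing targets you need to contact. The block below is an added example, not course or Microsoft code. It assumes an existing case and Connect-IPPSSession session, placeholder names from the scenario, and that `SuccessResults` is the per-location text the cmdlet returns (one `Location: ..., Item count: ..., Total size: ...` line per mailbox); the parsing regex is written around that observed format.

```powershell
# Added example (not from the course): run Pattern 1 across all mailboxes and list every
# mailbox other than the custodian's that holds a copy of the attacker's outbound mail.
$CaseName  = 'INC-2026-0318-morrison-BEC'
$Custodian = 'j.morrison@northgateeng.com'
$Query     = "from:$Custodian AND sent:2026-03-18..2026-03-19"
$Name      = "$CaseName-pattern1-all-mailboxes"

New-ComplianceSearch -Name $Name -Case $CaseName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $Name
do {
    Start-Sleep -Seconds 60
    $s = Get-ComplianceSearch -Identity $Name
} while ($s.Status -in @('NotStarted', 'Starting', 'InProgress'))
if ($s.Status -ne 'Completed') { throw "Search ended in state '$($s.Status)'" }

# SuccessResults: one line per location, e.g.
#   {Location: a.chen@northgateeng.com, Item count: 2, Total size: 48120}
# Parsing is based on that observed layout (assumption); braces and spacing are tolerated.
$pattern = 'Location:\s*(?<loc>[^,]+),\s*Item count:\s*(?<n>\d+),\s*Total size:\s*(?<sz>\d+)'
$hits = foreach ($line in ($s.SuccessResults -split "`r?`n")) {
    if ($line -match $pattern -and [int]$Matches.n -gt 0) {
        [pscustomobject]@{
            Mailbox = $Matches.loc.Trim()
            Items   = [int]$Matches.n
            Bytes   = [int64]$Matches.sz
        }
    }
}

# The custodian's own Sent Items copy is expected; every other mailbox is a recipient
# whose copy should be reviewed (fraudulent request, internal phish, or benign).
$recipients = $hits | Where-Object { $_.Mailbox -ne $Custodian } | Sort-Object Items -Descending
$recipients | Format-Table -AutoSize
'{0} internal mailboxes hold copies; {1} items total' -f $recipients.Count, ($recipients | Measure-Object Items -Sum).Sum
```

Each mailbox in `$recipients` is both an evidence location for the export and a user who may have acted on the attacker's message, so the list feeds directly into the notification and containment steps of the incident.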


Evidence chain documentation for eDiscovery exports

Every eDiscovery export must have documented chain of custody. This is not optional bureaucracy — it is the difference between evidence that is admissible and evidence that is challenged.

Document for each export: the case name and ID, the search query used (exact text), the date and time of the export, the analyst who performed the export (you), the total items exported and data volume, the export destination (where the files were saved), the hash value of the export container (PST or ZIP file), and the relationship to the incident (which investigation question the export answers).

Store exports in a dedicated evidence folder with restricted access. Do not store eDiscovery exports on your personal desktop, in a shared team drive, or in any location where unauthorized personnel could access them. Evidence integrity depends on controlled access throughout the custody chain.
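The export and the custody record belong together: trigger the export from the case, and once the container has been downloaded into the restricted evidence folder, hash it and write every field listed above into one record. The block below is an added example, not course or Microsoft code. It assumes an open Connect-IPPSSession session, a completed search in the case, that the download itself is done through the portal's export tool (so the local path is a placeholder), and that the analyst identity and investigation question are supplied by you.

```powershell
# Added example (not from the course): export a completed search and write a
# chain-of-custody record for the downloaded containers. Paths and names are placeholders.
$CaseName    = 'INC-2026-0318-morrison-BEC'
$SearchName  = "$CaseName-external-sent"
$Analyst     = 'soc.analyst@northgateeng.com'          # placeholder: who performed the export
$EvidenceDir = 'D:\Evidence\INC-2026-0318\ediscovery'   # placeholder: restricted-access folder
$Question    = 'Which emails did the compromised account send externally during 2026-03-18..19?'

# 1. Export action: one PST per mailbox plus the item report. Download it with the
#    portal export tool into $EvidenceDir before running step 2.
New-ComplianceSearchAction -SearchName $SearchName -Export -Format FxStream -ExchangeArchiveFormat PerUserPst | Out-Null

# 2. Hash every container so any later modification is detectable, and capture the
#    search definition exactly as it ran (query text, locations, counts).
$search = Get-ComplianceSearch -Identity $SearchName
$files  = Get-ChildItem -Path $EvidenceDir -Include *.pst, *.zip, *.csv -Recurse -File

$record = [ordered]@{
    Case           = $CaseName
    SearchName     = $SearchName
    Query          = $search.ContentMatchQuery
    Locations      = @($search.ExchangeLocation) + @($search.SharePointLocation)
    ExportedAtUtc  = (Get-Date).ToUniversalTime().ToString('o')
    Analyst        = $Analyst
    ItemsEstimated = $search.Items
    SizeBytes      = $search.Size
    Destination    = $EvidenceDir
    Files          = @($files | ForEach-Object {
        [ordered]@{
            Name   = $_.Name
            Bytes  = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    })
    Question       = $Question
}

$recordPath = Join-Path $EvidenceDir 'chain-of-custody.json'
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $recordPath -Encoding utf8
"Custody record written to $recordPath ({0} files hashed)" -f $files.Count
```

Re-running the `Get-FileHash` loop later and comparing against `chain-of-custody.json` is the integrity check; a mismatch means the container changed after export and the copy can no longer be presented as the original.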

eDiscovery exports may contain sensitive personal data

Exported mailboxes and documents contain the actual content — emails with attachments, documents with customer data, Teams messages with personal conversations. Handle exports with the same care you would handle the original data. Do not email exports, do not store them in unencrypted locations, and do not retain them longer than the investigation requires. When the investigation closes and any legal proceedings conclude, delete the exports per your organisation's data retention policy.

Try it yourself

In the Purview portal, navigate to eDiscovery → Cases → Create case. Create a test case named "Lab-Test-2026." Add yourself as a case member. Create a content search within the case: search your own mailbox for any email containing the word "test" sent in the last 7 days. Preview the results. Note the result count, the content snippets, and the metadata (sender, subject, date). This exercise builds familiarity with the eDiscovery interface before you need it during a real investigation.

What you should observe

The search returns emails matching the keyword "test" from your mailbox. Each result shows the subject, sender, date, and a content snippet with the keyword highlighted. The total count and data size give you a sense of the search scope. In a real investigation, you would use more specific keywords, date ranges, and sender/recipient filters to narrow to investigation-relevant content. Delete the test case when done to keep the eDiscovery environment clean.


Knowledge check

Check your understanding

1. The audit log shows a compromised account downloaded 47 files from SharePoint. Your CISO asks whether any contained customer PII. Which tool do you use?

Correct answer: eDiscovery Content Search. The audit log tells you which files were downloaded (file names and locations) but not what they contain. To determine whether the files contain customer PII, you need to search the content. Create an eDiscovery case, search the SharePoint site for the specific files (use file names from the audit log), and examine the content for PII. If sensitivity labels were applied, the file metadata also indicates the classification — but content search confirms the actual data.
Incorrect: Audit log — it records what data was in each file
Incorrect: DLP — it classifies all files automatically
Incorrect: Defender XDR — Advanced Hunting has the file content

2. During an insider risk investigation, legal counsel advises preserving all of the suspect's email and OneDrive content. The suspect must not be alerted. What do you do?

Correct answer: Place a legal hold on the suspect's mailbox and OneDrive through the eDiscovery case. Legal hold preserves all content from deletion without notifying the user. The suspect can continue using email and OneDrive normally — their experience is unchanged — but any content they delete is preserved in a hidden folder and remains searchable through eDiscovery. Configure the hold to be silent (no user notification), which is the default behaviour.
Incorrect: Export all their email and OneDrive content immediately
Incorrect: Disable their account to prevent content deletion
Incorrect: Ask IT to backup their mailbox to a PST file