The Next Era of eDiscovery: Embracing Advanced Capabilities for a Comprehensive Digital Landscape
Published Nov 15 2023 08:00 AM

In today's rapidly evolving digital world, the art of eDiscovery is undergoing a transformative shift. As organizations increasingly rely on sophisticated platforms for their daily operations, the challenge of managing, locating, and analyzing data intensifies. The emergence of modern communication tools and complex data storage locations necessitates eDiscovery tools to be more agile, comprehensive, and integrated than ever before.

 

eDiscovery, at its heart, is about discovering the truth and ensuring justice in a digital world. As the digital realm continues to grow in complexity, tools and platforms must evolve in tandem.

 

That’s why we are excited to announce several new features and capabilities within Microsoft Purview eDiscovery (Premium) to address the challenges of today’s intricate digital landscape, ensuring that organizations remain transparent, compliant, and ahead of the curve. 

 

Identify, Preserve, Collect and Export Microsoft Copilot interactions through eDiscovery.

AI can offer many benefits for organizations, such as improving their efficiency and innovation. However, AI also comes with certain obligations and responsibilities, such as following the rules and norms that apply to their industry and location.

 

When organizations want to deploy new technology like Microsoft Copilot, they need to be assured that they can integrate the technology into their existing eDiscovery workflows, and that they can access and manage the data generated by the technology in a compliant, consistent, defensible and reliable manner. When users within an organization leverage Microsoft Copilot to create prompt and response data, it may contain sensitive or confidential information, or evidence of intellectual property. Organizations need to have visibility and control over this data and be able to identify, preserve, collect, review and export it for legal, regulatory or data security investigation.

 

This is why we are excited to announce the support of Microsoft Purview eDiscovery for Microsoft 365 Copilot interactions. With this release, eDiscovery will have the ability to help with search, discovery, preservation, review and export of Copilot interactions in Microsoft 365 across Word, Excel, PowerPoint, and Teams, to name a few. This will help ensure these Copilot conversations are discoverable and actionable through the regular eDiscovery process. It will also provide the ability to filter for specific Copilot interactions in the query building experience to make it easier to scope the searches (see Figure 1). In addition, all the Copilot interactions will be hosted inside the existing Review capability, where you can filter down the necessary details as part of a review cycle (see Figure 2).

 

To learn more about additional Microsoft Purview capabilities supporting Microsoft Copilot, read the blog.

 

Figure 1: Searching for Copilot activities during the search query

 

Figure 2: Copilot in Review

Accelerating eDiscovery workflows leveraging Microsoft Copilot

As organizations manage vast amounts of data, having an intelligent assistant like Microsoft Copilot can aid in navigating, understanding, and analyzing data more efficiently, especially for eDiscovery purposes.  That’s why we are excited to announce two new key capabilities in Microsoft Purview eDiscovery (Premium) that are leveraging the power of Copilot.

 

The first new capability is to help accelerate the query-building experience. Search is one of the most used but highly time-intensive workflows in an investigation. An accurate search is crucial for the success of an investigation. Traditionally, in eDiscovery, a search happens through a condition builder or the input of a query in Keyword Query Language (KQL). While the condition builder surfaces the most-used properties and operators, eDiscovery search is rich in functionality and supports many more properties and operators through KQL. However, there is a considerable learning curve involved in creating a KQL query, including learning all supported properties and operators as well as the proper format for construction. With Microsoft Copilot, users can now provide a prompt in natural language and get a query generated in KQL that they can use as-is or build onto their existing query. Users can also use Copilot to refine and enhance their natural language prompt for a more accurate KQL query (see Figure 3). With this new capability, users will save time in creating structured KQL to accelerate search iterations. This feature is currently in Private Preview, coming soon to Public Preview.

 

Figure 3: GIF of Natural Language to Keyword Query Language experience in Microsoft Purview

The second major Copilot announcement coming to Microsoft Purview eDiscovery (Premium) is to help accelerate the Review experience. From discussions with customers, 60% of eDiscovery admin or managers’ time is spent reviewing evidence collected in review sets. To help customers address this challenge, we are excited to announce the ability to generate summaries of documents in review sets and provide guided prompts to help accelerate and navigate the investigation more efficiently and effectively (see Figure 4). This feature is currently in Private Preview, coming soon to Public Preview.

 

Figure 4: GIF of Document summary review using Microsoft Copilot including additional prompts.

 

Using eDiscovery to support efficient Data Security investigations.

In a world where data security incidents are a question of when, not if, it is critical for investigators to have the right tools to move quickly to identify the breadth of an incident and take actions to mitigate risk. In our recently released Data Security Index report, 37% of organizations reported that it took more than a month to complete a data security investigation. Considering the volume of investigations required, SecOps investigators are looking for new approaches to search and validate incident-related content and activity.

 

In many cases, SecOps and Analyst teams turn to eDiscovery as a powerful tool to search for evidence and context as to what might have occurred and determine what quick actions need to be taken. As an example, imagine an employee in your organization either intentionally or accidentally overshares sensitive data to a broad audience. This data is very intriguing, and the content is quickly shared further, re-saved to other locations, and proliferates rapidly into insecure and unknown locations across your organization.

 

To help address this and other related scenarios, we are pleased to announce a new data security investigations experience. The new integrations allow Security analysts to harness incident parameters to know where to look for the exact evidence required to assess and mitigate incident risk. In addition, they can explore incident insights to further understand sensitive content sprawl and risk levels as well as mitigate incidents with comprehensive actions to expand the investigation. For example, a security analyst can upload a CSV file with Audit log data to find messages and files created and accessed during an incident, assess the breadth of exposure, and determine if sensitive information has been exposed (see Figure 5). With the recently released Guest reviewer access feature, they can invite collaboration with outside stakeholders and manage the evidence to resolve the investigation. This new data security investigation experience is coming soon to Public Preview.

 

Figure 5: Trigger an investigation with 'Search by file'.

 

New capabilities supporting Teams Meeting recordings and transcripts

With Teams becoming a pivotal platform for remote and hybrid work structures, the ability to search, review, and extract content from Teams meeting recordings is indispensable for investigations and often a requirement for complying with regulations. Each meeting contains several components that all contain potentially relevant information for investigations or litigation, for example what was said, by whom, and who was in the meeting at what time. 

 

In June 2023, we released new enhancements for Teams meeting recording and video files to improve management within eDiscovery workflows. This includes the collection and review of metadata associated with Teams meeting recordings and video files in OneDrive and SharePoint including transcripts/captions, chapters, and custom thumbnails (see Figure 6).  The transcript is automatically extracted for additional searching and reviewing and can be used as a cliff note to avoid needing to watch the entire meeting to assess the relevance of the content for the investigation.

 

Figure 6: Teams meeting recording and transcripts.

 

Holds related enhancements

Preservation is an important workflow in eDiscovery to ensure responsive content is preserved while also ensuring that anything no longer responsive to the case is released from hold, to avoid the risks and costs of over-preservation. To make this workflow efficient, we launched two updates in September and October:

  1. Updates to hold statuses and self-remediation messages and actions in Data Sources (see Figure 7) so users can quickly view the hold status and self-remediate any errors, and
  2. A PowerShell cmdlet to
    1. View all holds applied to a given location (Exchange or SharePoint).
    2. Remove any legacy/orphaned holds applied to the location and
    3. View all holds removed through the use of this cmdlet.

Figure 7: Hold status with self-remediation messages.

 

Quickly identify and preserve Teams channel content across Shared and Private channels

We recognize that identifying and collecting Teams private and shared channel content can be a significant challenge for eDiscovery users due to the diverse locations where channel content is stored, across Exchange, OneDrive for Business, and SharePoint Online.

 

We are pleased to share that in September we announced Teams as a Non-Custodial Data Source to help streamline and accelerate the process of identifying and preserving Teams channel content (see Figure 8).

 

Figure 8: Teams as a Non-Custodial data source

 

eDiscovery support for Microsoft Forms

Microsoft Forms is an application that organizations use for internal surveys, feedback mechanisms, and data collection which can contain sensitive information in addition to content that might be relevant for an investigation or during litigation. Incorporating Forms data into eDiscovery ensures that insights, responses, and feedback are appropriately captured, adding another layer of depth to the investigation process.

 

Coming soon to Public Preview is the ability for admins to search for Microsoft Forms content specifically within their collections, see the full metadata associated with those items including the Form title, and review both the original Form and responses to the Form as related items within both review and export (see Figure 9). Simplification and ease of use for managing Forms content via eDiscovery will help reduce the pain points of a challenging discovery process and improve the confidence of organizations using Forms for critical tasks that may require eDiscovery capabilities.

 

Figure 9: Metadata available during review of Microsoft Forms content

 

Supporting end-to-end automation for eDiscovery

eDiscovery can be a complex and time-consuming task, especially when dealing with large volumes of data across different sources and platforms. To streamline and automate eDiscovery workflows, Microsoft offers a powerful set of APIs specifically designed for eDiscovery and compliance scenarios that allow developers to integrate with Microsoft 365 services and applications. These APIs enable programmatically creating, managing, and exporting cases, custodians, holds, searches, and review sets.

 

Back in June 2022 we first announced the General Availability of some of the APIs, and in our March 2023 blog post we shared the exciting news that the Export API was now Generally Available.

 

Today we are excited to share an additional API that is now in to support the direct Export of content from a Collection, as some unique scenarios require organizations to quickly export content without first adding to a Review set.  Our goal is to provide flexibility for organizations to get access to the content they need for litigation and investigations in a variety of ways, including through the Microsoft Purview Compliance portal user interface, or through the Microsoft Graph APIs.

 

Identification of Inactive OneDrive sites associated with a custodian

Preserving and searching for content on OneDrive sites associated with inactive mailboxes is as important as preserving the inactive mailbox itself. Due to the absence of an AAD account for inactive mailboxes, identification of associated ODB sites can become complex and time-consuming. Coming soon to General Availability is the support to auto-identify a OneDrive site associated with an inactive mailbox when adding a user with an inactive mailbox as a Custodian in eDiscovery (Premium). This support is being launched for custodians added through the user interface in eDiscovery (Premium).

 

Additional roadmap updates to share!

Since our last blog in March, the team has been busy rolling out several new features! Stay up to date on new roadmap items by visiting: https://aka.ms/ediscoveryroadmap

  • Collection of Teams video clips - GA in June (124848)
  • Jobs report for eDiscovery Administrators - GA in June (101518) and Jobs report for eDiscovery Managers now in Public Preview (180170)
  • Direct Export and Export Item report - GA in June (100055)
  • Guest reviewer – GA in August (98093)
  • PowerShell hold removal cmdlet for legacy and orphaned holds – GA in October (174597)
  • Identify OneDrive sites associated with an inactive mailbox – GA in November (183498)

 

Get Started

To learn more about the announcements above, register for Ignite and watch our session on how to Accelerate risk assessment and incident investigation with AI.

To learn more about eDiscovery, visit our Microsoft documentation at http://aka.ms/eDiscoveryPremium, or our “Become an eDiscovery Ninja” page at https://aka.ms/ediscoveryninja.

 

We are happy to share that there is an easy way for eligible customers to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial. By enabling the trial in the compliance portal, you can quickly start using all capabilities of Microsoft Purview, including Insider Risk Management, Records Management, Audit, eDiscovery, Communication Compliance, Information Protection, Data Lifecycle Management, Data Loss Prevention, and Compliance Manager.

Last update: Nov 14 2023 12:58 PM