eDiscovery Premium
STALE-FORGOTTEN/ABANDONED existing sensitive emails with sensitive information

Hello team, In my company we have stale emails from 200 which contain sensitive data like: SINs, Driver Licenses, invoices, etc. The users refuse to delete those emails as they may need them for reference. I.e., use case: HR needs to keep a sensitive email as reference if an end-user updates life insurance beneficiaries; this email must be kept as evidence of the user's update request. This kind of email can't be removed. However, these emails without protection in the user's mailbox are only meat for the attackers. Unfortunately, we can't protect existing emails with auto-labeling. So, what is the best practice to back up the emails, secure the emails and remove them from un-secure storage like the user's mailbox? This case applies almost 100% to any organization; this is a problem for everyone.

My approach:
- eDiscovery: download all sensitive emails discovered.
- Apply a label using the AIP UL client to the downloaded *.msg, which turns the files into *.pfile.
- Create a folder in the HR user's OneDrive; the email will be removed.
- If the user needs to search for any email's metadata, he can search directly; if they need to search using the email's content, he must manually remove the sensitivity label from all items inside the folder. After searching the content in the *.msg, the user should apply protection again.
- Fallback: if the user forgets to protect the sensitive emails, the idea is to run a scheduled script to check for *.msg; if found, it will apply the label using PS.

I want to check whether any other approach / best practice is recommended?

Backup & Setup
- Global Admin (GA) prepares local backup: export saved as native *.msg files.

Create & Secure the Evidence Folder
- GA connects to user's OneDrive.
- GA creates folder: ArchivedSensitiveEmails.
- GA applies retention label (Record) to folder → prevents rename/move.
- GA breaks inheritance → only the OneDrive owner (Edit).

Upload & Protect
- GA uploads the backup emails (*.msg) into the new folder.
- GA applies sensitivity label (Viewer-only) → user can open but not print/copy/forward.
- Now all items are protected as *.msg.pfile.

User Workflow (On-Demand Search)
- User may remove protection on a file/folder to perform keyword search on native .msg.
- User is required to reapply protection after finishing the search (via Purview client).

Automatic Weekly Enforcement
- Scheduled PowerShell job runs weekly across all OneDrives.
- Script scans ArchivedSensitiveEmails folder for unprotected .msg.
- If found → automatically applies encryption using the GA's published sensitivity label.
- Access rights: only the OneDrive owner (Viewer); optional HR group can also be added.
- Script deletes original .msg after creating .msg.pfile to enforce security.
- CSV log maintained for audit of actions (protected, skipped, errors).

So, what is the best practice or recommendation from Microsoft to protect the existing sensitive emails?

eDiscovery keyword statistics.
Noticing with this roadmap item: https://admin.microsoft.com/AdminPortal/Home?#/MessageCenter/:/messages/MC1105008, specifically "Expanded search condition builder with support for logical operators (AND, OR, NEAR) in the keywords field", that when running a new search the statistics generated for keywords claim that "Query does not contain keywords" and don't generate the Statistics reports for keywords anymore. Tried with keywords on multiple lines as well as on the same line but separated with OR statements. Is this a known issue?

Does anyone know what the 'CS019-009' error means for eDiscovery premium jobs?
Hello, Once in a while, a job in eDiscovery premium will fail with error "CS019-009". For example when preparing search preview, making an export or adding a collection to a review set. The job will give status "failed". When restarted, the job runs completely fine so we never create a ticket for this. I can't seem to find anywhere what "CS019-009" means. Is this a generic error? Thanks in advance!

eDiscovery is NOT working correctly with KeyQL Sensitive Type
Hello team, I am running in eDiscovery, using KeyQL or the Query builder, over data at rest in EXO (stale emails) that contain sensitive info like: Canada Social Insurance number. The query runs correctly; however, the output statistics pull out other types of sensitive info, which means that eDiscovery is not discovering what was requested in the KeyQL query.

Canada Social Insurance Number: a2f29c85-ecb8-4514-a610-364790c0773e

KeyQL Query: (SensitiveType:a2f29c85-ecb8-4514-a610-364790c0773e|1..|85..100) AND Date>2025-01-01

Please see the output of the Query:

In addition to this problem, why can't we delete the stale emails using the "Sensitive info" as a condition? So, if I need to delete the emails before 2020 with "Canada Social Insurance number", how can I do it? It will be almost impossible if the cybersecurity team needs to do it with the end-user, email by email. Best regards,

ChatGPT and eDiscovery
Hi Everyone, Can someone guide me on the correct way to perform eDiscovery for ChatGPT content? I followed the article below and can see AI interactions in the activity logs, but when I run eDiscovery, it doesn't return any results. Microsoft Purview for ChatGPT Enterprise Any help would be greatly appreciated!

Graph Security Legal hold Communication endpoint
Why is there no legal hold communication endpoint for the https://learn.microsoft.com/en-us/graph/api/resources/security-ediscoverycase?view=graph-rest-1.0? We need to be able to list, create and update legal hold communications for various eDiscovery cases with Graph.

Name & alias mismatch in eDiscovery Premium
Purview eDiscovery Premium manager here. Has anyone in this forum encountered a problem where the display name for one custodian and the email address for another somehow get mixed and one of the metadata fields ends up looking like this?

Example Case: Ren v. Stimpy
Custodian 1: Ren Hoek <rhoek@companydotcom>
Custodian 2: Stimpson J. Cat <sjcat@companydotcom>
In the list of possible senders in the review set I find: Ren Hoek <sjcat@companydotcom>

This shouldn't be possible. There's no one in the active directory with that display name and email combination. Those are two completely separate accounts. In the actual review set that I'm managing, there are over one hundred appearances of this mismatch. We have a ticket open with Microsoft, but the ticket isn't going anywhere. Microsoft doesn't seem to have an answer for it. We have verbal confirmation from Microsoft that it's just a display issue with Purview and that there are no actual emails going out as "Ren Hoek <sjcat@companydotcom>". But what we don't have is an explanation as to why this happened in Purview and no clear idea how to prevent it or how frequently it's happening. Exporting the files that show the mismatch via Purview's export tool shows the proper pairing of name and alias on the native file. No mismatch, so that's good. But, when downloading the files, one by one, you see the mismatch. This is, of course, a problem. Anyone have any insight into this? Can the error be duplicated somehow? Any help would be greatly appreciated. Edit: the only items this affects are calendar invites. All emails, chats, etc. display with the correct display name & alias.

eDiscovery - MS Teams chat and images
Hi, I need to search the records of 30 employees over a period of 1.5 years. Mainly it's about conversations in MS Teams, also group chats. I've made several collections, each collection has a 3-month interval. Search conditions for each 3 month collection look like this "((Date=2022-07-01..2022-09-30)) AND ((Kind=im) OR (Kind=microsoftteams) OR (Kind=posts))". Of course, the date ranges in individual collections change. I found one group chat that I need to review in its entirety, i.e. as one record, from beginning to end (for the period of 3 months indicated in the collection). Unfortunately, each conversation in the review set is divided into smaller ones. Some are not arranged chronologically, filtering by date does not change anything. Could you help and tell how to do it correctly so that the conversation in the selected group chat is visible as one chord from start to end? In addition, I have a problem that some of the found messages do not contain photos / multimedia that were attached by chat participants. Is there any option to find a missing photo or not to miss any photos/media from the search? Regards, Antonio