In the last article, Advanced eDiscovery in Office 365 explained, I shared some knowledge about Advanced eDiscovery in Office 365 – how it works and how it differs from eDiscovery. In this article, I will show you how to create and configure an Advanced eDiscovery case in Office 365 to find relevant data.
Start with creating an eDiscovery case
Before you jump into any advanced features, you need to create a case first. Since eDiscovery mechanisms have not been moved to the new Microsoft security & compliance centers (not yet, anyway), you need to use the old Office 365 security & compliance center to create a new case:
Go directly to https://protection.office.com/advancedediscoverycases and create a new case. At first, you will be able to fill in only the name, number and description, of which only the name is a required field. Advanced settings will be available in a while:
After you save, the case will be available from both Office 365 security & compliance center where you created it and from Microsoft compliance center. However, opening the case in the latter center redirects you to the old Office 365 admin center:
Now, the case needs to be configured. Mind that if you want to use the advanced eDiscovery settings like email threading, duplicate identification, themes, or OCR settings, you need to set them up before running your first search.
Configure your advanced settings first
To access the advanced settings, open the advanced eDiscovery case, go to the Settings tab, and select the Search & analytics option:
Here, you can modify advanced settings. While near duplicates and themes are turned on by default and you simply need to adjust their levels, Optical Character Recognition is turned off. If you want your searches to read text found in image files, turn it on. Mind that this might greatly increase the time Office 365 needs to perform searches in this eDiscovery case:
Once the advanced search features are set up, you can continue setting up the eDiscovery case. The next step is making sure that all relevant data will not be deleted.
Create holds to preserve content
Holds, also known as litigation holds, are a way to preserve content – once you create them, they make sure no relevant data is deleted permanently. Logically, it is one of the first steps you should think about if you want to preserve specific Office 365 contents for litigation.
Users to whom the feature is applied will be able to delete all items as per usual, but those items will not be purged with a litigation hold active. You can use the Holds tab to manage this eDiscovery aspect:
After you give your litigation hold a friendly name, you can choose which locations should be affected by it:
When it comes to Exchange – a hold is applied on a per-user basis. It means that even if you decide to apply the hold to a group, it will be applied only to users who are members of this group at that moment. The hold settings will not be automatically extended to new members or taken away from removed ones. You can also pick the SharePoint sites whose content should be preserved and decide whether to put data from public folders on hold or not. The next tab allows you to limit the hold to fit a specific query:
If you do not specify any conditions, all contents found in the resources picked in the previous step will be protected from deletion. You can, however, specify the date, size or any other filter to secure only a very specific set of items.
Mind that creating holds might cause mailboxes to quickly grow in size. While the size itself might not be the greatest problem, it will become harder and harder to find the right items if nothing can be deleted permanently from certain resources.
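Because an Exchange hold applied to a group covers only the users who were members when it was created, it is worth checking periodically whether the group and the hold still match. The following is an added example, not part of the original article: the function name `Compare-HoldCoverage` is hypothetical, the addresses are constructed, and the cmdlets named in the comments as a possible data source are an assumption about how you would export the two lists.

```powershell
# Added example: find drift between a group's current members and the
# mailboxes an Exchange hold actually covers.
function Compare-HoldCoverage {
    param(
        [string[]]$HoldMailboxes = @(),   # mailboxes listed in the hold
        [string[]]$GroupMembers  = @()    # current members of the group
    )

    # Case-insensitive sets, because address casing can differ between sources.
    $cmp     = [System.StringComparer]::OrdinalIgnoreCase
    $held    = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $members = [System.Collections.Generic.HashSet[string]]::new($cmp)

    foreach ($a in $HoldMailboxes) { if ($a -and $a.Trim()) { [void]$held.Add($a.Trim()) } }
    foreach ($a in $GroupMembers)  { if ($a -and $a.Trim()) { [void]$members.Add($a.Trim()) } }

    [pscustomobject]@{
        # Joined the group after the hold was created: their content is not preserved.
        MembersNotOnHold  = @($members | Where-Object { -not $held.Contains($_) } | Sort-Object)
        # Left the group: the hold still applies to these mailboxes.
        HeldButNotInGroup = @($held | Where-Object { -not $members.Contains($_) } | Sort-Object)
    }
}

# Constructed sample data. In a real tenant the two lists could be exported with,
# for example, Get-CaseHoldPolicy (Security & Compliance PowerShell) and
# Get-DistributionGroupMember (Exchange Online PowerShell); that sourcing is an
# assumption, and both lists must use the same identifier form (here: SMTP address).
$holdMailboxes = 'alice@contoso.example', 'bob@contoso.example', 'carol@contoso.example'
$groupMembers  = 'Alice@contoso.example', 'carol@contoso.example', 'dave@contoso.example'

$drift = Compare-HoldCoverage -HoldMailboxes $holdMailboxes -GroupMembers $groupMembers

'Group members whose mailboxes are not on hold:'
$drift.MembersNotOnHold
'Mailboxes on hold whose owners are no longer in the group:'
$drift.HeldButNotInGroup
```

Any address reported in the first list needs to be added to the hold manually if its content is relevant to the case.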
Search your tenant
The next step is creating a valid search. When trying to find the relevant data, it is crucial to apply filters – the more you apply, the more relevant data you are likely to find. Go to the Searches tab and create a new search:
Although each case will be different, it is a good practice to create several very specific searches rather than trying to look for all items and filter them afterwards. Advanced eDiscovery features help achieve the highest level of item relevance; however, if you don’t use the right filters for your documents, finding the relevant data will take considerably more time.
The search interface is similar to the one from the Holds tab. The Keywords & Conditions picker is almost identical. The additional step is for choosing custodians.
Like in the Holds tab, pick locations in which the search should be performed. The difference is that you can choose all locations at the same time, an option available to public folders only when setting up holds:
Now that the search is set up, it is time to use the found items in a review set.
Create a review set
A review set is, like the name suggests, a set of documents for review. A set is created from one or more eDiscovery searches:
Going to the Review Sets tab allows you to open the relevant review set and make use of further advanced eDiscovery features:
Clicking a review set opens it and allows you to manage it by clicking Manage review set:
The Manage review set window contains a few useful options, like adding data from sources other than the Office 365 tenant, or accessing analytics. The most important feature, though, is relevance – which allows you to train the system to find the relevant data:
Relevance training requires at least 500 documents tagged as Relevant or Not Relevant to the case, which makes it useless if your searches return fewer items. On the other hand, the relevance feature can help a great deal if your searches return more items even though you filtered down the results: