Implement sensitive data eDiscovery searches in Exchange Online
Sensitive data searches for eDiscovery currently work only in SharePoint and OneDrive. It also works for DLP in Exchange. This lack severely limits the usefulness of eDiscovery in Security and Compliance for Office 365.
Use compliance tag as a condition after labeling content, and we are working on sensitive data search in the UI.
Michael O'Keeffe commented
This is critical. I was extremely disappointed to learn (after waiting 2 weeks for a resolution to a support case) that this wasn't in place. Email is one of the most common workloads that gets shifted first to the cloud, contains a bunch of PII data, and is the most common vector for infiltration, which means it's the most common product we have to notify for data breaches.
In addition, if you run a PII search on the Exchange data, instead of getting no results, you get back every single item in the mailbox - terminally dumb behaviour.
If it doesn't work (which it doesn't), it would be great to get an error message, or at least no results when the match doesn't work properly.
Refer support case #12487439.
I have been actively trying to approach this in the right way with Microsoft and keep coming up with documented dead ends from their support system (which points you first to resolution documents and such). I came to the conclusion that this is something that cannot be done.
Finding personal data subject to GDPR relies on using sensitive information types in Office 365. These define how the automated process recognizes specific information types such as health service numbers and credit card numbers. At this time these cannot be used to find data in Exchange mailboxes at rest. However, sensitive information types can be used with data loss prevention policies to find personal data in mail while in transit.
…you can’t currently use Content Search to find personal data at rest in Exchange Online mailboxes, you can use the sensitive information types you curate for GDPR to find and protect personal information as it is sent through email.
You can also use the *-ComplianceSearch cmdlets in Security & Compliance Center PowerShell to search for these properties. The topic also describes:
• Using Boolean search operators, search conditions, and other search query techniques to refine your search results.
• Searching for sensitive data types and custom sensitive data types in SharePoint and OneDrive for Business.
• Content Search in the Security & Compliance Center and the corresponding *-ComplianceSearch cmdlets in Security & Compliance Center PowerShell use the Keyword Query Language (KQL). For more detailed information, see Keyword Query Language syntax reference.
Alex Guajardo commented
I understand that this kind of search can be resource consuming, but maybe an option of restricting to at most 20 or 50 mailboxes would still be very very useful.
This is becoming critical to search mailbox using the sensitive types. Heard from the support team that this is currently being tested, any idea when this will be rolled out?
Colin Weeks commented
This really needs to happen with new privacy laws and GDPR coming in.
Exchange Online data at rest cannot be scanned for compliance violations using the sensitive information templates found in the SCC, unlike SharePoint Online data. They can only be used for transport rules while the emails are in transit.
This request is to make email data at rest searchable using the sensitive information templates used in DLP, ADG, eDiscovery.
Jacob Reinhardt commented
This idea is a year old, but it is really true and needs to be added someday.