Microsoft 365 Security & Compliance

Overview

Nevelex Labs provides a configurable Microsoft 365 Security & Compliance plugin to expose and automate the search and purge capabilities of the Security & Compliance Center.

Functionality

This plugin supports operations to:

Run Compliance Searches based on configurable search parameters.
Notify on the completion of a Compliance Search.
Purge (soft purge) emails found in the Compliance Search.
Remove a previous Compliance Search from the Microsoft 365 Security & Compliance portal.

Instance Configuration Parameters

Property

Description

Instance Name

Name of the Microsoft 365 Security & Compliance instance.

Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.

Username

The Microsoft 365 Security & Compliance administrator username.

Password

The Microsoft 365 Security & Compliance administrator password and confirmation field.

Concurrent Searches or Purges

The maximum number of concurrent compliance searches or purges. Defaults to 10 if not specified.

Verbose Logging

Enables verbose debug logging for this plugin in the system logs.

Flow Node

Search construction node designed to create and perform a Security and Compliance search within an Office 365 Exchange instance. When a message arrives, this node will construct and execute a Compliance Search within the Security and Compliance portal. When the search finishes, the result of the Compliance Search will be passed as output. Note, the result counts do include emails which have already been soft purged. However, the purge summary does not include emails which were already purged.

Property

Description

Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Mode

This field provides the ability to:

Guided – sets up user-friendly mode for configuring the search parameters.
Expert – directly allows the operator to define the search with substitution rules for populating the search using the message payload.

Mode: Guided

In guided mode, the output message is created by taking each configured search property, parsing the incoming message if needed, and adding a logical AND operation between each property.

Attachment
Bcc
Body
Category
Cc
From
Importance
Kind
Participants
Received
Recipients
Sent
Size
Subject
To

Mode: Expert

In expert mode, the output message is created by parsing the query for <msg.*> and replacing it with the corresponding value from the incoming message. If you append ” -x” or ” -x” to a message containing a date in the form MM/DD/YYYY, it will subtract x days from the date. E.g., if msg.payload.received is equal to 06/25/2018 <msg.payload.received -10> will evaluate to 06/15/2018. To get the current date, use <now> and to get x days before the current date, use <now -x>. If you want the text in the message, add the escape character \ i.e. \<msg.payload.subject> will be output as <msg.payload.subject>.

Node to execute a soft purge using the designated Nevelex Labs Office 365 Exchange Plugin Instance. When a message arrives, this node instructs the Office 365 Exchange Plugin Instance to perform a soft purge of emails matching an existing Compliance Search. The NL-Office-365-Exchange-Search node must be used prior to this node to create and execute the search.

Property

Description

Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Node to execute a deletion of an existing Compliance Search using the designated Nevelex Labs Office 365 Exchange Plugin Instance. When a message arrives, this node instructs the Office 365 Exchange Plugin Instance to remove an existing Compliance Search. The NL-Office-365-Exchange-Search node must be used prior to this node to create and execute the search.

Property

Description

Name

The display name of the node within the flows.

Unique ID

System-wide unique ID of the plugin instance.

Learn More

Plugin Startup

Service Starts
PowerShell Started
If the PowerShell fails to start, the plugin remains active. A PowerShell connection will be attempted on any use of the O365 nodes.

O365 Node Usage

Receive a request to search, purge, or remove a compliance search
If PowerShell is not running:
1. Restart PowerShell
2. Wait for PowerShell to restart
3. On failure, log failure and break out
  The failure will be logged to the Incident timeline.
Perform the requested operation
Return results of operation

Caveat

PowerShell is used to connect to the Security & Compliance portal. By default, this is limited to 3 (three) concurrent connections. This plugin will fail to function if there isn’t an available connection.

Permissions

To perform content searches, the user must have the ability to perform content searches and perform purges. The Organization Management role provides this capability. If the user is not allowed to perform these operations, the following error is seen in the Incident timeline.

Running the Get-Command command in a remote session returned no results.

For more details on permissions in the Security and Compliance Portal, see the Assign eDiscovery permissions in the Security & Compliance Center and Permissions in the Security & Compliance Center Microsoft pages.

Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

Contact Us

EULA