Microsoft 365 Security & Compliance

Overview

Nevelex Labs provides a configurable Microsoft 365 Security & Compliance plugin to expose and automate the search and purge capabilities of the Security & Compliance Center.

Functionality

This plugin supports operations to:

  • Run Compliance Searches based on configurable search parameters.
  • Notify on the completion of a Compliance Search.
  • Purge (soft purge) emails found in the Compliance Search.
  • Remove a previous Compliance Search from the Microsoft 365 Security & Compliance portal.

Instance Configuration Parameters

  • Instance Name – Name of the Microsoft 365 Security & Compliance instance.
  • Unique ID – A system-wide unique identifier for this plugin instance, used to locate the service.
  • Username – The Microsoft 365 Security & Compliance administrator username.
  • Password – The Microsoft 365 Security & Compliance administrator password and confirmation field.
  • Concurrent Searches or Purges – The maximum number of concurrent compliance searches or purges. Defaults to 10 if not specified.
  • Verbose Logging – Enables verbose debug logging for this plugin in the system logs.

Flow Node

Search construction node that creates and runs a Security and Compliance search within an Office 365 Exchange instance. When a message arrives, this node constructs and executes a Compliance Search within the Security and Compliance portal. When the search finishes, the result of the Compliance Search is passed as output. Note that the result counts include emails that have already been soft purged, whereas the purge summary does not include emails that were already purged.

  • Name – The display name of the node within the flows.
  • Unique ID – System-wide unique ID of the plugin instance.
  • Mode – Selects how the search is defined:
    • Guided – sets up a user-friendly mode for configuring the search parameters.
    • Expert – lets the operator define the search directly, with substitution rules that populate the search from the message payload.

Mode: Guided

In guided mode, the output message is created by taking each configured search property, parsing the incoming message if needed, and joining the properties with a logical AND. The search properties are:

  • Attachment
  • Bcc
  • Body
  • Category
  • Cc
  • From
  • Importance
  • Kind
  • Participants
  • Received
  • Recipients
  • Sent
  • Size
  • Subject
  • To

Mode: Expert

In expert mode, the output message is created by parsing the query for <msg.*> and replacing each occurrence with the corresponding value from the incoming message. If you append " -x" to a reference whose value is a date in the form MM/DD/YYYY, x days are subtracted from the date. E.g., if msg.payload.received is equal to 06/25/2018, <msg.payload.received -10> will evaluate to 06/15/2018. To get the current date, use <now>, and to get x days before the current date, use <now -x>. If you want the literal text in the message, add the escape character \, i.e. \<msg.payload.subject> will be output as <msg.payload.subject>.
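
The substitution rules above, worked through in JavaScript as an added example; this is not Nevelex Labs' code. The function name expandExpertQuery, the MM/DD/YYYY output for <now>, the UTC date handling, and the choice to raise an error on a missing field or a non-date value are assumptions.

```javascript
// Added illustration of the expert-mode rules above; not the plugin's code.
// expandExpertQuery, the UTC handling and the error behaviour are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

function formatDate(d) {
  const mm = String(d.getUTCMonth() + 1).padStart(2, "0");
  const dd = String(d.getUTCDate()).padStart(2, "0");
  return `${mm}/${dd}/${d.getUTCFullYear()}`;
}

function parseDate(text) {
  const m = /^(\d{2})\/(\d{2})\/(\d{4})$/.exec(String(text));
  if (!m) throw new Error(`not an MM/DD/YYYY date: ${text}`);
  const d = new Date(Date.UTC(Number(m[3]), Number(m[1]) - 1, Number(m[2])));
  // Reject values such as 13/45/2018 that Date would silently roll over.
  if (formatDate(d) !== m[0]) throw new Error(`invalid calendar date: ${text}`);
  return d;
}

function lookup(msg, path) {
  // Walk a dotted path such as "payload.received" through the message.
  const value = path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), msg);
  if (value == null) throw new Error(`message has no value for msg.${path}`);
  return String(value);
}

function expandExpertQuery(query, msg, now = new Date()) {
  // Optional leading backslash, then <now> or <msg.path>, then optional " -x".
  const token = /(\\?)<(now|msg\.([\w.]+))(?: -(\d+))?>/g;
  return query.replace(token, (whole, esc, name, path, days) => {
    if (esc) return whole.slice(1); // escaped: emit the reference as literal text
    const value = name === "now" ? formatDate(now) : lookup(msg, path);
    if (days === undefined) return value;
    const shifted = parseDate(value).getTime() - Number(days) * DAY_MS;
    return formatDate(new Date(shifted));
  });
}

// Constructed sample message and query, for illustration only.
const sampleMsg = { payload: { subject: "Invoice 4471", received: "06/25/2018" } };
const sampleQuery =
  'subject:"<msg.payload.subject>" AND received>=<msg.payload.received -10>';
console.log(expandExpertQuery(sampleQuery, sampleMsg));
```

In this example a missing field stops the expansion instead of substituting an empty string, so an incomplete incoming message cannot silently broaden a search that a purge node later acts on.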

Node to execute a soft purge using the designated Nevelex Labs Office 365 Exchange Plugin Instance. When a message arrives, this node instructs the Office 365 Exchange Plugin Instance to perform a soft purge of emails matching an existing Compliance Search. The NL-Office-365-Exchange-Search node must be used prior to this node to create and execute the search.

  • Name – The display name of the node within the flows.
  • Unique ID – System-wide unique ID of the plugin instance.

Node to execute a deletion of an existing Compliance Search using the designated Nevelex Labs Office 365 Exchange Plugin Instance. When a message arrives, this node instructs the Office 365 Exchange Plugin Instance to remove an existing Compliance Search. The NL-Office-365-Exchange-Search node must be used prior to this node to create and execute the search.

  • Name – The display name of the node within the flows.
  • Unique ID – System-wide unique ID of the plugin instance.

Learn More

Plugin Startup

  1. Service Starts
  2. PowerShell Started

O365 Node Usage

  1. Receive a request to search, purge, or remove a compliance search
  2. If PowerShell is not running:
    1. Restart PowerShell
    2. Wait for PowerShell to restart
    3. On failure, log failure and break out
  3. Perform the requested operation
  4. Return results of operation

Caveat

Permissions

To perform content searches and purges, the configured user must have permission to perform both operations. The Organization Management role provides this capability. If the user is not allowed to perform these operations, the following error is seen in the Incident timeline.

For more details on permissions in the Security and Compliance Portal, see the Microsoft pages "Assign eDiscovery permissions in the Security & Compliance Center" and "Permissions in the Security & Compliance Center".


©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.
