Add Microsoft 365 data exported out of MS Purview portal
Nuix Workstation can do the following related to Microsoft 365 applications:
Add and ingest Microsoft Teams PST data.
Process Microsoft Office 365 Purview Compliance Portal (PCP) audit logs. The PCP was previously named the MS Security Compliance Centre (SCC).
Promote the following from Nuix Workstation to Nuix Discover®:
Chat Reactions
Visible History Start Time
Member Added and Member Removed log events
Work through the topics in this section in the following sequence:
Add Microsoft Teams PST data as evidence
Process Microsoft 365 PCP audit logs
Promote Microsoft 365 chat messages to Nuix Discover
Add Microsoft Teams PST data as evidence
Nuix Workstation supports the ingestion of Microsoft Teams PST data, allowing you to search on and use Microsoft Teams content during eDiscovery investigations. You can also promote the Microsoft Teams PST data downloaded from the Microsoft Office 365 Purview Compliance Portal (PCP) (previously named the Microsoft 365 Security Compliance Center) to Nuix Discover.
Background to working with Microsoft Teams PST data
The following are answers to commonly asked questions on how Nuix Workstation ingests Microsoft Teams PST data.
What are the SPOOLS and Substrate folders in the Microsoft Teams PST data?
Substrate and SPOOLS are temporarily hidden folders created by Microsoft for storing Microsoft Teams and Channel data. This means they have more than one repository for storing “digital twins”. Nuix Workstation does not change or modify these hidden Teams PST folders. When ingested, they are listed as evidence.
Where is Microsoft Teams content stored?
The following table details where Microsoft Teams stores content:
| Content-type | Stored location and notes |
| --- | --- |
| Teams 1:1 chats | Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants. Files shared in a 1:1 chat are stored in the OneDrive for Business account of the person who shared the file. |
| Teams group chats | Messages in group chats are stored in the Exchange Online mailbox of all chat participants. Files shared in group chats are stored in the OneDrive for Business account of the person who shared the file. |
| Teams channels | All channel messages and posts are stored in the Exchange Online mailbox associated with the team. Files shared in a channel are stored in the SharePoint Online site associated with the team. |
| Private Teams channels | Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel. Files shared in a private channel are stored in a dedicated SharePoint Online site associated with the private channel. |

Note: "Microsoft Teams channels" attachments are stored in the PST in SharePoint URL format, so you cannot retrieve the contents of an attachment unless you select SharePoint data along with the Exchange folders in the “eDiscovery” flow. However, Microsoft Teams chat data is stored in the PST itself, which you can retrieve.
The following image shows where SharePoint data is extracted along with the Exchange PST from the PCP.
How do I retrieve the Microsoft Teams PST from the PCP?
To retrieve the Microsoft Teams PST from the PCP:
Go to https://compliance.microsoft.com/
Create a new content search.
Select Microsoft Teams channels and/or Microsoft Teams teams exchange mailboxes.
Define your search conditions.
Export the content search results, using one of the ways detailed in the following table:
| Content-type | Exporting method |
| --- | --- |
| One PST file for each mailbox | Exports one PST file for each user mailbox that contains search results, reproducing the mailbox folder structure from the source mailbox. Any results from a user's archive mailbox are included in the same PST file. |
| One PST file containing all messages | Exports a single PST file (named .pst) containing the search results from all source mailboxes included in the search, reproducing the mailbox folder structure for each message. |
| One PST file containing all messages in a single folder | Exports search results to a single PST file where all messages are in a single, top-level folder, allowing a review of items in chronological order, and sorted by sent date. |
| Individual messages | Exports search results as individual email messages using the .msg format to a folder in the file system. The folder path for individual messages is the same as when you export the results to a PST file. |
Note: Not all content is discoverable. The IT team can specify the Microsoft Teams team and channels they want to export from the PCP. The folder structure of Teams PST data depends on the search criteria and export option used when downloading export search results.
The name of the Teams channel is not eDiscoverable, meaning a Teams Channel conversation or message cannot be categorized into its respective channel.
MIME types supported for Microsoft Teams PST data
Nuix Workstation supports the following MIME types for Microsoft Teams PST data:
| Description | Query String | Kind | Notes |
| --- | --- | --- | --- |
| Microsoft Teams Channel Conversation | application/vnd.microsoft.m365.teams.channel-conversation | Chat Conversations | A Conversation or thread in a channel |
| Microsoft Teams Channel Message | application/vnd.microsoft.m365.teams.channel-message | Chat Messages | A Message in a channel |
| Microsoft Teams Chat Conversation | application/vnd.microsoft.m365.teams.chat-conversation | Chat Conversations | A Conversation in a Private chat |
| Microsoft Teams Chat Message | application/vnd.microsoft.m365.teams.chat-message | Chat Messages | A Message in a chat |
| Microsoft Teams Calendar Event | application/vnd.microsoft.m365.calendar-event | Calendar Events | A Team Calendar Event |
The data representation through Microsoft Teams PST is different from Microsoft Office 365 connectors in Nuix Workstation. The following image shows the difference in their folder structures:
MIME types unsupported for Microsoft Teams PST data
Nuix Workstation does not support the following Microsoft Teams MIME types through Microsoft Teams PST data:
application/vnd.microsoft.m365.team - Microsoft Teams Team
application/vnd.microsoft.m365.teams.channel - Microsoft Teams channel
application/vnd.microsoft.m365.message.reaction - Microsoft M365 Message Reaction
Unsupported MIME types are exported as a Microsoft Outlook Folder from the PST. Microsoft Outlook Folders have insufficient properties to differentiate the Teams Channel folder from the Teams Team folder.
Reaction types are also not eDiscoverable, and therefore unavailable in the Microsoft Teams PST export from the PCP. See 'Conduct an eDiscovery investigation of content in Microsoft Teams' for details.
Process Microsoft 365 PCP audit logs
Nuix Workstation supports audit logs from the Microsoft Office 365 Purview Compliance Portal (PCP), previously named the Security Compliance Centre (SCC). You download Microsoft 365 audit logs from the Microsoft 365 portal. For more information, go to: Microsoft 365 Compliance | Microsoft Docs.
As a single source for unified Microsoft 365 logs, the audit log contains a wealth of data allowing you to:
See key details, such as who had access to information, and at what time.
Filter, view, and search across thousands of different types of audit events.
See what new MIME types were added.
The audit log is a CSV file that contains the following information for each log entry:
CreationDate
UserIds
Operations
AuditData
The AuditData value of each entry is a JSON object that contains the audit event, where:
Each log entry is a separate row.
Every member becomes a child of that particular row.
Note: Before ingesting the logs, in the MIME Type Settings tab under Logs, ensure you select all descendants under these Microsoft Office 365 logs:
Microsoft Office 365 SCC Log
Microsoft Office 365 SCC Log Event
Microsoft Office 365 SCC Log Member
Once you ingest the logs, the Results pane displays the information for the logs as individual items.
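The row-and-children layout described above can be checked on an exported CSV before ingestion. The following Python sketch is an added example, not Nuix or Microsoft code: it parses the four columns, expands each AuditData object into child members of its row, flags rows whose AuditData is not valid JSON, and lists member add and remove events. It assumes "member" means each top-level name/value pair of the AuditData object; the sample rows, the MemberAdded/MemberRemoved operation names and the Members/UPN fields are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample in the four-column layout described above; every value is
# invented. The operation names and AuditData members are assumptions.
SAMPLE_CSV = '''CreationDate,UserIds,Operations,AuditData
2024-03-01T09:15:00.0000000Z,alice@example.com,MemberAdded,"{""Workload"":""MicrosoftTeams"",""TeamName"":""Case-42"",""Members"":[{""UPN"":""bob@example.com"",""Role"":1}]}"
2024-03-02T17:40:00.0000000Z,alice@example.com,MemberRemoved,"{""Workload"":""MicrosoftTeams"",""TeamName"":""Case-42"",""Members"":[{""UPN"":""bob@example.com"",""Role"":1}]}"
2024-03-03T08:00:00.0000000Z,carol@example.com,FileAccessed,"{""Workload"":""SharePoint"",""ObjectId"":"
'''


def parse_audit_log(text):
    """Return one dict per log entry; AuditData members become its children."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entry = {
            "created": row["CreationDate"],
            "user": row["UserIds"],
            "operation": row["Operations"],
            "children": {},   # top-level members of the AuditData object
            "error": None,    # set when AuditData cannot be used
        }
        try:
            data = json.loads(row.get("AuditData") or "")
            if not isinstance(data, dict):
                raise ValueError("AuditData is not a JSON object")
            entry["children"] = data
        except ValueError as exc:  # JSONDecodeError is a ValueError subclass
            entry["error"] = str(exc)
        entries.append(entry)
    return entries


def membership_changes(entries):
    """List (time, actor, operation, member UPN) for member add/remove events."""
    changes = []
    for e in entries:
        if e["operation"] not in ("MemberAdded", "MemberRemoved"):
            continue
        for member in e["children"].get("Members", []):
            changes.append((e["created"], e["user"], e["operation"], member.get("UPN")))
    return changes


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_CSV)
    print(membership_changes(parsed), [e["error"] for e in parsed if e["error"]])
```

Rows that come back with an error set are worth resolving against the source export before relying on the ingested item counts.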
Promote Microsoft 365 chat messages to Nuix Discover
This section covers how to:
Promote and search on chat reaction types
Promote participant Visible History Start Time
Promote Member Added and Removed log events
A chat includes a variety of information, in addition to the messages that participants send to each other.
A chat can include the following information:
Content that participants send to each other, such as messages, reactions, and attachments
Members joining and leaving events
Metadata, such as the date and time of the chat, the names of participants, and the number of messages in the conversation
You can promote the following from Nuix Workstation to Nuix Discover:
Chat Reactions
Visible History Start Time
Member Added and Member Removed log events
Note: Nuix Workstation cannot promote activities to Nuix Discover but allows you to review them in Nuix Workstation.
Promote and search on chat reaction types
Nuix Workstation supports these chat reaction types: Like, Heart, Laugh, Surprised, Sad, and Angry.
When Nuix Workstation promotes Microsoft 365 chat messages, it also promotes the chat reactions. Then you can filter and search for Microsoft 365 reaction types.
Promote participant Visible History Start Time
The Visible History Start Time property in a Microsoft 365 User Group Chat is metadata that shows the chat history of a user when added to a conversation. If the chat history has been shared with a user, Nuix Workstation displays the date from which messages are visible to a user in a conversation.
Promote Member Added and Removed log events
To promote Member Added events or Member Removed log events to Nuix Discover:
Select and right-click the member added and removed log events.
Select Export > Promote to Nuix Discover. The Promote to Nuix Discover window opens.
Select the account and the case you want to promote.
Confirm the summary and click OK.
The promotion to Nuix Discover starts. It can take 3-4 minutes to complete.
Note: You must promote the chat message and these event logs to Nuix Discover in the same promotion job.
On promoting chat items from Nuix Workstation to Nuix Discover, the chat view includes a summary table that displays the participant names and the number of messages (MSGs) and attachments (ATCs) sent by each participant. If the chat file includes attachments, they are attached to the chat document in the application.
Also see Promote documents to Nuix Discover.
For more details on how to review chat documents in Nuix Discover, see the Promote to Nuix Discover from Nuix Workstation guide.