SharePoint/Teams Components and Locations
(Common eDiscovery targets – default content types)
- Documents/Files – multiple item types – Standalone files are stored in document libraries. Size and count for individual document libraries can be obtained with this PowerBI method.
- Hidden/Alternative locations – Versions, Recoverable Items, held items
- Lists – Multiple Item types – Event, Link, Contact, Task, Announcement
- Pages – filetype:aspx
- Forms – The actual form is filetype:xml; form data can be stored as flat file(s) in a doc library, in a list or in other data connections.
- Messages – kind:im – Post/IM stored in Group or individual mailbox
- Digital assets – filetype:(extension) – Audio, video and images
- Teams default adds:
  - Wiki/Whiteboard – filetype:mht
  - Notebook/Notes – filetype:one
SharePoint components and objects have a wide range of standard and extensible properties. The default tenant index includes the searchable properties below. The blue columns are copied directly from the Microsoft documentation found here. The last column contains practical observations and recommendations from ongoing eDJ testing, client observations and your input. Every M365 tenant's configuration, feature rollout and content are unique. The Microsoft Purview team rolls out new features and fixes constantly. We rate and comment monthly on those with eDiscovery impact on the M365 Road Map page. Please comment (registered users) or use the feedback form with your own observations so that we can keep this information evergreen and accurate.
SharePoint Properties
All rows created and last edited by Greg-Buckles, 2024/06/11 10:11 AM.

Property | Property description | Example | Result Examples | eDJ Search Notes - *not from or vetted by MSFT |
---|---|---|---|---|
Author | The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and then emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. Be sure to use the user's display name for this property. | author:"Garth Fort" | All documents that are authored by Garth Fort. | The Author internal document property has proven wildly inconsistent in eDJ and client tenant testing without a default application policy that automatically populates that information. It appears to record the display name rather than USERID or other names. eDJ recommends only using it to supplement external file properties. |
ContentType | The SharePoint content type of an item, such as Item, Document, or Video. | contenttype:document | All documents would be returned. | The ContentType is assigned by the application and must be tested within the tenant and user groups. eDJ recommends using actual FileExtension variations for best results. |
Created | The date that an item is created. | created>=2021-06-01 | All items created on or after June 1, 2021. | Created/Modified dates are easily overwritten by migrations or even common business practices. eDJ recommends performing quality control checks on criteria with/without dates and expanding results to folder level where inconsistent results are found. |
CreatedBy | The person that created or uploaded an item. Be sure to use the user's display name for this property. | createdby:"Garth Fort" | All items created or uploaded by Garth Fort. | CreatedBy/ModifiedBy document properties are the primary fields for reliable custodial criteria. As noted for the Created date property, these can be easily overwritten in migrations and common work events. Quality control testing should be done to determine whether this has occurred prior to reliance on these ownership properties in holds and collections. |
DetectedLanguage | The language of an item. | detectedlanguage:english | All items in English. | While Microsoft 365 supports 60+ languages, identification and population of languages within document content has not been extensively tested by eDJ. |
DocumentLink | To return items located in subfolders of the folder that you specify for the documentlink property, you have to add /* to the URL of the specified folder; for example, documentlink: "https://contoso.sharepoint.com/Shared Documents/*" For more information about searching for the documentlink property and using a script to obtain the documentlink URLs for folders on a specific site, see Use Content search for targeted collections. | documentlink:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/Documents/Private" documentlink:"https://contoso-my.sharepoint.com/personal/garthf_contoso_com/Documents/Shared with Everyone/*" AND filename:confidential | The first example returns all items in the specified OneDrive for Business folder. The second example returns documents in the specified site folder (and all subfolders) that contain the word "confidential" in the file name. | The DocumentLink property contains the full path and file name of documents. This makes it the 'best' property found in testing to support location-based criteria and scope. However, because KQL requires a minimum of 4 preceding characters, it does not support preceding wildcard characters like *evidence*. This limits the search scenarios where you do not have full paths, e.g. find every folder with *Fraud* in the name. Further testing is warranted given changes observed in FileName searches, where spaces or break characters have created tokenized search behavior. |
FileExtension | The extension of a file; for example, docx, one, pptx, or xlsx. | fileextension:xlsx | All Excel files (Excel 2007 and later) | Test results have been good with FileExtension properties if you expand to cover all logical variations such as doc, docx, docm, doct, etc. |
FileName | The name of a file. | filename:"marketing plan" filename:estimate | The first example returns files with the exact phrase "marketing plan" in the title. The second example returns files with the word "estimate" in the file name. | FileName searches are excellent for early scoping and investigative searches. They work well when you already know the exact (full) filename or want to identify locations with a list of possible names. The many common scenarios where files are automatically incremented or altered make extensive QC advisable in hold and collection scenarios. |
LastModifiedTime | The date that an item was last changed. | lastmodifiedtime>=2021-05-01 lastmodifiedtime>=2021-05-01 AND lastmodifiedtime<=2021-06-01 | The first example returns items that were changed on or after May 1, 2021. The second example returns items changed between May 1, 2021 and June 1, 2021. | See Created date. |
ModifiedBy | The person who last changed an item. Be sure to use the user's display name for this property. | modifiedby:"Garth Fort" | All items that were last changed by Garth Fort. | See CreatedBy property notes. |
SharedWithUsersOWSUser | Documents that have been shared with the specified user and displayed on the Shared with me page in the user's OneDrive for Business site. These are documents that have been explicitly shared with the specified user by other people in your organization. When you export documents that match a search query that uses the SharedWithUsersOWSUser property, the documents are exported from the original content location of the person who shared the document with the specified user. For more information, see Searching for site content shared within your organization. | sharedwithusersowsuser:garthf sharedwithusersowsuser:"garthf@contoso.com" | Both examples return all internal documents that have been explicitly shared with Garth Fort and that appear on the Shared with me page in Garth Fort's OneDrive for Business account. | This property is ONLY populated when individual files are shared with a specific person. It is not populated when folders or sites are shared and should not be relied upon to determine whether files were accessible by internal users. |
Size | The size of an item, in bytes. | size>=1 size:1..10000 | The first example returns items larger than 1 byte. The second example returns items from 1 through 10,000 bytes in size. | eDJ has seen file size vary by small amounts when documents are saved by different users or applications based on text format padding presets. eDJ recommends using a size range when trying to find specific items based on byte size. |
Title | The title of the document. The Title property is metadata that's specified in Microsoft Office documents. It's different from the file name of the document. | title:"communication plan" | Any document that contains the phrase "communication plan" in the Title metadata property of an Office document. | See Author property notes. This is an internal application property that is inconsistently applied by different application settings and versions. |
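
The search notes above recommend scoping by full DocumentLink path, OR-ing every extension variation, searching size as a range, and comparing results with and without date criteria. The following is an added example, not code from eDJ or Microsoft, that composes such query strings from the syntax shown in the table; the function names, the 512-byte tolerance and the sample inputs are assumptions.

```python
from datetime import date

def folder_scope(folder_url, include_subfolders=True):
    """documentlink clause; '/*' is appended to reach subfolders, per the table."""
    url = folder_url.rstrip("/")
    if "*" in url or '"' in url:
        # Preceding/embedded wildcards such as *Fraud* are not supported in paths.
        raise ValueError("documentlink needs a full folder path without wildcards")
    return 'documentlink:"%s%s"' % (url, "/*" if include_subfolders else "")

def extension_clause(extensions):
    """OR together every logical variation of a file type."""
    terms = ["fileextension:" + e.lower().lstrip(".") for e in extensions]
    return "(" + " OR ".join(terms) + ")"

def size_window(size_bytes, tolerance=512):
    """Range instead of an exact byte count; the tolerance is an assumed value."""
    return "size:%d..%d" % (max(size_bytes - tolerance, 0), size_bytes + tolerance)

def date_window(prop, start, end):
    """Inclusive date range on one of the two date properties in the table."""
    if prop not in ("created", "lastmodifiedtime"):
        raise ValueError("unsupported date property: " + prop)
    if start > end:
        raise ValueError("start date is after end date")
    return "%s>=%s AND %s<=%s" % (prop, start.isoformat(), prop, end.isoformat())

def build_queries(folder_url, extensions, start, end, prop="lastmodifiedtime"):
    """Return the scoped query plus a date-free twin for the QC comparison."""
    base = folder_scope(folder_url) + " AND " + extension_clause(extensions)
    return {"scoped": base + " AND " + date_window(prop, start, end),
            "qc_no_dates": base}

# Constructed sample input, reusing the contoso folder URL from the table.
SAMPLE = build_queries(
    "https://contoso-my.sharepoint.com/personal/garthf_contoso_com/Documents/Private",
    ["doc", "docx", "docm"], date(2021, 5, 1), date(2021, 6, 1))

if __name__ == "__main__":
    for name, query in SAMPLE.items():
        print(name, "=>", query)
    print(size_window(10000))
```

A large gap between the hit counts of the `scoped` and `qc_no_dates` queries on the same folder is the signal to check whether Created/Modified dates were overwritten before relying on the date criteria.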