核心电子数据展示入门Get started with Core eDiscovery

Microsoft 365 中的核心电子数据展示提供了一个基本的电子数据展示工具,组织可以使用这些工具在 Microsoft 365 和 Office 365 中搜索和导出内容。Core eDiscovery in Microsoft 365 provides a basic eDiscovery tool that organizations can use to search and export content in Microsoft 365 and Office 365. 您还可以使用核心电子数据展示对内容位置(如 Exchange 邮箱、SharePoint 网站、OneDrive 帐户和 Microsoft 团队)放置电子数据展示保留。You can also use Core eDiscovery to place an eDiscovery hold on content locations, such as Exchange mailboxes, SharePoint sites, OneDrive accounts, and Microsoft Teams. 部署核心电子数据展示无需任何内容,但在您的组织开始使用核心电子数据展示来搜索、导出和保留内容之前,IT 管理员和电子数据展示管理器必须完成一些先决条件任务。Nothing is needed to deploy Core eDiscovery, but there are some prerequisite tasks that an IT admin and eDiscovery manager have to complete before your organization can start using Core eDiscovery to search, export, and preserve content.

本文讨论了设置核心电子数据展示所需的步骤。This article discusses the steps necessary to set up Core eDiscovery. 这包括确保访问核心电子数据展示所需的正确许可,并在内容位置放置电子数据展示保留,以及将权限分配给 IT、法律和调查团队,以便他们能够访问和管理案例。This includes ensuring the proper licensing required to access Core eDiscovery and place an eDiscovery hold on content locations, as well as assigning permissions to your IT, legal, and investigation team so they can access and manage cases. 此外,本文还提供了使用案例搜索和导出内容的高级别概述。This article also provides a high-level overview of using cases to search for and export content.

步骤1:验证并分配适当的许可证Step 1: Verify and assign appropriate licenses

核心电子数据展示的许可要求相应的组织订阅和每用户许可。Licensing for Core eDiscovery requires the appropriate organization subscription and per-user licensing.

  • 组织订阅: 若要访问 Microsoft 365 合规性中心中的核心电子数据展示或 Office 365 安全性 & 合规性中心并使用保留和导出功能,您的组织必须具有 Microsoft 365 E3 或 Office 365 E3 订阅或更高版本。Organization subscription: To access Core eDiscovery in the Microsoft 365 compliance center or the Office 365 Security & Compliance Center and use the hold and export features, your organization must have a Microsoft 365 E3 or Office 365 E3 subscription or higher.

  • 每用户许可: 若要在邮箱和网站上放置电子数据展示保留,必须为用户分配以下许可证之一,具体取决于您的组织订阅:Per-user licensing: To place an eDiscovery hold on mailboxes and sites, a user must be assigned one of the following licenses, depending on your organization subscription:

    • Microsoft 365 E3 或 Office 365 E3 许可证或更高版本A Microsoft 365 E3 or Office 365 E3 license or higher

    OROR

    • Office 365 E1 许可证与 Exchange Online 计划2或 Exchange Online 存档外接程序许可证Office 365 E1 license with an Exchange Online Plan 2 or Exchange Online Archiving add-on license

    ANDAND

    • 使用 SharePoint Online 计划2或 OneDrive for business 计划2附加许可证的 Office 365 E1 许可证Office 365 E1 license with an SharePoint Online Plan 2 or OneDrive for Business Plan 2 add-on license

    有关如何分配许可证的信息,请参阅向 用户分配许可证For information about how to assign licenses, see Assign licenses to users.

有关许可的信息:For information about licensing:

步骤2:分配电子数据展示权限Step 2: Assign eDiscovery permissions

若要访问核心电子数据展示或添加为核心电子数据展示事例的成员,必须为用户分配适当的权限。To access Core eDiscovery or be added as a member of a Core eDiscovery case, a user must be assigned the appropriate permissions. 具体来说,用户必须作为 "Office 365 安全 & 合规中心" 中的 "电子数据展示管理器" 角色组的成员进行添加。Specifically, a user must be added as a member of the eDiscovery Manager role group in the Office 365 Security & Compliance Center. 此角色组的成员可以创建和管理核心电子数据展示事例。Members of this role group can create and manage Core eDiscovery cases. 他们可以添加和删除成员、为用户放置电子数据展示保留、创建和编辑搜索以及从核心电子数据展示事例导出内容。They can add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from a Core eDiscovery case.

完成以下步骤以将用户添加到电子数据展示管理器角色组:Complete the following steps to add users to the eDiscovery Manager role group:

  1. 转到 https://protection.office.com/permissions 并使用 Microsoft 365 或 Office 365 组织中的管理员帐户的凭据登录。Go to https://protection.office.com/permissions and sign in using the credentials for an admin account in your Microsoft 365 or Office 365 organization.

  2. 在 " 权限 " 页上,选择 " 电子数据展示管理器 " 角色组。On the Permissions page, select the eDiscovery Manager role group.

  3. 在 "电子数据展示管理器" 弹出页面上,单击电子数据展示管理器部分旁边的 "编辑"。On the eDiscovery Manager flyout page, click Edit next to the eDiscovery Manager section.

  4. 在编辑角色组向导中的 " 选择电子数据展示管理器 " 页上,单击 " 选择发现管理器"。On the Choose eDiscovery Manager page in the edit role group wizard, click Choose Discovery Manager.

  5. 单击 " 添加 ",然后选中要添加到角色组的所有用户的复选框。Click Add then select the checkbox for all users you want to add to the role group.

  6. 单击 " 添加 " 以添加选定的用户,然后单击 " 完成"。Click Add to add the selected users, and then click Done.

  7. 单击 " 保存 " 将用户添加到角色组,然后单击 " 关闭 " 完成步骤。Click Save to add the users to the role group, and then click Close to complete the step.

有关电子数据展示管理器角色组的详细信息More information about the eDiscovery Manager role group

"电子数据展示管理器" 角色组中有两个子组。There are two subgroups in the eDiscovery Manager role group. 这些子组之间的差异基于作用域。The difference between these subgroups is based on scope.

  • 电子数据展示管理器: 可以查看和管理他们创建的核心电子数据展示事例或其成员。eDiscovery Manager: Can view and manage the Core eDiscovery cases they create or are a member of. 如果另一个电子数据展示管理器创建了一个事例,但未将另一个电子数据展示管理器添加为这种情况的成员,则第二个电子数据展示管理器将无法在合规性中心的核心电子数据展示页面上查看或打开该事例。If another eDiscovery Manager creates a case but doesn't add a second eDiscovery Manager as a member of that case, the second eDiscovery Manager won't be able to view or open the case on the Core eDiscovery page in the compliance center. 通常,可以将组织中的大多数用户添加到电子数据展示管理器子组。In general, most people in your organization can be added to the eDiscovery Manager subgroup.

  • 电子数据展示管理员: 可以执行电子数据展示管理器可以执行的所有案例管理任务。eDiscovery Administrator: Can perform all case management tasks that an eDiscovery Manager can do. 此外,电子数据展示管理员可以:Additionally, an eDiscovery Administrator can:

    • 查看核心电子数据展示页面上列出的所有事例。View all cases that are listed on the Core eDiscovery page.

    • 在组织中管理任何事例,然后在将自己添加为案例成员。Manage any case in the organization after they add themselves as a member of the case.

    • 组织中的任何事例的访问和导出事例数据。Access and export case data for any case in the organization.

    由于访问范围很广,组织应仅有几个作为电子数据展示管理员子组成员的管理员。Because of the broad scope of access, an organization should have only a few admins who are members of the eDiscovery Administrators subgroup.

有关电子数据展示权限的详细信息以及分配给电子数据展示管理器角色组的每个角色的说明,请参阅 分配电子数据展示权限For more information about eDiscovery permissions and a description of each role that's assigned to the eDiscovery Manager role group, see Assign eDiscovery permissions.

步骤3:创建核心电子数据展示事例Step 3: Create a Core eDiscovery case

下一步是创建事例并开始使用核心电子数据展示。The next step is to create a case and start using Core eDiscovery. 完成以下步骤以创建事例并添加成员。Complete the following steps to create a case and add members. 创建案例的用户将自动添加为成员。The user who creates the case is automatically added as a member.

  1. 转到 https://compliance.microsoft.com 并使用已为其分配了相应电子数据展示权限的用户帐户的凭据登录。Go to https://compliance.microsoft.com and sign in using the credentials for a user account that has been assigned the appropriate eDiscovery permissions. 组织管理角色组的成员也可以创建核心电子数据展示事例。Members of the Organization Management role group can also create Core eDiscovery cases.

  2. 在 Microsoft 365 合规性中心的左侧导航窗格中,单击 " 全部显示",然后单击 " 电子数据展示 > 核心"。In the left navigation pane of the Microsoft 365 compliance center, click Show all, and then click eDiscovery > Core.

  3. 核心电子数据展示 页面上,单击 " 创建事例"。On the Core eDiscovery page, click Create a case.

  4. 在 " 新事例 " 弹出页面上,为事例提供 (必需) 的名称,然后键入一个可选的事例编号和说明。On the New case flyout page, give the case a name (required), and then type an optional case number and description. 案例名称在您的组织中必须是唯一的。The case name must be unique in your organization.

  5. 单击 " 保存 " 以创建事例。Click Save to create the case.

    创建新事例并将其显示在核心电子数据展示页面上。The new case is created and displayed on the Core eDiscovery page. 您可能需要单击 " 刷新 " 以显示新事例。You may have to click Refresh to display the new case.

第4步 (可选) :将成员添加到核心电子数据展示事例Step 4 (optional): Add members to a Core eDiscovery case

如果您在第3步中创建了一个事例,并且您是唯一将使用该事例的人,则不必执行此步骤。If you create a case in Step 3 and you're the only person who will use the case, then you don't have to perform this step. 您可以开始使用事例来创建电子数据展示保留、搜索内容或导出搜索结果。You can start using the case to create eDiscovery holds, search for content, or export search results. 如果要向其他用户授予 (或角色组) 对该案例的访问权限,请执行此步骤。Perform this step if you want to give other users (or roles group) access to the case.

  1. 在 Microsoft 365 合规性中心的 核心电子数据展示 页面上,单击要向其添加成员的事例的名称。On the Core eDiscovery page in the Microsoft 365 compliance center, click the name of the case that you want to add members to.

  2. 在 " 管理此案例 " 弹出页面上的 " 管理成员" 下,单击 " 添加 " 向事例添加成员。On the Manage this case flyout page, under Manage members, click Add to add members to the case.

    您还可以选择将角色组添加为事例的成员。You can also choose to add role group as members of a case. 在 " 管理角色组" 下,单击 " 添加"。Under Manage role groups, click Add. 您只能将您所属的角色组分配给一个案例。You can only assign the role groups that you are a member of to a case. 这是因为角色组控制谁可以将成员分配到电子数据展示事例。That's because role groups control who can assign members to an eDiscovery case.

  3. 在可以添加为案例成员的人员或角色组列表中,单击要添加的人员的名称 (或角色组) 旁边的复选框。In the list of people or role groups that can be added as members of the case, click the check box next to the names of the people (or role groups) that you want to add. 如果您有一个很大的用户可以添加为成员的列表,请使用 搜索 框在列表中搜索特定人员。If you have a large list of people who can added as members, use the Search box to search for a specific person in the list.

  4. 选择要添加为事例成员的人员或角色组后,单击 " 添加"。After you select the people or role groups to add as members of the case, click Add.

  5. 单击 " 保存 " 以保存新的事例成员列表。Click Save to save the new list of case members.

浏览核心电子数据展示工作流Explore the Core eDiscovery workflow

为了让你开始使用核心电子数据展示,下面是一个简单的工作流,可为感兴趣的人创建电子数据展示保留,搜索与调查相关的内容,然后导出该数据以供将来查看。To get you started using core eDiscovery, here's a simple workflow of creating eDiscovery holds for people of interest, searching for content that relevant to your investigation, and then exporting that data for further review. 在上述每个步骤中,我们还将重点介绍您可以浏览的一些扩展核心电子数据展示功能。In each of these steps, we'll also highlight some extended Core eDiscovery functionality that you can explore.

核心电子数据展示工作流

  1. 创建电子数据展示保留Create an eDiscovery hold. 创建案例后的第一步是将保留 (也称为 电子数据展示保留) 在调查中的人员的内容位置。The first step after creating a case is placing a hold (also called an eDiscovery hold) on the content locations of the people of interest in your investigation. 内容位置包括 Exchange 邮箱、SharePoint 网站、OneDrive 帐户以及与 Microsoft 团队和 Office 365 组关联的邮箱和网站。Content locations include Exchange mailboxes, SharePoint sites, OneDrive accounts, as well as the mailboxes and sites associated with Microsoft Teams and Office 365 Groups. 虽然此步骤是可选的,但创建电子数据展示保留会保留在调查过程中可能与事例相关的内容。While this step is optional, creating an eDiscovery hold preserves content that may be relevant to the case during the investigation. 创建电子数据展示保留时,可以保留特定内容位置中的所有内容,也可以创建基于查询的保留以仅保留与保留查询匹配的内容。When you create an eDiscovery hold you can preserve all content in specific content locations or you can create a query-based hold to preserve only the content that matches a hold query. 除了保留内容之外,创建电子数据展示保留的另一个好理由是:快速搜索保留 (上的内容位置,而不是在下一步中创建和运行搜索时选择要搜索) 的每个位置。In addition to preserving content, another good reason to create eDiscovery holds is to quickly search the content locations on hold (instead of having to select each location to search) when you create and run searches in the next step. 完成调查后,可以释放您创建的任何保留。After you complete your investigation, you can release any hold that you created.

  2. 搜索内容Search for content. 创建电子数据展示保留后,使用内置搜索工具在保留时搜索内容位置。After you create eDiscovery holds, use the built-in search tool to search the content locations on hold. 您还可以在其他内容位置搜索可能与案例相关的数据。You can also search other content locations for data that may be relevant to the case. 您可以创建和运行与事例相关联的不同搜索。You can create and run different searches that are associated with the case. 使用关键字、属性和条件 构建搜索查询 ,以使用最可能与案例相关的数据返回搜索结果。You use keywords, properties, and conditions to build search queries that return search results with the data that's most likely relevant to the case. 还可以执行以下操作:You can also:

    • 查看可帮助您优化搜索查询以缩小结果范围的搜索统计信息。View search statistics that may help you refine a search query to narrow the results.

    • 预览搜索结果以快速验证是否找到了相关数据。Preview the search results to quickly verify whether the relevant data is being found.

    • 修订查询并重新运行搜索。Revise a query and rerun the search.

  3. 导出和下载搜索结果Export and download search results. 在搜索和查找与调查相关的数据后,可以将其导出到 Office 365 以供调查团队之外的人查看。After you search for and find data that's relevant to your investigation, you can export it out of Office 365 for review by people outside of the investigation team. 导出数据的过程分为两个步骤。Exporting data is a two-step process. 第一步是在不使用 Office 365 的情况下导出搜索结果。The first step is to export the results of a search in the case out of Office 365. 这是通过将搜索结果复制到 Microsoft 提供的 Azure 存储位置来实现的。This is accomplished by copying the results of a search to a Microsoft-provided Azure Storage location. 下一步是使用电子数据展示导出工具将内容下载到本地计算机。The next step is to use the eDiscovery Export tool to download the content to a local computer. 除了导出的数据文件之外,导出包的包含还包含导出报告、摘要报告和错误报告。In addition to the exported data files, the contains of the export package also contains an export report, a summary report, and an error report.