Exchange Online Search and Purge with PowerShell and Threat Explorer
Hi All,
In this Article i'll show you how you can "Search and Purge" Emails in Exchange Online.
With Compliance Search you can search for Mails and purge (Soft- or HardDelete) them afterwards. That's usually the case for Phishing or Spam Incidents.
Your search can cover a maximum of 50’000 Mailboxes
A new Compliance Search will create an Alert by default.
A new Compliance Search will create an Alert by default.
First of all you need to have the correct Permissions https://security.microsoft.com/permissions
Select "Email & collaboration Roles"
I'have created a custom Role with the following Roles and assign this to Max Muster
- Preview
- Search And Purge
- Compliance Search
Let's assume we search for this Mail
Max Muster can now connect with Security and Compliance part of the ExchangeOnlineManagement PowerShell Module
Connect-IPPSSession
Get-Module
Get-Command -Module <tmpxxxx.xxx>
Now he can start a Compliance Search with Keyword Query Language (KQL)
https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-referenceNew-ComplianceSearch -ContentMatchQuery <KQL Query>
New-ComplianceSearch -Name "ComplianceSearchDemo" -Description "BOA: ComplianceSearchDemo" -ExchangeLocation All -ContentMatchQuery "(From:zainabyusuf128@gmail.com) AND (Subject:'Spende')"
A Compliance Search raises an Alert
Now you need to Start the Compliance Search
Get-ComplianceSearch -Identity <Name>
Start-ComplianceSearch -Identity <Name>
Get-ComplianceSearch -Identity <Name>
Start-ComplianceSearch -Identity <Name>
Get-ComplianceSearch -Identity <Name>
You can check if the ComplianceSearch has a status of "Completed" then look at the details
Get-ComplianceSearch -Identity <Name>
Get-ComplianceSearch -Identity <Name> | fl
You see how many Items are found and the Mailbox it was found on
The Content Search can be viewed or created in the Microsoft Purview Portal https://compliance.microsoft.com/contentsearchv2?viewid=search
If you have the "Preview" Role you can view Samples.
This is useful to check if you have matched the correct Emails and not Mails that should not be there.
Then you have to refine your search query.
Now we can define the Action for this Search
#Purge to Recoverable Items for the User
New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType SoftDelete
Purge to Exchange Dumpster
#New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType HardDelete
New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType SoftDelete
Purge to Exchange Dumpster
#New-ComplianceSearchAction -SearchName "ComplianceSearchDemo" -Purge -PurgeType HardDelete
Get-ComplianceSearchAction
I can confirm, that i see this Mail in my "Recover Deleted Items" in Outlook
Sometimes it's more easy to create the Search in the Microsoft Purview Portal https://compliance.microsoft.com/contentsearchv2?viewid=search
You need to define a Name
Select the Location. You can select all Mailboxes or include or exclude specific Mailboxes
With the Conditions you can create your Search
This is the Search i've created
If you select "KQL Editor" then you see the KQL Query of the GUI you just created.
Over time you will understand the KQL Syntax and don't use the GUI anymore.
Summary
Search is created and submitted. A Search from the GUI is automatically started.
The Compliance Searches will stay there. You need to delete them in the GUI or with PowerShell
Remove-ComplianceSearchAction
Search and Purge with Threat Explorer
Microsoft Defender for Office 365 security product overview
If you are Exchange Administrator and have the Emails & Collaboration Role
- Search And Purge
- Compliance Search
You will also be able to Search and Purge with Threat Explorer
Search in Threat Explorer
Select the Items you want to remove from the Result Table in the Bottom
Then select "Message actions" and "Soft delete"
Now you have to go through the Wizard
Select a severity. I think that this is a low severity
After a few Minutes you can see that in the Actioncenter
See de Details if you select one Action
Mail has been SoftDeleted - Remediation complete
Regards
Andres Bohren