Skip to main content

How can we help you?

Druva Documentation

How to search backed up emails

License editions: To understand the applicable license editions, see Plans & Pricing.

The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact your Druva Account Manager or Druva Support.

Overview

Using the Federated Search capability, administrators can quickly find end-user emails that are backed up by inSync. You can search only those emails that are backed up for the following email clients:

  • Gmail
  • Exchange Online

email search on the new ui.png

Note

  • You cannot search emails saved in *.PST. folder. However, you can search PST files using file search

Following is a list of metadata attributes that inSync indexes for emails:

  • Email subject
  • Attachment name for each email

 

When you search using keywords in an email address, the last word in the local-part of the email address and the last word in the domain name are not valid search queries. For example, if you search a user - ernie.carter@secure.druva.com, carter in the local-part and com in the domain name are not valid search queries.

Search Emails

Procedure

  1. Click the  icon to access the Global Navigation Panel and select Federated Search . The Federated Search page is displayed.
  2. Select Emails and enter a part or the entire email subject or a part or the entire attachment name in the search box. Use the filters and search operators available for email search to narrow down your search results.

    If you have not selected the Match exact words filter, then all words in the search query should at least contain 3 characters. For example, "qu" or "quarterly re" are invalid search queries whereas "qua" or "quarterly rep" are valid search queries.

    The filters available for email search are described in the table below. 
Filter Name Description
From

Search emails from a particular sender.

In this field, you cannot enter names containing spaces. To add names containing spaces, copy the name containing spaces and paste it in this field. 

To/CC/BCC

Search emails that were sent to a specific recipient. 

In this field, you cannot enter names containing spaces. To add names containing spaces, copy the name containing spaces and paste it in this field. 

Email Sent/Received Between Search emails that were sent or received between a specific date range.  
Profiles Search emails created by users associated to a particular profile. Start typing the profile name to view the list of profiles that match your search string.

Legal Holds

Note:  This field is displayed only when you access Federated Search as a Legal Administrator.

Select the Legal Holds that you want to search. You can select multiple Legal Holds.

Users Search emails sent by a particular user. By default, inSync searches emails from all users but if you want to search emails from a specific user, enter the name of the user in this field.

Custodians

Note: This field is displayed only when you access Federated Search as a Legal Administrator.

Select the custodians whose backed up data you want to search.

Match exact words Select this check box if you want inSync to match the exact words of your query. For example, if your search query contains 2 characters, select this check box. 
Email(s) with attachment(s) only  Select this check box if you want to search emails that contain only attachments. 
Attachment Type Search emails that contain the attachment type specified in this filter. 
  1. Click the Search icon.

Search emails without email subject

 This functionality is available only for customers on-boarded after June 8, 2019. 

Federated Search enables you to search for emails using different email parameters such as from, to, date when the email was sent, attachment name and so on. This is useful when you don't know the subject of the email but are aware of any of the email parameters.  You can use one or a combination of the following parameters to search an email in inSync:

  • From: Enter the email ID of the user who had sent the email. 
  • Recipients: Enter the email IDs of the recipients of the email. 
  • Date: Enter the period when the email was sent or received. 
  • Name or SHA1 value: Enter the file name or the SHA1 hash value of the email attachment that you want to find. Enter the SHA1 hash value in the following format: checksum:<SHA1> For example:checksum:e575245991980f0f706eabfd16f99a624106b808
  • File Size: Define the range of the size of the file.
  • Extension:  Enter the extension name of the attachment or select the extension name from the drop-down list. You can search for different extension types such as txtpngmp4, and so on.
  • Data Source: Select the data source where the email resides.
  • Profiles: Select the profile that is associated with the user who sent the email. 
  • Users: Select the user who sent the email. 

Download Emails

You can download all the emails that are displayed in the search results in EML format for further analysis and review.

Procedure

  1. Search for the emails that you want to download.
  2. Select the emails that you want to download and click Download.

If you select multiple emails, all the selected emails are downloaded in a compressed file format. Following is the file naming convention of the downloaded emails:

SearchResults-<Date stamp>, <Time stamp>.<file extension of the compressed file format>

Delete Emails

Use the Federated Search capability to find and delete malicious or sensitive emails from the data source or from both, data source and snapshot.  For detailed information on email deletion, see Defensible Deletion of Files and Emails.

Procedure

  1. Search for the emails.
  2. Select the emails that you want to delete.
  3. Click more options, and then click Delete. You can choose to delete the emails only from the data source or from both data sources and snapshots.
  • Delete from  Data Source: With this option selected, all the versions of the selected emails are deleted immediately from the active data source (SaaS Apps).  However, all the versions of these emails continue to reside in the snapshot (Storage Database) and will be available for search, indexing, and backup. You cannot delete emails for inactive or disabled data sources and the emails that belong to users on legal hold.
  • Delete from  Data Source and Snapshot: With this option selected, all the versions of the selected emails are deleted immediately from the active data source (SaaS Apps) as well as the snapshot (Storage Database). Emails will not be available for search, indexing, and backup. You cannot delete emails for inactive or disabled data sources and the emails that belong to users on legal hold.

Delete options for emailsfor select.png

  1. Click Delete again in the confirmation message.

 

 

  • You cannot undo an email delete action.​​​​​​
  • With the Delete from Source and Snapshot option, you cannot delete emails (Exchange Online and Gmail) for which Data Lock is enabled.

Email Search Results

The search results show a maximum of 1000 results that match your search query. inSync displays the search results progressively; loading the search results while scrolling. Using the Email Result option, upto 20,000 search results in CSV format can be sent to the email address of the administrator who is logged in.

Procedure

  1. Search for emails.
  2. Click Email Results. The search results are emailed to you in CSV format.
    image of csv file for emails.png

The fields in the CSV file are explained in the following table.

Filter Name Description
Time when searched Displays the date and time stamp when the search query was run.
Query Displays the search query that was entered.
Exact Match, Dates, Types, Attachments, From, Participants, Users, Device Platforms Each filter is represented in a separate line and it displays the value that you used for each filter. If you have not applied a particular filter then, it displays Not Applied beside that filter name. If you have applied a filter, then the value of the filter is displayed beside the filter name.
Matches Displays a numeric value of the number of search results that matched your search query. 
Subject Displays the subject of the email.
Attachments Displays all the attachments of the emails along with attachment name and file size. 
Send/Received Time Displays the date and time stamp when the email was sent or received.
From Displays the email ID of the email sender.
To Displays the email ID of the email receiver.
Cc Displays the email ID of the person who was CCed in the email.
Bcc Displays the email ID of the person who was BCCed in the email.
User ID Displays the unique ID of the user.
User Name Displays the name of the user associated with the User ID.
Device ID Displays the unique ID of the device.
Device Name Displays the name of the device where the file is stored.

Search for users by legal admin

Legal admin must be assigned to a custom role that has a combination of Legal Hold Management rights > View Legal Hold, Data Governance > Access Federated Search plus any one or all of the following rights - User Management, Deployment Management, Profile Management, Backup and restore management, Data Governance, Alerts and Reports Management, CloudCache Management. Legal administrators get access to profile(s) assigned to them by the cloud administrator and can search and view details of all users mapped to those profile(s) in addition to legal hold users.

If the legal admin has extended rights, they can search and view details of all users mapped to the assigned profile(s) in addition to legal hold users.

Procedure to search and view all users

  1. From the global navigation bar, click Federated Search. The Email Search tab appears.
  2. Select Emails and enter a part or the entire email subject or a part or the entire attachment name in the search box. Select the Data Source as per your requirement. For example, Exchange Online.
  3. Select the All Users option if you want to search and get a view of all users including users on legal hold.
  4. Select the profile from which you want to fetch the users. This field is displayed only for supported user-based SaaS Apps.
  5. Enter the user names whose details you want to view. Click Search.

Procedure to search and view only legal hold users (Custodians)

  1. From the global navigation bar, click Federated Search. The Email Search tab appears.
  2. Select Emails and enter a part or the entire email subject or a part or the entire attachment name in the search box. Select the Data Source as per your requirement. For example, Exchange Online.
  3. Select the Users on Legal Hold option if you want to search and get a view of only users put on legal hold.
  4. Select the legal hold policy from which you want to fetch the users.
  5. Enter the custodian names whose details you want to view. Click Search.

The cloud and legal administrators cannot search and view users and their data if user Data Privacy settings are enabled.