eDiscovery Cases

Document created by user.oxriBaJeN4 Employee on Sep 11, 2015Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019
Version 13Show Document
  • View in full screen mode

eDiscovery cases allow administrators to group multiple Archive Searches together in a single case. They can be used in a number of ways as outlined below:


ExportMessages can be exported from the Administration Console in .ZIP files containing messages in .EML format.
Retention AdjustmentMessages can be made subject to a retention adjustment, to increase or decrease the length of time that they are stored in the Mimecast archive.
Litigation HoldMessages can be placed in Litigation Hold, where they will not be expired from the Mimecast archive for a time period defined by an Administrator. This is regardless of the message's actual expiry date.
Link to Smart TagMessages can be linked to a Smart Tag. This allows individual users or groups or users to view archived messages, where they are not the sender or recipient.


Creating an eDiscovery Case


To create and work with eDiscovery cases, you must be an administrator and have one of the following roles:

  • Super Administrator
  • Full Administrator
  • Discovery Officer


To create an eDiscovery case:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Archive | Discovery Cases menu item.
    eDiscovery cases are stored in folders. Cases cannot be created in the "Root" folder. See the Administration Console: Managing Folders page for details of how to create a folder.
  4. Click on the New Discovery Case button. 
  5. Complete the Discovery Properties dialog as follows:

    Field / OptionDescription
    DescriptionEnter in a description for your case. This will be displayed in the Discovery Case Definitions list.
    Notes Enter the case details. This helps you and other administrators identify the case at a later date.
  6. Click on the Save and Exit button.
eDiscovery cases cannot be deleted once they are created.

Assigning Archive Searches to an eDiscovery Case


Build_discovery_case_options.pngThe Build Discovery Case options available are described below. You can use a combination of these options in a single eDiscovery case.


To start assigning archive searches to your eDiscovery case:

  1. Open the Discovery Case.
  2. Select the Build Discovery Case drop-down menu.



Quick SearchA Quick Basic Search allows you to search a specific mailbox in your archive. Additionally, you can narrow the search to include specific text in the selected mailbox.


  1. Click on the Build Discovery Case | Quick Basic Search menu item.
  2. Complete your Search parameters as required:


Search DescriptionA name to identify the search.
Search TextThe text you would like to search for.
MailboxThe Mailbox you would like to limit the search to. Use the Lookup button to locate the correct mailbox.
From DateThe earliest message sent date to be included in the search. The default is Eternal to ensure all past messages are considered in the search.
To DateThe latest message sent date to be included in the search. The default is Eternal to ensure all future messages are considered in the search.



For more granular options, the Advanced Search function can be used:

  1. Click on the Build Discovery Case | Advanced Search menu item.
  2. Complete your Search parameters as required:

    Search TextThe text you would like to search for. View the guidance on screen for using search operators.
    Message ComponentsSelect which message components to be considered in the search.
    Include Litigation Hold MessagesSelect whether to messages that have passed their natural expiry date but are still available due to Litigation Hold.
    Search within a Smart TagWhen used, the search will be limited to messages that have been assigned to the selected Smart Tag.
    Sender and recipient filters

    Either the full email address(s) or domain name of the sender and / or recipient you want to filter the search on:

    • Use spaces to enact an "OR" when including multiple addresses or domains.
    • If you are unsure of the full address use a wildcard (*) for the domain part of the address.
    • A wildcard (*)  cannot be used at the start of an email address.
    • To exclude an address from the search use the "NOT" operator. This must be used after an address or domain to include, for example:
      mimecast.com NOT user@mimecast.com
    Date RangeThe date range to filter the search on based on message sent date.
    Route FilterSpecify the route of the messages to search for, for example, inbound, outbound, or internal.
    Result sort orderThe order in which you would like to see the results.
  3. eDiscovery CaseTo view the results of the search, click the Search button on the top toolbar.
  4. Once reviewed, click on the Back button to return to the Advanced Search screen.
  5. To save the search to the Case, click on the Save and Exit button on the top toolbar.



If there are searches that have previously been saved, these can be linked to an eDiscovery case. To add the Saved Search to the case, click on the Save and Exit button on the top toolbar.


Once a saved search is assigned to an eDiscovery case, it will no longer display within the Archive | Saved Searches section to prevent an accidental update or deletion of the Saved Search.


Export an eDiscovery Case


eDiscovery ExportOnce your eDiscovery case is built, you can export the messages that are part of the case. Each message is in .EML format inside a .ZIP file.


To export an eDiscovery case:

  1. Log on to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Archive | Discovery Cases menu item.
  4. Select the required Discovery Case.
  5. Click on the Export Case button.
  6. Complete the Export Details dialog as required:

    Field / OptionDescription
    Discovery DescriptionSpecify a description for the download.
    Export TypeSpecify the file type to use for the exported file.
    Download FilenameSpecify a file name for the exported file.
  7. Click on the Save button. The export is visible in the Case Exports section of the Discovery Case page.


Canceling an eDiscovery Case Export


While an export is either Pending or In Progress, it's possible to cancel it using the Cancel Exports button in the toolbar.

Cancel Exports


Linking an eDiscovery Case to a Smart Tag


Results from an eDiscovery case can be linked to a previously created Smart Tag. This allows specific users to view messages in a secure manner.


To link an eDiscovery case to a Smart Tag:

  1. Click on the Build Discovery Case | Link to Smart Tag menu item.
  2. Complete the Link Properties settings as required:

Select Smart TagUse the Lookup button next to the Select Smart Tag field to select from a list of existing Smart Tags.
Linking Action

Select whether messages will be linked to the Smart Tag or removed from the Smart Tag.

  • Use Create smart tag links when you want to make the messages linked with a Smart Tag available to the user. Once permissions to access the Smart Tag are applied to a user or group, the associated mail can begin to be viewed in the Mimecast application within minutes. It may take some time for all the emails associated with the tag to be available, depending on the number of emails.
  • Use Remove smart tag links when you want to remove messages from a Smart Tag, preventing users from being able to view them. This action will not be applied immediately, as a request is posted to your account for processing during nightly housekeeping tasks. 
    The Remove smart tag links action is logged in the Administration Console under the Administration | Account | Audit Logs menu item. The action displays in the queue as Archive Service Logs for the Category, and Discovery Case Adjustments as the Type.
Perpetual Link

Check the Perpetual Link option to include all future messages as well as existing ones. If not selected, only those emails that matched the criteria when the search was created will be displayed. Additionally, no future messages will be included.


Once the search options have been created, click on the Save and Exit button on the top toolbar to add them to the Case.


Managing an eDiscovery Case


eDiscovery cases are managed from the Administration Console in the Administration | Archive | Discovery Cases menu. The cases are displayed by folder, with high-level information about each case is available at a glance.

eDiscovery Case


eDiscovery Case Status


eDiscovery cases can have a status of either Editable or Locked. A case will be locked when it:

  • Has been assigned to a Litigation Hold.
  • Has been assigned to a Retention Adjustment.
  • Has been linked to a Smart Tag.
  • Is being exported.
When locked, no new searches can be added and existing searches cannot be amended.

Mimecast will automatically unlock a case if:

  • An associated Litigation Hold expires.
  • There are no Retention Adjustments linked to the case.
  • All linked Smart Tags have been unlinked.
  • It is not being exported. This is automatically checked once per day during nightly housekeeping routines.


When a case is unlocked, an entry of type Unlock Discovery Case is added to the Account Access Event log. This is viewed in the Administration | Account | Audit Logs menu in the Administration Console.


Editable Cases


Discovery_saved_search_options.pngIf the case status is Editable, a Manage Saved Searches option is available. This provides a list of all the searches assigned to the case, giving additional information such as:

  • Who created the search.
  • Whether it was saved.
  • The search time and date.
  • Basic search parameters.


Right-clicking on the search allows the Administrator to amend the search criteria, unlink or delete the saved search. As long as it's editable, you can remove a saved search from an eDiscovery case (the Unlink Saved Search menu item). However, you cannot delete a case once it has been created.


Locked Cases


Once the case has been Locked, a View Saved Searches option is available. The same information is displayed, however no changes can be made to the search. Right clicking on the Saved searches provides the view menu options. A Saved Searches Summary is also provided, listing all searches assigned to the case.




eDiscovery case auditing is linked to the Search Audit logs and the Message View logs. To view the logs, open the case, click on the View Audit logs drop down menu and select a log.


eDiscovery Search Audit


Shows a log of all searches performed as part of this case, along with the search parameters. This also includes any searches that were not saved to the case.


Details such as who created the search, whether it was saved, the time and date of the search, and the basic search parameters are included. Right clicking on a search gives you the option to View Search Parameters or View Search Result. The ability to remove any entries from the list is not available.


eDiscovery Email View Audit


Shows a log of all viewed emails associated with this case. A list of all messages that have been viewed is provided, as well as whether the content or metadata has been viewed, who viewed the message, and the date and time the message was viewed.

3 people found this helpful