Today, when it comes to forensic analysis of terabyte-sized eDiscovery cases in Microsoft Purview, you’re hitting hard architectural limits. The current search standard, the Keyword Query Language (KeyQL), is optimized for full-text searches, but becomes a massive bottleneck when it comes to metadata aggregation and pattern recognition. The previous workaround – the export of case data to external analysis tools such as Power BI – massively increases the attack surface and creates serious data governance problems (shadow IT).
To eliminate this risky break in the toolchain, Microsoft will natively integrate the Kusto Query Language (KQL) into the new Advanced Review Set Explorer (Roadmap ID 484086) starting in February 2026 (Preview). This gives you the computing power of the Azure Data Explorer engine directly on your preserved case data, making big data analytics high-performance and fully within the protected compliance perimeter.
From search rings to data pipelines
The difference between KeyQL and KQL is not only syntactic, but fundamentally affects the way the underlying Azure architecture is queried.
KeyQL works index-based (similar to Lucene). You define search criteria, and the engine looks up hits in the inverted index. The result is a static hit list. KQL, on the other hand, is an analytical pipeline language for columnar databases. To detect anomalies in communication patterns, you chain filtering, aggregation, and transformation steps together, with the output of one step being the input of the next.
By using KQL directly in the Review Set, you can now access over 100 metadata properties of the indexed documents, Teams chats, and emails. In concrete terms, this means that you are no longer just looking for the word “Project X”. You create a pipeline that visualizes in real time how the frequency of communication to “Project X” has changed over time between the development department and external domains, which allows you to isolate the exact time window of an information outflow.
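The "Project X" pipeline described above, written out as an added KQL example (not from the original post or from Microsoft's documentation). It reuses the ReviewSet table name from the post's own snippet; the metadata columns SenderDepartment, RecipientDomain, Subject, ExtractedText and the tenant domain list are assumptions and must be replaced with the real column names exposed by the Advanced Review Set Explorer schema:

```kql
// Added example, not part of the original post.
// Assumed: a review set table named ReviewSet with the hypothetical columns
// Timestamp, Subject, ExtractedText, SenderDepartment and RecipientDomain.
let internalDomains = dynamic(["contoso.com", "contoso.de"]);   // assumed tenant domains
let keyword = "Project X";
let caseStart = datetime(2025-01-01);                             // assumed case window
let caseEnd   = datetime(2025-06-30);
ReviewSet
// 1. Filter: only items from the development department that mention the project
| where Timestamp between (caseStart .. caseEnd)
| where SenderDepartment == "Development"
| where Subject has keyword or ExtractedText has keyword
// 2. Transform: classify each recipient domain as internal or external
| extend Direction = iff(set_has_element(internalDomains, RecipientDomain), "internal", "external")
// 3. Aggregate: weekly message count per direction
| summarize Messages = count() by Week = bin(Timestamp, 7d), Direction
// 4. Visualize: one series per direction; an external series that suddenly
//    rises while the internal series stays flat marks the time window to review
| render timechart
```

Each stage feeds the next, which is the pipeline model the post contrasts with KeyQL's static hit list. To turn the visual finding into a review bucket, replace the final `render` with a `where Week between (...)` on the week that stands out and keep the `Direction == "external"` rows.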
Real-time analysis under strict RBAC control
The human eye recognizes graphic patterns and outliers much faster than endless table rows. The Advanced Review Set Explorer therefore introduces native rendering functions that fundamentally change the triage process.
Instead of blindly searching through a list of 150,000 documents, you first generate a histogram of the data distribution using KQL. This way, you immediately spot spikes or unusual clusters, such as a sudden spike in encrypted .zip archives over a weekend.
A typical KQL workflow for visualization looks like this:
// Example: visualize the daily volume of ZIP files
ReviewSet
| where FileType == "zip"
| summarize Count=count() by bin(Timestamp, 1d)
| render timechart
You isolate this data bucket with a click and drastically reduce the volume the legal reviewers have to read. The effect: the external legal fees for the manual review effort drop sharply.
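The weekend-spike triage from the previous paragraphs, carried one step further as an added KQL example (not from the original post). Instead of eyeballing the timechart, it computes a daily baseline for encrypted archives and returns only the weekend days whose count lies more than three standard deviations above it, which is the bucket you would then isolate for review. ReviewSet, FileType and Timestamp are taken from the post's snippet; the IsEncrypted column and the case window are assumptions:

```kql
// Added example, not part of the original post.
// Assumed: ReviewSet table with FileType and Timestamp (as in the post's snippet)
// plus a hypothetical boolean IsEncrypted column for password-protected archives.
let caseStart = datetime(2025-01-01);   // assumed case window
let caseEnd   = datetime(2025-06-30);
let dailyZip =
    ReviewSet
    | where Timestamp between (caseStart .. caseEnd)
    | where FileType == "zip" and IsEncrypted == true
    | summarize Count = count() by Day = bin(Timestamp, 1d);
// Baseline over the whole window: mean and standard deviation of the daily count
let meanCount = toscalar(dailyZip | summarize avg(Count));
let sdCount   = toscalar(dailyZip | summarize stdev(Count));
dailyZip
| extend DayOfWeek = dayofweek(Day)                       // 0d = Sunday, 6d = Saturday
| extend IsWeekend = DayOfWeek == 0d or DayOfWeek == 6d
| extend ZScore = (Count - meanCount) / sdCount
// Keep only weekend days that are statistical outliers against the baseline
| where IsWeekend and ZScore > 3
| project Day, Count, ZScore
| order by ZScore desc
```

The resulting rows are the candidate exfiltration windows; the same `Day` values can be fed back into a `where Timestamp between (...)` filter on ReviewSet to hand reviewers exactly those archives rather than the full document list.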
Seamless integration without authorization chaos
The best thing about this architecture: Microsoft enables parallel operation. KeyQL remains available for simple ad-hoc searches. However, those who use the new KQL functions benefit from the existing security architecture:
- Strict RBAC adherence: The engine respects the existing eDiscovery permissions model of the M365 tenant. No additional Azure permissions are required.
- Same data, better tools: A reviewer sees exactly the same data in the Advanced Explorer as in the standard view.
- Seamless auditing: Compliance guidelines and auditing logs capture the execution of KQL queries just as precisely as classic search queries.
Result
From an IT security and data governance perspective, the integration of the Kusto engine into Purview is the most important architectural step of the year. Any export of case data – even to encrypted drives or SharePoint sites – is a potential compliance violation under the GDPR. Once data leaves the eDiscovery tool, the retention labels and access controls configured there no longer apply.
By providing analysts with powerful aggregation and visualization tools within the compliance boundaries, Microsoft eliminates the technical constraint of risky data duplication. For M365 admins, this means that the playbooks will have to be rewritten in 2026. The “eDiscovery Reviewer” becomes a data analyst. If you train your team on KQL now, you will save a lot of time and budget during the next major investigation.
Other sources
- Microsoft 365 Roadmap: Advanced review set explorer (ID 484086)
- Microsoft Graph API docs (Microsoft Learn): ediscoveryReviewSetQuery resource