
Condition Card builder or KQL query sample for eDiscovery?

EnterpriseArchitect 6,386 Reputation points
2023-03-28T14:32:26.24+00:00

Folks,

I need some help in building the KQL query or the Condition Card builder for the below:

All Emails From ******@domain.com to *@competitors.org From 1st February 2023 to 28th February 2023

How to achieve that for the https://compliance.microsoft.com/classicediscovery/v1 because the below wizard showing error:

[image: screenshot of the wizard error, not available]

Tags: Exchange Online, Exchange Server, Microsoft Security, Microsoft Purview

4 answers

  1. Felipe M. N. Prates 0 Reputation points
    2023-09-11T16:15:24.0266667+00:00

    By this time you have probably figured it out yourself, but I had a similar issue and solved it without using wildcards. While using the KQL editor, try something like (Date=2023-02-01...2023-02-28)(From=******@domain.com)(To:competitors.org). The colon after To means "contains", so it kind of works as a wildcard.


  2. ShaikMaheer-MSFT 38,636 Reputation points Microsoft Employee Moderator
    2023-03-29T10:14:35.2766667+00:00

    Hi EnterpriseArchitect,

    Thank you for posting query in Microsoft Q&A Platform.

    Kindly check if the Recipients field has an "Ends with" option, and if yes, then use the value @competitors.org.

    Or, if you can write your own KQL query, then kindly check whether you can write it similar to the below.

    // Message-trace rows for one sender, filtered to recipients in the competitor domain
    OfficeMessageTrace
    | where SenderAddress == "******@domain.com"
    | where RecipientAddress endswith "@competitors.org"
    // Upper bound is exclusive so that the whole of 28 February is included;
    // "<= datetime(2023-02-28)" would stop at midnight at the start of that day
    | where TimeGenerated >= datetime(2023-02-01) and TimeGenerated < datetime(2023-03-01)

    Hope this helps. Please let me know how it goes.


    Please consider hitting Accept Answer button. Accepted answers help community as well.


  3. Jame Xu-MSFT 4,201 Reputation points
    2023-03-29T09:56:57.03+00:00

    Hi @EnterpriseArchitect ,

    KQL queries don't support prefix matching with the wildcard * as prefix, so you can't use the wildcard operator before a phrase in free-text queries. However, you can use the wildcard operator after a phrase. You could refer to: https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference

    [image: screenshot of the KQL syntax reference, not available]


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



  4. Bryce Donald 0 Reputation points
    2023-03-28T14:49:27.9066667+00:00

    Hi,

    To build a KQL query or Condition Card builder for the specified criteria, you can try the following steps:

    1. Open the Microsoft 365 Compliance Center and navigate to the "Content search" page.
    2. Click on "Create a new search" and select "Specific locations" option.
    3. Select the mailbox of ******@domain.com as the source location.
    4. Select the "Advanced" option under the "Conditions" section.
    5. Enter the following KQL query in the search box: "from:*****@domain.com AND to:@competitors.org AND received:02/01/2023..02/28/2023".
    6. Click "Save" to create the search and run it.

    Alternatively, you can also use the Condition Card builder to build the same search by following these steps:

    1. Click on "Create a new search" in the "Content search" page.
    2. Select "Specific locations" and choose the mailbox of ******@domain.com.
    3. Under "Conditions", select "Add condition" and choose "Sent".
    4. Choose "Between" and select the date range from 1st February 2023 to 28th February 2023.
    5. Add another condition and choose "Sender".
    6. Enter "******@domain.com" as the sender email address.
    7. Add one more condition and choose "Recipient".
    8. Enter "*.competitors.org" as the recipient email address.
    9. Click "Save" to create the search and run it.

    These steps should help you build the KQL query or Condition Card builder to search for all emails from ******@domain.com to *@competitors.org between 1st February 2023 and 28th February 2023 in the Microsoft 365 Compliance Center.

    Regards,

    Bryce
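The same search that Felipe's KQL and Bryce's wizard steps describe can be created from Security & Compliance PowerShell instead of the classic eDiscovery wizard, which sidesteps the wildcard problem Jame Xu points out. This is an added example, not code from any answer in this thread or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an eDiscovery role, and it uses a hypothetical admin UPN, the placeholder sender address sender@domain.com in place of the masked ******@domain.com, and a constructed search name. The query uses the documented property:value form (from:, recipients:, sent) with no leading asterisk; recipients:competitors.org is assumed to match any address containing that domain, the "contains" behaviour Felipe describes for To:.

```powershell
# Added example: create, start and poll a Purview content search from
# Security & Compliance PowerShell. Not code from the thread or from Microsoft.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@domain.com"   # hypothetical admin UPN

$sender    = "sender@domain.com"   # placeholder for the masked ******@domain.com
$recipient = "competitors.org"     # domain only: KQL rejects a leading wildcard such as *@
$start     = "2023-02-01"
$end       = "2023-02-28"

# Property:value matching instead of a wildcard. recipients: covers To, Cc and Bcc
# (assumed to match any address containing the domain); use to: to restrict to the To line.
$query = "from:$sender AND recipients:$recipient AND sent>=$start AND sent<=$end"

$name = "Sender-to-competitors-Feb2023"   # constructed search name

# Scope the search to the sender's own mailbox so the estimate stays small and fast.
New-ComplianceSearch -Name $name `
    -ExchangeLocation $sender `
    -ContentMatchQuery $query `
    -Description "Mail from $sender to $recipient, February 2023" | Out-Null

Start-ComplianceSearch -Identity $name

# Poll the estimate with an upper bound so a stuck search does not hang the script.
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $name
    $attempts++
} while ($search.Status -ne "Completed" -and $attempts -lt 40)

if ($search.Status -eq "Completed") {
    "{0}: {1} items matched" -f $name, $search.Items
} else {
    "{0}: still in status '{1}' after {2} polls" -f $name, $search.Status, $attempts
}
```

Once the estimate completes, the hit count can be checked against expectations before any export is created, and the query string can be adjusted and the search re-run with Set-ComplianceSearch without recreating it.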


