Assistance with creating a KQL script for Microsoft Purview

Brendan Short 0 Reputation points
2024-08-22T06:15:05.64+00:00

I need help creating a KQL script for Microsoft Purview. My organisation needs to see all emails sent from Outlook with an attachment that were external to our network domain. I'm not a programmer, but I've already started a case in eDiscovery Premium, added my custodians and data source, and now need to set up my collection. Specifically, I need to add a KQL script to instruct Purview on what to search for. I would like the script to identify emails with attachments sent externally from our network to other email addresses and ignore emails sent with an attachment internally through our network/domain. Once I have a working KQL script, I can export the results to a review set. Any help with the required script is greatly appreciated.

Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,144 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Pauline Mbabu 250 Reputation points Microsoft Employee
    2024-08-23T11:19:19.5566667+00:00

    Hello @Brendan Short ,
    I followed this doc https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions#recipient-expansion AND https://learn.microsoft.com/en-us/purview/ediscovery-kql-editor to try and create a Query that suits your scenario.

    Query one:
    (Type=Email) AND (Recipients<>"yourdomain.com") AND (HasAttachment=true)
    This Query will return Emails that have attachments that are sent to receipts that are not in your domain.

    The Documentation doesn't give any direction of getting emails that are specifically sent from your domain. It only gives the option to use Participants which will return messages sent by or sent to a user in the specified domain.
    Using this the field will look like below:
    (Type=Email) AND (Participants:"your domain" AND Recipients<>"your domain") AND (HasAttachment=true)

    I hope this gives you better context on this.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.