Office 365 eDiscovery between two or more users

If you are an Office 365 administrator and haven’t yet taken a look at the new Office 365 Security and Compliance Center, it’s definitely time to take it out for a spin. One area of interest is the set of new graphical options in the Content Search and eDiscovery features that help refine searches. A great way to get familiar with the KQL (Keyword Query Language) syntax used “under the hood” is to look at the “Query” section on the results page, which shows the query the graphical options were translated into. At the conclusion of this post we’ll also look at a KQL generator for a more advanced search scenario.



Understanding some basics of KQL can help you solve complex search refinement scenarios, and a bit of KQL in the keyword list can save a lot of time combing through results. For example, a common scenario for Content Search or eDiscovery is looking only for mail messages exchanged between two or more users. The KQL generator included at the end of this post generates KQL specifically for this scenario, because including more than a few users otherwise involves quite a bit of typing (every user has to appear once as the sender and once as a recipient of each of the others). Start by scoping the queried mailboxes to just the users in the investigation; in very large environments this alone results in much faster search times. Then add each user’s email address or alias to the tool (adding additional fields as needed), select “Get KQL”, and use the generated result in the “Keywords” field of the search. Using a filter in this scenario can easily reduce the number of results by 100x or more. The sample below is KQL that was generated for messages between three users.
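As an added example (not the post’s own generator or its generated sample), the PowerShell function below builds the same kind of query for any number of users: for each user as the sender, it requires at least one of the other users in the `Recipients` property, which covers To, Cc and Bcc (using `To:` alone would miss Cc and Bcc copies). The addresses are constructed placeholders, and the optional `New-ComplianceSearch` call assumes you have already connected a Security & Compliance PowerShell session; it scopes the search to the same mailboxes, which is the command-line equivalent of the mailbox scoping step described above.

```powershell
# Added example: generate a KQL keyword query for mail exchanged between a set
# of users. Produces:
#   (From:"A" AND (Recipients:"B" OR Recipients:"C")) OR (From:"B" AND (...)) ...
function New-BetweenUsersKql {
    param(
        [Parameter(Mandatory)]
        [string[]]$Users
    )
    if ($Users.Count -lt 2) { throw 'At least two users are required.' }

    $clauses = foreach ($sender in $Users) {
        # Every other user in the set is an acceptable recipient for this sender.
        # -ne is case-insensitive in PowerShell, which suits SMTP addresses.
        $others = $Users | Where-Object { $_ -ne $sender }
        $recipientList = ($others | ForEach-Object { "Recipients:`"$_`"" }) -join ' OR '
        "(From:`"$sender`" AND ($recipientList))"
    }
    return ($clauses -join ' OR ')
}

# Constructed placeholder addresses for the three-user scenario.
$users = 'alice@contoso.com', 'bob@contoso.com', 'carol@contoso.com'
$kql = New-BetweenUsersKql -Users $users

# Paste this into the "Keywords" field of Content Search / eDiscovery ...
$kql

# ... or, if a Security & Compliance PowerShell session is connected, create the
# search directly with the mailbox scope limited to the same users.
if (Get-Command New-ComplianceSearch -ErrorAction SilentlyContinue) {
    New-ComplianceSearch -Name 'Mail between Alice, Bob and Carol' `
        -ExchangeLocation $users `
        -ContentMatchQuery $kql
    Start-ComplianceSearch -Identity 'Mail between Alice, Bob and Carol'
}
```

One caveat worth keeping in mind when reading the results: KQL can require that one of the users be a recipient, but it cannot require that they be the only recipients. A message Alice sent to Bob and to someone outside the set still matches, so if the investigation needs strictly private exchanges, that last filter has to be applied to the exported results.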




For more advanced queries, de-duplication, machine learning, and predictive coding, use Office 365 Advanced eDiscovery. Advanced eDiscovery provides significant time and cost savings by adding data and textual analytics to the eDiscovery process.


KQL tool for discovering messages between users