Create a search query for a case in eDiscovery (preview)
You can use search in eDiscovery (preview) to search for in-place content such as email, documents, and instant messaging conversations in your organization that are relevant to a case. Use search to find content in these cloud-based Microsoft 365 data sources:
Exchange Online mailboxes
SharePoint sites
OneDrive accounts
Microsoft Teams
Microsoft 365 Groups
Viva Engage Groups
You can create and run different searches that are associated with the case. You use conditions (such as keywords) to build search queries that return search results with the data that's most likely relevant to the case. You can also:
View search statistics that may help you refine a search query to narrow the results.
Preview the search results to quickly verify whether the relevant data is being found.
Revise a query and rerun the search.
After you search for and find data that's relevant to your investigation, you can send the results to a review set for further investigation or export it for review by people outside of the investigation team.
Note
For organizations that have EU General Data Protection Regulation (GDPR) requirements to protect and enable individuals' privacy rights inside the European Union (EU), you can also manage investigations in response to Data Subject Requests (DSRs) submitted by a person in your organization. The User Data Search case tool has been retired, and its functionality has merged with eDiscovery (preview). You can now use search to find content to support DSRs in all locations supported by eDiscovery searches.
The time zone for all searches is Coordinated Universal Time (UTC). Changing time zones for your organization isn't currently supported. Time zone display settings in the search view apply only to values in the Date column and don't affect time stamps on collected items.
Keyword searches aren't case-sensitive. For example, cat and CAT return the same results.
The Boolean operators AND, OR, NOT, and NEAR must be uppercase.
Using quotes stops wild cards and any operations inside the quotes.
A space between two keywords or two property:value expressions is the same as using OR. For example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis or messages that contain the word reorganization in the subject line. However, using a mix of spaces and OR conditionals in a single query may lead to unexpected results. We recommend using either spaces or OR in a single query.
Use syntax that matches the property:value format. Values aren't case-sensitive, and they can't have a space after the operator. If there's a space, your intended value becomes a full-text search. For example, to: pilarp searches for "pilarp" as a keyword, rather than for messages sent to pilarp.
When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar Pinilla."
You can use only prefix searches; for example, cat* or set*. Suffix searches (*cat), infix searches (c*t), and substring searches (*cat*) aren't supported.
When searching a property, use double quotation marks (" ") if the search value consists of multiple words. For example, subject:budget Q1 returns messages that contain budget in the subject line and that contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1" returns all messages that contain budget Q1 anywhere in the subject line.
To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example, -from:"Sara Davis" excludes any messages sent by Sara Davis.
You can export items based on message type. For example, to export Skype conversations and chats in Microsoft Teams, use the syntax kind:im. To return only email messages, you would use kind:email. To return chats, meetings, and calls in Microsoft Teams, use kind:microsoftteams.
When searching sites, you have to add the trailing / to the end of the URL when using the path property to return only items in a specified site. If you don't include the trailing /, items from a site with a similar path name are also returned. For example, if you use path:sites/HelloWorld then items from sites named sites/HelloWorld_East or sites/HelloWorld_West would also be returned. To return items only from the HelloWorld site, you have to use path:sites/HelloWorld/.
The Query language-country/region must be defined in your search query before collecting content.
When searching the Sent folders for emails, using the SMTP address for the sender isn't supported. Items in the Sent folder contain only display names.
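As an added example that is not part of this article or any Microsoft tool, the following Python lint checks a draft query against the syntax notes above (uppercase operators, no space after the colon, prefix-only wildcards, trailing / on path:, and not mixing spaces with OR) before you spend a search run on it. The rule set and messages are my own.

```python
import re

# Added example: pre-flight checks for the eDiscovery KQL pitfalls the article lists.
OPERATORS = {"AND", "OR", "NOT", "NEAR"}


def _mask_quotes(query):
    # Quotes stop wildcards and operators inside them, so replace each quoted
    # phrase with a neutral placeholder before checking the rest of the query.
    return re.sub(r'"[^"]*"', '"Q"', query)


def lint_kql(query):
    """Return a list of human-readable issues; an empty list means no pitfalls found."""
    issues = []
    masked = _mask_quotes(query)
    words = [t.strip("()") for t in masked.split()]

    # Boolean operators must be uppercase.
    for w in words:
        if w.upper() in OPERATORS and w != w.upper():
            issues.append(f"operator '{w}' must be uppercase")

    # A space after the colon turns property:value into a full-text keyword search.
    for m in re.finditer(r"(\w+):(?=\s|$)", masked):
        issues.append(f"'{m.group(1)}:' is followed by a space; its value is searched as a keyword")

    # Only prefix wildcards (cat*) are supported; *cat, c*t and *cat* are not.
    for w in words:
        value = w.split(":", 1)[-1]
        if "*" in value and (value.startswith("*") or value.index("*") != len(value) - 1):
            issues.append(f"wildcard in '{w}' is not a prefix search; only a trailing * is supported")

    # path: needs a trailing /, otherwise sites with a similar prefix are also returned.
    for m in re.finditer(r'path:"?([^\s"]+)', query):
        if not m.group(1).endswith("/"):
            issues.append(f"path:{m.group(1)} lacks a trailing /; add it to limit results to that site")

    # A space between two terms is an implicit OR; mixing that with explicit OR is unpredictable.
    implicit_or = any(words[i].upper() not in OPERATORS and words[i + 1].upper() not in OPERATORS
                      for i in range(len(words) - 1))
    if implicit_or and "OR" in words:
        issues.append("query mixes spaces (implicit OR) with explicit OR; use one or the other")
    return issues


if __name__ == "__main__":
    for q in ['from:"Sara Davis" subject:reorganization', "to: pilarp", "path:sites/HelloWorld"]:
        print(q, "->", lint_kql(q) or "ok")
```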
Create a search query
Tip
Do you prefer an interactive configuration guide experience? Check out the Design a search guide.
After creating a new case, you're automatically directed to the Searches tab in the case and you're ready to create a search for the case. Searches help you find the items you want to collect for the case.
Select Create a search. If this is a new case without any previous searches, you can also select Create a search in the main pane under Start searching for relevant data.
On the Enter details to get started page, complete the following fields:
Search name: Give the search a name (required). The search name must be unique in your organization.
Search description: Add an optional description to help others understand this search.
Select Create to create the new search and start your queries to find relevant data for the case.
On the Query tab in the search, add data sources for your search.
Select Add data sources or Add tenant-wide sources.
Add data sources: Selecting this option adds individual data sources from your organization to the search.
Add tenant-wide sources: Selecting this option includes sources across your organization. Choose to apply to all sources or refine selections to a subset of data sources.
For example, selecting All people and groups and selecting All for Mailboxes adds all user Exchange mailboxes in your organization as a data source. Selecting All people and groups and selecting All for Sites adds all user SharePoint and OneDrive sites in your organization as a data source.
On the Search for sources flyout pane, you'll search and add data sources for your search query. You can filter to scope data sources to help you choose one or more users or group sources to add to the search.
The left side of the pane displays the Filter options for sources. By default, All sources in the tenant is selected to include all sources in your organization for selection and addition to the search.
Use one of the following options in the Show for filter to help scope your sources in the Search section:
All people and groups (default)
People only
Groups only
If applicable, select Exclude inactive users to reduce the scope of sources to only currently active users.
After you've filtered the data sources, use the search control and selectors in the Search section to add specific data sources, users, and groups to the search query. Enter the specific users, groups, or organization locations you want to add in the search field and select Search.
Search for people using the following values:
First and family name of the user display name (for example, John Smith)
First name only
User SMTP address
User alias
Exchange GUID
URL of the user's OneDrive site
Search for groups using the following values:
Group mailbox SMTP address
URL of group site. The URL of a Teams channel site resolves the Teams group as a data source.
Select Manage to update the mailbox or site associated with selected sources. Otherwise, select Save and close.
Review your selections and confirm the included resources for each data source. Select Save. You've now scoped the data sources that your search queries examine.
In the Data sources section, select the ellipse menu for any data source for management options for the data source.
For management options, select from the following:
Manage data source: Manage data sources for the selected user or site.
Disable mailboxes: Disable mailboxes for the selected user or site. Select this option again to enable the mailbox for the user or site.
Disable sites: Disable the site for the selected user or site. Select this option again to enable the site for the user or site.
Frequent collaborators: Select associated mailboxes and sites for users that frequently collaborate with the selected user.
Manager: Select associated mailboxes and sites of the user's manager.
Direct reports: Select associated mailboxes and sites of the user's direct reports.
Groups the user owns: Select associated mailboxes and sites of groups the user is an owner of.
Groups the user is in: Select associated mailboxes and sites of groups the user is a member of.
For group sources, select from the following:
Members: Select associated mailboxes and sites of people who are members of the group.
Use the Data sources command bar controls to add, update, sync, and search for other data sources for the search (as needed):
Search and add: Select the + icon to add data sources.
Manage: Select the pencil icon to manage assigned data sources.
Sync: Select the sync icon to synchronize data sources and update the data sources with the most recent data sources in your organization.
Search: Select the search icon to search the data sources currently included in the search query.
To define the parameters of your search query, you can choose from the following options on the Query tab:
Condition builder: The condition builder option in search provides an easy-to-use search experience when you build search queries in eDiscovery (preview). Use keywords or custom conditions to focus the scope of your search queries. Additionally, you can use the Keyword Query Language (KQL) query condition option in search, which provides guidance and lets you quickly paste long, complex queries directly into the editor. It also helps you build search queries from scratch, identifies potential errors, and displays hints about how to resolve issues.
You can also quickly build KeyQL queries for your search using Microsoft Security Copilot. For guidance, see the following section in this article.
Search by file: Upload one or more files to find related or similar content for a specific case. Use an audit activity CSV to find related messages and files for a specific user within a specific time frame, or provide sample evidence to find similar content. Each file is limited to a 10 MB maximum file size, and files can be CSV or TXT. The condition builder and KQL options are disabled when you search by file.
Select Run query. If you want to save the query parameters you've defined and run the query later, select Save as draft.
Create a KeyQL search query with Microsoft Copilot (preview)
The Natural Language Query (preview) KeyQL builder option in search allows you to use natural language and Microsoft Security Copilot to quickly generate a Keyword Query Language (KeyQL) statement. Use the builder to construct complex queries with additional functionality, including AND, OR, and grouping of conditions, all while using natural language prompts.
This feature helps you build queries more easily using predefined prompts for example scenarios and allows you to refine and enhance custom prompts for more accurate search queries. You can also choose to use prompt suggestions as a starting point to create and refine KeyQL queries for common or custom search scenarios.
To create a search query with Copilot, complete the following steps:
After you've selected data sources for your query, select Draft a query with Copilot.
In the Natural language prompt pane, choose one of the following options:
Enter your search query question. You can include user, data source, and other content details as applicable.
Select View prompts to select one of the following prompt suggestions:
Find all emails containing the words budget and finance and have attachments
Search all chats in the month of January 2020 that contain the word 'financial year'
Search for files of type .docx that contain the words confidential and budget
Review the natural language prompt. To refine the prompt with Copilot, select Refine.
When the prompt is finalized, select Generate KeyQL.
Review the KeyQL query in the Keyword Query Language (KeyQL) result pane. If you need to refine the KeyQL query results, you can update the prompt in the Natural language prompt pane and select Generate KeyQL again.
When the KeyQL results are finalized, select Copy KeyQL.
Paste the KeyQL results in the query field on the Keyword query language (KeyQL) tab. You can close Draft a query with Copilot.
Select Run query. If you want to save the query parameters you've defined and run the query later, select Save as draft.
Run a search query
After you've created a search query manually or using Security Copilot, you're ready to run the query and generate search results.
To run a search query, complete the following steps:
Go to the Microsoft Purview portal and sign in using the credentials for a user account assigned eDiscovery permissions.
Select the eDiscovery solution card and then select Cases (preview) in the left nav.
Select a case. On the Searches tab, select a saved search.
Select Run query.
After you select Run query, you'll see the Format query results flyout pane. Choose the view you would like to generate for the query and its settings. You can choose either the Statistics or Sample view:
Statistics: This view generates a summary of collected data estimates arranged by top indicators. Choose one or more of the following options:
Include categories: Refine your view to include people, sensitive information types, item types, and errors.
Include query keywords report: Assess keyword relevance for different parts of your search query.
Investigate partially indexed items: Partially indexed items typically account for approximately one percent of content in data sources by count. Selecting this option (and only this option) generates summary information (item count and location) about partially indexed items included in the selected data sources for the search. No partially indexed items are reindexed or processed. To further process partially indexed items in scoped data sources, consider the following advanced indexing options:
Exclude partially indexed items in locations without search hits: Choosing this additional option reduces the scope of partially indexed items (or of advanced indexing, if that option is selected) by limiting the inclusion of partially indexed items to only the data sources that include items relevant to your search. This excludes partially indexed items from data sources that don't include any items relevant to your search.
For example, you've selected multiple mailboxes, SharePoint sites, and OneDrive sites as data sources for your search. When the search is run, only a few of the mailboxes and sites have indexed items relevant to the search conditions, the rest of the mailboxes and sites don't contain any natively indexed items relevant to your search conditions. If you've selected this option, the partially indexed items in the mailboxes and sites that contain natively indexed items relevant to the search are included in the search statistics results. The partially indexed items in the mailboxes and sites that don't contain any natively indexed items relevant to the search are ignored and not reported in the search statistics results.
Perform advanced indexing on partially indexed items: The scope of where advanced indexing is run depends on whether you've selected the Exclude partially indexed items in locations without search hits option. The advanced indexing process runs a statistical sample of partially indexed items in scope and determines whether these items match the query:
Selected with the Exclude partially indexed items in locations without search hits option: This applies only to partially indexed items in data sources that have fully indexed items matching the search query. These items are sampled, indexed, and the items matching the search query are displayed in search statistics (as applicable).
Selected without the Exclude partially indexed items in locations without search hits option: This applies to all partially indexed items in all data sources included in the search. All items are sampled, indexed, and the items matching the search query are displayed in search statistics (as applicable).
Sample: This view generates a representative selection of the full search results. Define the parameters for the following options:
Select the number of sample items to generate per location: Choose either 1, 10, or 100.
Select the number of locations to get samples from: Choose either 10, 100, 1000, or 10000.
Select Run query to immediately run the query.
Depending on the query view options you selected, you'll automatically be directed to the Statistics or Sample tab. The search query assessment is started and the time remaining to process the query is calculated. For more information about evaluating and fine-tuning your search results, see Review and evaluate search results.