Use the condition builder to create search queries in eDiscovery

2025-06-17

The condition builder provides an easy-to-use search experience when you build search queries in eDiscovery. Use the condition builder in search and review sets to construct simple and complex keyword queries, queries with operators (AND, OR), or both to help identify items in your organization.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Using the condition builder

To create a query and custom conditional filtering for your search, use the following controls:

Keywords: This common condition is always available as the first condition in your query and helps you get started quickly for search tasks. The Keywords condition only supports the Equal operator and can be excluded from your query by leaving the value field blank. To add additional Keywords conditions, select Add conditions and select Keywords.
Add conditions: Allows you to add a condition for the specific data sources for the search. To add additional conditions to your query, select Add conditions to display the list of available conditions. Each condition value selection adds a new condition to your query. Choose the AND/OR operator as appropriate.
AND/OR: These conditional logical operators allow you to select the query operation that applies to a specific condition. These operators allow you to use multiple conditions connected to your query.
Selecting an operator: Depending on the selected condition, the operators compatible for the condition are available to select. For example, if the Date condition is selected, the available operators are Before, After, and Between. If the Size (in bytes) condition is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
Value: Depending on the selected condition, the values compatible for the condition are available in the value details pane or you can add inline. Depending on the condition type associated with the value, you see options to define, filter, or search for values associated with the selected condition. For example, if you select Sender as the condition, you can search for and add specific users in your organization or external users. If you select Size (in bytes) as the condition, you see the option to enter a number for the size as the value. If the value is blank, the value field border is displayed in red to help notify you that a value is needed.
Remove a filter condition: To remove an individual condition, select the remove icon to the right of each filter line.
Save as draft: To save the current set of conditions as a draft, select Save as draft from the query drop-down.
Discard: To discard any changes made to the search, including conditions, and data source, select Discard from the Save as draft drop-down.

Guidelines for using conditions

Keep the following in mind when using search conditions.

A condition is logically connected to the keyword query (specified in the keyword box) by AND and OR operators. That means that items have to satisfy both the keyword query and the condition to be included in the results.
If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the AND and OR operators. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.
If you add more than one condition for the same property, those conditions are logically connected by the OR operator. That means items that satisfy the keyword query and any one of the conditions are returned. So, groups of the same conditions are connected to each other by the OR operator and then sets of unique conditions are connected by the AND operator.
If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the OR operator. That means items are returned if they contain any of the specified values for the property in the condition.
Any condition that uses an operator with Contains and Equals logic returns similar search results for simple string searches. A simple string search is a string in the condition that doesn't include a wildcard). For example, a condition that uses Equals any of returns the same items as a condition that uses Contains any of.
The search query that is created by using the keywords box and conditions is displayed on the Search page, in the details pane for the selected search. In a query, everything to the right of the notation (c:c) indicates conditions that are added to the query. (c:c) shouldn't be used in manually entered queries and isn't equal to AND or OR.
Conditions only add properties to the search query; they don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the (c:c) notation. KQL adds the logical operators (according to the previously explained rules) when the executing the query.
You can use the drag and drop control to resequence the order of conditions. Select the control for a condition and move it up or down.
Some condition properties allow you to type multiple values (separated by semi-colons). Each value is logically connected by the OR operator, and results in the query (filetype=docx) OR (filetype=pptx) OR (filetype=xlsx). The following illustration shows an example of a condition with multiple values.

Find and select conditions

When you select Add conditions in the condition builder, the Choose which conditions to add flyout pane is displayed to help you refine your search query with specific conditions. Use options in the following sections to help you choose applicable conditions:

Filter conditions by area

Quickly filter the condition view for mailboxes and site properties to help locate a specific condition for your search query. Filter available conditions in the following global groups:

All: Shows all conditions and condition groups.
Common: Filters and displays only the conditions that apply to both mailboxes and sites.
Exchange mailboxes: Filters and displays only the conditions that apply to mailboxes.
SharePoint and OneDrive sites: Filters and displays only the conditions that apply to SharePoint and OneDrive sites.

Condition picker

To quickly search for a specific condition, use the Tell us what you're looking for field to enter the name of the condition. The results are automatically scoped to the filter for global groups. For example, to search for any condition named Type (or one that contains the term type in the condition name), select All as the global filter, then enter type in the Tell us what you're looking for field. The condition view returns all conditions in all condition groups that contain the term type. Select the applicable condition to add to your search query.

Condition picker example.

Scenario example

The eDiscovery administrator needs to create a query to find emails sent from User1 to User4 that were sent between September 15, 2024 and October 15, 2024 that contains the keywords compliance and audit. For this example, the administrator creates the following query using the new query builder:

For the first filter, the administrator uses the Keywords condition, the Equal operator, and compliance, audit as the keyword Value.
Next, the administrator selects Add conditions, selects Sender, then selects the Contains any of operator, then selects User1 from the list of users available in the Value details pane. This can include external users.
Next, the administrator selects Add conditions, selects the To filter, then selects the Contains any of operator, then selects User4 from the list of users available in the Value details pane. This can include external users.
To define the date range, the administrator selects Add conditions, selects Date, then selects the Between operator, and then selects the starting and ending dates for the Value.
Finally, the administrator selects Run query to return applicable results.

Condition builder example.

Using search conditions

You can add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search.

Special characters
Conditions for common properties
Conditions for mail properties
Conditions for document properties
Operators used with conditions

Special characters

Some special characters aren't included in the search index and therefore aren't searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.

+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }

Conditions for common properties

Create a condition using common properties when searching mailboxes and sites in the same search. The following table lists the available properties to use when adding a condition.

Condition	Description
Content kind¹	Applied to both Exchange and SharePoint items, it refers to the type or category of the content. For example, ContentKind:SharePointDocument, ContentKind:Copilot, etc.
Content source application¹	Identifies the application or service where the content originated. For example, ContentSourceApplication:OneDriveForBusiness, ContentSourceApplication:SharePoint, etc.
Date	For email, the date a message was created or imported from a PST file. For documents, the date a document was last modified. If you're searching for email messages for a specific time period, you should use the message Received and Sent conditions if you're unsure if the email messages might have been imported instead of natively created in Exchange.
Identifier¹	For email, the ID for a specific message. Message IDs are included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual message. For Microsoft Teams messages, the ID of the chat or reaction. The ChatThreadID is included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual chat or reaction.
Sender/Author	For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator. (See Recipient Expansion)
Size (in bytes)	For both email and documents, the size of the item (in bytes).
Subject/Title	For email, the text in the subject line of a message. For documents, the title of the document. The Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title values, separated by commas. Two or more values are logically connected by the OR operator. Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query returns an error.
Retention label	For both email and documents, retention labels applied to messages and documents. Retention labels can be used to declare records and help you manage the data lifecycle of content by enforcing retention and deletion rules specified by the label. For more information about retention labels, see Learn about retention policies and retention labels.

Conditions for mail properties

Create a condition using mail properties when searching mailboxes or public folders in Exchange Online. The following table lists the email properties that you can use for a condition. These properties are a subset of the email properties that were previously described. These descriptions are repeated for your convenience.

Condition	Description
Message kind	The message type to search. This is the same property as the Kind email property. Possible values: contacts docs email externaldata fax im journals meetings microsoftteams notes posts rssfeeds tasks voicemail
Participants	All the people fields in an email message. These fields are From, To, Cc, and Bcc. (See Recipient Expansion)
Received	The date that an email message was received by a recipient. This is the same property as the Received email property.
Recipients	All recipient fields in an email message. These fields are To, Cc, and Bcc. (See Recipient Expansion)
Sender	The sender of an email message.
Sent	The date that an email message was sent by the sender. This is the same property as the Sent email property.
Subject	The text in the subject line of an email message. Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query will return an error.
To	The recipient of an email message in the To field.
Topic¹	Summary of the main subject or theme discussed in an email thread or conversation.
Type	The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. So to select multiple message classes, hold the CTRL key and then select two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list are logically connected by the OR operator in the corresponding search query. For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the Message class list, see Item Types and Message Classes.

Conditions for document properties

Create a condition using document properties when searching for documents on SharePoint and OneDrive sites. The following table lists the document properties that you can use for a condition. These properties are a subset of the site properties that were previously described. These descriptions are repeated for your convenience.

Condition	Description
Author	The author field from Office documents, which persists if a document is copied. Par exemple, si un utilisateur crée un document et l’envoie par e-mail à une autre personne qui le charge ensuite dans SharePoint, le document conserve toujours l’auteur d’origine.
Créé	Date de création d’un document.
Type de fichier	Extension d’un fichier ; par exemple, docx, one, pptx ou xlsx. Il s’agit de la même propriété que la propriété de site FileExtension. Note: Si vous incluez une condition de type de fichier à l’aide de l’opérateur Égal ou Égal à l’un des opérateurs dans une requête de recherche, vous ne pouvez pas utiliser une recherche de préfixe (en incluant le caractère générique ( * ) à la fin du type de fichier) pour renvoyer toutes les versions d’un type de fichier. Si vous le faites, le caractère générique est ignoré. Par exemple, si vous incluez la condition `Equals any of doc`, seuls les fichiers avec une extension de `.doc` sont retournés. Les fichiers avec une extension de `.docx` ne sont pas retournés. Pour retourner toutes les versions d’un type de fichier, utilisez la paire propriété :value* dans une requête mot clé , par exemple. `filetype:doc*`
Dernière modification	Date de la dernière modification apportée à un document.
Chemin^{d’accès 1}	URL ou emplacement d’un fichier ou d’un dossier dans un site SharePoint.
Type d’informations sensibles (SIT)¹	Types d’informations sensibles inclus dans les documents. Les SIT sont des classifieurs basés sur des modèles et ils détectent des informations sensibles telles que la sécurité sociale, les carte de crédit ou les numéros de compte bancaire pour identifier les éléments sensibles. Pour plus d’informations sur les SIT, consultez En savoir plus sur les types d’informations sensibles.
Étiquette de confidentialité¹	Étiquettes de confidentialité appliquées aux documents. Les étiquettes de confidentialité vous permettent de classifier et de protéger les données de votre organization, tout en veillant à ce que la productivité des utilisateurs et leur capacité à collaborer ne soient pas entravées. Pour plus d’informations sur les étiquettes de confidentialité, consultez En savoir plus sur les étiquettes de confidentialité.
Titre	Titre du document. Cette propriété correspond aux métadonnées spécifiées dans les documents Office. Il est différent du nom de fichier du document.

Opérateurs utilisés avec des conditions

Lorsque vous ajoutez une condition, vous pouvez sélectionner un opérateur pertinent par rapport au type de propriété pour la condition. Le tableau suivant décrit les opérateurs qui sont utilisés avec les conditions et répertorie l’équivalent utilisé dans la requête de recherche.

Opérateur	Équivalent dans la requête	Description
Après	`property>date`	Utilisé avec les conditions de date. Renvoie les éléments qui ont été envoyés, reçus ou modifiés après la date spécifiée.
Avant	`property<date`	Utilisé avec les conditions de date. Renvoie les éléments qui ont été envoyés, reçus ou modifiés avant la date spécifiée.
Between	`date..date`	Utilisé avec les conditions de date et de taille. Lorsqu’il est utilisé avec une condition de date, renvoie les éléments qui ont été envoyés, reçus ou modifiés dans la plage de dates spécifiée. Lorsqu’il est utilisé avec une condition de taille, renvoie les éléments dont la taille est comprise dans la plage spécifiée.
Contient l’un des éléments	`(property:value) OR (property:value)`	Utilisé avec les conditions des propriétés qui spécifient une valeur de chaîne. Renvoie les éléments qui contiennent une partie d’une ou plusieurs valeurs de chaîne spécifiées.
Ne contient pas	`-property:value` `NOT property:value`	Utilisé avec les conditions des propriétés qui spécifient une valeur de chaîne. Renvoie les éléments qui ne contiennent aucune partie de la valeur de chaîne spécifiée.
N’est pas égal à	`-property=value` `NOT property=value`	Utilisé avec les conditions des propriétés qui spécifient une valeur de chaîne. Renvoie les éléments qui ne contiennent pas la chaîne spécifique.
Égal à²	`size=value`	Renvoie les éléments qui sont égaux à la taille spécifiée.
Est égal à l’un des éléments	`(property=value) OR (property=value)`	Utilisé avec les conditions des propriétés qui spécifient une valeur de chaîne. Retourne des éléments qui correspondent à une ou plusieurs valeurs de chaîne spécifiées.
Supérieur²	`size>value`	Renvoie les éléments pour lesquels la propriété spécifiée est supérieure à la valeur spécifiée.
Supérieur ou égal^{à 2}	`size>=value`	Renvoie les éléments pour lesquels la propriété spécifiée est supérieure ou égale à la valeur spécifiée.
Moins²	`size<value`	Renvoie les éléments qui sont supérieurs ou égaux à la valeur spécifique.
Inférieur ou égal^{à 2}	`size<=value`	Renvoie les éléments qui sont supérieurs ou égaux à la valeur spécifique.
N’est pas égal^{à 2}	`size<>value`	Renvoie les éléments qui ne sont pas égaux à la taille spécifiée.

Remarque

¹ Cet opérateur est une condition de fonctionnalité premium eDiscovery.

² Cet opérateur est disponible uniquement pour les conditions qui utilisent la propriété Size .