Поділитися через


Use the condition builder to create search queries in eDiscovery (preview)

The condition builder in search provides a visual conditional filtering experience when you build search queries in eDiscovery (preview). Use the condition builder to construct queries with operators (AND, OR), to help you build queries more effectively, and provide additional space for complex keyword queries to be constructed and reviewed.

Tip

Get started with Microsoft Copilot for Security to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Copilot for Security in Microsoft Purview.

Using the condition builder

To create a query and custom conditional filtering for your search, use the following controls:

  • AND/OR: These conditional logical operators allow you to select the query condition that applies to specific filters and filter subgroups. These operators allow you to use multiple filters or subgroups connected to a single filter in your query.
  • Add a condition: Allows you to add a condition for the specific data sources and location selected for the search.
  • Select an operator: Depending on the selected filter, the operators compatible for the filter are available to select. For example, if the Date filter is selected, the available operators are Before, After, and Between. If the Size (in bytes) filter is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
  • Value: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the Date filter is selected, select date values. If the Size (in bytes) filter is selected, select a value for bytes.
  • Remove a filter condition: To remove an individual filter or subgroup, select the remove icon to the right of each filter line or subgroup.
  • Clear all: To clear the entire query of all filters and subgroups, select Clear all.

Guidelines for using conditions

Keep the following in mind when using search conditions.

  • A condition is logically connected to the keyword query (specified in the keyword box) by AND and OR operators. That means that items have to satisfy both the keyword query and the condition to be included in the results.
  • If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the AND and OR operators. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.
  • If you add more than one condition for the same property, those conditions are logically connected by the OR operator. That means items that satisfy the keyword query and any one of the conditions are returned. So, groups of the same conditions are connected to each other by the OR operator and then sets of unique conditions are connected by the AND operator.
  • If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the OR operator. That means items are returned if they contain any of the specified values for the property in the condition.
  • Any condition that uses an operator with Contains and Equals logic returns similar search results for simple string searches. A simple string search is a string in the condition that doesn't include a wildcard). For example, a condition that uses Equals any of returns the same items as a condition that uses Contains any of.
  • The search query that is created by using the keywords box and conditions is displayed on the Search page, in the details pane for the selected search. In a query, everything to the right of the notation (c:c) indicates conditions that are added to the query. (c:c) shouldn't be used in manually entered queries and isn't equal to AND or OR.
  • Conditions only add properties to the search query; they don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the (c:c) notation. KQL adds the logical operators (according to the previously explained rules) when the executing the query.
  • You can use the drag and drop control to resequence the order of conditions. Select the control for a condition and move it up or down.
  • Some condition properties allow you to type multiple values (separated by semi-colons). Each value is logically connected by the OR operator, and results in the query (filetype=docx) OR (filetype=pptx) OR (filetype=xlsx). The following illustration shows an example of a condition with multiple values.

Scenario example

The eDiscovery administrator needs to create a query to find emails sent from Aimee Miller to Adam Eham, Adele Vance, or Aditya Dash that were sent between February 9, 2023 and March 9, 2023 that contains the keywords compliance and audit. For this example, the administrator creates the following query using the new query builder:

  1. For the first filter, the administrator selects Sender, then selects the Equals any of operator, then selects Aimee Miller from the list of users available in the Value control.
  2. Next, the administrator selects Add subgroup and the OR operator to define the other users that Aimee may have sent an email to about the compliance audit.
  3. In the subgroup, the administrator selects the To filter, the Equals any of operator, and the Value (user) for each of the other users that Aimee may have sent email to about the compliance audit. In this example, the administrator creates a filter in the subgroup for Adam Eham, Adele Vance, and Aditya Dash.
  4. To define the date range, the administrator selects Add filter and selects the Date filter, the Between operator, and start and ending dates for the Value.
  5. Finally, the administrator selects the Keyword list filter, the Equal operator, and compliance, audit as the keyword Value.

Query builder example.

Using search conditions

You can add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search.

Special characters

Some special characters aren't included in the search index and therefore aren't searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.

+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }

Conditions for common properties

Create a condition using common properties when searching mailboxes and sites in the same search. The following table lists the available properties to use when adding a condition.

Condition Description
Date For email, the date a message was created or imported from a PST file. For documents, the date a document was last modified.

If you're searching for email messages for a specific time period, you should use the message Received and Sent conditions if you're unsure if the email messages may have been imported instead of natively created in Exchange.
Identifier For email, the ID for a specific message. Message IDs are included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual message.

For Microsoft Teams messages, the ID of the chat or reaction. The ChatThreadID is included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual chat or reaction.
Sender/Author For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator.
(See Recipient Expansion)
Size (in bytes) For both email and documents, the size of the item (in bytes).
Subject/Title For email, the text in the subject line of a message. For documents, the title of the document. The Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title values, separated by commas. Two or more values are logically connected by the OR operator.

Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query will return an error.

Retention label For both email and documents, retention labels applied to messages and documents. Retention labels can be used to declare records and help you manage the data lifecycle of content by enforcing retention and deletion rules specified by the label. For more information about retention labels, see Learn about retention policies and retention labels.
Sensitive information type (SIT) For both email and documents, sensitive information types included in messages and documents. SITs are pattern-based classifiers and they detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items. For more information about SITs, see Learn about sensitive information types.
Sensitivity label For both email and documents, sensitivity labels applied to messages and documents. Sensitivity labels let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. For more information about sensitivity labels, see Learn about sensitivity labels.

Conditions for mail properties

Create a condition using mail properties when searching mailboxes or public folders in Exchange Online. The following table lists the email properties that you can use for a condition. These properties are a subset of the email properties that were previously described. These descriptions are repeated for your convenience.

Condition Description
Message kind The message type to search. This is the same property as the Kind email property. Possible values:
  • contacts
  • docs
  • email
  • externaldata
  • fax
  • im
  • journals
  • meetings
  • microsoftteams
  • notes
  • posts
  • rssfeeds
  • tasks
  • voicemail
Participants All the people fields in an email message. These fields are From, To, Cc, and Bcc. (See Recipient Expansion)
Type The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. So to select multiple message classes, hold the CTRL key and then select two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list are logically connected by the OR operator in the corresponding search query.

For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the Message class list, see Item Types and Message Classes.

Received The date that an email message was received by a recipient. This is the same property as the Received email property.
Recipients All recipient fields in an email message. These fields are To, Cc, and Bcc. (See Recipient Expansion)
Sender The sender of an email message.
Sent The date that an email message was sent by the sender. This is the same property as the Sent email property.
Subject The text in the subject line of an email message.

Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query will return an error.

To The recipient of an email message in the To field.

Conditions for document properties

Create a condition using document properties when searching for documents on SharePoint and OneDrive sites. The following table lists the document properties that you can use for a condition. These properties are a subset of the site properties that were previously described. These descriptions are repeated for your convenience.

Condition Description
Author The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author.
Title The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document.
Created The date that a document is created.
Last modified The date that a document was last changed.
File type The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property.

Note: If you include a File type condition using the Equals or Equals any of operator in a search query, you can't use a prefix search (by including the wildcard character ( * ) at the end of the file type) to return all versions of a file type. If you do, the wildcard is ignored. For example if you include the condition Equals any of doc*, only files with an extension of .doc will be returned. Files with an extension of .docx isn't returned. To return all versions of a file type, used the property:value pair in a keyword query; for example, filetype:doc*.

Operators used with conditions

When you add a condition, you can select an operator that is relevant to type of property for the condition. The following table describes the operators that are used with conditions and lists the equivalent that is used in the search query.

Operator Query equivalent Description
After property>date Used with date conditions. Returns items that were sent, received, or modified after the specified date.
Before property<date Used with date conditions. Returns items that were sent, received, or modified before the specified date.
Between date..date Use with date and size conditions. When used with a date condition, returns items there were sent, received, or modified within the specified date range. When used with a size condition, returns items whose size is within the specified range.
Contains any of (property:value) OR (property:value) Used with conditions for properties that specify a string value. Returns items that contain any part of one or more specified string values.
Doesn't contain any of -property:value

NOT property:value

Used with conditions for properties that specify a string value. Returns items that don't contain any part of the specified string value.
Doesn't equal any of -property=value

NOT property=value

Used with conditions for properties that specify a string value. Returns items that don't contain the specific string.
Equals size=value Returns items that are equal to the specified size.1
Equals any of (property=value) OR (property=value) Used with conditions for properties that specify a string value. Returns items that are a match of one or more specified string values.
Greater size>value Returns items where the specified property is greater than the specified value.1
Greater or equal size>=value Returns items where the specified property is greater than or equal to the specified value.1
Less size<value Returns items that are greater than or equal to the specific value.1
Less or equal size<=value Returns items that are greater than or equal to the specific value.1
Not equal size<>value Returns items that don't equal the specified size.1

Note

1 This operator is available only for conditions that use the Size property.