Use the condition builder to create search queries in eDiscovery

2025-06-17

The condition builder provides an easy-to-use search experience when you build search queries in eDiscovery. Use the condition builder in search and review sets to construct simple and complex keyword queries, queries with operators (AND, OR), or both to help identify items in your organization.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Using the condition builder

To create a query and custom conditional filtering for your search, use the following controls:

Keywords: This common condition is always available as the first condition in your query and helps you get started quickly for search tasks. The Keywords condition only supports the Equal operator and can be excluded from your query by leaving the value field blank. To add additional Keywords conditions, select Add conditions and select Keywords.
Add conditions: Allows you to add a condition for the specific data sources for the search. To add additional conditions to your query, select Add conditions to display the list of available conditions. Each condition value selection adds a new condition to your query. Choose the AND/OR operator as appropriate.
AND/OR: These conditional logical operators allow you to select the query operation that applies to a specific condition. These operators allow you to use multiple conditions connected to your query.
Selecting an operator: Depending on the selected condition, the operators compatible for the condition are available to select. For example, if the Date condition is selected, the available operators are Before, After, and Between. If the Size (in bytes) condition is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
Value: Depending on the selected condition, the values compatible for the condition are available in the value details pane or you can add inline. Depending on the condition type associated with the value, you see options to define, filter, or search for values associated with the selected condition. For example, if you select Sender as the condition, you can search for and add specific users in your organization or external users. If you select Size (in bytes) as the condition, you see the option to enter a number for the size as the value. If the value is blank, the value field border is displayed in red to help notify you that a value is needed.
Remove a filter condition: To remove an individual condition, select the remove icon to the right of each filter line.
Save as draft: To save the current set of conditions as a draft, select Save as draft from the query drop-down.
Discard: To discard any changes made to the search, including conditions, and data source, select Discard from the Save as draft drop-down.

Guidelines for using conditions

Keep the following in mind when using search conditions.

A condition is logically connected to the keyword query (specified in the keyword box) by AND and OR operators. That means that items have to satisfy both the keyword query and the condition to be included in the results.
If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the AND and OR operators. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.
If you add more than one condition for the same property, those conditions are logically connected by the OR operator. That means items that satisfy the keyword query and any one of the conditions are returned. So, groups of the same conditions are connected to each other by the OR operator and then sets of unique conditions are connected by the AND operator.
If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the OR operator. That means items are returned if they contain any of the specified values for the property in the condition.
Any condition that uses an operator with Contains and Equals logic returns similar search results for simple string searches. A simple string search is a string in the condition that doesn't include a wildcard). For example, a condition that uses Equals any of returns the same items as a condition that uses Contains any of.
The search query that is created by using the keywords box and conditions is displayed on the Search page, in the details pane for the selected search. In a query, everything to the right of the notation (c:c) indicates conditions that are added to the query. (c:c) shouldn't be used in manually entered queries and isn't equal to AND or OR.
Conditions only add properties to the search query; they don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the (c:c) notation. KQL adds the logical operators (according to the previously explained rules) when the executing the query.
You can use the drag and drop control to resequence the order of conditions. Select the control for a condition and move it up or down.
Some condition properties allow you to type multiple values (separated by semi-colons). Each value is logically connected by the OR operator, and results in the query (filetype=docx) OR (filetype=pptx) OR (filetype=xlsx). The following illustration shows an example of a condition with multiple values.

Find and select conditions

When you select Add conditions in the condition builder, the Choose which conditions to add flyout pane is displayed to help you refine your search query with specific conditions. Use options in the following sections to help you choose applicable conditions:

Filter conditions by area

Quickly filter the condition view for mailboxes and site properties to help locate a specific condition for your search query. Filter available conditions in the following global groups:

All: Shows all conditions and condition groups.
Common: Filters and displays only the conditions that apply to both mailboxes and sites.
Exchange mailboxes: Filters and displays only the conditions that apply to mailboxes.
SharePoint and OneDrive sites: Filters and displays only the conditions that apply to SharePoint and OneDrive sites.

Condition picker

To quickly search for a specific condition, use the Tell us what you're looking for field to enter the name of the condition. The results are automatically scoped to the filter for global groups. For example, to search for any condition named Type (or one that contains the term type in the condition name), select All as the global filter, then enter type in the Tell us what you're looking for field. The condition view returns all conditions in all condition groups that contain the term type. Select the applicable condition to add to your search query.

Condition picker example.

Scenario example

The eDiscovery administrator needs to create a query to find emails sent from User1 to User4 that were sent between September 15, 2024 and October 15, 2024 that contains the keywords compliance and audit. For this example, the administrator creates the following query using the new query builder:

For the first filter, the administrator uses the Keywords condition, the Equal operator, and compliance, audit as the keyword Value.
Next, the administrator selects Add conditions, selects Sender, then selects the Contains any of operator, then selects User1 from the list of users available in the Value details pane. This can include external users.
Next, the administrator selects Add conditions, selects the To filter, then selects the Contains any of operator, then selects User4 from the list of users available in the Value details pane. This can include external users.
To define the date range, the administrator selects Add conditions, selects Date, then selects the Between operator, and then selects the starting and ending dates for the Value.
Finally, the administrator selects Run query to return applicable results.

Condition builder example.

Using search conditions

You can add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search.

Special characters
Conditions for common properties
Conditions for mail properties
Conditions for document properties
Operators used with conditions

Special characters

Some special characters aren't included in the search index and therefore aren't searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.

+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }

Conditions for common properties

Create a condition using common properties when searching mailboxes and sites in the same search. The following table lists the available properties to use when adding a condition.

Condition	Description
Content kind¹	Applied to both Exchange and SharePoint items, it refers to the type or category of the content. For example, ContentKind:SharePointDocument, ContentKind:Copilot, etc.
Content source application¹	Identifies the application or service where the content originated. For example, ContentSourceApplication:OneDriveForBusiness, ContentSourceApplication:SharePoint, etc.
Date	For email, the date a message was created or imported from a PST file. For documents, the date a document was last modified. If you're searching for email messages for a specific time period, you should use the message Received and Sent conditions if you're unsure if the email messages might have been imported instead of natively created in Exchange.
Identifier¹	For email, the ID for a specific message. Message IDs are included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual message. For Microsoft Teams messages, the ID of the chat or reaction. The ChatThreadID is included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual chat or reaction.
Sender/Author	For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator. (See Recipient Expansion)
Size (in bytes)	For both email and documents, the size of the item (in bytes).
Subject/Title	For email, the text in the subject line of a message. For documents, the title of the document. The Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title values, separated by commas. Two or more values are logically connected by the OR operator. Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query returns an error.
Retention label	For both email and documents, retention labels applied to messages and documents. Retention labels can be used to declare records and help you manage the data lifecycle of content by enforcing retention and deletion rules specified by the label. For more information about retention labels, see Learn about retention policies and retention labels.

Conditions for mail properties

Create a condition using mail properties when searching mailboxes or public folders in Exchange Online. The following table lists the email properties that you can use for a condition. These properties are a subset of the email properties that were previously described. These descriptions are repeated for your convenience.

Condition	Description
Message kind	The message type to search. This is the same property as the Kind email property. Possible values: contacts docs email externaldata fax im journals meetings microsoftteams notes posts rssfeeds tasks voicemail
Participants	All the people fields in an email message. These fields are From, To, Cc, and Bcc. (See Recipient Expansion)
Received	The date that an email message was received by a recipient. This is the same property as the Received email property.
Recipients	All recipient fields in an email message. These fields are To, Cc, and Bcc. (See Recipient Expansion)
Sender	The sender of an email message.
Sent	The date that an email message was sent by the sender. This is the same property as the Sent email property.
Subject	The text in the subject line of an email message. Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query will return an error.
To	The recipient of an email message in the To field.
Topic¹	Summary of the main subject or theme discussed in an email thread or conversation.
Type	The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. So to select multiple message classes, hold the CTRL key and then select two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list are logically connected by the OR operator in the corresponding search query. For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the Message class list, see Item Types and Message Classes.

Conditions for document properties

Create a condition using document properties when searching for documents on SharePoint and OneDrive sites. The following table lists the document properties that you can use for a condition. These properties are a subset of the site properties that were previously described. These descriptions are repeated for your convenience.

Condition	Description
Author	The author field from Office documents, which persists if a document is copied. 例如，如果用户创建文档并将其通过电子邮件发送到其他人，然后将其上传到 SharePoint，则该文档仍将保留原始作者。
已创建	创建文档的日期。
文件类型	文件的扩展名;例如，docx、one、pptx 或 xlsx。此属性与 FileExtension 网站属性相同。注意：如果在搜索查询中包含使用 Equals 或 Equals 任一运算符的文件类型条件，则不能通过将通配符 ( * ) 包含在文件类型) 末尾来返回文件类型的所有版本来使用前缀搜索 (。如果这样做，则忽略通配符。例如，如果包含条件 `Equals any of doc`，则仅返回扩展名为的文件 `.doc` 。不会返回扩展名 `.docx` 为的文件。若要返回文件类型的所有版本，请在关键字 (keyword) 查询中使用 property：value* 对;例如。 `filetype:doc*`
上次修改时间	上次修改文档的日期。
路径¹	SharePoint 网站中文件或文件夹的 URL 或位置。
敏感信息类型 (SIT) ¹	文档中包含的敏感信息类型。 SCT 是基于模式的分类器，可检测敏感信息，例如社会保障、信用卡或银行帐号，以识别敏感项目。有关 SIT 的详细信息，请参阅了解敏感信息类型。
敏感度标签¹	应用于文档的敏感度标签。敏感度标签允许对组织数据进行分类和保护，同时确保用户的工作效率及其协作能力不受阻碍。有关敏感度标签的详细信息，请参阅了解敏感度标签。
标题	文档的标题。 Title 属性是 Office 文档中指定的元数据。它不同于文档的文件名。

与条件一起使用的运算符

当您添加一个条件时，您可以选择与该条件的属性类型相关的运算符。下表描述了与条件一起使用的运算符，并列出了在搜索查询中使用的等效项。

运算符	查询等效项	说明
活动后	`property>date`	使用日期条件。返回在指定日期后发送、接收或修改的项。
活动前	`property<date`	使用日期条件。返回在指定日期前发送、接收或修改的项。
Between	`date..date`	使用日期和大小条件。当使用日期条件时，返回在指定的日期范围内发送、接收或修改的项。当使用大小条件时，返回大小在指定范围内的项。
包含任意	`(property:value) OR (property:value)`	与指定字符串值的属性条件一起使用。返回包含一个或多个指定字符串值任何部分的项目。
不包含任何	`-property:value` `NOT property:value`	与指定字符串值的属性条件一起使用。返回不包含指定字符串值任何部分的项目。
不等于任何	`-property=value` `NOT property=value`	与指定字符串值的属性条件一起使用。返回不包含特定字符串的项目。
等于²	`size=value`	返回与指定大小相等的项目。
等于任何	`(property=value) OR (property=value)`	与指定字符串值的属性条件一起使用。返回与一个或多个指定字符串值匹配的项。
大²	`size>value`	返回指定属性大于指定值的项。
大于或等于²	`size>=value`	返回指定属性大于或等于指定值的项。
少²	`size<value`	返回大于或等于指定值的项。
小于或等于²	`size<=value`	返回大于或等于指定值的项。
不等于²	`size<>value`	返回与指定大小不相等的项目。

注意

¹ 此运算符是电子数据展示高级功能条件。

² 此运算符仅适用于使用 Size 属性的条件。