

Search content in a review set in eDiscovery (preview)

In most cases, it's useful to dig deeper into the content in a review set and organize it to facilitate a more efficient review. Using filters and queries in a review set helps you focus on a subset of documents that meet the criteria of your review. For more information about available search conditions, see Use the condition builder to create search queries in eDiscovery (preview).

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Advanced filters (preview)

Improving on the default filters in previous versions, eDiscovery (preview) provides advanced filters that let you build more flexible and complex filter queries for review sets. Advanced filtering allows you to:

  • Quickly search for filter conditions.
  • Create complex filters using subgroups, AND, or OR conditions.
  • Easily change your queries with Undo filter query and Redo filter query controls.
  • Manage saved filters without having to navigate to another area.
  • Use Is empty and Isn't empty conditions for each filter.

Important

A review set displays a maximum of 1,000 items per page and up to 10 pages (for a total of 10,000 items displayed per review set). Use default or custom filters to adjust the displayed items as needed. Matched item counts are estimates.

Advanced filter controls (preview)

To create custom filtering for your review set, use the following controls:

  • AND/OR: These conditional logical operators allow you to select the query condition that applies to specific filters and filter subgroups. These operators allow you to use multiple filters or subgroups connected to a single filter in your query.
  • Select a filter: Allows you to select filters for the specific data sources and location content selected for the search.
  • Add filter: Allows you to add multiple filters to your query. This control is available after you've defined at least one query filter.
  • Select an operator: Depending on the selected filter, the operators compatible for the filter are available to select. For example, if the Date filter is selected, the available operators are Before, After, and Between. If the Size (in bytes) filter is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
  • Value: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the Date filter is selected, select date values. If the Size (in bytes) filter is selected, select a value for bytes.
  • Add subgroup: After you've defined a filter, you can add a subgroup to refine the results returned by the filter. You can also add a subgroup to a subgroup for multi-layered query refinement.
  • Remove a filter condition: To remove an individual filter or subgroup, select the Remove icon to the right of each filter line or subgroup.
  • Clear all: To clear the entire query of all filters and subgroups, select Clear all.

To remove the advanced filter controls from the review set, select Manage > Hide advanced filters (preview). To display advanced filters, select Manage > Show advanced filters (preview). Existing filters are removed when showing or hiding advanced filters. To keep filters, save them as a query.

Filter types

Every searchable field in a review set has a corresponding filter that you can use to filter items based on a specific field.

There are multiple types of filters:

  • Freetext: A freetext filter is applied to text fields such as Subject. You can list multiple search terms by separating them with a comma.
  • Date: A date filter is used for date fields such as Last modified date.
  • Search options: A search options filter provides a list of possible values (each value is displayed with a checkbox that you can select) for particular fields in the review. This filter is used for fields, such as Sender, where there's a finite number of possible values in the review set.
  • Keyword: A keyword condition is a specific instance of a freetext condition that you can use to search for terms. You can also use KQL-like query language in this type of filter. For more information, see the Query language and Advanced query builder sections in this article.

Save and manage filter queries

After you're satisfied with your filters, you can save the filter combination as a filter query. This saved filter query lets you apply the filter in future review sessions.

To save a filter, select Save on the Save filter queries command bar and name it. You or other reviewers can run previously saved filter queries by selecting the Saved filter queries dropdown and selecting a filter query to apply to review set documents.

To edit or delete a saved filter query, select Saved filter queries and expand the filter properties to display the Edit and Delete options for the saved filter query.

Use query language support for KQL and Keyword filters

When using the KQL or Keyword filters, you can use a KQL-like query language to build your review set search query. The query language for these two filters supports standard Boolean operators, such as AND, OR, NOT, and NEAR. It also supports a single-character wildcard (?) and a multi-character wildcard (*).

Note

Review filters only support wildcards (? or *) on a single term. Using wildcards in searches on phrases that consist of multiple terms isn't supported.
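
The wildcard restriction in the note above can be checked before a filter query is saved. The following is an added example, not Microsoft's code: a small Python lint that flags wildcards inside multi-term quoted phrases. The function names, the double-quote phrase convention, the tokenization, and the sample queries are assumptions constructed for illustration.

```python
import re

# A token is a double-quoted phrase or a run of characters without spaces,
# parentheses or quotes (assumed tokenization, for illustration only).
TOKEN_RE = re.compile(r'"([^"]*)"|([^\s()"]+)')
WILDCARDS = "*?"  # the two wildcards the page lists


def lint_review_query(query):
    """Return (fragment, problem) findings for one keyword filter query."""
    if query.count('"') % 2:
        return [(query, "unbalanced double quote")]
    findings = []
    for match in TOKEN_RE.finditer(query):
        phrase = match.group(1)
        if phrase is None:
            continue  # bare term or operator: single-term wildcards are supported
        if len(phrase.split()) > 1 and any(w in phrase for w in WILDCARDS):
            findings.append(('"%s"' % phrase, "wildcard inside a multi-term phrase"))
    return findings


def lint_saved_queries(saved):
    """Map each saved query name to its findings, omitting clean queries."""
    report = {}
    for name, query in saved.items():
        findings = lint_review_query(query)
        if findings:
            report[name] = findings
    return report


# Constructed sample queries, not taken from a real case.
SAMPLE_SAVED_QUERIES = {
    "single-term wildcard": "budget AND rep*",
    "phrase wildcard": '(invoice OR "quarterly rep*") NOT draft',
    "two bad phrases": '"wire transf?r" NEAR "acct num*"',
    "open quote": '"year end AND forecast',
}

if __name__ == "__main__":
    for name, findings in lint_saved_queries(SAMPLE_SAVED_QUERIES).items():
        for fragment, problem in findings:
            print(f"{name}: {problem}: {fragment}")
```

Rewrite any flagged phrase so that each wildcard sits on a single term before saving the query.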

Scenario examples

Filter for untagged items in a review set

An eDiscovery administrator needs to create a query to find all items in the review set without any tagging applied. For this example, the administrator creates the following review set filter query:

  1. For the first filter, the administrator selects the filter and types tag in filter search. The filter Tags is displayed as a matching option, and the administrator selects it.
  2. The administrator then selects Select an operator and selects the Is empty operator. This operator returns all items that don't have any tags applied.

The review set is immediately updated and only the items that aren't tagged are displayed.

Filter for native file type items in a review set

An eDiscovery administrator needs to create a query to find all items in the review set that are a certain type, such as .csv, .msg, or .pdf. For this example, the administrator creates the following review set filter query:

  1. For the first filter, the administrator selects the filter and types file in filter search. The filter Native file extension is one of the filter options displayed in the search results, and the administrator selects it.
  2. The administrator then selects Select an operator and selects the Equals any of operator.
  3. The administrator selects the Any field and selects the applicable checkboxes for the file types to include in the filter query.

The review set is immediately updated and only the items that match the selected file types are displayed.

Filter partially indexed items

If you selected the option to add partially indexed items from additional data sources when you committed the search estimate to a review set, you'll probably want to identify and view those items to determine if an item might be relevant to your investigation and whether you need to remediate the error that resulted in the item being partially indexed.

At this time, there isn't a filter option in a review set to display partially indexed items. But here's a way you can filter and display the partially indexed items that you added to a review set.

  1. Create a search and add it to a new review set without adding partially indexed items from the additional data sources.
  2. Create a new search by copying the search from step 1.
  3. Add the new search to the same review set. But this time, add the partially indexed items from the additional data sources. Because items from the search you created in step 1 have already been added to the review set, only the partially indexed items from the second search are added to the review set.
  4. After both searches are added to the review set, select the review set, and select Load sets.
  5. Copy or make note of the Load Id for the second search (the one you created in step 2). The search name is identified in the Source info column.
  6. Back in the review set, select Filter, expand the IDs section, and then select the Load Id checkbox.
  7. Expand the Load Id filter, and then select the checkbox for the load ID that corresponds to the second search to display the partially indexed items.

Filter documents by theme

Filtering documents by theme can significantly save time when reviewing documents. For example, if you're looking for documents that discuss a particular subject, you can filter the documents by the dominant theme that is related to that subject. You can also filter documents by other themes in the theme list to find documents that are similar to a document that you're interested in. To display the themes for a document as a column in the document list for the review set, select Customize columns and select Dominant theme and Themes list.

To filter documents by theme, complete the following steps:

  1. In a review set, choose Select a filter and select Dominant theme.
  2. Select an operator to use with the Dominant theme and define the value to use with the operator.
  3. Use an additional Themes list filter with the operator and values applicable to this filter. You can configure the AND and OR operators to filter documents by a combination of the Dominant theme and Themes list values.