Delen via


Use the condition builder to create search queries in eDiscovery (preview)

The condition builder provides an easy-to-use search experience when you build search queries in eDiscovery (preview). Use the condition builder in search and review sets to construct simple and complex keyword queries, queries with operators (AND, OR), or both to help identify items in your organization.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Using the condition builder

To create a query and custom conditional filtering for your search, use the following controls:

  • Keywords: This common condition is always available as the first condition in your query and helps you get started quickly for search tasks. The Keywords condition only supports the Equal operator and can be excluded from your query by leaving the value field blank. To add additional Keywords conditions, select Add conditions and select Keywords.
  • Add conditions: Allows you to add a condition for the specific data sources for the search. To add additional conditions to your query, select Add conditions to display the list of available conditions. Each condition value selection adds a new condition to your query. Choose the AND/OR operator as appropriate.
  • AND/OR: These conditional logical operators allow you to select the query operation that applies to a specific condition. These operators allow you to use multiple conditions connected to your query.
  • Selecting an operator: Depending on the selected condition, the operators compatible for the condition are available to select. For example, if the Date condition is selected, the available operators are Before, After, and Between. If the Size (in bytes) condition is selected, the available operators are Greater than, Greater or equal, Less than, Less or equal, Between, and Equal.
  • Value: Depending on the selected condition, the values compatible for the condition are available in the value details pane or you can add inline. Depending on the condition type associated with the value, you see options to define, filter, or search for values associated with the selected condition. For example, if you select Sender as the condition, you can search for and add specific users in your organization or external users. If you select Size (in bytes) as the condition, you see the option to enter a number for the size as the value. If the value is blank, the value field border is displayed in red to help notify you that a value is needed.
  • Remove a filter condition: To remove an individual condition, select the remove icon to the right of each filter line.
  • Save as draft: To save the current set of conditions as a draft, select Save as draft from the query drop-down.
  • Discard: To discard any changes made to the search, including conditions and data source, select Discard from the Save as draft drop-down.

Guidelines for using conditions

Keep the following in mind when using search conditions.

  • A condition is logically connected to the keyword query (specified in the keyword box) by AND and OR operators. That means that items have to satisfy both the keyword query and the condition to be included in the results.
  • If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the AND and OR operators. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.
  • If you add more than one condition for the same property, those conditions are logically connected by the OR operator. That means items that satisfy the keyword query and any one of the conditions are returned. So, groups of the same conditions are connected to each other by the OR operator and then sets of unique conditions are connected by the AND operator.
  • If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the OR operator. That means items are returned if they contain any of the specified values for the property in the condition.
  • Any condition that uses an operator with Contains and Equals logic returns similar search results for simple string searches. A simple string search is a string in the condition that doesn't include a wildcard). For example, a condition that uses Equals any of returns the same items as a condition that uses Contains any of.
  • The search query that is created by using the keywords box and conditions is displayed on the Search page, in the details pane for the selected search. In a query, everything to the right of the notation (c:c) indicates conditions that are added to the query. (c:c) shouldn't be used in manually entered queries and isn't equal to AND or OR.
  • Conditions only add properties to the search query; they don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the (c:c) notation. KQL adds the logical operators (according to the previously explained rules) when the executing the query.
  • You can use the drag and drop control to resequence the order of conditions. Select the control for a condition and move it up or down.
  • Some condition properties allow you to type multiple values (separated by semi-colons). Each value is logically connected by the OR operator, and results in the query (filetype=docx) OR (filetype=pptx) OR (filetype=xlsx). The following illustration shows an example of a condition with multiple values.

Find and select conditions

When you select Add conditions in the condition builder, the Choose which conditions to add flyout pane is displayed to help you refine your search query with specific conditions. Use options in the following sections to help you choose applicable conditions:

Filter conditions by area

Quickly filter the condition view for mailboxes and site properties to help locate a specific condition for your search query. Filter available conditions in the following global groups:

  • All: Shows all conditions and condition groups.
  • Common: Filters and displays only the conditions that apply to both mailboxes and sites.
  • Exchange mailboxes: Filters and displays only the conditions that apply to mailboxes.
  • SharePoint and OneDrive sites: Filters and displays only the conditions that apply to SharePoint and OneDrive sites.

Condition picker

To quickly search for a specific condition, use the Tell us what you're looking for field to enter the name of the condition. The results are automatically scoped to the filter for global groups. For example, to search for any condition named Type (or one that contains the term type in the condition name), select All as the global filter, then enter type in the Tell us what you're looking for field. The condition view returns all conditions in all condition groups that contain the term type. Select the applicable condition to add to your search query.

Condition picker example.

Scenario example

The eDiscovery administrator needs to create a query to find emails sent from User1 to User4 that were sent between September 15, 2024 and October 15, 2024 that contains the keywords compliance and audit. For this example, the administrator creates the following query using the new query builder:

  1. For the first filter, the administrator uses the Keywords condition, the Equal operator, and compliance, audit as the keyword Value.
  2. Next, the administrator selects Add conditions, selects Sender, then selects the Contains any of operator, then selects User1 from the list of users available in the Value details pane. This can include external users.
  3. Next, the administrator selects Add conditions, selects the To filter, then selects the Contains any of operator, then selects User4 from the list of users available in the Value details pane. This can include external users.
  4. To define the date range, the administrator selects Add conditions, selects Date, then selects the Between operator, and then selects the starting and ending dates for the Value.
  5. Finally, the administrator selects Run query to return applicable results.

Condition builder example.

Using search conditions

You can add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search.

Special characters

Some special characters aren't included in the search index and therefore aren't searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.

+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }

Conditions for common properties

Create a condition using common properties when searching mailboxes and sites in the same search. The following table lists the available properties to use when adding a condition.

Condition Description
Content kind Applied to both Exchange and SharePoint items, it refers to the type or category of the content.

For example, ContentKind:SharePointDocument, ContentKind:Copilot, etc.
Content source application Identifies the application or service where the content originated.

For example, ContentSourceApplication:OneDriveForBusiness, ContentSourceApplication:SharePoint, etc.
Date For email, the date a message was created or imported from a PST file. For documents, the date a document was last modified.

If you're searching for email messages for a specific time period, you should use the message Received and Sent conditions if you're unsure if the email messages may have been imported instead of natively created in Exchange.
Identifier For email, the ID for a specific message. Message IDs are included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual message.

For Microsoft Teams messages, the ID of the chat or reaction. The ChatThreadID is included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you build a specific search for an individual chat or reaction.
Sender/Author For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator.
(See Recipient Expansion)
Size (in bytes) For both email and documents, the size of the item (in bytes).
Subject/Title For email, the text in the subject line of a message. For documents, the title of the document. The Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title values, separated by commas. Two or more values are logically connected by the OR operator.

Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query will return an error.

Retention label For both email and documents, retention labels applied to messages and documents. Retention labels can be used to declare records and help you manage the data lifecycle of content by enforcing retention and deletion rules specified by the label. For more information about retention labels, see Learn about retention policies and retention labels.
Sensitive information type (SIT) For both email and documents, sensitive information types included in messages and documents. SITs are pattern-based classifiers and they detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items. For more information about SITs, see Learn about sensitive information types.
Sensitivity label For both email and documents, sensitivity labels applied to messages and documents. Sensitivity labels let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. For more information about sensitivity labels, see Learn about sensitivity labels.

Conditions for mail properties

Create a condition using mail properties when searching mailboxes or public folders in Exchange Online. The following table lists the email properties that you can use for a condition. These properties are a subset of the email properties that were previously described. These descriptions are repeated for your convenience.

Condition Description
Message kind The message type to search. This is the same property as the Kind email property. Possible values:
  • contacts
  • docs
  • email
  • externaldata
  • fax
  • im
  • journals
  • meetings
  • microsoftteams
  • notes
  • posts
  • rssfeeds
  • tasks
  • voicemail
Participants All the people fields in an email message. These fields are From, To, Cc, and Bcc. (See Recipient Expansion)
Received The date that an email message was received by a recipient. This is the same property as the Received email property.
Recipients All recipient fields in an email message. These fields are To, Cc, and Bcc. (See Recipient Expansion)
Sender The sender of an email message.
Sent The date that an email message was sent by the sender. This is the same property as the Sent email property.
Subject The text in the subject line of an email message.

Note: Don't include double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotations are added to the condition value, and the search query will return an error.

To The recipient of an email message in the To field.
Topic Summary of the main subject or theme discussed in an email thread or conversation.
Type The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. So to select multiple message classes, hold the CTRL key and then select two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list are logically connected by the OR operator in the corresponding search query.

For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the Message class list, see Item Types and Message Classes.

Conditions for document properties

Create a condition using document properties when searching for documents on SharePoint and OneDrive sites. The following table lists the document properties that you can use for a condition. These properties are a subset of the site properties that were previously described. These descriptions are repeated for your convenience.

Condition Description
Author The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and the emails it to someone else who then uploads it to SharePoint, the document will still retain the original author.
Created The date that a document is created.
File type The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property.

Note: If you include a File type condition using the Equals or Equals any of operator in a search query, you can't use a prefix search (by including the wildcard character ( * ) at the end of the file type) to return all versions of a file type. If you do, the wildcard is ignored. For example if you include the condition Equals any of doc*, only files with an extension of .doc is returned. Files with an extension of .docx isn't returned. To return all versions of a file type, used the property:value pair in a keyword query; for example, filetype:doc*.

Last modified The date that a document was last changed.
Path The URL or location of a file or folder within a SharePoint site.
Title The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document.

Operators used with conditions

When you add a condition, you can select an operator that is relevant to type of property for the condition. The following table describes the operators that are used with conditions and lists the equivalent that is used in the search query.

Operator Query equivalent Description
After property>date Used with date conditions. Returns items that were sent, received, or modified after the specified date.
Before property<date Used with date conditions. Returns items that were sent, received, or modified before the specified date.
Between date..date Use with date and size conditions. When used with a date condition, returns items there were sent, received, or modified within the specified date range. When used with a size condition, returns items whose size is within the specified range.
Contains any of (property:value) OR (property:value) Used with conditions for properties that specify a string value. Returns items that contain any part of one or more specified string values.
Doesn't contain any of -property:value

NOT property:value

Used with conditions for properties that specify a string value. Returns items that don't contain any part of the specified string value.
Doesn't equal any of -property=value

NOT property=value

Used with conditions for properties that specify a string value. Returns items that don't contain the specific string.
Equals size=value Returns items that are equal to the specified size.1
Equals any of (property=value) OR (property=value) Used with conditions for properties that specify a string value. Returns items that are a match of one or more specified string values.
Greater size>value Returns items where the specified property is greater than the specified value.1
Greater or equal size>=value Returns items where the specified property is greater than or equal to the specified value.1
Less size<value Returns items that are greater than or equal to the specific value.1
Less or equal size<=value Returns items that are greater than or equal to the specific value.1
Not equal size<>value Returns items that don't equal the specified size.1

Note

1 This operator is available only for conditions that use the Size property.