The condition builder provides an easy-to-use search experience when you build search queries in eDiscovery (preview). Use the condition builder in search and review sets to construct simple and complex keyword queries, queries with operators (AND, OR), or both to help identify items in your organization.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
To create a query and custom conditional filtering for your search, use the following controls:
Keep the following in mind when using search conditions.
(c:c) indicates conditions that are added to the query. (c:c) shouldn't be used in manually entered queries and isn't equal to AND or OR.
(c:c) notation. KQL adds the logical operators (according to the previously explained rules) when executing the query.
(filetype=docx) OR (filetype=pptx) OR (filetype=xlsx). The following illustration shows an example of a condition with multiple values.
When you select Add conditions in the condition builder, the Choose which conditions to add flyout pane is displayed to help you refine your search query with specific conditions. Use options in the following sections to help you choose applicable conditions:
Quickly filter the condition view for mailboxes and site properties to help locate a specific condition for your search query. Filter available conditions in the following global groups:
To quickly search for a specific condition, use the Tell us what you're looking for field to enter the name of the condition. The results are automatically scoped to the filter for global groups. For example, to search for any condition named Type (or one that contains the term type in the condition name), select All as the global filter, then enter type in the Tell us what you're looking for field. The condition view returns all conditions in all condition groups that contain the term type. Select the applicable condition to add to your search query.
The eDiscovery administrator needs to create a query to find emails sent from User1 to User4 between September 15, 2024 and October 15, 2024 that contain the keywords compliance and audit. For this example, the administrator creates the following query using the new query builder:
You can add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search.
Some special characters aren't included in the search index and therefore aren't searchable. This also includes the special characters that represent search operators in the search query. Here's a list of special characters that are either replaced by a blank space in the actual search query or cause a search error.
+ - = : ! @ # % ^ & ; _ / ? ( ) [ ] { }
Create a condition using common properties when searching mailboxes and sites in the same search. The following table lists the available properties to use when adding a condition.
Condition | Description |
---|---|
Content kind | Applied to both Exchange and SharePoint items, it refers to the type or category of the content. For example, ContentKind:SharePointDocument, ContentKind:Copilot, etc. |
Content source application | Identifies the application or service where the content originated. For example, ContentSourceApplication:OneDriveForBusiness, ContentSourceApplication:SharePoint, etc. |
Date | For email, the date a message was created or imported from a PST file. For documents, the date a document was last modified. If you're searching for email messages for a specific time period, you should use the message Received and Sent conditions if you're unsure if the email messages may have been imported instead of natively created in Exchange. |
Identifier | For email, the ID for a specific message. Message IDs are included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allow you to build a specific search for an individual message. For Microsoft Teams messages, the ID of the chat or reaction. The ChatThreadID is included in the audit record, data loss prevention (DLP) alerts, or review set metadata and allows you to build a specific search for an individual chat or reaction. |
Sender/Author | For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator. (See Recipient Expansion) |
Size (in bytes) | For both email and documents, the size of the item (in bytes). |
Subject/Title | For email, the text in the subject line of a message. For documents, the title of the document. The Title property is metadata specified in Microsoft Office documents. You can type more than one subject/title value, separated by commas. Two or more values are logically connected by the OR operator. Note: Don't add double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotation marks are added to the condition value, and the search query will return an error. |
Retention label | For both email and documents, retention labels applied to messages and documents. Retention labels can be used to declare records and help you manage the data lifecycle of content by enforcing retention and deletion rules specified by the label. For more information about retention labels, see Learn about retention policies and retention labels. |
Sensitive information type (SIT) | For both email and documents, sensitive information types included in messages and documents. SITs are pattern-based classifiers and they detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items. For more information about SITs, see Learn about sensitive information types. |
Sensitivity label | For both email and documents, sensitivity labels applied to messages and documents. Sensitivity labels let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. For more information about sensitivity labels, see Learn about sensitivity labels. |
Create a condition using mail properties when searching mailboxes or public folders in Exchange Online. The following table lists the email properties that you can use for a condition. These properties are a subset of the email properties that were previously described. These descriptions are repeated for your convenience.
Condition | Description |
---|---|
Message kind | The message type to search. This is the same property as the Kind email property. Possible values: |
Participants | All the people fields in an email message. These fields are From, To, Cc, and Bcc. (See Recipient Expansion) |
Received | The date that an email message was received by a recipient. This is the same property as the Received email property. |
Recipients | All recipient fields in an email message. These fields are To, Cc, and Bcc. (See Recipient Expansion) |
Sender | The sender of an email message. |
Sent | The date that an email message was sent by the sender. This is the same property as the Sent email property. |
Subject | The text in the subject line of an email message. Note: Don't add double quotation marks to the values for this condition because quotation marks are automatically added when using this search condition. If you add quotation marks to the value, two pairs of double quotation marks are added to the condition value, and the search query will return an error. |
To | The recipient of an email message in the To field. |
Topic | Summary of the main subject or theme discussed in an email thread or conversation. |
Type | The message class property for an email item. This is the same property as the ItemClass email property. It's also a multi-value condition. To select multiple message classes, hold the CTRL key and then select two or more message classes in the drop-down list that you want to add to the condition. Each message class that you select in the list is logically connected by the OR operator in the corresponding search query. For a list of the message classes (and their corresponding message class ID) that are used by Exchange and that you can select in the Message class list, see Item Types and Message Classes. |
Create a condition using document properties when searching for documents on SharePoint and OneDrive sites. The following table lists the document properties that you can use for a condition. These properties are a subset of the site properties that were previously described. These descriptions are repeated for your convenience.
Condition | Description |
---|---|
Author | The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and then emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. |
Created | The date that a document is created. |
File type | The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property. Note: If you include a File type condition using the Equals or Equals any of operator in a search query, you can't use a prefix search (by including the wildcard character ( * ) at the end of the file type) to return all versions of a file type. If you do, the wildcard is ignored. For example if you include the condition |
Last modified | The date that a document was last changed. |
Path | The URL or location of a file or folder within a SharePoint site. |
Title | The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document. |
When you add a condition, you can select an operator that is relevant to the type of property for the condition. The following table describes the operators that are used with conditions and lists the equivalent that is used in the search query.
Operator | Query equivalent | Description |
---|---|---|
After | property>date | Used with date conditions. Returns items that were sent, received, or modified after the specified date. |
Before | property<date | Used with date conditions. Returns items that were sent, received, or modified before the specified date. |
Between | date..date | Used with date and size conditions. When used with a date condition, returns items that were sent, received, or modified within the specified date range. When used with a size condition, returns items whose size is within the specified range. |
Contains any of | (property:value) OR (property:value) | Used with conditions for properties that specify a string value. Returns items that contain any part of one or more specified string values. |
Doesn't contain any of | -property:value | Used with conditions for properties that specify a string value. Returns items that don't contain any part of the specified string value. |
Doesn't equal any of | -property=value | Used with conditions for properties that specify a string value. Returns items that don't contain the specific string. |
Equals | size=value | Returns items that are equal to the specified size.<sup>1</sup> |
Equals any of | (property=value) OR (property=value) | Used with conditions for properties that specify a string value. Returns items that are a match of one or more specified string values. |
Greater | size>value | Returns items where the specified property is greater than the specified value.<sup>1</sup> |
Greater or equal | size>=value | Returns items where the specified property is greater than or equal to the specified value.<sup>1</sup> |
Less | size<value | Returns items where the specified property is less than the specified value.<sup>1</sup> |
Less or equal | size<=value | Returns items where the specified property is less than or equal to the specified value.<sup>1</sup> |
Not equal | size<>value | Returns items that don't equal the specified size.<sup>1</sup> |
Note
<sup>1</sup> This operator is available only for conditions that use the Size property.
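The operator table and the User1-to-User4 scenario above, rendered as an explicit KQL string that can be typed manually (so without the (c:c) notation). This is an added Python example, not Microsoft's code or the condition builder's own output. The helper names, the contoso.com addresses, the from/to/sent property names, the ISO date format, and joining keywords and distinct conditions with AND are assumptions.

```python
# Added example (not Microsoft's code): condition rows -> explicit KQL string.
UNSEARCHABLE = set("+-=:!@#%^&;_/?()[]{}")  # special characters listed above
# Operator -> query equivalent, from the operator table (negated forms omitted).
TEMPLATES = {
    "After": "{p}>{v}", "Before": "{p}<{v}",
    "Contains any of": "{p}:{v}", "Equals any of": "{p}={v}",
    "Equals": "{p}={v}", "Not equal": "{p}<>{v}",
    "Greater": "{p}>{v}", "Greater or equal": "{p}>={v}",
    "Less": "{p}<{v}", "Less or equal": "{p}<={v}",
}

def quote(value):
    """Quote multi-word values; reject pre-quoted ones (doubled quotes error out)."""
    if '"' in value:
        raise ValueError(f"remove the double quotes from {value!r}")
    return f'"{value}"' if " " in value else value

def clause(prop, op, values):
    """Render one condition; several values on one condition are OR-ed."""
    if op == "Between":  # date..date or size..size
        low, high = values
        return f"({prop}:{low}..{high})"
    if prop == "filetype" and op.startswith("Equals") and any(v.endswith("*") for v in values):
        raise ValueError("wildcard is ignored with Equals on File type")
    parts = [f"({TEMPLATES[op].format(p=prop, v=quote(v))})" for v in values]
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"

def unsearchable_in(keywords):
    """Listed special characters found in free-text keywords."""
    return sorted({ch for word in keywords for ch in word if ch in UNSEARCHABLE})

def build_query(keywords, conditions):
    """AND the keywords with every condition (assumed joining rule)."""
    bad = unsearchable_in(keywords)
    if bad:
        raise ValueError(f"keywords contain unsearchable characters: {bad}")
    clauses = [clause(*c) for c in conditions]
    if keywords:
        clauses.insert(0, "(" + " AND ".join(quote(k) for k in keywords) + ")")
    return " AND ".join(clauses)

# Constructed input for the scenario: placeholder addresses, ISO dates assumed.
SCENARIO = build_query(
    ["compliance", "audit"],
    [("from", "Contains any of", ["user1@contoso.com"]),
     ("to", "Contains any of", ["user4@contoso.com"]),
     ("sent", "Between", ["2024-09-15", "2024-10-15"])],
)
print(SCENARIO)
```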