Condition Card builder or KQL query sample for eDiscovery?

EnterpriseArchitect 5,406 Reputation points
2023-03-28T14:32:26.24+00:00

Folks,

I need some help in building the KQL query or the Condition Card builder for the below:

All Emails From user1@domain.com to *@competitors.org From 1st February 2023 to 28th February 2023

How to achieve that for the https://compliance.microsoft.com/classicediscovery/v1 because the below wizard showing error:

User's image

Microsoft Exchange Online
Exchange Server
Exchange Server
A family of Microsoft client/server messaging and collaboration software.
1,330 questions
Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,217 questions
Microsoft Exchange Online Management
Microsoft Exchange Online Management
Microsoft Exchange Online: A Microsoft email and calendaring hosted service.Management: The act or process of organizing, handling, directing or controlling something.
4,564 questions
Microsoft Exchange
Microsoft Exchange
Microsoft messaging and collaboration software.
558 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bryce Donald 0 Reputation points
    2023-03-28T14:49:27.9066667+00:00

    Hi,

    To build a KQL query or Condition Card builder for the specified criteria, you can try the following steps:

    1. Open the Microsoft 365 Compliance Center and navigate to the "Content search" page.
    2. Click on "Create a new search" and select "Specific locations" option.
    3. Select the mailbox of user1@domain.com as the source location.
    4. Select the "Advanced" option under the "Conditions" section.
    5. Enter the following KQL query in the search box: "from:user1@domain.com AND to:*@competitors.org AND received:02/01/2023..02/28/2023".
    6. Click "Save" to create the search and run it.

    Alternatively, you can also use the Condition Card builder to build the same search by following these steps:

    1. Click on "Create a new search" in the "Content search" page.
    2. Select "Specific locations" and choose the mailbox of user1@domain.com.
    3. Under "Conditions", select "Add condition" and choose "Sent".
    4. Choose "Between" and select the date range from 1st February 2023 to 28th February 2023.
    5. Add another condition and choose "Sender".
    6. Enter "user1@domain.com" as the sender email address.
    7. Add one more condition and choose "Recipient".
    8. Enter "*.competitors.org" as the recipient email address.
    9. Click "Save" to create the search and run it.

    These steps should help you build the KQL query or Condition Card builder to search for all emails from user1@domain.com to *@competitors.org between 1st February 2023 to 28th February 2023 in the Microsoft 365 Compliance Center.

    Regards,

    Bryce

  2. Jame Xu-MSFT 4,176 Reputation points
    2023-03-29T09:56:57.03+00:00

    Hi @EnterpriseArchitect ,

    KQL queries don't support prefix matching with the wildcard * as prefix, so you can't use the wildcard operator before a phrase in free-text queries. However, you can use the wildcard operator after a phrase. You could refer to: https://video2.skills-academy.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference

    User's image

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  3. ShaikMaheer-MSFT 38,451 Reputation points Microsoft Employee
    2023-03-29T10:14:35.2766667+00:00

    Hi EnterpriseArchitect,

    Thank you for posting query in Microsoft Q&A Platform.

    Kindly check if Recipients field has Ends with option and yes, then use values as @competitors.org

    Or if we can write our own KQL query, then kindly check similar to below if you can write your query.

    OfficeMessageTrace
| where SenderAddress == "user1@domain.com"
| where RecipientAddress endswith "@competitors.org"
| where TimeGenerated >= datetime(2023-02-01) and TimeGenerated <= datetime(2023-02-28)

    Hope this helps. Please let me know how it goes.

    Please consider hitting Accept Answer button. Accepted answers help community as well.

    0 comments
  4. Felipe Prates 0 Reputation points
    2023-09-11T16:15:24.0266667+00:00

    By this time you have probably figured it out yourself, but I had a similar issue and solved it without using wildcards. While use the KQL editor, try something like (Date=2023-02-01...2023-02-28)(From=user1@domain.com)(To:competitors.org). The colon after To means "contains", so it kind of works as a wildcard.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.