Forum Discussion
Kit_6872
Apr 24, 2023 Copper Contributor
KQL query in exchange help
Hello. I'm struggling to build out a query and am getting lost. I have never used KQL and am hoping someone may be able to help me figure out how to write queries for the following 2 scenarios in e...
Chuck33
May 08, 2023 Copper Contributor
Did you ever resolve this?
I am in the process of doing something similar and the results of my searches are not making sense. In the first search I attempt to get everything, the 2nd is just privileged stuff, and the 3rd only non-privileged. The logic being that if S1 is the same size as S2+S3, I have good results. This does not seem to work out, ever.
Here was my post; I did not see yours until after I made it: eDiscovery KQL assistance
- Kit_6872
May 08, 2023 Copper Contributor
Hi. Yes, I was able to get a colleague to help me make a few minor tweaks to my query. I updated the list of keywords to exclude (and it was important that I used "NOT" instead of "-" for the exclusion operator). The query below returned results with the limitations I was seeking:
NOT (petunia OR "ACME Operations Manager" OR "manager - 12345" OR "other text") AND ((sent>2022-02-01 AND sent<2022-04-30) OR (received>2022-02-01 AND received<2022-04-30)) AND ((From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons) OR (From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons)) AND ((From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons) OR (From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons))