KQL query in exchange help


Hello.  I'm struggling to build out a query and am getting lost.  I have never used KQL and am hoping someone may be able to help me figure out how to write queries for the following 2 scenarios in eDiscovery search.  I've tried building out the query for the first search since it seems to me that it would be the less complex of the two, but keep getting failures.  I appreciate any assistance!

Search 1:

Exchange content timeframe: 1/1/2019-3/31/2019

Custodian:  Bugs Bunny (source of exchange content)

Exclude exchange content between Bugs Bunny and Daffy Duck, but include all other content between Bugs Bunny and other parties; and exclude exchange content (including attachments) pertaining to ACME Operations Manager or Petunia Pig

Search 2:

Exchange content timeframe: 1/1/2019-3/31/2019

Custodian:  Elmer Fudd (source of exchange content)

Exclude exchange content between Bugs Bunny and Daffy Duck, but include all other content between Bugs Bunny and other parties; and exclude exchange content (including attachments) pertaining to ACME Operations Manager or Petunia Pig
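Both searches above, written out as one worked eDiscovery KQL query. This is an added example, not the original poster's query; the two mailbox addresses are placeholders, and the custodian is applied by adding that person's mailbox as the search location rather than inside the query text, so the same query serves Search 1 (Bugs Bunny's mailbox) and Search 2 (Elmer Fudd's mailbox):

```kql
((sent>=2019-01-01 AND sent<=2019-03-31) OR (received>=2019-01-01 AND received<=2019-03-31))
AND NOT (
  (from:bugs.bunny@example.com AND recipients:daffy.duck@example.com)
  OR (from:daffy.duck@example.com AND recipients:bugs.bunny@example.com)
)
AND NOT ("ACME Operations Manager" OR "Petunia Pig")
```

The keyword box takes a single line, so join the lines before pasting. `recipients:` matches To, Cc and Bcc, so a Bugs-to-Daffy message is dropped whichever header Daffy is on; if you only want direct To recipients, use `to:` instead. The quoted phrases are matched against subject, body and the indexed text of attachments, which is what excludes messages whose attachments mention the manager or Petunia Pig. A quick sanity check: run each `NOT (...)` clause as a positive search on its own and confirm that the excluded counts plus this query's count add up to the unrestricted count for the same date range.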

2 Replies

Did you ever resolve this?

I am in the process of doing something similar and the results of my searches are not making sense. The first search I attempt to get everything, then the 2nd is just privileged stuff and a 3rd only non privileged. The logic being if S1 is the same size as S2+S3 I have good results. This does not seem to work out, ever.

Here was my post; I did not see yours until after I made it: eDiscovery KQL assistance

Hi. Yes, I was able to get a colleague to help me make a few minor tweaks to my query. I updated the list of keywords to exclude (and it was important that I used "NOT" instead of "-" for the exclusion operator). The query below returned results with the limitations I was seeking:

NOT (petunia OR "ACME Operations Manager" OR "manager - 12345" OR "other text")
AND ((sent>2022-02-01 AND sent<2022-04-30) OR (received>2022-02-01 AND received<2022-04-30))
AND ((From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons) OR (From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons))
AND ((From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons) OR (From<>email address removed for privacy reasons AND To<>email address removed for privacy reasons))