Forum Discussion
AO_FEAM
Feb 01, 2024, Copper Contributor
E-Discovery Search assistance
Hi All,
Legal is requesting I compile a PST file with all emails that were sent or received from 4 different external email addresses. I log into Microsoft 365 compliance and create an e-Discovery content search limiting the scope to just 8 Exchange mailboxes in my organization. I then use the participants field where I enter the 4 email addresses we are interested in (these are email addresses outside of my organization). When I review the exported results, I find all kinds of emails that do not have the specific addresses I am looking for (not in to, from, or cc fields). Some of the results do contain the addresses I want, but not all. Any tips or hints on how I can get better results from my search?
- Are you including unindexed items in the export? Another thing that comes to mind is to ensure multiple OR clauses are combined (via brackets), as otherwise you end up with a much broader search than expected.
- AO_FEAM (Copper Contributor): I appreciate the response.
I was using the query builder to put together my search. I removed the keyword search box and left Participants as the only condition. Under participants I used the statement "Equals any of" and entered the addresses I am looking for in the search box. When I convert to the KQL editor, the search looks like this:
(c:c)(participants=email address removed for privacy reasons)(participants=email address removed for privacy reasons)(participants=email address removed for privacy reasons)(participants=email address removed for privacy reasons)
Is there a way to better format this in the KQL editor?
I did not include items that weren't indexed. I am going to re-run the export with these items included.