Jeremy Weisinger
asked on
How to structure a query for Office 365 eDiscovery to find all emails sent eternally
Office 365 Security and Compliance.
I would like to structure a content search query so that it will return any email sent externally. I'm struggling with finding the syntax for it.
Example of the results I'm looking for.
Internal domain: dom.com
Should match: Recipients - joe@ext.com
Should match: Recipients - joe@ext.com, jane@test.com
Should match: Recipients - joe@ext.com, jack@dom.com, jill@dom.com
Should not match: Recipients - jack@dom.com, jill@dom.com
Should not match: Recipients - jack@dom.com
I would like to structure a content search query so that it will return any email sent externally. I'm struggling with finding the syntax for it.
Example of the results I'm looking for.
Internal domain: dom.com
Should match: Recipients - joe@ext.com
Should match: Recipients - joe@ext.com, jane@test.com
Should match: Recipients - joe@ext.com, jack@dom.com, jill@dom.com
Should not match: Recipients - jack@dom.com, jill@dom.com
Should not match: Recipients - jack@dom.com
ASKER
I have read through that a bit but I suppose I could go deeper on it.
However, my query is more complex than your suggestion allows.
I need to include any email that is sent to ANY external domain, even if internal domain users are included in the recipients. But I do not want to return any emails only sent to internal users.
Do you know the syntax that meets this requirement?
However, my query is more complex than your suggestion allows.
I need to include any email that is sent to ANY external domain, even if internal domain users are included in the recipients. But I do not want to return any emails only sent to internal users.
Do you know the syntax that meets this requirement?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I was afraid that might be the case.
I am testing this query:
The odd thing is that seems to work but my understanding of the logic says that it shouldn't. I would think that it wouldn't return any results since someone in the domain would be a sender or recipient. But I do get results and the preview shows emails and they seem to match up. It didn't return any emails that were just internal. I need to test further to make sure it returns emails that are sent to internal and external recipients. Thoughts?
I'll post back with my test results.
I am testing this query:
(c:c)(-participants:dom.com)(kind=email)The odd thing is that seems to work but my understanding of the logic says that it shouldn't. I would think that it wouldn't return any results since someone in the domain would be a sender or recipient. But I do get results and the preview shows emails and they seem to match up. It didn't return any emails that were just internal. I need to test further to make sure it returns emails that are sent to internal and external recipients. Thoughts?
I'll post back with my test results.
Participants should include both sender and recipients, so I'm not sure that will work.
ASKER
After messing around and talking with Microsoft, I don't believe it is possible to do what I want natively.
Thanks for your help!
Jeremy
Thanks for your help!
Jeremy
Recipients:jane@test.com
If you do not want to include internal recipients only, simply do not add them to the query.
The Recipients keyword searches the To, CC, and BCC fields.
You can refer to this document for keyword search information.