Design a compliance content search in O365 to ONLY return a specific person and a specific domain

dragonspeed

1/11/24, 11:07 PM

I am attempting to do a content search through Exchange on O365 to return mail between [email protected] and anyone at outsidedomain.com

I thought that this should work in the KQL:

(ParticipantDomains:outsidedomain.com) AND ((Sender:[email protected]) OR (Recipients:[email protected]))

However, this seems to include all mail to/from [email protected]

No matter who it is sent from/to
Also if [email protected] is in a group to whom it was sent.

What do I need to put, to only find direct email conversations between [email protected] and anyone at outsidedomain.com?

Thanks

1062

2 + 0

microsoft-office-365

exchangeonline

office365

compliance

Score:1

Server

dragonspeed

1/12/24, 11:39 PM

Another suggested answer, from outside this site was the following:

(([email protected]) AND (Participants=outsidedomain.com) OR 
([email protected]) AND (Participants=outsidedomain.com))

This appears to result in the data I was looking for.

+ 1

Yuki Sun

1/13/24, 1:14 AM

Great to see that you've got the answer that works for your situation : ) Thanks for the share!

Score:0

Server

Yuki Sun

1/12/24, 6:07 AM

Also if [email protected] is in a group to whom it was sent.

To the best of my knowledge, it's not feasible to exclude this kind of mails from the results. A thought is to export the search result report file (.csv), open it in Excel to filter out mails sent to groups.

However, this seems to include all mail to/from [email protected]

No matter who it is sent from/to

Although "participantdomains" looks like the most suitable property for your requirement, I cannot find any introduction about it in this official document. Also based on my test, I can reproduce that all mails would be included in the result when using "ParticipantDomains:outsidedomain.com".

Given this situation, I'd suggest using Partifipants:"outsidedomain.com" instead. You can choose to search within the [email protected]'s Exchange mailbox only so that no other conditions need to be included in the query.

+ 1

dragonspeed

1/12/24, 3:19 PM

Thanks. It's frustrating that the participantsdomain LOOKS good but isn't. I can't just search in the user's mailbox because they are gone and the mail exists in this strange "hold state" without a mailbox from what I can gather. Will have a look again, this morning.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Design a compliance content search in O365 to ONLY return a specific person and a specific domain

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.