Keyword queries and search conditions for Content Search

This topic describes the email and document properties that you can search for in email items in Exchange Online and documents stored on SharePoint and OneDrive for Business sites by using the Content Search feature in the Office 365 Security & Compliance Center. The topic also describes:

  • Using Boolean search operators, search conditions, and other search query techniques to refine your search results.

  • Searching for sensitive data types in SharePoint and OneDrive for Business.

  • Searching for site content that's shared with users outside of your organization.

For step-by-step instructions on how to create a Content Search, see Run a Content Search in the Office 365 Security & Compliance Center.

Content Search in the Security & Compliance Center uses the Keyword Query Language (KQL). For more detailed information, see Keyword Query Language syntax reference.

Contents

Searchable email properties

Searchable site properties

Searchable contact properties

Searchable sensitive data types

Searching for site content shared with external users

Search operators

Search conditions

Search tips and tricks

Searchable email properties

The following table lists email message properties that can be searched by using the Content Search feature in the Security & Compliance Center or by using the New-ComplianceSearch or the Set-ComplianceSearch cmdlet. The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples. You can type these property:value pairs in the keywords box for a Content Search.

| Property | Property description | Examples | Search results returned by the examples |
|---|---|---|---|
| AttachmentNames | The names of files attached to an email message. | `attachmentnames:annualreport.ppt`, `attachmentnames:annual*` | Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment. |
| Bcc | The BCC field of an email message. [1] | `bcc:pilarp@contoso.com`, `bcc:pilarp`, `bcc:"Pilar Pinilla"` | All examples return messages with Pilar Pinilla included in the Bcc field. |
| Category | The categories to search. Categories can be defined by users by using Outlook or Outlook Web App. The possible values are: blue, green, orange, purple, red, yellow. | `category:"Red Category"` | Messages that have been assigned the red category in the source mailboxes. |
| Cc | The CC field of an email message. [1] | `cc:pilarp@contoso.com`, `cc:"Pilar Pinilla"` | In both examples, messages with Pilar Pinilla specified in the CC field. |
| From | The sender of an email message. [1] | `from:pilarp@contoso.com`, `from:contoso.com` | Messages sent by the specified user or sent from a specified domain. |
| HasAttachment | Indicates whether or not a message has an attachment. Use the values true or false. | `from:pilar@contoso.com AND hasattachment:true` | Messages sent by the specified user that have attachments. |
| Importance | The importance of an email message, which a sender can specify when sending a message. By default, messages are sent with normal importance, unless the sender sets the importance as high or low. | `importance:high`, `importance:medium`, `importance:low` | Messages that are marked as high importance, medium importance, or low importance. |
| IsRead | Indicates whether or not messages have been read. Use the values true or false. | `isread:true`, `isread:false` | The first example returns messages with the IsRead property set to True. The second example returns messages with the IsRead property set to False. |
| ItemClass | Use this property to search specific third-party data types that your organization imported to Office 365. Use the following syntax for this property: itemclass:ipm.externaldata.<third-party data type>* | `itemclass:ipm.externaldata.Facebook* AND subject:"contoso"`, `itemclass:ipm.externaldata.Twitter* AND from:"Ann Beebe" AND "Northwind Traders"` | The first example returns Facebook items that contain the word "contoso" in the Subject property. The second example returns Twitter items that were posted by Ann Beebe and that contain the keyword phrase "Northwind Traders". For a complete list of values to use for third-party data types for the ItemClass property, see Use Content Search to search third-party data that was imported to Office 365. |
| Kind | The message type to search. Possible values: contacts, docs, email, externaldata, faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail. | `kind:email`, `kind:email OR kind:im OR kind:voicemail`, `kind:externaldata` | The first example returns email messages that meet the search criteria. The second example returns email messages, instant messaging conversations, and voice messages that meet the search criteria. The third example returns items that were imported to mailboxes in Office 365 from third-party data sources, such as Twitter, Facebook, and Cisco Jabber, that meet the search criteria. For more information, see Archiving third-party data in Office 365. |
| Participants | All the people fields in an email message; these fields are From, To, CC, and BCC. [1] | `participants:garthf@contoso.com`, `participants:contoso.com` | Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain. |
| Received | The date that an email message was received by a recipient. | `received:04/15/2016`, `received>=01/01/2016 AND received<=03/31/2016` | Messages that were received on April 15, 2016. The second example returns all messages received between January 1, 2016 and March 31, 2016. |
| Recipients | All recipient fields in an email message; these fields are To, CC, and BCC. [1] | `recipients:garthf@contoso.com`, `recipients:contoso.com` | Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain. |
| Sent | The date that an email message was sent by the sender. | `sent:07/01/2016`, `sent>=06/01/2016 AND sent<=07/01/2016` | Messages that were sent on the specified date or sent within the specified date range. |
| Size | The size of an item, in bytes. | `size>26214400`, `size:1..1048567` | Messages larger than 25 MB. The second example returns messages from 1 through 1,048,567 bytes (1 MB) in size. |
| Subject | The text in the subject line of an email message. | `subject:"Quarterly Financials"`, `subject:northwind` | Messages that contain the exact phrase "Quarterly Financials" anywhere in the text of the subject line. The second example returns all messages that contain the word northwind in the subject line. |
| To | The To field of an email message. [1] | `to:annb@contoso.com`, `to:annb`, `to:"Ann Beebe"` | All examples return messages where Ann Beebe is specified in the To: line. |

Note: [1] For the value of a recipient property, you can use the SMTP address, display name, or alias to specify a user. For example, you can use annb@contoso.com, annb, or "Ann Beebe" to specify the user Ann Beebe.

Searchable site properties

The following table lists some of the SharePoint and OneDrive for Business properties that can be searched by using the Content Search feature in the Security & Compliance Center or by using the New-ComplianceSearch or the Set-ComplianceSearch cmdlet. The table includes an example of the property:value syntax for each property and a description of the search results returned by the examples.

For a complete list of SharePoint properties that can be searched, see Overview of crawled and managed properties in SharePoint. Properties marked with a Yes in the Queryable column can be searched.

| Property | Property description | Example | Search results returned by the examples |
|---|---|---|---|
| Author | The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and then emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. | `author:"Garth Fort"`, `author:"garthf@contoso.com"` | All documents that are authored by Garth Fort. |
| ContentType | The SharePoint content type of an item, such as Item, Document, or Video. | `contenttype:document` | All documents would be returned. |
| Created | The date that an item is created. | `created>=06/01/2016` | All items created on or after June 1, 2016. |
| CreatedBy | The person that created or uploaded an item. | `createdby:"Garth Fort"`, `createdby:"garthf@contoso.com"` | All items created or uploaded by Garth Fort. |
| DetectedLanguage | The language of an item. | `detectedlanguage:english` | All items in English. |
| FileExtension | The extension of a file. | `fileextension:xlsx` | All Excel files (Excel 2007 and later). |
| FileName | The name of a file. | `filename:"marketing plan"`, `filename:estimate` | The first example returns files with the exact phrase "marketing plan" in the title. The second example returns files with the word "estimate" in the file name. |
| LastModifiedTime | The date that an item was last changed. | `lastmodifiedtime>=05/01/2016`, `lastmodifiedtime>=05/10/2016 AND lastmodifiedtime<=06/1/2016` | The first example returns items that were changed on or after May 1, 2016. The second example returns items changed between May 1, 2016 and June 1, 2016. |
| ModifiedBy | The person who last changed an item. | `modifiedby:"Garth Fort"`, `modifiedby:"garthf@contoso.com"` | All items that were last changed by Garth Fort. |
| Site | The URL of a site or group of sites in your organization. | `site:https://contoso-my.sharepoint.com`, `site:https://contoso.sharepoint.com/sites/teams` | The first example returns items from the OneDrive for Business sites for all users in the organization. The second example returns items from all team sites. |
| Size | The size of an item, in bytes. | `size>=1`, `size:1..10000` | The first example returns items larger than 1 byte. The second example returns items from 1 through 10,000 bytes in size. |
| Title | The title of the document. The Title property is metadata that's specified in Microsoft Office documents. It's different from the file name of the document. | `title:"communication plan"` | Any document that contains the phrase "communication plan" in the Title metadata property of an Office document. |

Searchable contact properties

The following table lists the contact properties that are indexed and that you can search for using Content Search. These are the properties that are available for users to configure for the contacts (also called personal contacts) that are located in the personal address book of a user's mailbox. To search for contacts, you can select the mailboxes to search and then use one or more contact properties in the keyword query.

Tip: To search for values that contain spaces, use double quotation marks (" ") to contain the phrase; for example, businessaddress:"123 Main Street".

| Property | Property description |
|---|---|
| BusinessAddress | The address in the Business Address property. The property is also called the Work address on the contact properties page. |
| BusinessPhone | The phone number in any of the Business Phone number properties. |
| CompanyName | The name in the Company property. |
| Department | The name in the Department property. |
| DisplayName | The display name of the contact. This is the name in the Full Name property of the contact. |
| EmailAddress | The address for any email address property for the contact. Note that users can add multiple email addresses for a contact. Using this property would return contacts that match any of the contact's email addresses. |
| FileAs | The File as property. This property is used to specify how the contact is listed in the user's contact list. For example, a contact could be listed as FirstName,LastName or LastName,FirstName. |
| GivenName | The name in the First Name property. |
| HomeAddress | The address in any of the Home address properties. |
| HomePhone | The phone number in any of the Home phone number properties. |
| IMAddress | The IM address property, which is typically an email address used for instant messaging. |
| MiddleName | The name in the Middle name property. |
| MobilePhone | The phone number in the Mobile phone number property. |
| Nickname | The name in the Nickname property. |
| OfficeLocation | The value in Office or Office location property. |
| OtherAddress | The value for the Other address property. |
| Surname | The name in the Last name property. |
| Title | The title in the Job title property. |

Searchable sensitive data types

You can use the Content Search feature in the Security & Compliance Center to search for sensitive data, such as credit card numbers or social security numbers, that is stored in documents on SharePoint and OneDrive for Business sites. You can do this by using the SensitiveType property in a keyword query. For example, the query SensitiveType:"Credit Card Number" returns documents that contain a credit card number. The query SensitiveType:"U.S. Social Security Number (SSN)" returns documents that contain a U.S. social security number.

For more information about creating queries using the SensitiveType property, see Form a query to find sensitive data stored on sites.

Searching for site content shared with external users

You can also use the Content Search feature in the Security & Compliance Center to search for documents stored on SharePoint and OneDrive for Business sites that have been shared with people outside of your organization. This can help you identify sensitive or proprietary information that's being shared outside your organization. You can do this by using the ViewableByExternalUsers property in a keyword query. This property will return documents (or sites) that have been shared with external users by using one of the following sharing methods:

  • A sharing invitation that requires users to sign in to your organization as an authenticated user.

  • An anonymous guest link, which allows anyone with this link to access the resource without having to be authenticated.

Here are some examples:

  • The query ViewableByExternalUsers:true AND SensitiveType:"Credit Card Number" will return all items that have been shared with people outside your organization and contain a credit card number.

  • The query ViewableByExternalUsers:true AND ContentType:document AND Site:https://contoso.sharepoint.com/Sites/Teams will return a list of documents on all team sites in the organization that have been shared with external users.

Tip: A search query such as ViewableByExternalUsers:true AND ContentType:document may return a lot of .aspx files in the search results. To eliminate these (or other types of files), you can use the FileExtension property to exclude specific file types; for example ViewableByExternalUsers:true AND ContentType:document NOT FileExtension:aspx.

What is considered content that is shared with people outside your organization? Documents in your organization's SharePoint and OneDrive for Business sites that are shared by sending a sharing invitation or that are shared in public locations. For example, the following user activities result in content that is viewable by external users:

  • A user shares a file or folder with a person outside your organization.

  • A user creates and sends a link to a shared file to a person outside your organization. This link allows the external user to view (or edit) the file.

  • A user sends a sharing invitation or a guest link to a person outside your organization to view (or edit) a shared file.

Search operators

Boolean search operators, such as AND, OR, and NOT, help you define more-precise mailbox searches by including or excluding specific words in the search query. Other techniques, such as using property operators (such as >= or ..), quotation marks, parentheses, and wildcards, help you refine a search query. The following table lists the operators that you can use to narrow or broaden search results.

| Operator | Usage | Description |
|---|---|---|
| AND | `keyword1 AND keyword2` | Returns items that include all of the specified keywords or property:value expressions. For example, from:"Ann Beebe" AND subject:northwind would return all messages sent by Ann Beebe that contained the word northwind in the subject line. [2] |
| + | `keyword1 +keyword2 +keyword3` | Returns items that contain either keyword2 or keyword3 and that also contain keyword1. Therefore, this example is equivalent to the query (keyword2 OR keyword3) AND keyword1. Note that the query keyword1 + keyword2 (with a space after the + symbol) isn't the same as using the AND operator. This query would be equivalent to "keyword1 + keyword2" and return items with the exact phrase "keyword1 + keyword2". |
| OR | `keyword1 OR keyword2` | Returns items that include one or more of the specified keywords or property:value expressions. [2] |
| NOT | `keyword1 NOT keyword2`, `NOT from:"Ann Beebe"` | Excludes items specified by a keyword or a property:value expression. For example, NOT from:"Ann Beebe" excludes messages sent by Ann Beebe. [2] |
| - | `keyword1 -keyword2` | The same as the NOT operator. So this query returns items that contain keyword1 and would exclude items that contain keyword2. |
| NEAR | `keyword1 NEAR(n) keyword2` | Returns items with words that are near each other, where n equals the number of words apart. For example, best NEAR(5) worst returns any item where the word "worst" is within five words of "best". If no number is specified, the default distance is eight words. [2] |
| ONEAR | `keyword1 ONEAR(n) keyword2` | Similar to NEAR, but returns items with words that are near each other in the specified order. For example, best ONEAR(5) worst returns any item where the word "best" occurs before the word "worst" and the two words are within five words of each other. If no number is specified, the default distance is eight words. [2] |
| = | `property=value` | Returns items that are an exact match of the specified value. |
| : | `property:value` | The colon (:) in the property:value syntax specifies that the value of the property being searched for contains the specified value. For example, recipients:garthf@contoso.com returns any message sent to garthf@contoso.com. |
| < | `property<value` | Denotes that the property being searched is less than the specified value. [1] |
| > | `property>value` | Denotes that the property being searched is greater than the specified value. [1] |
| <= | `property<=value` | Denotes that the property being searched is less than or equal to a specific value. [1] |
| >= | `property>=value` | Denotes that the property being searched is greater than or equal to a specific value. [1] |
| .. | `property:value1..value2` | Denotes that the property being searched is greater than or equal to value1 and less than or equal to value2. [1] |
| " " | `"fair value"`, `subject:"Quarterly Financials"` | Use double quotation marks (" ") to search for an exact phrase or term in keyword and property:value search queries. |
| * | `cat*`, `subject:set*` | Prefix wildcard searches (where the asterisk is placed at the end of a word) match for zero or more characters in keywords or property:value queries. For example, title:set* returns documents that contain the word set, setup, and setting (and other words that start with "set") in the document title. |
| ( ) | `(fair OR free) AND (from:contoso.com)`, `(IPO OR initial) AND (stock OR shares)`, `(quarterly financials)` | Parentheses group together Boolean phrases, property:value items, and keywords. For example, (quarterly financials) returns items that contain the words quarterly and financials. |

Notes: [1] Use this operator for properties that have date or numeric values.

[2] Boolean search operators must be uppercase; for example, AND. If you use a lowercase operator, such as and, it will be treated as a keyword in the search query.

Search conditions

You can also add conditions to a search query to narrow a search and return a more refined set of results. Each condition adds a clause to the KQL search query that is created and run when you start the search.

Conditions for common properties

Create a condition using common properties when searching mailboxes and sites in the same search. The following table lists the available properties to use when adding a condition.

| Property | Property description |
|---|---|
| Date | For email, the date a message was received by a recipient or sent by the sender. For documents, the date a document was last modified. |
| Size | For both email and documents, the size of the item (in bytes). |
| Sender/Author | For email, the person who sent a message. For documents, the person cited in the author field from Office documents. You can type more than one name, separated by commas. Two or more values are logically connected by the OR operator. |
| Subject/Title | For email, the text in the subject line of a message. For documents, the title of the document. As previously explained, the Title property is metadata specified in Microsoft Office documents. You can type the name of more than one subject/title, separated by commas. Two or more values are logically connected by the OR operator. |

Conditions for mail properties

Create a condition using mail properties when searching mailboxes or public folders. The following table lists the email properties that you can use for a condition. Note that these properties are a subset of the email properties that were previously described; these descriptions are repeated for your convenience.

| Property | Property description |
|---|---|
| Participants | All the people fields in an email message; these fields are From, To, CC, and BCC. |
| Sender | The sender of an email message. |
| Recipient | The person an email message was sent to. This is the same property as the To email property. |
| Subject | The text in the subject line of an email message. |
| Received date | The date that an email message was received by a recipient. This is the same property as the Received email property. |
| Sent date | The date that an email message was sent by the sender. This is the same property as the Sent email property. |
| Message type | The message type to search. This is the same property as the Kind email property. Possible values: contacts, docs, email, faxes, im, journals, meetings, notes, posts, rssfeeds, tasks, voicemail. |

Conditions for document properties

Create a condition using document properties when searching for documents on SharePoint and OneDrive for Business sites. The following table lists the document properties that you can use for a condition. Note that these properties are a subset of the site properties that were previously described; these descriptions are repeated for your convenience.

| Property | Property description |
|---|---|
| Author | The author field from Office documents, which persists if a document is copied. For example, if a user creates a document and then emails it to someone else who then uploads it to SharePoint, the document will still retain the original author. |
| Title | The title of the document. The Title property is metadata that's specified in Office documents. It's different from the file name of the document. |
| Created date | The date that a document is created. |
| Last modified date | The date that a document was last changed. |
| File type | The extension of a file. This is the same property as the FileExtension site property. |

Operators used with conditions

When you add a condition, you can select an operator that is relevant to the type of property for the condition. The following table describes the operators that are used with conditions and lists the equivalent that is used in the search query.

| Operator | Query equivalent | Description |
|---|---|---|
| After | `property>date` | Used with date conditions. Returns items that were sent, received, or modified after the specified date. |
| Before | `property<date` | Used with date conditions. Returns items that were sent, received, or modified before the specified date. |
| Between | `date..date` | Use with date and size conditions. When used with a date condition, returns items that were sent, received, or modified within the specified date range. When used with a size condition, returns items whose size is within the specified range. |
| Contains any of | `(property:value) OR (property:value)` | Used with conditions for properties that specify a string value. Returns items that contain any part of one or more specified string values. |
| Doesn't contain any of | `-property:value`, `NOT property:value` | Used with conditions for properties that specify a string value. Returns items that don't contain any part of the specified string value. |
| Doesn't equal any of | `-property=value`, `NOT property=value` | Used with conditions for properties that specify a string value. Returns items that don't contain the specific string. |
| Equals | `Size=value` | Returns items that are equal to the specified size. [1] |
| Equals any of | `(property=value) OR (property=value)` | Used with conditions for properties that specify a string value. Returns items that are an exact match of one or more specified string values. |
| Greater | `Size>value` | Returns items where the specified property is greater than the specified value. [1] |
| Greater or equal | `Size>=value` | Returns items where the specified property is greater than or equal to the specified value. [1] |
| Less | `Size<value` | Returns items that are less than the specific value. [1] |
| Less or equal | `Size<=value` | Returns items that are less than or equal to the specific value. [1] |
| Not equal | `Size<>value` | Returns items that don't equal the specified size. [1] |

Note: [1] This operator is available only for conditions that use the Size property.

Guidelines for using conditions

Keep the following in mind when using search conditions.

  • A condition is logically connected to the keyword query (specified in the keyword box) by the AND operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.

  • If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the AND operator. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.

  • If you add more than one condition for the same property, those conditions are logically connected by the OR operator. That means items that satisfy the keyword query and any one of the conditions are returned. So, groups of the same conditions are connected to each other by the OR operator and then sets of unique conditions are connected by the AND operator.

  • If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the OR operator. That means items are returned if they contain any of the specified values for the property in the condition.

  • The search query that is created by using the keywords box and conditions is displayed on the Search page, in the details pane for the selected search. In a query, everything to the right of the notation (c:c) indicates conditions that are added to the query.

  • Conditions only add properties to the search query; they don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the (c:c) notation. KQL adds the logical operators (according to the previously explained rules) when executing the query.

  • You can use the drag and drop control to re-sequence the order of conditions. Just click on the control for a condition and move it up or down.

  • As previously explained, some condition properties allow you to type multiple values. Each value is logically connected by the OR operator. This results in the same logic as having multiple instances of the same condition, where each has a single value. The following illustrations show an example of a single condition with multiple values and an example of multiple conditions (for the same property) with a single value. Both examples result in the same query: (filetype="docx") OR (filetype="pptx") OR (filetype="xlsx")

    One condition with multiple values

    Multiple search conditions for the same property

Tip: If a condition accepts multiple values, we recommend that you use a single condition and specify multiple values (separated by commas or semi-colons). This helps ensure the query logic that's applied is what you intend.

Examples of using conditions in search queries

The following examples show the GUI-based version of a search query with conditions, the search query syntax that is displayed in the details pane of the selected search (which is also returned by the Get-ComplianceSearch cmdlet), and the logic of the corresponding KQL query.

Example 1

This example returns documents on SharePoint and OneDrive for Business sites that contain a credit card number and were last modified before January 1, 2016.

GUI

First example of search conditions

Search query syntax

SensitiveType:"Credit Card Number"(c:c)(lastmodifiedtime<2016-01-01)

Search query logic

SensitiveType:"Credit Card Number" AND (lastmodifiedtime<2016-01-01)

Example 2

This example returns email items or documents that contain the keyword "report", that were sent or created before April 1, 2105, and that contain the word "northwind" in the subject field of email messages or in the title property of documents. The query excludes Web pages that meet the other search criteria.

GUI

Second example of search conditions

Search query syntax

report(c:c)(date<2016-04-01)(subjecttitle:"northwind")(-filetype="aspx")

Search query logic

report AND (date<2016-04-01) AND (subjecttitle:"northwind") NOT (filetype="aspx")

Example 3

This example returns email messages or calendar meetings that were sent between 12/1/2016 and 11/30/2016 and that contain words that start with "phone" or "smartphone".

GUI

Third example of search conditions

Search query syntax

phone* OR smartphone*(c:c)(sent=2016-12-01..2016-11-30)(kind="email")(kind="meetings")

Search query logic

phone* OR smartphone* AND (sent=2016-12-01..2016-11-30) AND ((kind="email") OR (kind="meetings"))
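The composition rules from "Guidelines for using conditions", written out as code and checked against Examples 1 to 3 above. This is an added example, not Microsoft's code: Condition, displayed_syntax and query_logic are hypothetical names, and grouping several excluded values of one property under a single NOT is an assumption the page does not spell out.

```python
from typing import NamedTuple


class Condition(NamedTuple):
    prop: str              # e.g. "kind", "date", "filetype"
    op: str                # query equivalent of the GUI operator: ":", "=", "<", ">", ...
    value: str             # already formatted, e.g. '"email"' or "2016-04-01"
    exclude: bool = False  # True for "Doesn't contain any of" / "Doesn't equal any of"

    def clause(self):
        return f"{self.prop}{self.op}{self.value}"


def displayed_syntax(keywords, conditions):
    """Form shown in the details pane: conditions follow (c:c), with no operators."""
    if not conditions:
        return keywords
    shown = "".join(f"({'-' if c.exclude else ''}{c.clause()})" for c in conditions)
    return f"{keywords}(c:c){shown}"


def query_logic(keywords, conditions):
    """Logic that is run: same-property conditions are ORed, the groups are ANDed
    to the keyword query, and excluding conditions are attached with NOT."""
    groups = {}  # (property, exclude) -> clauses, in the order the conditions were added
    for c in conditions:
        groups.setdefault((c.prop, c.exclude), []).append(f"({c.clause()})")
    logic = keywords.strip()
    for (_prop, exclude), clauses in groups.items():
        group = clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"
        if exclude:
            logic = f"{logic} NOT {group}".strip()
        else:
            logic = f"{logic} AND {group}" if logic else group
    return logic


# Keyword queries and conditions taken from Examples 1 to 3 on this page.
EXAMPLE_1 = ('SensitiveType:"Credit Card Number"',
             [Condition("lastmodifiedtime", "<", "2016-01-01")])
EXAMPLE_2 = ("report",
             [Condition("date", "<", "2016-04-01"),
              Condition("subjecttitle", ":", '"northwind"'),
              Condition("filetype", "=", '"aspx"', exclude=True)])
EXAMPLE_3 = ("phone* OR smartphone*",
             [Condition("sent", "=", "2016-12-01..2016-11-30"),
              Condition("kind", "=", '"email"'),
              Condition("kind", "=", '"meetings"')])

if __name__ == "__main__":
    for keywords, conditions in (EXAMPLE_1, EXAMPLE_2, EXAMPLE_3):
        print(displayed_syntax(keywords, conditions))
        print("  ->", query_logic(keywords, conditions))
```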

Search tips and tricks

  • Keyword searches are not case sensitive. For example, cat and CAT return the same results.

  • The Boolean operators AND, OR, NOT, NEAR, and ONEAR must be uppercase.

  • A space between two keywords or two property:value expressions is the same as using AND. For example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis that contain the word reorganization in the subject line.

  • Use syntax that matches the property:value format. Values are not case-sensitive, and they can’t have a space after the operator. If there is a space, your intended value will just be a full-text search. For example to: pilarp searches for "pilarp" as a keyword, rather than for messages that were sent to pilarp.

  • When searching a recipient property, such as To, From, Cc, or Recipients, you can use an SMTP address, alias, or display name to denote a recipient. For example, you can use pilarp@contoso.com, pilarp, or "Pilar Pinilla".

  • You can use only prefix wildcard searches; for example, cat* or set*. Suffix wildcard searches (*cat) or substring wildcard searches (*cat*) aren’t supported.

  • When searching a property, use double quotation marks (" ") if the search value consists of multiple words. For example subject:budget Q1 returns messages that contain budget in the subject line and that contain Q1 anywhere in the message or in any of the message properties. Using subject:"budget Q1" returns all messages that contain budget Q1 anywhere in the subject line.

  • To exclude content marked with a certain property value from your search results, place a minus sign (-) before the name of the property. For example, -from:"Sara Davis" will exclude any messages sent by Sara Davis.
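Several of the mistakes listed above change what a query matches instead of producing an error, which matters when a search is used to scope an investigation or a legal hold. The following check for them is an added example, not part of the product or of the original page: lint_query, audit and the rule names are hypothetical, and the sample queries are taken or adapted from this page.

```python
import re

# A token is a run of non-space text; a "quoted phrase" stays inside its token.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
QUOTED_RE = re.compile(r'"[^"]*"')
BOOLEAN_OPS = {"AND", "OR", "NOT", "NEAR", "ONEAR"}
# and / Or / near(5): a Boolean operator word, optionally with (n) and parentheses
OPERATOR_WORD_RE = re.compile(r'^\(*([A-Za-z]+)(?:\(\d+\))?\)*$')
# to: / size>= / -from: : a property operator with no value in the same token
DANGLING_PROP_RE = re.compile(r'^[-+(]*[A-Za-z]+(?::|<=|>=|<>|=|<|>)$')
# cat* / subject:set* : one asterisk, at the end, after at least one value character
PREFIX_WILDCARD_RE = re.compile(r'^[^*]*[^*:=<>(]\*$')


def lint_query(query):
    """Return (rule, token) findings for one keyword query, in token order."""
    findings = []
    for match in TOKEN_RE.finditer(query):
        token = match.group(0)
        bare = QUOTED_RE.sub('""', token)  # quoted text is never an operator or wildcard
        word = OPERATOR_WORD_RE.match(bare)
        if word and word.group(1).upper() in BOOLEAN_OPS and not word.group(1).isupper():
            # a lowercase operator is treated as a keyword
            findings.append(("lowercase-operator", token))
        elif DANGLING_PROP_RE.match(bare):
            # a space after the operator turns the value into a full-text keyword
            findings.append(("space-after-operator", token))
        elif bare == "+":
            # "keyword1 + keyword2" is searched as an exact phrase, not as AND
            findings.append(("detached-plus", token))
        if "*" in bare and not PREFIX_WILDCARD_RE.match(bare.rstrip(")")):
            # only prefix wildcards (cat*) are supported
            findings.append(("unsupported-wildcard", token))
    return findings


def audit(queries):
    """Map each query that has findings to its findings; clean queries are left out."""
    return {q: found for q in queries if (found := lint_query(q))}


# Sample queries taken or adapted from this page.
SAMPLE_QUERIES = [
    'from:"Sara Davis" subject:reorganization',
    'from:"Ann Beebe" and subject:northwind',
    'to: pilarp',
    '*cat*',
    'keyword1 + keyword2',
    'best near(5) worst',
    '(fair OR free) AND (from:contoso.com)',
]

if __name__ == "__main__":
    for query, found in audit(SAMPLE_QUERIES).items():
        print(f"{query!r}: {found}")
```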
