Microsoft 365 Content Search using KQL Query

How to use Kusto Query Language (KQL) in Content Search?

Naqash Ahmed
3 min read · Dec 17, 2021

Microsoft Office 365 tenants hold a huge amount of data spread across multiple locations (Exchange, SharePoint, Teams, public folders, etc.), and searching for specific content such as email items or documents can be a challenge for customers. Security operations or compliance and governance teams often end up in situations where they need a user's data for legal purposes. That is where Content Search comes in: it is not a new feature, but it has been quite handy in these cases.

Recently, Microsoft introduced searching for content in Content Search, under the Compliance Center, using Kusto Query Language (KQL). You may already be familiar with this language if you have searched logs in a Log Analytics workspace in Azure; yes, it is the same KQL. Microsoft has full documentation on learning KQL here. In this blog, I will show you some sample KQL queries you can run to search content in Exchange for legal purposes, deletion, or any other useful action that might be required.

Search for email items in Exchange Online

  1. Go to the URL https://compliance.microsoft.com
  2. Click Content Search
  3. Give a useful name and description
  4. Under locations, select Exchange. If you want to narrow the search to particular mailboxes, you can filter them here.

[Figure: Data locations in Content Search]

  5. On the next screen there used to be only one option, “Condition card builder”, which is also useful and easy to use, but for this blog we will focus on KQL. Select the second option, KQL Editor.

[Figure: KQL editor box for Content Search]

  6. Now type the KQL query in the editor box. The editor already has IntelliSense, so do not worry about remembering the syntax. In this example, we will search email by sender and subject and look at the results.

from:"naqashahmed036_gmail.com#EXT#@yourdomain.onmicrosoft.com" (c:s) Subject:SPAMMING

  • The “from” parameter searches by sender; in this case, an external Gmail account
  • The “(c:s)” parameter written by itself means the OR operator
  • The “Subject” parameter searches the subject line of the email item

  7. Once the query is written, click Next, review your query and hit Submit.

  8. Monitor the search case as it goes from “Starting” to “InProgress” to “Completed”.

  9. Once completed, you can review the statistics of the search case and also see the sample emails that were retrieved.

[Figure: Content Search summary]

  10. You can review a sample of the matched emails by clicking “Review Sample” to confirm the required emails were found. If not satisfied, modify your query and re-run the search. In the screenshot below, you can see that the sample email was found after running the query above.

The governance or security team can then take further action, or delete such emails using the Compliance Search cmdlets in Security &amp; Compliance PowerShell.
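The same search, run end to end from Security &amp; Compliance PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role with Compliance Search and Search And Purge rights; the sender address, tenant name and search name are placeholders. It also shows the (c:c) form of the operator, which joins the conditions with AND rather than OR, so that a purge can be scoped as tightly as possible.

```powershell
# Added example (not from the original post): create, run, preview and
# only then purge a Content Search from PowerShell.
# Placeholders: admin UPN, sender address, tenant domain, search name.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@yourdomain.onmicrosoft.com

$searchName = "Legal-Spam-Search-2021-12-17"   # placeholder name

# Same query as in the post: sender OR subject. Use straight quotes; the
# curly quotes a word processor inserts are not parsed by the editor.
$orQuery = 'from:"naqashahmed036_gmail.com#EXT#@yourdomain.onmicrosoft.com" (c:s) subject:SPAMMING'

# Narrower variant: (c:c) joins the conditions with AND, so both the sender
# and the subject must match. Prefer this before any purge.
$andQuery = 'from:"naqashahmed036_gmail.com#EXT#@yourdomain.onmicrosoft.com" (c:c) subject:SPAMMING'

# 1. Create the search across all Exchange mailboxes (or pass specific ones)
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -ContentMatchQuery $andQuery `
    -Description "Added example: locate spam mail from an external sender" | Out-Null

# 2. Start it and poll until the status reaches Completed
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host "Status: $($search.Status)"
} while ($search.Status -ne 'Completed')

# 3. Statistics: total item count and per-mailbox breakdown
Write-Host "Items matched: $($search.Items)"
$search.SuccessResults   # one entry per location with item count and size

# 4. Preview action: the PowerShell equivalent of "Review Sample"
New-ComplianceSearchAction -SearchName $searchName -Preview | Out-Null
(Get-ComplianceSearchAction -Identity "$($searchName)_Preview").Results

# 5. Only after the preview has been checked: soft-delete the matches.
# SoftDelete leaves the items recoverable from Recoverable Items; HardDelete
# does not. A purge removes at most 10 items per mailbox per run.
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm
```

The poll loop mirrors step 8 above (Starting, InProgress, Completed), and the preview action is the scripted form of step 10: check what the query actually matched before the purge, because the purge acts on every item the search returned.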

Microsoft lists many parameters that can be used to refine your query and search for the right content in different locations. It is a good feature, but make sure Content Search is used only for legal purposes, and do not give normal users permission to run searches. It is also better to set up alerts for admins whenever a search case is created.
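Two defender-side checks for the advice above, as an added example that is not from the original post: an alert policy that fires when a content search is created, a retrospective audit-log query showing who has been creating searches, and a listing of who currently holds search rights. It assumes Connect-IPPSSession has already been run with an account that can manage alert policies and read the unified audit log; the audit operation name SearchCreated, the JSON field names read from AuditData, and the notification address are assumptions or placeholders.

```powershell
# Added example (not from the original post): alert on and audit
# Content Search creation, then review who can run searches.
# Assumed: audit operation name "SearchCreated"; placeholder recipient.

# 1. Alert policy: notify the security team whenever a search is created.
New-ProtectionAlert -Name "Content search created" `
    -Category Others `
    -ThreatType Activity `
    -Operation SearchCreated `
    -AggregationType None `
    -Severity Medium `
    -NotifyUser "secops@yourdomain.onmicrosoft.com" `
    -Description "Added example: a Content Search / eDiscovery search was created"

# 2. Retrospective check: who created searches in the last 30 days and from
# which client IP, so that searches run by unexpected accounts stand out.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations SearchCreated -ResultSize 5000

$events | ForEach-Object {
    # AuditData is a JSON string; ClientIP and ObjectId are assumed field names
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When     = $_.CreationDate
        User     = $_.UserIds
        ClientIP = $d.ClientIP
        Search   = $d.ObjectId
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

# 3. Least privilege: list members of the role group that grants search
# rights and confirm every entry is expected.
Get-RoleGroupMember -Identity "eDiscovery Manager"
```

The alert covers the "set up alerts for admins" point; the audit query and the role-group listing cover the "do not give normal users permission" point by showing both who has used the feature and who is able to.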

Thank you
