---
tags:
  - "⭐topic/\U0001F4BEsoftware/sharepoint"
  - "⭐topic/\U0001F4BEsoftware/m365"
  - "\U0001F6A9purpose/ℹ️documentation"
---

# KQL fundamentals

Microsoft 365 eDiscovery uses a query language called KQL. It’s finicky.

## Implicit operators

>The KQL syntax supports a sequence of expressions (the **expression-list** element) without any operator between the expressions. In this case, there is an implicit operator between the expressions. The implicit operator is either **AND** (section [2.1.2](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/23274d1c-e220-47a1-aad6-eaa3c75ef75d)) or **OR** (section [2.1.8](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/0842604c-1fff-4353-b061-fc7a52ee8533)).
>
>If the query contains any non-property operator (**ALL** (section [2.1.1](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/a97c9389-0809-49d7-a95c-f2bd86261f08)), **AND** (section 2.1.2), **NOT** (section [2.1.6](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/0e3f9bbe-9f43-436d-b0db-901ff5698e81)), **XRANK** (section [2.1.10](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/36b3c22e-2f24-4096-99df-919f40d16864)), and so forth), the query MUST be evaluated as if the implicit operator is **AND** (section 2.1.2).
>
>There are other special cases regarding the use of the implicit operator. See section [2.3.1.1](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/311a6558-0dbf-43be-a966-4901a5fb339e) for the use of the implicit operator in combination with qualified string tokens, and section [2.2.4](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/5c7e1e38-b7f2-4b1a-a38c-947e22e1d642) for the use of the implicit operator in combination with property restrictions.
— [[MS-KQL]: Implicit Operator | Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/6dfcc946-bf50-4ead-9c22-f9ea655cc899)

eDiscovery seems to use implicit `OR` by default, and only switches to `AND` when things get more complex. To force `AND`, wrap keywords in parentheses.

## `AND`/`OR` shortcuts

Microsoft makes [this claim:](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/2f65b2fd-7605-4cb4-bb73-21426d4c5968)

>The following \[sets of\] queries match the same [items](https://learn.microsoft.com/en-us/openspecs/sharepoint_protocols/ms-kql/6994d06f-c90e-408d-bb79-626de7623ac2#gt_91432874-9050-460a-b621-d77b75d31dee):
>
>```
>cat +dog
>cat AND dog
>```

But in testing with eDiscovery Standard, this query:

```
participants=user1 +participants=user2
```

results in:

```
(participants:"user1" OR participants:"user2")
```

This may be related to the handling of [Implicit operators](#implicit-operators) mentioned above.

However, the claim below appears to be correct:

>```
>cat -dog
>cat AND NOT dog
>```

This rendered correctly as `(participants=user1 AND (NOT (participants=user2)))`.

## `(c:c)` and `(c:s)`

“Condition cards” are built in Purview (previously Compliance) eDiscovery Standard, and the property name `c` with the value `c` or `s` (which must be inside parentheses) is reserved there to separate compiled card queries.

`(c:c)` is similar to logical `AND` while `(c:s)` is similar to logical `OR`. They are used to separate keywords into groups, so that each group can be individually tracked for the number of results returned for that particular group, and so that queries can more easily be transformed into raw KQL and back.

Perhaps `c` means “combine” and `s` “separate”.

## Contains (`:`) vs equality (`=`)

Equality is an exact match to the property, while contains is a word match and supports a suffix wildcard with `*`. KQL does not support prefix wildcards.
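
A pre-flight check for the pitfalls collected in these notes (implicit operators, the `+` shortcut, prefix wildcards), so a search scope is not silently widened or narrowed. This is an added example, not Microsoft tooling or part of the original notes; the tokenizer is a simplified assumption rather than the full MS-KQL grammar, and `lint_kql` and its finding codes are hypothetical names.

```python
import re

# Simplified tokenizer (an assumption, not the full MS-KQL grammar):
# condition-card separators, parentheses, optionally-prefixed quoted phrases, bare runs.
TOKEN = re.compile(r'\(c:[cs]\)|\(|\)|[^\s()"]*"[^"]*"|[^\s()]+')
# Explicit separators: Boolean operators plus the reserved (c:c)/(c:s) markers.
OPERATORS = {"AND", "OR", "NOT", "(c:c)", "(c:s)"}


def lint_kql(query):
    """Return (code, token) findings for constructs these notes flag as risky."""
    findings = []
    after_operand = False  # True when the previous token completed an expression
    for tok in TOKEN.findall(query):
        if tok in OPERATORS:
            after_operand = False
        elif tok == "(":
            if after_operand:  # "term (" or ") (" with nothing in between
                findings.append(("implicit-operator", tok))
            after_operand = False
        elif tok == ")":
            after_operand = True
        else:
            if tok.startswith("+"):
                # '+' is documented as AND but was observed to compile to OR.
                findings.append(("plus-shortcut", tok))
            elif after_operand and not tok.startswith("-"):
                # Two adjacent expressions: AND or OR is chosen for you.
                findings.append(("implicit-operator", tok))
            # Strip the shortcut sign and any property name to get the value.
            value = re.split(r"[:=]", tok.lstrip("+-"), maxsplit=1)[-1].strip('"')
            if value.startswith("*"):
                findings.append(("prefix-wildcard", tok))
            after_operand = True
    return findings


if __name__ == "__main__":
    # Constructed sample queries, modelled on the ones in these notes.
    for q in ["participants=user1 +participants=user2", "cat -dog",
              "cat dog", "subject:*report", "cat(c:c)dog"]:
        print(f"{q!r}: {lint_kql(q) or 'ok'}")
```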

# See also

[eDiscovery email properties](https://learn.microsoft.com/en-us/microsoft-365/compliance/ediscovery-keyword-queries-and-search-conditions?view=o365-worldwide#searchable-email-properties)