When GAT+ is installed, our system begins to index all of the emails in every account covering a period of 28 days (4 weeks) prior to the install date. This helps us build up some statistics so you can view recent trends. We then index every email going forward indefinitely.
In cases where you need to search for emails older than 28 days from the date of GAT+ install, you can use the real-time search called Email Content Search in GAT+.
Search the entirety of any users mailbox for any set of emails, from any time period, as long as the email is still there (not permanently deleted by the user).
You can exclude “chats” if you use “in:anywhere -in:chats” if you wish to narrow down the search to a specific period use the following search operators after:YYYY/MM/DD and/or before:YYYY/MM/DD. Alternatively, you can use older_than:5d or newer_than:30d.
So the full search term might look like this “in:anywhere -in:chats after:2019/03/01 before:2019/03/31 is:read”. View the full list of search operators available.
The search may take some time especially if you’re dealing with thousands of emails.
When the “Search emails” button is pressed, the result will start and appear on the screen with every 5 sec refresh, until the search is done.
While you wait for the search to complete, you can use it to search for anything else in other tabs.
When you come back in Email content search the search will be in the background.
To access just select “Previous searches” and you can see the previous searches.
After the search completes (Status: Completed), you can select the green checkmark and all emails for this user will be displayed.
You can select “Access permission granted” and using “Unlock” to gain access to the emails and be able to download them.
Once it is approved by the Security officer, select “Apply grant” to see all the emails of the searched user.
You can select all the emails and download them in bulk.
Or you can choose individual emails from the right-hand side under the “Actions” tab.
You can also add additional filters on top of this real-time search, click on the Apply custom filter button.
One example of using the Apply custom filters in Email content search is to narrow down the above search to find only emails with more than 4 email attachments.
You can always return to the Email content search you had previously done access and remove them from the listing.
In conclusion, Email content search provides a powerful alternative to scan based searches but may be slower as the email metadata is not already indexed. If your email audit does not require up to the minute information I would recommend sticking with scan-based searches within the Emails tab.