When GAT+ is installed, our system begins to index all of the emails in every account covering a period of 28 days (4 weeks) prior to the install date.
This helps us build up some statistics so you can view recent trends. We then index every email going forward indefinitely.
In cases where you need to search for emails older than 28 days from the date of GAT+ install, you can use the real-time search called Email Content Search.
Open GAT+ and navigate to Email from the left side menu.
Select Email content search.
Search the entirety of any user’s mailbox for any set of emails, from any time period, as long as the email is still there (not permanently deleted by the user).
Example: in:anywhere -in:chats
This will query will search for emails anywhere and exclude chats.
To narrow down the search to a specific period, use the following search operators:
after:YYYY/MM/DD and/or before:YYYY/MM/DD.
Alternatively, you can use
older_than:5d or newer_than:30d.
So the full search term might look like this:
in:anywhere -in:chats after:2020/03/01 before:2020/03/31 is:read”.
View the full list of search operators available.
The search may take some time especially if you’re dealing with thousands of emails.
When the “Search emails” button is pressed, the result will start and appear on the screen with every 5-sec refresh, until the search is done.
While you wait for the search to complete, you can use it to search for anything else in other tabs.
If the search takes too long, depending on how many emails the user has, the search might go to the background.
When you come back in Email content search the search will be in the background.
To access just select “Previous searches” and you can see the previous searches.
After the search completes (Status: Completed), you can select the green checkmark and all emails for this user will be displayed.
You can always return to the Email content search you had previously queried and remove them from the listing.
You can select “Email operations” and use “Unlock” to gain access to the emails and be able to download or delete them. Select the ‘Create new access request‘ option to request access from a security officer.
Once it is approved by the Security officer, select ‘Access permissions list’ to see all the emails of the searched user.
You can select all the emails and download them individually or in bulk.
You can also add additional filters on top of this real-time search, click on the Apply custom filter button.
In conclusion, Email content search provides a powerful alternative to scan based searches but may be slower as the email metadata is not already indexed.
If your email audit does not require up to the minute information I would recommend sticking with scan-based searches within the Emails tab.
For any questions please contact us at support@gatlabs.com
