Cisco Content Security Management Appliance M160 User Guide
AsyncOS 8.3.5 for Cisco Content Security Management User Guide
Chapter 6 Tracking Email Messages
Searching for Email Messages
Note
Tracking searches do not support wildcard characters or regular expressions. Tracking searches are not case sensitive.
• Envelope Sender: Select Begins With, Is, or Contains, and enter a text string to search for in the envelope sender. You can enter email addresses, user names, or domains. Use the following formats:
– For email domains: example.com, [203.0.113.15], [ipv6:2001:db8:80:1::5]
– For full email addresses: user@example.com, user@[203.0.113.15] or user@[ipv6:2001:db8:80:1::5].
– You can enter any character(s). No validation of your entry is performed.
• Envelope Recipient: Select Begins With, Is, or Contains, and enter text to search for in the envelope recipient. You can enter email addresses, user names, or domains.
If you use the alias table for alias expansion on your Email Security appliances, the search finds the expanded recipient addresses rather than the original envelope addresses. In all other cases, message tracking queries find the original envelope recipient addresses.
Otherwise, valid search criteria for Envelope Recipient are the same as those for Envelope Sender.
You can enter any character(s). No validation of your entry is performed.
• Subject: Select Begins With, Is, Contains, or Is Empty, and enter a text string to search for in the message subject line.
• Message Received: Specify a date and time range for the query using “Last Day,” “Last 7 Days,” or “Custom Range.” Use the “Last Day” option to search for messages within the past 24 hours, and use the “Last 7 Days” option to search for messages within the past full seven days, plus the time that has passed on the current day.
If you do not specify a date, the query returns data for all dates. If you specify a time range only, the query returns data for that time range across all available dates. If you specify the current date and 23:59 as the end date and time, the query returns all data for the current date.
Dates and times are converted to GMT format when they are stored in the database. When you view dates and times on an appliance, they are displayed in the local time of the appliance.
Messages appear in the results only after they have been logged on the Email Security appliance and retrieved by the Security Management appliance. Depending on the size of logs and the frequency of polling, there could be a small gap between the time when an email message was sent and when it actually appears in tracking and reporting results.
• Sender IP Address: Enter a sender IP address and select whether to search messages or to search rejected connections only.
– An IPv4 address must be 4 numbers separated by a period. Each number must be a value from 0 to 255. (Example: 203.0.113.15).
– An IPv6 address consists of 8 sets of 16-bit hexadecimal values separated by colons. You can use zero compression in one location, such as 2001:db8:80:1::5.
• Message Event: Select the events to track. Options are Virus Positive, Spam Positive, Suspect Spam, contained malicious URLs, contained URL in specified category, DLP Violations (you can enter the name of a DLP policy and select violation severities or action taken), DMARC violations, Delivered, Advanced Malware Protection Positive (for malware found in an attachment), Hard Bounced, Soft Bounced, currently in a policy, virus, or outbreak quarantine, caught by message filters or content filters, and Quarantined as Spam. Unlike most conditions that you add to a tracking query, events are added with an “OR” operator. Selecting multiple events expands the search.
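The following is an added example, written for this guide and not Cisco code or the appliance's own query engine, that models the search semantics the criteria above describe so that the behaviour can be checked before running a query against production tracking data: case-insensitive matching with no wildcard interpretation, the documented IPv4 and IPv6 address rules (with canonical comparison so that an uncompressed IPv6 address matches its compressed form), the “Last Day” and “Last 7 Days” windows computed against a GMT-stored timestamp and displayed in the appliance's local time, and Message Event as the one criterion combined with OR while the others narrow the result. The sample records, the “current time,” the PDT display zone and the assumption that non-event criteria combine with AND are constructed for illustration; alias-table expansion and rejected-connection searches are not modelled.

```python
"""Model of the Message Tracking search semantics described above.
Added example, not Cisco code: records, 'now' and the display zone are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

UTC = timezone.utc
NOW_UTC = datetime(2014, 5, 20, 18, 0, tzinfo=UTC)          # constructed 'now'
APPLIANCE_TZ = timezone(timedelta(hours=-7), "PDT")        # assumed local zone


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    received_utc: datetime   # stored in GMT, as the appliance database does
    sender_ip: str
    events: set


# Constructed sample tracking records (not real data).
SAMPLE = [
    Message("Alice@Example.com", ["bob@corp.example"], "Invoice attached",
            datetime(2014, 5, 20, 15, 30, tzinfo=UTC), "203.0.113.15",
            {"Delivered"}),
    Message("mailer@[203.0.113.15]", ["carol@corp.example"], "",
            datetime(2014, 5, 19, 9, 0, tzinfo=UTC), "203.0.113.15",
            {"Spam Positive", "Quarantined as Spam"}),
    Message("news@[ipv6:2001:db8:80:1::5]", ["bob@corp.example", "dave@corp.example"],
            "*Weekly* digest", datetime(2014, 5, 10, 12, 0, tzinfo=UTC),
            "2001:db8:80:1::5", {"Virus Positive"}),
]


def text_match(op, needle, value):
    """Begins With / Is / Contains / Is Empty. Case-insensitive; no wildcards or
    regular expressions, so '*' is just another character."""
    n, v = needle.lower(), value.lower()
    return {"Begins With": v.startswith(n), "Is": v == n,
            "Contains": n in v, "Is Empty": v == ""}[op]


def validate_sender_ip(text):
    """Enforce the documented formats: IPv4 as four numbers 0-255 separated by
    periods; IPv6 as colon-separated hex with zero compression in at most one
    place. Returns the canonical form, so '2001:0db8:80:1:0:0:0:5' compares
    equal to '2001:db8:80:1::5'."""
    if ":" in text:
        if text.count("::") > 1:
            raise ValueError("IPv6 allows zero compression in only one location")
        return str(ipaddress.IPv6Address(text))
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("IPv4 must be four numbers 0-255 separated by periods")
    return str(ipaddress.IPv4Address(text))


def received_window(option, now_utc, custom=None):
    """Message Received options as a UTC (start, end) window; (None, None) = all dates."""
    if option == "Last Day":                 # the past 24 hours
        return now_utc - timedelta(hours=24), now_utc
    if option == "Last 7 Days":              # seven full days plus today so far
        midnight = now_utc.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight - timedelta(days=7), now_utc
    if option == "Custom Range":             # caller supplies (start, end) in UTC
        return custom if custom else (None, None)
    raise ValueError(f"unknown option {option!r}")


def run_query(messages, now_utc, received="Custom Range", custom=None,
              envelope_sender=None, envelope_recipient=None, subject=None,
              sender_ip=None, events=()):
    """Apply the criteria. Each criterion narrows the result (AND, assumed here)
    except Message Event, where selecting several events widens it (OR)."""
    start, end = received_window(received, now_utc, custom)
    wanted_ip = validate_sender_ip(sender_ip) if sender_ip else None
    hits = []
    for m in messages:
        if start is not None and not (start <= m.received_utc <= end):
            continue
        if envelope_sender and not text_match(*envelope_sender, m.sender):
            continue
        if envelope_recipient and not any(
                text_match(*envelope_recipient, r) for r in m.recipients):
            continue
        if subject and not text_match(*subject, m.subject):
            continue
        if wanted_ip and validate_sender_ip(m.sender_ip) != wanted_ip:
            continue
        if events and not (set(events) & m.events):   # OR across selected events
            continue
        hits.append(m)
    return hits


def display_local(received_utc, appliance_tz):
    """Timestamps are stored in GMT and shown in the appliance's local time."""
    return received_utc.astimezone(appliance_tz).strftime("%Y-%m-%d %H:%M %Z")


if __name__ == "__main__":
    for m in run_query(SAMPLE, NOW_UTC, received="Last 7 Days",
                       events=["Spam Positive", "Delivered"]):
        print(display_local(m.received_utc, APPLIANCE_TZ), m.sender, sorted(m.events))
```

Two points the model makes concrete: a Subject search for “*” matches only a subject that literally contains an asterisk, and the “Last 7 Days” window starts at midnight seven days before the current date rather than exactly 168 hours ago, so a message from early on the eighth day back is excluded while one from later today is included.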