Searching for Email Messages on the New Web Interface

The tracking service of the appliance lets you search for a particular email message or group of messages that match specified criteria, such as the message subject line, date and time range, envelope sender or recipient, or processing event (for example, whether the message was virus positive, spam positive, hard bounced, delivered, and so forth). Message tracking gives you a detailed view of message flow. You can also drill down on particular email messages to see message details, such as the processing events, attachment names, or the envelope and header information.

Note

Although the tracking component provides detailed information about individual email messages, you cannot use it to read the content of messages.

Procedure


Step 1

On the Security Management appliance, choose Tracking > Search.

Step 2

Select the Messages tab or the Rejected Connections tab to narrow your search results.

Note

You can search for rejected connections based on the sender IP address, domain or network owner.

Step 3

(Optional) Click Advanced Search to display additional search options.

Step 4

Enter the following search criteria:

Note

Tracking searches do not support wildcard characters or regular expressions. Tracking searches are not case sensitive.

  • [For Messages and Rejected Connections] Message Received: Specify a date and time range for the query using “Last Day,” “Last 7 Days,” or “Custom Range.” Use the “Last Day” option to search for messages within the past 24 hours, and use the “Last 7 Days” option to search for messages within the past full seven days, plus the time that has passed on the current day.

    If you do not specify a date, the query returns data for all dates. If you specify a time range only, the query returns data for that time range across all available dates. If you specify the current date and 23:59 as the end date and time, the query returns all data for the current date.

    Dates and times are converted to GMT format when they are stored in the database. When you view dates and times on an appliance, they are displayed in the local time of the appliance.

    Messages appear in the results only after they have been logged on the Email Security appliance and retrieved by the Security Management appliance. Depending on the size of logs and the frequency of polling, there could be a small gap between the time when an email message was sent and when it actually appears in tracking and reporting results.

  • Envelope Sender: Select Begins With, Is, or Contains, and enter a text string to search for in the envelope sender. You can enter email addresses, user names, or domains. Use the following formats:

    • For email domains: example.com, [203.0.113.15], [ipv6:2001:db8:80:1::5]

    • For full email addresses: user@example.com, user@[203.0.113.15] or user@[ipv6:2001:db8:80:1::5].

    • You can enter any character(s). No validation of your entry is performed.

  • Subject: Select Begins With, Is, Contains, or Is Empty, and enter a text string to search for in the message subject line.

  • Envelope Recipient: Select Begins With, Is, or Contains, and enter text to search for in the envelope recipient. You can enter email addresses, user names, or domains.

    If you use the alias table for alias expansion on your Email Security appliances, the search finds the expanded recipient addresses rather than the original envelope addresses. In all other cases, message tracking queries find the original envelope recipient addresses.

    Apart from that, the valid search criteria for Envelope Recipient are the same as those for Envelope Sender.

    You can enter any character(s). No validation of your entry is performed.

  • Attachment Name: Select Begins With, Is, or Contains, and enter an ASCII or Unicode text string for one Attachment Name to find. Leading and trailing spaces are not stripped from the text you enter.

  • Reply-To: Select Begins With, Is, or Contains, and enter a text string to search for messages based on the Reply-To header of the message.

  • File SHA256: Enter the SHA-256 hash value of a file in the message.

    For more information about identifying files based on SHA-256 hash, see Identifying Files by SHA-256 Hash.

  • Cisco Host: Select All Host to search across all Email Security appliances, or select the required Email Security appliance from the drop-down menu.

  • Message ID Header and Cisco MID: Enter a text string for the message ID header, the Cisco IronPort message ID (MID), or both.

  • [For Messages and Rejected Connections] Sender IP Address/Domain/Network Owner: Enter a sender IP address, domain, or network owner details.

    • An IPv4 address must be four numbers separated by periods. Each number must be a value from 0 to 255. (Example: 203.0.113.15.)

    • An IPv6 address consists of 8 sets of 16-bit hexadecimal values separated by colons.

      You can use zero compression in one location, such as 2001:db8:80:1::5.

  • Message Event: Select the events to track. Options are Virus Positive, Spam Positive, Suspect Spam, contained malicious URLs, contained URL in specified category, DLP Violations (you can enter the name of a DLP policy and select violation severities or action taken), DMARC violations, Delivered, Advanced Malware Protection Positive (for malware found in an attachment), Hard Bounced, Soft Bounced, currently in a policy, virus, or outbreak quarantine, caught by message filters or content filters, and Quarantined as Spam. Unlike most conditions that you add to a tracking query, events are added with an “OR” operator. Selecting multiple events expands the search.

You do not need to complete every field. Except for the Message Event options, the query is an “AND” search. The query returns messages that match the “AND” conditions specified in the search fields. For example, if you specify text strings for the envelope recipient and the subject line parameters, the query returns only messages that match both the specified envelope recipient and the subject line.
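As an added illustration that is not part of the Cisco documentation, the following Python model applies the query rules described above to constructed sample records: field criteria are combined with AND, selected Message Events are combined with OR, text matches are literal and case-insensitive (no wildcards or regular expressions), and the “Last Day” and “Last 7 Days” windows are computed on GMT timestamps. The record layout, field names and sample messages are assumptions made for the demonstration, not the appliance's data model.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Assumed record layout: Cisco MID, received time (stored in GMT), envelope sender,
# envelope recipients (a message may have several), subject, recorded processing events
Message = namedtuple("Message", "mid received env_sender env_recipients subject events")

# Constructed sample records; "now" is pinned so the time windows are reproducible.
NOW = datetime(2024, 5, 10, 15, 0, tzinfo=timezone.utc)
MESSAGES = [
    Message(101, NOW - timedelta(hours=2), "alice@example.com", ["bob@example.org"], "Invoice 42", {"Delivered"}),
    Message(102, NOW - timedelta(hours=30), "news@example.net", ["bob@example.org"], "Weekly update", {"Spam Positive", "Quarantined as Spam"}),
    Message(103, NOW - timedelta(days=6), "mallory@bad.example", ["carol@example.org"], "INVOICE overdue", {"Virus Positive"}),
    Message(104, NOW - timedelta(days=9), "alice@example.com", ["bob@example.org"], "Invoice 41", {"Hard Bounced"}),
]

OPS = {"Begins With": str.startswith, "Is": str.__eq__, "Contains": lambda value, needle: needle in value}

def text_match(op, needle, value):
    """Begins With / Is / Contains: literal and case-insensitive; no wildcards or regex."""
    return OPS[op](value.lower(), needle.lower())

def time_window(now, choice):
    """'Last Day' = the past 24 hours; 'Last 7 Days' = seven full days plus the elapsed part of today."""
    if choice == "Last Day":
        return now - timedelta(hours=24), now
    if choice == "Last 7 Days":
        midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight - timedelta(days=7), now
    raise ValueError("unsupported range: " + choice)

def track_search(messages, now, received=None, sender=None, recipient=None, subject=None, events=()):
    """Field criteria are ANDed; the selected Message Events are ORed among themselves. Returns matching MIDs."""
    window = time_window(now, received) if received else None
    hits = []
    for m in messages:
        if window and not (window[0] <= m.received <= window[1]):
            continue
        if sender and not text_match(*sender, m.env_sender):
            continue
        if recipient and not any(text_match(*recipient, r) for r in m.env_recipients):
            continue
        if subject and not text_match(*subject, m.subject):
            continue
        if events and not (set(events) & m.events):   # any one selected event is enough
            continue
        hits.append(m.mid)
    return hits
```

Adding a second event widens the result set, while adding a second field criterion narrows it, which is the behaviour the “AND” versus “OR” rule above predicts.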

Note

In the new web interface, to perform a partial URL search, you need to add "*" before and after the search string to retrieve the results.

Step 5

Click Search.

Each row corresponds to an email message. Scroll down to load more messages in the view.

If necessary, you can refine your search by entering new search criteria, and run the query again. Alternatively, you can refine the search by narrowing the result set, as described in the following section.

Click Export to export the search results.


What to do next