Enter search
Tracking searches do not support wildcard characters or regular expressions.
Tracking searches are not case sensitive.
- Envelope Sender: Select Begins With, Is, or Contains, and enter a text string
to search for in the envelope sender. You can enter email addresses, user
names, or domains. Use the
- For email domains:
example.com, [203.0.113.15], [ipv6:2001:db8:80:1::5]
- For full email addresses:
email@example.com, firstname.lastname@example.org or user@[ipv6:2001:db8:80:1::5].
- You can enter any character(s). No validation of your entry is performed.
- Envelope Recipient: Select Begins With, Is, or Contains, and enter text to
search for in the envelope recipient. You can enter email addresses, user
names, or domains.
If you use the alias table for alias expansion on your Email Security
appliances, the search finds the expanded recipient addresses rather than the
original envelope addresses. In all other cases, message tracking queries find
the original envelope recipient addresses.
valid search criteria for Envelope Recipient are the same as those for Envelope
You can enter any character(s). No validation of your entry is performed.
- Subject: Select Begins With, Is, Contains, or Is Empty, and enter a text
string to search for in the message
- Message Received: Specify a date and time range for the query using “Last
Day,” “Last 7 Days,” or “Custom Range.” Use the “Last Day” option to search for
messages within the past 24 hours, and use the “Last 7 Days” option to search
for messages within the past full seven days, plus the time that has passed on
the current day.
If you do not specify a date, the query returns data for all dates. If you
specify a time range only, the query returns data for that time range across
all available dates. If you specify the current date and 23:59 as the end date
and time, the query returns all data for the current date.
Dates and times are converted to GMT format when they are stored in the
database. When you view dates and times on an appliance, they are displayed in
the local time of the
in the results only after they have been logged on the Email Security appliance
and retrieved by the Security Management appliance. Depending on the size of
logs and the frequency of polling, there could be a small gap between the time
when an email message was sent and when it actually appears in tracking and
- Sender IP Address: Enter a sender IP address and select whether to search
messages or to search rejected connections only.
- An IPv4 address must be 4 numbers separated by periods. Each number must be a
value from 0 to 255. (Example: 203.0.113.15).
- An IPv6 address consists of 8 sets of 16-bit hexadecimal values separated by
colons. You can use zero compression in one location, such as 2001:db8:80:1::5.
- Message Event: Select the events to track. Options are Virus Positive, Spam
Positive, Suspect Spam, contained malicious URLs, contained URL in specified
category, DLP Violations (you can enter the name of a DLP policy and select
violation severities or action taken), DMARC violations, Delivered, Advanced
Malware Protection Positive (for malware found in an attachment), Hard Bounced,
Soft Bounced, currently in a policy, virus, or outbreak quarantine, caught by
message filters or content filters, and Quarantined as Spam. Unlike most
conditions that you add to a tracking query, events are added with an “OR”
operator. Selecting multiple events expands the search.
- Message ID Header and Cisco IronPort MID: Enter a text string for the message
ID header, the Cisco IronPort message ID (MID), or both.
Settings: From the drop-down menu, select how long you want the query to run
before it times out. Options are “1 minute,” “2 minutes,” “5 minutes,” “10
minutes,” and “No time limit.” Also, select the maximum number of results you
want the query to return (up to 1000).
- Attachment name: Select Begins With, Is, or Contains, and enter an ASCII or
Unicode text string for one Attachment Name to find. Leading and trailing
spaces are not stripped from the text you enter.
For information about identifying files based on SHA-256 hash, see
Identifying Files by SHA-256 Hash.
You do not need to complete every field. Except for the Message Event options,
the query is an “AND” search. The query returns messages that match the “AND”
conditions specified in the search fields. For example, if you specify text
strings for the envelope recipient and the subject line parameters, the query
returns only messages that match both the specified envelope recipient and the
subject line.
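The following added example (not taken from the product or its documentation) models the matching rules described above over constructed message records, so the mix of “AND” fields and “OR” events can be checked offline, for instance against exported tracking data. The field names, event labels and MIDs are hypothetical, and it assumes that the selected events are ORed with each other and that the group is then ANDed with the text criteria.

```python
# Added illustration: models the query semantics described on this page over
# constructed records. It is not the appliance's implementation.

def text_match(op, needle, value):
    """Begins With / Is / Contains / Is Empty: case-insensitive, no wildcards."""
    v, n = value.lower(), needle.lower()
    if op == "is_empty":
        return value == ""
    if op == "begins_with":
        return v.startswith(n)
    if op == "is":
        return v == n
    if op == "contains":
        return n in v  # '*' or '.' in the needle are literal characters
    raise ValueError(f"unknown operator: {op}")

def run_query(messages, text_criteria=None, events=None, max_results=1000):
    """text_criteria: {field: (op, needle)}, all ANDed together.
    events: set of selected Message Events, ORed with each other."""
    hits = []
    for msg in messages:
        if not all(text_match(op, needle, msg.get(field, ""))
                   for field, (op, needle) in (text_criteria or {}).items()):
            continue
        # Assumption: the OR group of events is ANDed with the text criteria.
        if events and not (events & msg["events"]):
            continue
        hits.append(msg["mid"])
        if len(hits) >= max_results:  # query settings cap results (up to 1000)
            break
    return hits

# Constructed sample records (hypothetical field names, events and MIDs).
SAMPLE = [
    {"mid": 101, "recipient": "alice@example.com",
     "subject": "Invoice overdue", "events": {"delivered"}},
    {"mid": 102, "recipient": "alice@example.com",
     "subject": "INVOICE attached", "events": {"spam_positive"}},
    {"mid": 103, "recipient": "bob@example.org",
     "subject": "Invoice overdue", "events": {"virus_positive"}},
    {"mid": 104, "recipient": "alice@example.com",
     "subject": "Lunch?", "events": {"hard_bounced"}},
]
```

Adding a second event to the `events` set can only widen the result, while adding another text criterion can only narrow it.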
results appear at the bottom of the page. Each row corresponds to an email
Figure 1. Message Tracking Query Results
criteria are highlighted in each row.
If the number of returned rows is greater than the value specified in the
“Items per page” field, the results appear on multiple pages. To navigate
through the pages, click the page numbers at the top or bottom of the list.
refine the search by entering new search criteria, and run the query again.
Alternatively, you can refine the search by narrowing the result set, as
described in the following section.