Szerkesztés

Megosztás a következőn keresztül:


Start-HistoricalSearch

This cmdlet is available only in the cloud-based service.

Use the Start-HistoricalSearch cmdlet to start a new historical search.

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax.

Syntax

Start-HistoricalSearch
     -EndDate <DateTime>
     -ReportTitle <String>
     -ReportType <HistoricalSearchReportType>
     -StartDate <DateTime>
     [-BlockStatus <String>]
     [-CompressFile <Boolean>]
     [-ConnectorType <String>]
     [-DeliveryStatus <String>]
     [-Direction <MessageDirection>]
     [-DLPPolicy <MultiValuedProperty>]
     [-EncryptionTemplate <String>]
     [-EncryptionType <String>]
     [-Locale <CultureInfo>]
     [-MessageID <MultiValuedProperty>]
     [-NetworkMessageID <MultiValuedProperty>]
     [-NotifyAddress <MultiValuedProperty>]
     [-OriginalClientIP <String>]
     [-RecipientAddress <MultiValuedProperty>]
     [-SenderAddress <MultiValuedProperty>]
     [-SmtpSecurityError <String>]
     [-TLSUsed <String>]
     [-TransportRule <MultiValuedProperty>]
     [-Url <String>]
     [<CommonParameters>]

Description

A historical search provides message trace and report details in a comma-separated value (CSV) file for messages that are aged between 1-4 hours (depending on your environment) and 90 days old. There is a limit of 250 historical searches that you can submit in a 24 hour period; you'll be warned if you're nearing the daily quota. Cancelled searches count against the daily quota. Also, in each CSV file there is a limit of 100000 results or lines.

If you specify a distribution group, all messages might not be returned in the results. To ensure that all messages are returned, specify the individual recipient.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

Start-HistoricalSearch -ReportTitle "Fabrikam Search" -StartDate 1/1/2023 -EndDate 1/7/2023 -ReportType MessageTrace -SenderAddress michelle@fabrikam.com -NotifyAddress chris@contoso.com

This example starts a new historical search named "Fabrikam Search" that has the following properties:

  • Date range: January 1 2023 to January 6 2023. Because we aren't specifying the time of day, the value 0:00 AM is used. In this example, the date range is equivalent to -StartDate "1/1/2023 0:00 AM" -EndDate "1/7/2023 0:00 AM"
  • Report type: Message trace
  • Sender address: michelle@fabrikam.com
  • Internal notification email address: chris@contoso.com

Parameters

-BlockStatus

The BlockStatus parameter filters the results in OutboundSecurityReport reports by the status of messages sent externally, messages blocked due to security checks, or messages sent successfully.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-CompressFile

{{ Fill CompressFile Description }}

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-ConnectorType

The ConnectorType parameter filters the results in ConnectorReport reports by the connector type. Valid values are:

  • OnPremises
  • Partner
  • NoConnector
Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-DeliveryStatus

The DeliveryStatus parameter filters the results by the delivery status of the message. You can use one of the following values:

  • Delivered
  • Expanded
  • Failed
Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-Direction

The Direction parameter filters the results by the direction of the message. Valid values are:

  • All: Incoming and outgoing messages.
  • Received: Ingoing messages only.
  • Sent: Outgoing messages only.
Type:MessageDirection
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-DLPPolicy

The DLPPolicy parameter filters the results by the name of the DLP policy that acted on the message. You can specify multiple DLP policies separated by commas.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-EncryptionTemplate

{{ Fill EncryptionTemplate Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-EncryptionType

{{ Fill EncryptionType Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-EndDate

The EndDate parameter specifies the end date of the date range.

Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format MM/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".

If you don't specify the time of day, the default value 0:00 AM is used. For example, the value 12/31/2022 is really "12/31/2022 0:00 AM", which means no data from 12/31/2022 is included (only data from 12/30/2022 is included).

You also need to use at least one of the following parameters in the command: MessageID, RecipientAddress, or SenderAddress.

Type:DateTime
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-Locale

The Locale parameter filters the results by the locale of the message.

Valid input for this parameter is a supported culture code value from the Microsoft .NET Framework CultureInfo class. For example, da-DK for Danish or ja-JP for Japanese. For more information, see CultureInfo Class.

Type:CultureInfo
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-MessageID

The MessageId parameter filters the results by the Message-ID header field of the message. This value is also known as the Client ID. The format of the Message-ID depends on the messaging server that sent the message. The value should be unique for each message. However, not all messaging servers create values for the Message-ID in the same way. Be sure to include the full Message ID string (which may include angle brackets) and enclose the value in quotation marks (for example, "d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com").

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-NetworkMessageID

The NetworkMessageId parameter filters the message tracking log entries by the value of the NetworkMessageId field. This field contains a unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-NotifyAddress

The NotifyAddress parameter specifies the email addresses of internal recipients to notify when the historical search is complete. The email address must be in an accepted domain that's configured for your organization. You can enter multiple email addresses separated by commas.

To view the results of the historical search, you need to specify at least one email address for the NotifyAddress parameter. Otherwise, you need to click on the completed message trace in the Exchange admin center at Mail flow > Message trace.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-OriginalClientIP

The OriginalClientIP parameter filters the results by the original IP address of the message. For incoming messages, the OriginalClientIP value is the sender's IP address. For outgoing messages, the OriginalClientIP value is the IP address of the external SMTP server that received the message.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-RecipientAddress

The RecipientAddress parameter filters the results by the recipient's email address. You can specify multiple values separated by commas. The maximum number of addresses is 100.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:True
Applies to:Exchange Online, Exchange Online Protection

-ReportTitle

The ReportTitle parameter specifies a descriptive name for the historical search. If the value contains spaces, enclose the value in quotation marks (").

You also need to use at least one of the following parameters in the command: MessageID, RecipientAddress, or SenderAddress.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-ReportType

The ReportType parameter specifies the type of historical search that you want to perform. You can use one of the following values:

  • ATPReport: Defender for Office 365 File types report and Defender for Office 365 Message disposition report
  • ConnectorReport: Inbound/Outbound Message Report.
  • DLP: Data Loss Prevention Report.
  • MessageTrace: Message Trace Report.
  • MessageTraceDetail: Message Trace Details Report.
  • OutboundSecurityReport: Outbound Message in Transit Security Report.
  • P2SenderAttribution: P2 Sender Attribution Report.
  • SPAM: SPAM Detections Report.
  • Spoof: Spoof Mail Report.
  • TransportRule: Transport or Mail Flow Rules Report.
  • UnifiedDLP: Unified Data Loss Prevention Report.

You also need to use at least one of the following parameters in the command: MessageID, RecipientAddress, or SenderAddress.

Type:HistoricalSearchReportType
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-SenderAddress

The SenderAddress parameter filters the results by the sender's email address. You can specify multiple values separated by commas. The maximum number of addresses is 100.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-SmtpSecurityError

The SmtpSecurityError parameter filters the results in OutboundSecurityReport reports by the error type of blocked messages when sent externally.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-StartDate

The StartDate parameter specifies the start date of the date range.

Use the short date format that's defined in the Regional Options settings on the computer where you're running the command. For example, if the computer is configured to use the short date format MM/dd/yyyy, enter 09/01/2018 to specify September 1, 2018. You can enter the date only, or you can enter the date and time of day. If you enter the date and time of day, enclose the value in quotation marks ("), for example, "09/01/2018 5:00 PM".

Type:DateTime
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-TLSUsed

The TLSUsed parameter filters the results in ConnectorReport reports by the TLS version. Valid values are:

  • No Tls
  • TLS1.2
  • TLS1.3
Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-TransportRule

The TransportRule parameter filters the results by the name of the Exchange mail flow rule (also known as a transport rule) that acted on the message. You can specify multiple transport rules separated by commas.

Type:MultiValuedProperty
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

-Url

{{ Fill Url Description }}

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

Inputs

Input types

To see the input types that this cmdlet accepts, see Cmdlet Input and Output Types. If the Input Type field for a cmdlet is blank, the cmdlet doesn't accept input data.

Outputs

Output types

To see the return types, which are also known as output types, that this cmdlet accepts, see Cmdlet Input and Output Types. If the Output Type field is blank, the cmdlet doesn't return data.