Use mail protection reports in Office 365 to view data about malware, spam, and rule detections

If you're an Exchange Online or Exchange Online Protection (EOP) admin, there's a good chance you'd like to monitor how much spam and malware is being detected, or how often your mail flow rules (also called transport rules) are being matched. With the interactive mail protection reports in the Office 365 admin center, you can quickly get a visual report of summary data and drill down into details about individual messages, for as far back as 90 days.

(Screenshot: Mail protection reports in Office 365)

This topic covers the following areas:

You can customize certain mail protection reports to filter on sender and/or recipient, or on a specific domain. You can also schedule mail reports to be sent automatically to your inbox. To learn how to do this, see Customize and schedule mail protection reports in Office 365 to be automatically sent to your inbox.

Reporting overview

You can access the following mail protection reports from the REPORTS page in the Office 365 admin center.

Protection reports

Top senders and recipients
    Shows the following, depending on the type of report you select:
      • Top mail recipients - the top 10 recipients for overall mail.
      • Top mail senders - the top 10 senders for overall mail.
      • Top spam recipients - the top 10 recipients for spam detections.
      • Top malware recipients - the top 10 recipients for malware detections.

Top malware for mail
    Shows the top 10 malware in received and sent mail.

Malware detections
    Shows the number of malware detections in sent or received mail before the malware action was applied. Details about individual malware-filtered messages are available by selecting a point on the graph.

Spam detections
    Shows what spam was detected in sent or received mail, grouped by spam filtering type:
      • Content filtered - mail identified as spam due to message characteristics consistent with spam.
      • SMTP blocked - mail blocked before entering the service, based on sender/recipient filtering.
      • IP blocked - mail blocked before entering the service, based on IP reputation.
    By default, all messages are included. You can modify the details of this report to filter to a specific sender and/or recipient, or you can use *@domain to get a report on a single domain. To learn how to do this, see Customize and schedule mail protection reports in Office 365 to be automatically sent to your inbox.
    Details about individual content-filtered messages are available by selecting a point on the graph.

Sent and received mail
    Shows the sent and received mail grouped by traffic type:
      • Good mail - messages that were received and not identified as spam or malware.
      • Spam - messages identified as spam.
      • Malware - messages that contained malware.
      • Mail flow rules (also called transport rules) - messages that matched at least one rule.
    By default, all messages are included. You can modify the details of this report to filter to a specific sender and/or recipient, or you can use *@domain to get a report on a single domain. To learn how to do this, see Customize and schedule mail protection reports in Office 365 to be automatically sent to your inbox.
    Details about individual messages are not available.

Spoof mail report
    For customers who have Office 365 Enterprise E5 or have purchased Advanced Threat Protection (ATP) licenses, this chart shows inbound emails sent to your organization where the sender appears to represent your organization, but the actual sender identity is different. This is known as "insider spoofing".
    Organizations might use spoofing intentionally for good reason, and some types of spoofing are malicious. This report includes both types of spoofing emails received by your organization, and helps you take action to allow or block further emails from that sender. For example, you might contract a third party to send an invite to all employees for a company event; an email like this would appear in this report as non-spam or Good mail. Office 365 also detects mail sent as your company in a malicious way and labels this Caught as spam.
    You can see a detailed view by clicking on a data point in the chart for a given day. The counts are aggregated based on the following attributes:
      • Spoofed Sender - The visible sender name which appears to be from your organization.
      • True Sender - The actual sender associated with the registered IP address. If this field is blank, the sender's domain was not detected when the DNS record was examined by Office 365.
      • Sender IP - The IP address or address range associated with the sender of the spoof message.
      • Event Type - Whether the spoof message was marked as spam (Caught as spam) or non-spam (Good mail).
    You can block or allow email sent from this IP address in future by selecting Add to IP Block or IP Allow list. Only add IP addresses to the Allow list if you know they belong to safe domains.

Rules reports

Top rule matches for mail
    Shows the top 10 most-matched mail flow rules for received and sent mail.

Rule matches for mail
    Shows the number of mail flow rule matches, grouped by rule severity. Details about individual messages are available by selecting a point on the graph.
    By default, all messages are included. You can modify the details of this report to filter to a specific sender and/or recipient, or you can use *@domain to get a report on a single domain. To learn how to do this, see Customize and schedule mail protection reports in Office 365 to be automatically sent to your inbox.

DLP reports

Top DLP policy matches for mail
    Shows the top 10 most-matched data loss prevention (DLP) policies for received and sent mail.

Top DLP rule matches for mail
    Shows the top 10 most-matched DLP rules for received and sent mail.

DLP policy matches by severity for mail
    Shows the number of DLP policy rule matches for mail, grouped by severity. Details about individual messages are available by selecting a point on the graph.

DLP policy matches, overrides, and false positives for mail
    Shows the number of DLP policy matches, overrides (the user sent the mail despite a DLP match), and false positives (the user reported that a DLP match was incorrect). Details about individual messages are available by selecting a point on the graph.

Note

The DLP feature is available only with certain Exchange Online and EOP subscription plans. For information about DLP feature availability with each plan, see the Data Loss Prevention table entries in the Exchange Online Service Description and the Exchange Online Protection Service Description.

What do you need to know before you begin?

  • You need to be assigned permissions before you can perform this procedure or procedures:

    • For Exchange Online admins, in order to view Office 365 admin center reports, you need the "global admin" Office 365 admin role, and the Exchange admin roles listed for the "View reports" entry in the Feature permissions in Exchange Online topic.

    • For EOP admins, in order to view Office 365 admin center reports, you need the "global admin" Office 365 admin role, and the Exchange admin roles listed for the "View reports" entry in the Feature Permissions in EOP topic.

  • For information about when data is available and for how long, see the "Reporting and message trace data availability and latency" section in Reporting and Message Trace in Exchange Online Protection.

  • If a detail report is run for messages that are older than 7 days, the report is available as a downloadable .csv file, which can be opened in an application such as Excel.

  • Exchange mail protection reports are also accessible through remote Windows PowerShell. For a complete list of Exchange Online reporting cmdlets, see Reporting cmdlets in Exchange Online.

Tip

Having problems? Ask for help in the Exchange forums. Visit the forums at Exchange Server, Exchange Online, or Exchange Online Protection.

View mail protection reports in the Office 365 admin center

When you click a mail protection report link, such as the sent and received mail report, a new window opens and displays an interactive chart with summary-level information.

(Screenshot: Sent and received mail)

Summary data: You can select the appropriate date range to see up to 90 days of summary data. You can change the view to see only messages that match specific criteria by altering the series slicers located on the right side of the graph. For example, if you want to view all messages except spam messages, clear the Spam slicer option. Some reports might also have parameters above the graph that let you further narrow down your criteria. For information about the report and its parameters, hover over the information link next to the report title.

Detail data: Detailed message data is available for some reports by clicking on a specific data point within the graph. When a point is selected, the message details are displayed below the graph in a table. You can page through the detail messages if there are more records than can be displayed on one page. Each detail lists the following:

  • The date the message was sent.

  • The sender and recipient of the message (only one recipient is listed per line).

  • The message ID (found in the header of the message and usually similar to the following format: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>).

  • The subject line text of the message.

Depending on the type of report, you may see additional fields that include information such as the spam event type, the mail flow rule matched, and the action associated with a rule.

The following image shows the spam detections report with detail data.

(Screenshot: Spam detections report)

Note

The number of details may differ from the summary count. Each report has an explanation of how the number of detail records is computed.

Tip

You can click the View table link to display the data in a table rather than a graph. You can't drill down into message details within the table view, however.

View detail data for messages that are older than 7 days

Detail data for messages that are older than 7 days is available as a download. This is shown as the area of the graph with a gray background. When you select a data point in the summary graph for data older than 7 days, a Request this report link is displayed at the bottom of the page.

(Screenshot: Spam detections older than 7 days)

Run a detail report for messages that are older than 7 days

When you click the Request this report link, you'll be presented with a new page that lets you provide notification information and further filter the request.

(Screenshot: Request report parameters)

You can specify the following parameters:

  • Start date and time and End date and time: Specify the date range from which you want reporting data. The end date and time must be at least 24 hours old.

  • Delivery status: Using the list, select the status of the messages you want to view information about. Leave the default value of All to cover all statuses. Other possible values are:

    • Delivered: The message was successfully delivered to the intended destination.

    • Failed: The message was not delivered. Either the delivery was attempted and failed, or the message was not delivered as a result of actions taken by the filtering service (for example, if the message was determined to contain malware).

    • Expanded: The message was sent to a distribution list and was expanded so the members of the list can be viewed individually.

  • Message ID: This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. Users can provide you with this information in order to investigate specific messages.

    The form of this ID varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.

    Note

    Be sure to include the full Message ID string. This may include angle brackets (<>).

    This ID should be unique; however, it is generated by the sending mail system, and not all sending mail systems behave the same way. As a result, you may get results for multiple messages when querying on a single Message ID.

  • Original client IP address: Specify the IP address of the sender's client.

  • Report title: Specify the unique identifier for this report. This is also used as the subject line text for the email notification. The default is "<Report type> detail report <day of the week>, <current date> <current time>". Here's an example: "Spam detail report Thursday, February 27, 2014 7:21:09 AM".

  • Notification email address: Specify the email address that you want to receive the notification when the report request completes. This address must reside within your list of accepted domains.

Click Submit to submit the report request. Although the number of reports you can run over a 24-hour period should be sufficient for your reporting needs, you'll be warned if you're nearing the threshold of the number of reports you're allowed to run over a 24-hour period.

After you click the Submit button, a message should appear letting you know that the report request was successfully submitted and that an email notification will be sent to the email address (if supplied) when it has completed. It may take up to a few hours for the report request to complete. If the request is processed and data that matches your search criteria is successfully retrieved, this notification message includes information about the report and a link to the downloadable .csv file. If no data was found that matched the search criteria you specified, you'll be asked to submit a new request with changed criteria in order to obtain valid results.

View pending or completed report requests

To view the status of report requests, click the View pending or completed requests link on the main page, which opens the Pending or completed requests page.

(Screenshot: Pending or completed requests)

The Pending or completed requests page lets you see the status of any of your submitted requests (in addition to your report requests, it also lists your submitted message trace requests). From here, you can cancel pending requests or download a completed report.

The list of requests can be sorted by clicking any of the column headers. In addition to the report title, the date and time the request was submitted, and the number of messages in the report, the following status values are listed:

  • Not started: The request was submitted but is not yet running. At this point, you have the option to cancel the request.

  • Cancelled: The request was submitted but was cancelled.

  • In progress: The request is running, and you can't cancel the request or download the report.

  • Completed: The request has completed, and you can click Download this report to retrieve the results in a .csv file. Note that if your results exceed 5,000 messages for a report, they are truncated to 5,000 messages. If you don't see all the results that you need, we recommend that you break your search out into multiple queries.

When you select a specific report, additional information appears in the right pane, which shows the search criteria you specified for that report.

Note

Reports are automatically deleted after 10 days. They can't be manually deleted.

View a downloaded detail report

Important

To view downloaded mail protection and mail flow rules reports, you must have the "View-Only Recipients" role assigned to your role group. By default, the following role groups have this role assigned: Compliance Management, Help Desk, Hygiene Management, Organization Management, and View-Only Organization Management. To view downloaded DLP reports, the required role is "Data Loss Prevention," and by default it's only available to the Compliance Management role group.

When you download a report, either from the View pending or completed requests page or from a notification email, you can open and view it in an application such as Microsoft Excel.

The following information about each message is included for every type of report:

  • origin_timestamp: The date and time at which the message was received by the service, using the configured UTC time zone.

  • sender_address: The email address of the sender in the form alias@domain.

  • recipient_address: The recipient of the message.

  • message_subject: The subject line text of the message. If necessary, this is truncated to the first 256 characters.

  • total_bytes: The size of the message, including attachments, in bytes.

  • message_id: This is the Internet message ID (also known as the Client ID) found in the header of the message with the "Message-ID:" token. Its form varies depending on the sending mail system. The following is an example: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>.

    This ID should be unique; however, it is generated by the sending mail system, and not all sending mail systems behave the same way. As a result, you may get results for multiple messages when querying on a single message ID.

  • network_message_id: A unique message ID value that persists across copies of the message that may be created due to bifurcation or distribution group expansion. An example value is 1341ac7b13fb42ab4d4408cf7f55890f.

  • original_client_ip: The IP address of the sender's client.

  • directionality: Denotes whether the message was sent inbound (1) to your organization or outbound (2) from your organization.

The following fields are also included in reports about spam-detected messages:

  • event_type: Denotes the spam filtering type:

    • Content filtered: The message was identified as spam due to its content.

    • SMTP blocked: The message was blocked before entering the service based on sender/recipient filtering.

    • IP blocked: The message was blocked before entering the service based on IP reputation.

  • scl: The spam confidence level (SCL) of the message. For more information about the different SCL values and what they mean, see Spam Confidence Levels.

  • country: The country or region from which the message originated, if available.

  • language: The language code in which the message was written (for example, en denotes that the message was written in English).

  • helo string: The HELO or EHLO string of the connecting mail server.

  • reverse_dns: The PTR record of the sending IP address, also known as the reverse DNS address.

The following fields are also included in reports about malware-detected messages:

  • event_type: This is always Malware.

  • filename: The name of the file that contained the malware.

  • malware_name: The name of the malware that was detected.

The following fields are also included in reports about messages that matched a mail flow rule:

  • ruleid: The rule ID that was matched, for example 368067fd-c36c-4b56-9f38-08d0ffcf8b23. Each rule has a unique ID. You can get this value via remote Windows PowerShell.

  • action: The action that was applied. For a list of available actions, see Mail flow rule actions in Exchange Online.

  • severity: The audit severity of the rule that was matched.

  • set_time: The date and time (in UTC) when the rule match occurred.

  • mode: The mode of the rule. Possible values are:

    • Enforce: All actions on the rule are enforced.

    • Test with Policy Tips: Any Policy Tip actions are sent, but other enforcement actions are not acted on.

    • Test without Policy Tips: Actions are listed in a log file, but senders are not notified in any way, and enforcement actions are not acted on.

The following fields are also included in reports about messages that matched a DLP policy:

  • dlpid: The DLP policy ID that was matched. Each policy has a unique ID. You can get this value via remote Windows PowerShell.

  • sender_override: An end user reported either an override or a false positive for a rule.

  • Sender_just: The justification text provided by the end user as the reason the data classification should be overridden.

  • dcid: The ID of the data classification that was matched.

  • dc_count: The count of the data classification that was matched.

  • dc_conf: The confidence level of the data classification that was matched. For a detailed explanation of the confidence level, see the "Entity rules" section in Developing Sensitive Information Rule Packages.

Note

The ruleid, action, severity, set_time, and mode fields defined previously for mail flow rule reports also appear in DLP reports.
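The downloaded .csv fields listed above, and the earlier caveat that a single Message ID can return multiple messages, as an added example that is not part of the original documentation: it parses a constructed spam detail report using the documented column names, summarizes rows by event_type and directionality, groups recipient copies by network_message_id, and flags Message-IDs that belong to more than one distinct message. The sample rows and their values are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a downloaded spam detail report (.csv). The column names
# are the documented report fields; every value below is made up for this example.
# Rows 1-2 are one message expanded to two recipients (same network_message_id);
# rows 3-4 are two different messages whose senders reused the same Message-ID.
SAMPLE_CSV = """origin_timestamp,sender_address,recipient_address,message_subject,total_bytes,message_id,network_message_id,original_client_ip,directionality,event_type,scl,country,language,helo string,reverse_dns
2014-02-27T07:21:09Z,news@example.net,alice@contoso.example,Weekly digest,10240,<a1@mail.example.net>,11111111111111111111111111111111,192.0.2.10,1,Content filtered,5,US,en,mail.example.net,mail.example.net
2014-02-27T07:21:09Z,news@example.net,bob@contoso.example,Weekly digest,10240,<a1@mail.example.net>,11111111111111111111111111111111,192.0.2.10,1,Content filtered,5,US,en,mail.example.net,mail.example.net
2014-02-27T08:02:44Z,promo@example.org,carol@contoso.example,Act now,2048,<dup@relay.example>,22222222222222222222222222222222,198.51.100.7,1,IP blocked,9,,,relay.example,
2014-02-27T09:15:00Z,spam@example.com,dave@contoso.example,Cheap offers,4096,<dup@relay.example>,33333333333333333333333333333333,203.0.113.5,1,SMTP blocked,9,,,mx.example.com,
2014-02-27T10:30:12Z,erin@contoso.example,partner@example.net,Re: invoice,3000,<b2@contoso.example>,44444444444444444444444444444444,192.0.2.44,2,Content filtered,6,US,en,contoso.example,contoso.example
"""

# The directionality field is numeric: 1 = inbound to the organization, 2 = outbound.
DIRECTIONALITY = {"1": "inbound", "2": "outbound"}


def load_report(text):
    """Parse report CSV text into a list of dicts keyed by the report's column names."""
    return list(csv.DictReader(io.StringIO(text)))


def count_by_event_type(rows):
    """Count rows per spam filtering type (Content filtered / SMTP blocked / IP blocked)."""
    return Counter(r["event_type"] for r in rows)


def count_by_direction(rows):
    """Translate the numeric directionality value and count inbound vs outbound rows."""
    return Counter(DIRECTIONALITY.get(r["directionality"], "unknown") for r in rows)


def expanded_recipients(rows):
    """Group recipients per network_message_id.

    The report lists one recipient per line, so a message sent to a distribution
    list appears as several rows. network_message_id persists across those copies,
    which makes it the right key for counting a message once.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[r["network_message_id"]].append(r["recipient_address"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def ambiguous_message_ids(rows):
    """Return Message-IDs that map to more than one distinct network_message_id.

    Recipient copies of one message share a network_message_id, so distinct values
    behind the same Message-ID mean separate messages reused the ID. These are the
    cases where a Message ID query returns results for multiple messages, and they
    need to be told apart by network_message_id rather than by Message-ID.
    """
    seen = defaultdict(set)
    for r in rows:
        seen[r["message_id"]].add(r["network_message_id"])
    return {mid: sorted(ids) for mid, ids in seen.items() if len(ids) > 1}


if __name__ == "__main__":
    report = load_report(SAMPLE_CSV)
    print("by event_type:", dict(count_by_event_type(report)))
    print("by direction:", dict(count_by_direction(report)))
    print("expanded recipients:", expanded_recipients(report))
    print("ambiguous Message-IDs:", ambiguous_message_ids(report))
```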