This endpoint can be used to retrieve messages that triggered a DLP or Content Examination policy.
Pre-requisites
In order to successfully use this endpoint the logged in user must be a Mimecast administrator with at least the Monitoring | Data Leak Prevention | Read permission.
URI
To use this endpoint you send a POST request to:
/api/dlp/get-logs
Request Headers
The following request headers must be included in your request:
| Field | Description |
| --- | --- |
| Authorization | Please see the Authorization guide for more information on building the Authorization header. |
| x-mc-req-id | A randomly generated GUID, for example, 8578FCFC-A305-4D9A-99CB-F4D5ECEFE297 |
| x-mc-app-id | The Application ID provided with your Registered API Application. |
| x-mc-date | The current date and time in the following format, for example, Tue, 24 Nov 2015 12:50:11 UTC |
Request Body
{
    "data": [
        {
            "from": "2015-11-16T14:49:18+0000",
            "oldestFirst": false,
            "searchField": "String",
            "actions": [
                "String"
            ],
            "to": "2015-11-16T14:49:18+0000",
            "routes": [
                "String"
            ],
            "query": "String"
        }
    ]
}
data
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| oldestFirst | Boolean | Optional | Determines the order of messages returned. If true, the oldest messages will be returned first. If false, the most recent messages will be returned first. Default value is false. |
| routes | Array of Strings | Optional | The route of messages to filter based on. Possible values are inbound, outbound and internal. |
| searchField | String | Optional | The field to search within. Possible values are senderAddress, recipientAddress, subject, policy or all (any fields). Default value is all. |
| query | String | Required if searchField is present | The string to search for messages. |
| from | Date String | Optional | The start date in ISO 8601 date time format (e.g. 2011-12-03T10:15:30+0000). |
| to | Date String | Optional | The end date in ISO 8601 date time format (e.g. 2011-12-03T10:15:30+0000). |
| actions | Array of Strings | Optional | Actions to filter the messages. Possible values are delete, hold, bouce, smart_folder, disable_smart_folder, content_expire, meta_expire, stationery, disable_stationery, gcc, secure_delivery, delivery_route, document_policy, disable_document_policy, secure_messaging, disable_secure_messaging_policy, attach_set_policy, remove_email, tag, link, block, none, and notification. |
Response
{
    "fail": [],
    "meta": {
        "status": 200
    },
    "data": [
        {
            "dlpLogs": [
                {
                    "senderAddress": "String",
                    "action": "String",
                    "eventTime": "2015-11-16T14:49:18+0000",
                    "messageId": "String",
                    "policy": "String",
                    "route": "String",
                    "subject": "String",
                    "recipientAddress": "String"
                }
            ]
        }
    ]
}
meta object
| Field | Type | Description |
| --- | --- | --- |
| status | Number | The function level status of the request. |
data
| Field | Type | Description |
| --- | --- | --- |
| dlpLogs | dlpLogs Object | An object containing DLP log results |
dlpLogs Object
| Field | Type | Description |
| --- | --- | --- |
| senderAddress | String | Email address of the sender |
| recipientAddress | String | Email address of the recipient |
| subject | String | The message subject |
| eventTime | Date String | The timestamp of the DLP event in ISO 8601 date time format (e.g. 2011-12-03T10:15:30+0000). |
| route | String | The message direction. Possible values are inbound, outbound or internal. |
| policy | String | The name of the DLP or Content Examination configuration that the message triggered. |
| action | String | The action taken against the message. |
| messageId | String | The message-id value of the message. |
Sample Code
Sample code is provided to demonstrate how to use the API and is not representative of a production application. To use the sample code, complete the required variables as described, populate the desired values in the request body, and execute in your favorite IDE. Please see the Global Base URL's page to find the correct base URL to use for your account.
POST {base_url}/api/dlp/get-logs
Authorization: MC {accessKey}:{Base64 encoded signed Data To Sign}
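The following is an added example, not Mimecast's sample code: it builds the request body with the filter rules from the data table enforced locally, then tallies a response per policy, action and route so that a failed call is not read as "no DLP events". The function names, the from/to ordering check and the sample response are assumptions made for illustration; sending the request and building the Authorization header are left out.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Allowed values copied from the request-body table on this page.
ROUTES = {"inbound", "outbound", "internal"}
SEARCH_FIELDS = {"senderAddress", "recipientAddress", "subject", "policy", "all"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S%z"  # renders as 2015-11-16T14:49:18+0000


def build_body(start, end, routes=(), search_field=None, query=None, oldest_first=False):
    """Build the get-logs JSON body, rejecting filters the table does not allow."""
    if start.tzinfo is None or end.tzinfo is None or start > end:
        raise ValueError("from/to must be timezone-aware and in order")
    if set(routes) - ROUTES:
        raise ValueError(f"unknown routes: {sorted(set(routes) - ROUTES)}")
    if search_field is not None and search_field not in SEARCH_FIELDS:
        raise ValueError(f"unknown searchField: {search_field}")
    if search_field is not None and not query:
        raise ValueError("query is required when searchField is present")
    item = {"from": start.strftime(TS_FORMAT), "to": end.strftime(TS_FORMAT),
            "oldestFirst": oldest_first}
    optional = {"routes": list(routes), "searchField": search_field, "query": query}
    item.update({k: v for k, v in optional.items() if v})
    return {"data": [item]}


def summarize(response):
    """Count events per (policy, action, route); raise if the call did not succeed."""
    if response.get("meta", {}).get("status") != 200 or response.get("fail"):
        raise RuntimeError(f"get-logs failed: {response.get('fail')}")
    counts = Counter()
    for block in response.get("data", []):
        for log in block.get("dlpLogs", []):
            counts[(log["policy"], log["action"], log["route"])] += 1
    return counts


# Constructed sample response in the documented shape (not real Mimecast data).
SAMPLE = json.loads("""{"fail": [], "meta": {"status": 200}, "data": [{"dlpLogs": [
  {"senderAddress": "a@example.com", "recipientAddress": "x@example.org", "route": "outbound",
   "subject": "Q3 numbers", "eventTime": "2015-11-16T14:49:18+0000", "action": "hold",
   "messageId": "<1@example.com>", "policy": "Card numbers"},
  {"senderAddress": "b@example.com", "recipientAddress": "y@example.org", "route": "outbound",
   "subject": "Invoice", "eventTime": "2015-11-16T15:02:41+0000", "action": "hold",
   "messageId": "<2@example.com>", "policy": "Card numbers"}]}]}""")

if __name__ == "__main__":
    day = datetime(2015, 11, 16, tzinfo=timezone.utc)
    print(json.dumps(build_body(day, day.replace(hour=23), routes=["outbound"])))
    print(summarize(SAMPLE))
```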