This endpoint can be used to get messages containing information flagged by an Impersonation Protection configuration.
Pre-requisites
To use this endpoint successfully, the logged-in user must be a Mimecast administrator with at least the Monitoring | Impersonation Protection | Read permission.
URI
To use this endpoint you send a POST request to:
/api/ttp/impersonation/get-logs
Request Headers
The following request headers must be included in your request:

| Field | Description |
| --- | --- |
| Authorization | Please see the Authorization guide for more information on building the Authorization header. |
| x-mc-req-id | A randomly generated GUID, for example, 8578FCFC-A305-4D9A-99CB-F4D5ECEFE297 |
| x-mc-app-id | The Application ID provided with your Registered API Application. |
| x-mc-date | The current date and time in the following format, for example, |

An object defining paging options for the request.
Pagination Object

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| pageSize | Number | Optional | The number of results to request. |
| pageToken | String | Optional | The value of the 'next' or 'previous' fields from an earlier request. |

data

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| oldestFirst | Boolean | Optional | Default false. Orders results with the most recent first. |
| taggedMalicious | Boolean | Optional | Filters for messages tagged malicious (true) or not tagged malicious (false). Omit for no tag filtering. |
| searchField | String | Optional | The field to search, must be one of: senderAddress, recipientAddress, subject, policy, or all (meaning all of the preceding fields). Defaults to all if a search string is provided. |
| identifiers | Array of String | Optional | Filters logs by identifiers, can include any of newly_observed_domain, internal_user_name, reply_address_mismatch, and targeted_threat_dictionary. |
| query | String | Optional | Required if searchField is not null. A character string to search for in the logs. |
| from | Date String | Optional | Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day. |
| to | Date String | Optional | End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request. |
| actions | Array of String | Optional | An array of actions to filter by. Can include any of: hold, bounce, and/or none. |

A pageToken value that can be used to request the next page of results. Only returned if there are more results to return.
previous
String
A pageToken value that can be used to request the previous page of results. Only returned if there is a previous page.
totalCount
Number
The total number of IMPERSONATION log lines found for the request (regardless of the page size).
data array

| Field | Type | Description |
| --- | --- | --- |
| impersonationLogs | Object | An object describing the log event |

impersonationLogs Object

| Field | Type | Description |
| --- | --- | --- |
| hits | Number | The number of identifiers that the message triggered. |
| taggedMalicious | Boolean | Whether the message was tagged as malicious. |
| senderIpAddress | String | The source IP address of the message. |
| senderAddress | String | The email address of the sender of the message. |
| Subject | String | The subject of the email. |
| identifiers | Array of String | The properties of the message that triggered the action: similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, and/or targeted_threat_dictionary. |
| eventTime | Date String | The time at which the log was recorded. |
| action | String | The action triggered by the email. |
| definition | String | The name of the policy definition that triggered the log. |
| id | String | A token that can be used to retrieve this log again. |
| recipientAddress | String | The email address of the recipient of the email. |
| taggedExternal | Boolean | Whether the message was tagged as coming from an external address. |
| impersonationResults | impersonationResults Object | An array of objects containing details about the message's impersonation triggers. |
| messageId | String | The message-id of the identified message. |

impersonationResults Object

| Field | Type | Description |
| --- | --- | --- |
| impersonationDomainSource | String | The triggered impersonation type. Response will be one of: similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, targeted_threat_dictionary, custom_external_domain, mimecast_external_domain, advanced_similar_internal_domain, advanced_custom_external_domain, advanced_mimecast_external_domain, custom_name_list. |
| stringSimilarToDomain | String | The string that is suspiciously similar to a known value within the Mimecast configuration. Multiple triggers will be comma-separated. |
| similarDomain | String | The known value within the Mimecast configuration that was matched against. Multiple triggers will be comma-separated. |

fail array
When a request is successful the fail array will be empty.

| Field | Type | Description |
| --- | --- | --- |
| errors | Array of error objects | An array of error objects describing the error returned from the API. |

errors object

| Field | Type | Description |
| --- | --- | --- |
| message | String | The error message. |
| code | String | The Mimecast code associated with the error. |
| retryable | Boolean | Whether the error is retryable. |

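The following is an added example, not Mimecast's sample code: it pages through results by following the `next` pageToken, stops on a non-empty fail array, and splits the comma-separated `stringSimilarToDomain` / `similarDomain` values into per-trigger pairs for triage. It assumes the response carries `meta`, `data` and `fail` at the top level and that the two comma-separated lists line up positionally; `fetch_page`, `fake_fetch`, `PAGES` and all sample addresses are hypothetical and constructed.

```python
from itertools import zip_longest

def api_errors(resp):
    """Flatten the fail array into (code, message, retryable) tuples."""
    return [(e.get("code"), e.get("message"), e.get("retryable"))
            for f in resp.get("fail", []) for e in f.get("errors", [])]

def trigger_pairs(log):
    """Pair each suspicious string with the configured value it resembled."""
    split = lambda v: [s.strip() for s in (v or "").split(",") if s.strip()]
    pairs = []
    for res in log.get("impersonationResults", []):
        seen, known = split(res.get("stringSimilarToDomain")), split(res.get("similarDomain"))
        for s, k in zip_longest(seen, known, fillvalue=""):  # assumed positional alignment
            pairs.append((res.get("impersonationDomainSource"), s, k))
    return pairs

def collect_logs(fetch_page, query, page_size=25, max_pages=100):
    """Follow the 'next' pageToken until it is absent; raise on any API error."""
    logs, token = [], None
    for _ in range(max_pages):  # hard cap so a repeating token cannot loop forever
        paging = {"pageSize": page_size, **({"pageToken": token} if token else {})}
        resp = fetch_page({"meta": {"pagination": paging}, "data": [query]})
        if api_errors(resp):
            raise RuntimeError(f"get-logs failed: {api_errors(resp)}")
        for item in resp.get("data", []):
            entry = item.get("impersonationLogs", [])
            logs.extend(entry if isinstance(entry, list) else [entry])
        token = resp.get("meta", {}).get("pagination", {}).get("next")
        if not token:
            break
    return logs

# Constructed two-page response set (not real data) standing in for the live API.
PAGES = {
    None: {"meta": {"pagination": {"next": "tok-2", "totalCount": 2}}, "fail": [],
           "data": [{"impersonationLogs": [{
               "senderAddress": "ceo@examp1e.test", "action": "hold",
               "impersonationResults": [{
                   "impersonationDomainSource": "similar_internal_domain",
                   "stringSimilarToDomain": "examp1e.test, exarnple.test",
                   "similarDomain": "example.test, example.test"}]}]}]},
    "tok-2": {"meta": {"pagination": {"previous": "tok-1", "totalCount": 2}}, "fail": [],
              "data": [{"impersonationLogs": [{
                  "senderAddress": "it@partner.test", "action": "none", "impersonationResults": []}]}]},
}

def fake_fetch(body):  # hypothetical transport: returns the constructed page for the token sent
    return PAGES[body["meta"]["pagination"].get("pageToken")]
```

In real use, `fetch_page` would wrap a signed POST to /api/ttp/impersonation/get-logs and return the parsed JSON body.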
Sample Code
Sample code is provided to demonstrate how to use the API and is not representative of a production application. To use the sample code, complete the required variables as described, populate the desired values in the request body, and execute in your favorite IDE. Please see the Global Base URLs page to find the correct base URL to use for your account.
```http
POST {base_url}/api/ttp/impersonation/get-logs
Authorization: MC {accessKey}:{Base64 encoded signed Data To Sign}
x-mc-date: {dateTime}
x-mc-req-id: {unique id}
x-mc-app-id: {applicationId}
Content-Type: application/json
Accept: application/json

{
  "meta": {
    "pagination": {
      "pageSize": 25,
      "pageToken": "String"
    }
  },
  "data": [
    {
      "oldestFirst": false,
      "taggedMalicious": true,
      "searchField": "String",
      "identifiers": [
        "Array of String"
      ],
      "query": "String",
      "from": "2016-10-01T14:49:18+0000",
      "to": "2017-10-13T23:59:59+0000",
      "actions": [
        "Array of String"
      ]
    }
  ]
}
```
```python
import base64
import datetime
import hashlib
import hmac
import json
import uuid

import requests

# Setup required variables
base_url = "https://xx-api.mimecast.com"
uri = "/api/ttp/impersonation/get-logs"
url = base_url + uri
access_key = "YOUR ACCESS KEY"
secret_key = "YOUR SECRET KEY"
app_id = "YOUR APPLICATION ID"
app_key = "YOUR APPLICATION KEY"

# Generate request header values
request_id = str(uuid.uuid4())
hdr_date = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S") + " UTC"

# DataToSign is hdrDate + ":" + requestId + ":" + URI + ":" + appKey
dataToSign = ':'.join([hdr_date, request_id, uri, app_key])

# Compute the HMAC SHA1 of DataToSign, keyed with the Base64 decoded secret key
hmac_sha1 = hmac.new(base64.b64decode(secret_key), dataToSign.encode(), digestmod=hashlib.sha1).digest()

# Base64 encode the HMAC SHA1 value to form the signature for the Authorization header
sig = base64.b64encode(hmac_sha1).rstrip()

# Create request headers
headers = {
    'Authorization': 'MC ' + access_key + ':' + sig.decode(),
    'x-mc-app-id': app_id,
    'x-mc-date': hdr_date,
    'x-mc-req-id': request_id,
    'Content-Type': 'application/json'
}

payload = {
    "meta": {
        "pagination": {
            "pageSize": 25,
            "pageToken": "ENTER PAGE TOKEN OR REMOVE FIELD"
        }
    },
    "data": [
        {
            "oldestFirst": False,
            "taggedMalicious": True,
            "searchField": "String",
            "identifiers": [
                "Array of String"
            ],
            "query": "String",
            "from": "2016-10-01T14:49:18+0000",
            "to": "2017-10-13T23:59:59+0000",
            "actions": [
                "Array of String"
            ]
        }
    ]
}

# Serialize the body as JSON; str(payload) would send a Python repr, which is not valid JSON
r = requests.post(url=url, headers=headers, data=json.dumps(payload))
print(r.text)
```
```csharp
class Program
{
    static void Main(string[] args)
    {
        //Setup required variables
        string baseUrl = "https://xx-api.mimecast.com";
        string uri = "/api/ttp/impersonation/get-logs";
        string accessKey = "YOUR ACCESS KEY";
        string secretKey = "YOUR SECRET KEY";
        string appId = "YOUR APPLICATION ID";
        string appKey = "YOUR APPLICATION KEY";

        //Generate request header values
        string hdrDate = System.DateTime.Now.ToUniversalTime().ToString("R");
        string requestId = System.Guid.NewGuid().ToString();

        //Create the HMAC SHA1 instance, keyed with the Base64 decoded secret key
        System.Security.Cryptography.HMAC h = new System.Security.Cryptography.HMACSHA1(System.Convert.FromBase64String(secretKey));

        //Use the HMAC SHA1 to sign hdrDate + ":" + requestId + ":" + URI + ":" + appKey
        byte[] hash = h.ComputeHash(System.Text.Encoding.Default.GetBytes(hdrDate + ":" + requestId + ":" + uri + ":" + appKey));

        //Build the signature to be included in the Authorization header in your request
        string signature = "MC " + accessKey + ":" + System.Convert.ToBase64String(hash);

        //Build Request
        System.Net.HttpWebRequest request = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(baseUrl + uri);
        request.Method = "POST";
        request.ContentType = "application/json";

        //Add Headers
        request.Headers[System.Net.HttpRequestHeader.Authorization] = signature;
        request.Headers.Add("x-mc-date", hdrDate);
        request.Headers.Add("x-mc-req-id", requestId);
        request.Headers.Add("x-mc-app-id", appId);

        //Add request body (JSON booleans must be lowercase)
        string postData = @"{
            ""meta"": {
                ""pagination"": {
                    ""pageSize"": 25,
                    ""pageToken"": ""ENTER PAGE TOKEN OR REMOVE FIELD""
                }
            },
            ""data"": [
                {
                    ""oldestFirst"": false,
                    ""taggedMalicious"": true,
                    ""searchField"": ""String"",
                    ""identifiers"": [
                        ""Array of String""
                    ],
                    ""query"": ""String"",
                    ""from"": ""2016-10-01T14:49:18+0000"",
                    ""to"": ""2017-10-13T23:59:59+0000"",
                    ""actions"": [
                        ""Array of String""
                    ]
                }
            ]
        }";

        //Create and write data to stream
        byte[] payload = System.Text.Encoding.UTF8.GetBytes(postData);
        System.IO.Stream stream = request.GetRequestStream();
        stream.Write(payload, 0, payload.Length);
        stream.Close();

        //Send Request
        System.Net.HttpWebResponse response = (System.Net.HttpWebResponse)request.GetResponse();

        //Output response to console
        System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream());
        string responseBody = "";
        string temp = null;
        while ((temp = reader.ReadLine()) != null)
        {
            responseBody += temp;
        }
        System.Console.WriteLine(responseBody);
        System.Console.ReadLine();
    }
}
```