This endpoint can be used to get messages containing information flagged by an Impersonation Protection configuration.
Pre-requisites
In order to successfully use this endpoint the logged in user must be a Mimecast administrator with at least the Monitoring | Impersonation Protection | Read permission.
URI
To use this endpoint you send a POST request to:
/api/ttp/impersonation/get-logs
Request Headers
The following request headers must be included in your request:
Field
Description
Authorization
Please see the Authorization guide for more information on building the Authorization header.
x-mc-req-id
A randomly generated GUID, for example,
8578FCFC-A305-4D9A-99CB-F4D5ECEFE297
x-mc-app-id
The Application ID provided with your Registered API Application.
x-mc-date
The current date and time in the following format, for example,
Tue, 24 Nov 2015 12:50:11 UTC
Request Body
{
"meta": {
"pagination": {
"pageSize": Number,
"pageToken": "String"
}
},
"data": [
{
"oldestFirst": False,
"taggedMalicious": True,
"searchField": "String",
"identifiers": [
"Array of String"
],
"query": "String",
"from": "2016-10-01T14:49:18+0000",
"to": "2017-10-13T23:59:59+0000",
"actions": [
"Array of String"
]
}
]
}
meta
Field
Type
Required
Description
pagination
Object
Optional
An object defining paging options for the request.
Paginiation Object
Field
Type
Required
Description
pageSize
Number
Optional
The number of results to request.
pageToken
String
Optional
The value of the 'next' or 'previous' fields from an earlier request.
data
Field
Type
Required
Description
oldestFirst
Boolean
Optional
Default false. Orders results with the most recent first.
taggedMalicious
Boolean
Optional
Filters for messages tagged malicious (true) or not tagged malicious (false). Omit for no tag filtering.
searchField
String
Optional
The field to search, must be one of: senderAddress, recipientAddress, subject, policy, or all (meaning all of the preceding fields). Defaults to all if a search string is provided.
identifiers
Array of String
Optional
Filters logs by identifiers, can include any of newly_observed_domain, internal_user_name, reply_address_mismatch, and targeted_threat_dictionary.
query
String
Optional
Required if searchField is not null. A character string to search for in the logs.
from
Date String
Optional
Start date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is the start of the current day.
to
Date String
Optional
End date of logs to return in the following format 2015-11-16T14:49:18+0000. Default is time of request.
actions
Optional
Array of String
An array of actions to filter by. Can include any of: hold, bounce, and/or none.
Response
{
"fail": [],
"meta": {
"status": Number,
"pagination": {
"pageSize": Number,
"next": "String",
"totalCount": Number
}
},
"data": [
{
"impersonationLogs": [
{
"hits": Number,
"taggedMalicious": Boolean,
"senderIpAddress": "String",
"senderAddress": "String",
"subject": "String",
"identifiers": [
"Array of String"
],
"eventTime": "Date String",
"action": "String",
"definition": "String",
"id": "String",
"recipientAddress": "String",
"taggedExternal": Boolean,
"impersonationResults": [
{
"impersonationDomainSource": "String",
"stringSimilarToDomain": "String"
}
],
"messageId": "String"
}
]
}
]
}
meta object
Field
Type
Description
status
Number
The function level status of the request.
pagination
Object
An object containing paging information.
Pagination object
Field
Type
Description
pageSize
Number
The number of results requested.
next
String
A pageToken value that can be used to request the next page of results. Only returned if there are more results to return.
previous
String
A pageToken value that can be used to request the previous page of results. Only returned if there is a previous page.
totalCount
Number
The total number of IMPERSONATION log lines found for the request (regardless of the page size).
data array
Field
Type
Description
impersonationLogs
Object
An object describing the log event
impersonationLogs Object
Field
Type
Description
hits
Number
The number of identifiers that the message triggered.
taggedMalicious
Boolean
Whether the message was tagged as malicious.
senderIpAddress
String
The source IP address of the message.
senderAddress
String
The email address of the sender of the message.
Subject
String
The subject of the email.
identifiers
Array of String
The properties of the message that triggered the action: similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, and/or targeted_threat_dictionary.
eventTime
Date String
The time at which the log was recorded.
action
String
The action triggered by the email.
definition
String
The name of the policy definition that triggered the log.
id
String
A token that can be used to retrieve this log again.
recipientAddress
String
The email address of the recipient of the email.
taggedExternal
Boolean
Whether the message was tagged as coming from an external address.
impersonationResults
impersonationResults Object
An array of objects containing details about the message's impersonation triggers.
messageId
String
The message-id of the identified message.
impersonationResults Object
Field
Type
Description
impersonationDomainSource
String
The trigged impersionation type. Response will be one of: similar_internal_domain, newly_observed_domain, internal_user_name, reply_address_mismatch, targeted_threat_dictionary, custom_external_domain, mimecast_external_domain, advanced_similar_internal_domain, advanced_custom_external_domain, advanced_mimecast_external_domain, custom_name_list.
stringSimilarToDomain
String
The string that is suspiciously similar to a known value within the Mimecast configuration. Multiple triggers will be comma-separated.
similarDomain
String
The known value within the Mimecast configuration that was matched against. Multiple triggers will be comma-separated.
fail array
When a request is successful the fail array will be empty.
Field
Type
Description
errors
Array of error objects
An array of error objects describing the error returned from the API.
errors object
Field
Type
Description
message
String
The error message.
code
String
The Mimecast code associated with the error.
retryable
Boolean
If the error is retryable
Sample Code
Sample code is provided to demonstrate how to use the API and is not representative of a production application. To use the sample code; complete the required variables as described, populate the desired values in the request body, and execute in your favorite IDE. Please see the Global Base URL's page to find the correct base URL to use for your account.
POST {base_url}/api/ttp/impersonation/get-logs
Authorization: MC {accesskKey}:{Base64 encoded signed Data To Sign}