Retrieves policy event logs that meet specified criteria.
HTTP Request
GET https://<serviceURL>/api/v1/log/policyeventlog?[&domain=<domain>][&event=<event>][&start=<start>][&end=<end>][&limit=<limit>][&token=<token>]
Request Parameters
|
Parameter |
Required |
Description |
|---|---|---|
|
domain |
No |
Domain from which you want to retrieve policy event logs. If this parameter is not specified, the request retrieves the logs from all domains. |
|
direction |
No |
Direction of the logs that you want to retrieve. Options include:
|
|
event |
No |
General type of security event from which you want to retrieve policy event logs. Options include:
Each general event type in the request is mapped to one or more specific event types returned in the response. For more information about the mapping relationships, see Mapping Between Event Types in the Request and Response. If this parameter is not specified, the request retrieves the logs of all events. Important:
If you use this parameter in the request, specify one event type at a time. |
|
start end |
No |
Start and end time period to retrieve logs. Format: ISO 8601 timestamp to the second or millisecond in UTC, yyyy-mm-ddThh:mm:ss[.mmm]Z Example: 2016-07-22T01:51:31Z or 2016-07-22T01:51:31.001Z The request retrieves logs generated within a maximum of 72 hours before the request is sent according to the start and end settings:
|
|
limit |
No |
Maximum number of log items to return in each response. The default value is 500. If the total log items requested exceed the specified limit, a token is provided in the nextToken parameter in the response. Use this token to form a second request to retrieve the next set of log items. Repeat this until the nextToken parameter is not returned in a response. |
|
token |
No |
Use the value of nextToken returned in the previous response to retrieve the next set of log items. |
HTTP Request Example
GET https://<serviceURL>/api/v1/log/policyeventlog?domain=example.com&type=threat&start=2020-11-25T00:00:00Z&end=2020-11-25T23:59:59Z&limit=1&token=DKxIuQeL7Nq3aNgQtaaH2w== HTTP/1.1 Authorization: Basic c2FtcGxlOmZqZmo0OTBpNGpnaDAzM2dsajQzYXB3ZW1hMzEwdjEwamIxZ2lrM2oz Accept-Encoding: gzip
Response
On success, the service sends back an HTTP 200 response and returns a response body in JSON format; otherwise, the response body contains error details. For more information about errors, see API Response Codes.
|
Status Code |
Description |
|---|---|
|
200 |
Successful. The policy event logs are returned in the response body. |
The response body is an array of log objects in JSON format.
Response Example
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"nextToken":"Lu2XNNHim8CZpKoJEJKREAjmXh/VoNgdN+uQAm++Re58FzwrlUuCI6lb5iDncJua9jq3yQdyvMPOTYfsF9Pi/hYnZNb+hsiDE0BZm9wYYhUk87xgZrbcYMnC1tedtNk+G4TBWDX4LxpOvZ8aabecUQ==",
"logs": [
{
"timestamp": "2020-11-25T01:14:32.872Z",
"genTime": "2020-11-25T08:02:03Z",
"eventType": "Suspicious Objects",
"eventSubtype": "Suspicious URLs",
"domainName": "example.com",
"sender": "sender@example.com",
"headerFrom": "header_sender@example.com",
"recipients": [
"rcpt1@example.com",
"rcpt2@example.com"
],
"headerTo": [
"header_rcpt1@example.com",
"header_rcpt2@example.com"
],
"direction": "in",
"messageID": "<20200725033505.DC75B100860D8@example.com>",
"subject": "response sample",
"size": 6564,
"policyName": "test_policy: example.com: Virus",
"policyAction": "Bypass",
"details": "{\"urlInfo\":[{\"url\":\"https://mcusercontent.com/87564ad664ceeac44909ec631/images/a8730208-6096-404c-9dd6-1c61c47a2861.png);background-repeat:\",\"extractType\":\"body\"}]}"
}
]
}
Response Parameters
|
Name |
Type |
Description |
|---|---|---|
|
nextToken |
String |
Token string for the follow-up request if the total log items requested exceed the specified limit to retrieve at a time. Use this string to form a second request to retrieve the next set of log items. Repeat this until the NextToken parameter is not returned in a response. |
|
logs |
JSON array |
Overall information of the requested policy event log items. |
|
timestamp |
ISO 8601 timestamp |
Date and time when the security event was detected. |
|
genTime |
ISO 8601 timestamp |
Date and time when the policy event log was generated. |
|
eventType |
String |
Specific type of the security event. Each specific event type returned in the response is mapped to a general event type in the request. For more information about the mapping relationships, see Mapping Between Event Types in the Request and Response. |
|
eventSubtype |
String |
Subtype of the security event. |
|
domainName |
String |
Domain to which the email message belongs. |
|
sender |
String |
Email address of the sender in an SMTP session. |
|
headerFrom |
String |
Email address of the sender in the mail header. |
|
recipients |
String array |
Email address(es) of the recipient(s) in an SMTP session. |
|
headerTo |
String array |
Email address(es) of the recipient(s) in the mail header. |
|
direction |
String |
Direction of the email message that triggered the event. |
|
messageID |
String |
ID of the email message that triggered the event. |
|
subject |
String |
Subject of the email message that triggered the event. |
|
size |
Integer |
Size of the email message that triggered the event, in bytes. |
|
policyName |
String |
Name of the configured policy that was violated. |
|
policyAction |
String |
Action that Trend Micro Email Security took after detecting the event. |
|
details |
JSON object string |
Details of the policy event log items. Details are provided only for the following returned event types:
For more information, see Mapping Between Event Types in the Request and Response. |