Retrieves quarantine events of the services that Cloud Email and Collaboration
Protection
protects.
HTTPS Request
GET https://<serviceURL>/v1/siem/quarantine_events
Request Parameters
ImportantThe request must contain the required parameters.
|
Parameter
|
Description
|
Required Parameter
|
|
service |
Name of the protected service whose quarantine events you want to retrieve.
Currently, the value must be exchange.
|
Optional Parameter
|
|
start
end |
Start and end time during which quarantine events are to retrieve. Format: ISO
8601 timestamp to the second or millisecond in UTC,
yyyy-mm-ddThh:mm:ss[.mmm]Z. For example,
2016-07-22T01:51:31Z or
2016-07-22T01:51:31.001Z.
The request retrieves quarantine evens within a maximum of 7 days before the
point of time when the request is sent according to the
start and
end settings:
|
limit |
Number of quarantine events to display at a time. A maximum of 500 quarantine
events are allowed.
If not specified, the value is set to 500 by default.
If the total quarantine events requested exceed the specified limit, a URL is
provided in the next_link field in the response. Use this
URL to form a second request to retrieve the remaining quarantine events for the
previous request. Repeat this until all quarantine events for the first request
are obtained.
|
Request Example
Example 1: retrieve all quarantine events of Exchange Online within five minutes before
the
point of time when the request is
sent
GET https://api.tmcas.trendmicro.com/v1/siem/quarantine_events?service=exchange Authorization: Bearer 1de231142eef3f83928da98dc251fbebb6cafed4
Example 2: retrieve quarantine events of Exchange Online from 2018-09-23 03:35:07.000
to
2018-09-25 05:47:07:000 (UTC), with the number of events to display at a time being
10
-
GET https://api.tmcas.trendmicro.com/v1/siem/quarantine_events?service=exchange& start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10 Authorization: Bearer 1de231142eef3f83928da98dc251fbebb6cafed4
-
If the total quarantine events requested exceed 10, use the URL in the next_link field in the response to form a second request as:
GET https://api.tmcas.trendmicro.com/v1/siem/quarantine_events?service=exchange& start=2018-09-23T03:35:07.000Z&end=2018-09-25T05:47:07.000Z&limit=10&page_id=<randomly generated value>= Authorization: Bearer 1de231142eef3f83928da98dc251fbebb6cafed4
Response
On success, the service sends back an HTTP 200 response and returns a response body
in JSON
format; otherwise, the service sends back an error message in JSON format with error
details. For more information about errors, see API responses.
Response Example for Exchange Online
HTTP/1.1 200 Content-Type: application/json { "traceId": "ff20f32e-3bb2-4102-84d1-62f92c415901", "current_link": "https://api.tmcas.trendmicro.com/v1/siem/quarantine_events?service=exchange", "next_link": "", "last_log_item_generation_time": "2021-10-26T01:48:36.687Z", "quarantine_events": [ { "service": "Exchange Online", "message": { "affected_user": "username@example.com", "mailbox": "username@example.com", "detection_time": "2021-10-25T09:51:26.697Z", "mail_unique_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AJUMWJ_w_F0WJ1OxbHWzuuAABMEsyEwAA", "mail_log_id": "1d9f27ea-3579-11ec-8159-00224809f763", "mail_message_id": "<HK0PR02MB3698C584C7E6844016D0455C98839@HK0PR02MB3698.apcprd02.prod.outlook.com>", "mail_message_delivery_time": "2021-10-25T09:51:00.000Z", "mail_message_sender": "username@example.com", "mail_message_recipient": [ "castest2@ewdevnew.onmicrosoft.com" ], "mail_message_subject": "FW: mitigation restore test 1025 1009", "mail_status": "Quarantined", "location": "username@example.com\\Sent Items", "mail_quarantine_type": "Quarantine", "triggered_security_filter": "File Blocking", "security_risk_name": "mitigation", "threat_type": "Phishing" } }, { "service": "Exchange Online", "message": { "affected_user": "username@example.com", "mailbox": "username@example.com", "detection_time": "2021-10-26T01:48:36.687Z", "mail_unique_id": "AAkALgAAAAAAHYQDEapmEc2byACqAC-EWg0AJUMWJ_w_F0WJ1OxbHWzuuAABMEt6hwAA", "mail_log_id": "d485296b-35fe-11ec-8159-00224803dc63", "mail_message_id": "<HK0PR02LK36982A5C844MD294E01BCFE198849@skzafjdshlmjdls.fdsafda.prod.outlook.com>", "mail_message_delivery_time": "2021-10-26T01:48:00.000Z", "mail_message_sender": "username@example.com", "mail_message_recipient": [ "castest2@ewdevnew.onmicrosoft.com" ], "mail_message_subject": "FW: mitigation restore test 1026 0948", "mail_status": "Quarantined", "location": "username@example.com\\Sent Items", "mail_quarantine_type": "Quarantine", "triggered_security_filter": "File Blocking", "security_risk_name": "mitigation", "threat_type": "Phishing" } } ] }
Response Example for Exchange Online (Inline Mode)
Response Fields
The following table describes the available fields for the response body. For more
information about quarantine event related fields, see Quarantine in
the Cloud Email and Collaboration
Protection Online Help.
NoteAll time-related fields in the table are set to Coordinated Universal Time (UTC).
|
Field
|
Data Type
|
Description
|
||
current_link |
String
|
URL in the current request
|
||
next_link |
String
|
URL for the follow-up request if the requested quarantine events exceed the
specified limit to display at a time. Use this URL to form a second request to
retrieve the remaining quarantine events for the previous request. Repeat this
until all quarantine events for the first request are obtained.
|
||
last_log_item_generation_time |
ISO 8601 timestamp
|
Date and time when the last quarantine event in the current request was
generated, that is, the detection_time of the last
quarantine event in the current request
|
||
quarantine_events |
JSON array
|
Details of the requested quarantine event
|
||
quarantine_events/service |
String
|
Name of the requested service
The value options are as follows:
|
||
quarantine_events/message |
JSON array
|
Details of one quarantine event
|
||
quarantine_events/message/affected_user |
String
|
Mailbox that received an email message triggering the quarantine event, or user
account that uploaded or modified a file triggering the quarantine event
|
||
quarantine_events/message/mailbox |
String
|
Email address of an email message
|
||
quarantine_events/message/detection_time |
ISO 8601 timestamp
|
Date and time when the quarantine event is detected
|
||
quarantine_events/message/mail_unique_id |
String
|
Unique ID of an email message
|
||
quarantine_events/message/mail_log_id |
String
|
ID that uniquely identifies a quarantine event
|
||
quarantine_events/message/mail_message_id |
String
|
ID of the email message that triggered the quarantine event
|
||
quarantine_events/message/mail_message_delivery_time |
ISO 8601 timestamp
|
Date and time when the email message was sent
|
||
quarantine_events/message/mail_message_sender |
String
|
Email address of the sender
|
||
quarantine_events/message/mail_message_recipient |
Array
|
Email address(es) of the recipient(s)
|
||
quarantine_events/message/mail_message_subject |
String
|
Subject of the email message that triggered the quarantine event
|
||
quarantine_events/message/action_source |
String
|
Indicates that the email message is quarantined through the Mitigation API. The
value is API.
|
||
quarantine_events/message/mail_status |
String
|
Email status
|
||
quarantine_events/message/location |
String
|
Location where the quarantine event was detected
|
||
quarantine_events/message/triggered_security_filter |
String
|
Name of the security filter that detected the security event
|
||
quarantine_events/message/security_risk_name |
String
|
Name of the security risk detected
|
||
quarantine_events/message/mail_quarantine_type |
String
|
The value is quarantine.
|
||
quarantine_events/message/threat_type |
String
|
Threat type detected in the security event
|
||
quarantine_events/message/mail_blob_path |
String
|
Path of the blob for storing the email.
|
||
quarantine_events/message/mail_backup_blob_path |
String
|
Path of the backup blob for storing the email.
|
||
quarantine_events/message/mail_message_direction |
String
|
Mail direction, indicating whether the email is inbound or outbound message
|