Retrieves policy event logs that meet specified criteria.
HTTP Request
GET https://<serviceURL>/api/v1/log/policyeventlog?[&domain=<domain>][&event=<event>][&start=<start>][&end=<end>][&limit=<limit>][&token=<token>]
Request Parameters
|
Parameter
|
Required
|
Description
|
||
|
domain
|
No
|
Domain from which you want to retrieve policy event logs.
If this parameter is not specified, the request retrieves the logs from all
domains.
|
||
|
direction
|
No
|
Direction of the logs that you want to retrieve. Options include:
|
||
|
event
|
No
|
General type of security event from which you want to retrieve policy event logs.
Options include:
Each general event type in the request is mapped to one or more specific event
types returned in the response. For more information about the mapping
relationships, see Mapping Between Event Types in the Request
and Response.
If this parameter is not specified, the request retrieves the logs of all
events.
|
||
|
start
end
|
No
|
Start and end time period to retrieve logs.
Format: ISO 8601 timestamp to the second or millisecond in UTC,
yyyy-mm-ddThh:mm:ss[.mmm]Z
Example: 2016-07-22T01:51:31Z or
2016-07-22T01:51:31.001Z
The request retrieves logs generated within a maximum of 72 hours before the
request is sent according to the
start and end
settings:
|
||
|
limit
|
No
|
Maximum number of log items to return in each response.
The default value is 500.
If the total log items requested exceed the specified limit, a token is provided
in the
nextToken parameter in the response. Use this token to
form a second request to retrieve the next set of log items.Repeat this until the
nextToken parameter is not returned in
a response. |
||
|
token
|
No
|
Use the value of
nextToken returned in the previous response
to retrieve the next set of log items. |
HTTP Request Example
GET https://<serviceURL>/api/v1/log/policyeventlog?domain=example.com&type=threat&start=2020-11-25T00:00:00Z&end=2020-11-25T23:59:59Z&limit=1&token=DKxIuQeL7Nq3aNgQtaaH2w== HTTP/1.1 Authorization: Basic c2FtcGxlOmZqZmo0OTBpNGpnaDAzM2dsajQzYXB3ZW1hMzEwdjEwamIxZ2lrM2oz Accept-Encoding: gzip
Response
On success, the service sends back an HTTP 200 response and returns a response body
in JSON
format; otherwise, the response body contains error details. For more information
about
errors, see API Response Codes.
|
Status Code
|
Description
|
|
200
|
Successful.
The policy event logs are returned in the response body.
|
The response body is an array of log objects in JSON format.
Response Example
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
{
"nextToken":"Lu2XNNHim8CZpKoJEJKREAjmXh/VoNgdN+uQAm++Re58FzwrlUuCI6lb5iDncJua9jq3yQdyvMPOTYfsF9Pi/hYnZNb+hsiDE0BZm9wYYhUk87xgZrbcYMnC1tedtNk+G4TBWDX4LxpOvZ8aabecUQ==",
"logs": [
{
"timestamp": "2020-11-25T01:14:32.872Z",
"genTime": "2020-11-25T08:02:03Z",
"eventType": "Suspicious Objects",
"eventSubtype": "Suspicious URLs",
"domainName": "example.com",
"sender": "sender@example.com",
"headerFrom": "header_sender@example.com",
"recipients": [
"rcpt1@example.com",
"rcpt2@example.com"
],
"headerTo": [
"header_rcpt1@example.com",
"header_rcpt2@example.com"
],
"direction": "in",
"messageID": "<20200725033505.DC75B100860D8@example.com>",
"subject": "response sample",
"size": 6564,
"policyName": "test_policy: example.com: Virus",
"policyAction": "Bypass",
"details": "{\"urlInfo\":[{\"url\":\"https://mcusercontent.com/87564ad664ceeac44909ec631/images/a8730208-6096-404c-9dd6-1c61c47a2861.png);background-repeat:\",\"extractType\":\"body\"}]}"
}
]
}
Response Parameters
|
Name
|
Type
|
Description
|
|
nextToken
|
String
|
Token string for the follow-up request if the total log items requested exceed
the specified limit to retrieve at a time.
Use this string to form a second request to retrieve the next set of log
items.
Repeat this until the
NextToken parameter is not returned in
a response. |
|
logs
|
JSON array
|
Overall information of the requested policy event log items.
|
|
timestamp
|
ISO 8601 timestamp
|
Date and time when the security event was detected.
|
|
genTime
|
ISO 8601 timestamp
|
Date and time when the policy event log was generated.
|
|
eventType
|
String
|
Specific type of the security event.
Each specific event type returned in the response is mapped to a general event
type in the request. For more information about the mapping relationships, see
Mapping Between Event Types in the Request
and Response.
|
|
eventSubtype
|
String
|
Subtype of the security event.
|
|
domainName
|
String
|
Domain to which the email message belongs.
|
|
sender
|
String
|
Email address of the sender in an SMTP session.
|
|
headerFrom
|
String
|
Email address of the sender in the mail header.
|
|
recipients
|
String array
|
Email address(es) of the recipient(s) in an SMTP session.
|
|
headerTo
|
String array
|
Email address(es) of the recipient(s) in the mail header.
|
|
direction
|
String
|
Direction of the email message that triggered the event.
|
|
messageID
|
String
|
ID of the email message that triggered the event.
|
|
subject
|
String
|
Subject of the email message that triggered the event.
|
|
size
|
Integer
|
Size of the email message that triggered the event, in bytes.
|
|
policyName
|
String
|
Name of the configured policy that was violated.
|
|
policyAction
|
String
|
Action that Trend Micro Email
Security took after detecting
the event.
|
|
details
|
JSON object string
|
Details of the policy event log items.
Details are provided only for the following returned event types:
For more information, see Mapping Between Event Types in the Request
and Response.
|