MailDetailDlpPolicy report

The MailDetailDlpPolicy REST URI provides details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages. The start and end date/time of the report can be specified in the request.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailDlpPolicy[?ODATA options]

The following fields can be specified in $select, $filter and $orderby ODATA2 query options. All fields are returned if no $select option is provided.

Name

WCF Type*

EDM Type*

[In/Out]** Description

Example values

Added in service version

Action

string

None specified

[In/Out] Description of the action taken on the message, if any. This field may be blank, or null if no action was performed. For information about valid Action values, see MailFilterList report.

SetSpamConfidenceLevel, RejectMessage

2013-V1

Date

System.DateTime

Edm.DateTime

[In/Out] The date and time the message was processed.

Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")

2013-V1

Direction

string

None specified

[In/Out] Specifies whether the email message was being sent into (Inbound) or out from (Outbound) the organization when it was processed.

Values are restricted to Inbound and Outbound.

2013-V1

DlpPolicy

string

None specified

[In/Out] The name of the DLP policy that was applied to the message. For information about valid DlpPolicy values, see MailFilterList report.

Financial Data Detection, HIPAA Detection, PII Detection

2013-V1

Domain

string

Not specified

[In/Out] The fully qualified domain name that was processing the email message.

example.onmicrosoft.com

2013-V1

EndDate

System.DateTime

Edm.DateTime

[In] This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate.

Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")

2013-V1

EventType

string

None specified

[In/Out] The type of scanning event logged. For information about valid EventType values, see MailFilterList report.

SpamContentFiltered, SpamIPBlock

2013-V1

Justification

string

None specified

[In/Out] The text justification for the event performed on the message. This value is set by the administrator when they create the DLP policy.

HIPAA compliance

2013-V1

MessageId

string

None specified

[In/Out] The Internet MessageID header of the message, if one was supplied. This value can also be explicitly null.

If no ID was provided for the message, the report data will show <d:MessageId m:null="true" /> for Atom, and "MessageId":null for JSON.

2013-V1

MessageSize

int

Edm.Int64

[In/Out] The message size in bytes.

130840

2013-V1

MessageTraceId

System.Guid

Edm.Guid

[In/Out] An identifier used to get the detailed message transfer trace information. The internal format of the MessageTraceId field should be considered opaque, as the format may change. For more information about message tracing, see MessageTrace report.

ae4ad8f6-7613-411c-e67e-08cfc740629

2013-V1

Organization

string

None specified

[In/Out] The fully qualified domain name that was processing the email message.

example.onmicrosoft.com

2013-V1

RecipientAddress

string

None specified

[In/Out] The SMTP email address of the user that the message was addressed to.

userone@example.onmicrosoft.com

2013-V1

SenderAddress

string

None specified

[In/Out] The SMTP email address of the user the message was from.

usertwo@example.onmicrosoft.com

2013-V1

SensitiveInformationConfidence

int

Edm.Int64

[In/Out] The integer confidence rating that the sensitive-information detection algorithms assigned to this message, from 1 (low confidence) to 10 (high confidence).

5

2013-V1

SensitiveInformationCount

int

Edm.Int64

[In/Out] The number of instances of sensitive information detected in the message.

12

2013-V1

SensitiveInformationType

string

None specified

Text string indicating the type of sensitive information detected in the message. These value are defined in the DLP policy rule.

Credit Card, SSN, EIN

2013-V1

StartDate

System.DateTime

Edm.DateTime

[In] This field is used to limit the report period. Use this field in a $filter query option to set the start date and time of the reporting period. If you provide a StartDate in the $filter option, you must also specify and EndDate.

Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")

2013-V1

Subject

string

None specified

[In/Out] The subject line of the message, if one was present on the message.

Free M0ney WoN!

2013-V1

TransportRule

string

None specified

The name of the Exchange transport rule executed in the processing step. For information about valid TransportRule values, see MailFilterList report.

PII Detction

2013-V1

UserAction

string

None specified

The action the moderator or administrator performed on the message.

Override, False Positive

2013-V1

*WCF Type refers to the .NET Framework data type assigned to the field when you create a Windows Communications Framework (WCF) Service Reference in Visual Studio. The EDM Type refers to the ADO.NET Entity Data Model (EDM) types returned in Atom-formatted reports.

**[In/Out]: see the Input parameters and report output columns section.

Each entry in the report includes several fields of metadata. For more information, see Common metadata returned by the Office 365 Reporting web service.

The Date field indicates when the messages were handled by the Office 365 system, and are reported in the time zone of those servers.

Using StartDate and EndDate

The StartDate and EndDate fields do not provide useful information in the report results, and are always set to 0001-01-01T00:00:00Z in the report output. They are intended to enable easy restriction of the reporting time window, and provide finer precision than would be available in a "daily" report.

This can be especially helpful, for example, when recording email DLP policy and rule processing activity on an hourly basis. When using these fields, you must include both StartDate and EndDate fields in the $filter option. They are both considered optional, but if you provide one, you have to provide the other. If the StartDate/EndDate pair are not provided in the query, the default reporting time period is the previous two weeks.

No examples are provided for this report at this time.

The [In/Out] indicators in the fields table have the following meanings:

  • Fields marked [In] in the fields table are primarily intended for use in $filter=, $orderby= and other query options that restrict which entries the report returns. Fields marked [In] in the fields table can be included the $select= option, and they will appear in the report entries, but they will contain no useful data.

  • Fields marked [In/Out] in the fields table can be used in both column selection ($select=) and entry restriction ($filter= and $orderby=) options. When you include one of these fields in the $select= option, they will appear in the report entries, and will contain useful data when it is available.

The MailDetailDlpPolicy report was introduced in Office 365 service version 2013-V1. For more information about versioning, see Versioning in the Office 365 Reporting web service.

The MailDetailDlpPolicy report returns the same information as the Get-MailDetailDlpPolicyReport Windows PowerShell cmdlet.

The account you access the reports from must have administrative permissions in that Office 365 organization. If the account can view this report in the Office 365 control panel, then the account has permissions to retrieve the data from the REST web service. This report requires the user to be assigned to the View-Only Recipients Role. In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator.

Information available in this report contains the exact date and time for each event. You can use any feasible time-period and duration by including the StartDate and EndDate fields in the $filter option. Times are reported in the time zone of the server scanning the email.

The information for this report is available for a period of 7 days, or until the subscription is cancelled.

Events may be delayed by up to 24 hours before they appear in a report.

Show:
© 2014 Microsoft