MailDetailDlpPolicy report

The MailDetailDlpPolicy REST URI provides details about the Exchange mail data loss prevention (DLP) policies and rules used in processing email messages. The start and end date/time of the report can be specified in the request.

Applies to: Office 365

REST URIs

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailDlpPolicy[?ODATA options]

Fields

The following fields can be specified in $select, $filter and $orderby ODATA2 query options. All fields are returned if no $select option is provided.

| Name | WCF Type* | EDM Type* | [In/Out]** Description | Example values | Added in service version |
|---|---|---|---|---|---|
| Action | string | None specified | [In/Out] Description of the action taken on the message, if any. This field may be blank, or null if no action was performed. For information about valid Action values, see MailFilterList report. | SetSpamConfidenceLevel, RejectMessage | 2013-V1 |
| Date | System.DateTime | Edm.DateTime | [In/Out] The date and time the message was processed. | Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") | 2013-V1 |
| Direction | string | None specified | [In/Out] Specifies whether the email message was being sent into (Inbound) or out from (Outbound) the organization when it was processed. | Values are restricted to Inbound and Outbound. | 2013-V1 |
| DlpPolicy | string | None specified | [In/Out] The name of the DLP policy that was applied to the message. For information about valid DlpPolicy values, see MailFilterList report. | Financial Data Detection, HIPAA Detection, PII Detection | 2013-V1 |
| Domain | string | Not specified | [In/Out] The fully qualified domain name that was processing the email message. | example.onmicrosoft.com | 2013-V1 |
| EndDate | System.DateTime | Edm.DateTime | [In] This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate. | Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") | 2013-V1 |
| EventType | string | None specified | [In/Out] The type of scanning event logged. For information about valid EventType values, see MailFilterList report. | SpamContentFiltered, SpamIPBlock | 2013-V1 |
| Justification | string | None specified | [In/Out] The text justification for the event performed on the message. This value is set by the administrator when they create the DLP policy. | HIPAA compliance | 2013-V1 |
| MessageId | string | None specified | [In/Out] The Internet MessageID header of the message, if one was supplied. This value can also be explicitly null. | If no ID was provided for the message, the report data will show <d:MessageId m:null="true" /> for Atom, and "MessageId":null for JSON. | 2013-V1 |
| MessageSize | int | Edm.Int64 | [In/Out] The message size in bytes. | 130840 | 2013-V1 |
| MessageTraceId | System.Guid | Edm.Guid | [In/Out] An identifier used to get the detailed message transfer trace information. The internal format of the MessageTraceId field should be considered opaque, as the format may change. For more information about message tracing, see MessageTrace report. | ae4ad8f6-7613-411c-e67e-08cfc740629 | 2013-V1 |
| Organization | string | None specified | [In/Out] The fully qualified domain name that was processing the email message. | example.onmicrosoft.com | 2013-V1 |
| RecipientAddress | string | None specified | [In/Out] The SMTP email address of the user that the message was addressed to. | userone@example.onmicrosoft.com | 2013-V1 |
| SenderAddress | string | None specified | [In/Out] The SMTP email address of the user the message was from. | usertwo@example.onmicrosoft.com | 2013-V1 |
| SensitiveInformationConfidence | int | Edm.Int64 | [In/Out] The integer confidence rating that the sensitive-information detection algorithms assigned to this message, from 1 (low confidence) to 10 (high confidence). | 5 | 2013-V1 |
| SensitiveInformationCount | int | Edm.Int64 | [In/Out] The number of instances of sensitive information detected in the message. | 12 | 2013-V1 |
| SensitiveInformationType | string | None specified | Text string indicating the type of sensitive information detected in the message. These values are defined in the DLP policy rule. | Credit Card, SSN, EIN | 2013-V1 |
| StartDate | System.DateTime | Edm.DateTime | [In] This field is used to limit the report period. Use this field in a $filter query option to set the start date and time of the reporting period. If you provide a StartDate in the $filter option, you must also specify an EndDate. | Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM") | 2013-V1 |
| Subject | string | None specified | [In/Out] The subject line of the message, if one was present on the message. | Free M0ney WoN! | 2013-V1 |
| TransportRule | string | None specified | The name of the Exchange transport rule executed in the processing step. For information about valid TransportRule values, see MailFilterList report. | PII Detection | 2013-V1 |
| UserAction | string | None specified | The action the moderator or administrator performed on the message. | Override, False Positive | 2013-V1 |

*WCF Type refers to the .NET Framework data type assigned to the field when you create a Windows Communications Framework (WCF) Service Reference in Visual Studio. The EDM Type refers to the ADO.NET Entity Data Model (EDM) types returned in Atom-formatted reports.

**[In/Out]: see the Input parameters and report output columns section.

Remarks

Each entry in the report includes several fields of metadata. For more information, see Common metadata returned by the Office 365 Reporting web service.

The Date field indicates when the message was handled by the Office 365 system, and is reported in the time zone of those servers.

Using StartDate and EndDate

The StartDate and EndDate fields do not provide useful information in the report results, and are always set to 0001-01-01T00:00:00Z in the report output. They are intended to enable easy restriction of the reporting time window, and provide finer precision than would be available in a "daily" report.

This can be especially helpful, for example, when recording email DLP policy and rule processing activity on an hourly basis. When using these fields, you must include both StartDate and EndDate fields in the $filter option. They are both considered optional, but if you provide one, you have to provide the other. If the StartDate/EndDate pair is not provided in the query, the default reporting time period is the previous two weeks.
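The pairing rule and hourly windows described above, as an added example (not code from the original page or from Microsoft): a small URI builder that refuses a lone StartDate or EndDate, checks $select against the field names in the table, and percent-encodes filter values. The function names are hypothetical, and the OData 2 `datetime'...'` literal with the `eq` operator is assumed to be the form the service accepts.

```python
from datetime import timedelta
from urllib.parse import quote

BASE = ("https://reports.office365.com/ecp/reportingwebservice/"
        "reporting.svc/MailDetailDlpPolicy")
IN_ONLY = {"StartDate", "EndDate"}  # [In] fields: filter only
FIELDS = IN_ONLY | set(  # names copied from the fields table on this page
    "Action Date Direction DlpPolicy Domain EventType Justification MessageId "
    "MessageSize MessageTraceId Organization RecipientAddress SenderAddress "
    "SensitiveInformationConfidence SensitiveInformationCount "
    "SensitiveInformationType Subject TransportRule UserAction".split())

def odata_datetime(dt):
    # OData 2 datetime literal (assumed to be the form the service accepts)
    return "datetime'%s'" % dt.strftime("%Y-%m-%dT%H:%M:%S")

def odata_string(value):
    # OData string literal: single-quoted, embedded quotes doubled
    return "'%s'" % value.replace("'", "''")

def build_uri(select=(), start=None, end=None, direction=None, dlp_policy=None):
    if (start is None) != (end is None):
        raise ValueError("StartDate and EndDate must be supplied together")
    if start is not None and start >= end:
        raise ValueError("StartDate must precede EndDate")
    unknown = set(select) - FIELDS
    if unknown:
        raise ValueError("unknown field(s): %s" % sorted(unknown))
    if set(select) & IN_ONLY:  # the service allows this; rejected here as useless
        raise ValueError("[In] fields return no useful data in $select")
    if direction not in (None, "Inbound", "Outbound"):
        raise ValueError("Direction is restricted to Inbound and Outbound")
    clauses = []
    if start is not None:
        clauses += ["StartDate eq " + odata_datetime(start),
                    "EndDate eq " + odata_datetime(end)]
    if direction:
        clauses.append("Direction eq " + odata_string(direction))
    if dlp_policy:
        clauses.append("DlpPolicy eq " + odata_string(dlp_policy))
    params = ["$select=" + ",".join(select)] if select else []
    if clauses:  # percent-encode so '&', '#', spaces cannot split the query
        params.append("$filter=" + quote(" and ".join(clauses), safe="'"))
    return BASE + ("?" + "&".join(params) if params else "")

def hourly_windows(day_start, hours=24):
    # Consecutive one-hour (StartDate, EndDate) pairs for hourly collection
    return [(day_start + timedelta(hours=h), day_start + timedelta(hours=h + 1))
            for h in range(hours)]
```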

Examples

No examples are provided for this report at this time.

Input parameters and report output columns

The [In/Out] indicators in the fields table have the following meanings:

  • Fields marked [In] in the fields table are primarily intended for use in $filter=, $orderby= and other query options that restrict which entries the report returns. Fields marked [In] in the fields table can be included in the $select= option, and they will appear in the report entries, but they will contain no useful data.

  • Fields marked [In/Out] in the fields table can be used in both column selection ($select=) and entry restriction ($filter= and $orderby=) options. When you include one of these fields in the $select= option, they will appear in the report entries, and will contain useful data when it is available.

Compatibility

The MailDetailDlpPolicy report was introduced in Office 365 service version 2013-V1. For more information about versioning, see Versioning in the Office 365 Reporting web service.

Corresponding PowerShell cmdlets

The MailDetailDlpPolicy report returns the same information as the Get-MailDetailDlpPolicyReport Windows PowerShell cmdlet.

Permissions

The account you access the reports from must have administrative permissions in that Office 365 organization. If the account can view this report in the Office 365 control panel, then the account has permissions to retrieve the data from the REST web service. This report requires the user to be assigned to the View-Only Recipients Role. In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator.

Data granularity, persistence, and availability

Information available in this report contains the exact date and time for each event. You can use any feasible time-period and duration by including the StartDate and EndDate fields in the $filter option. Times are reported in the time zone of the server scanning the email.

The information for this report is available for a period of 7 days, or until the subscription is cancelled.

Events may be delayed by up to 24 hours before they appear in a report.