MailDetailMalware report

The MailDetailMalware REST URI provides details about the processing steps taken on email messages identified as containing malware while the message was being processed. The start and end date/time of the report can be specified in the request.

Applies to: Office 365

In this article
REST URI
Fields
Remarks
Examples
Input parameters and report output columns
Compatibility
Corresponding PowerShell cmdlets
Permissions
Data granularity, persistence and availability

REST URI

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware[?ODATA options]

Fields

The following fields can be specified in $select, $filter and $orderby ODATA2 query options. All fields are returned if no $select option is provided.

Each field is listed with its name, WCF Type*, EDM Type*, [In/Out]** description, example values, and the service version in which it was added.

Action
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] Description of the action taken on the message, if any. This field may be blank, or null if no action was performed. For information about valid Action values, see MailFilterList report.
  Example values: SetSpamConfidenceLevel, RejectMessage
  Added in service version: 2013-V1

Date
  WCF Type: System.DateTime
  EDM Type: Edm.DateTime
  Description: [In/Out] The date and time the message was detected as containing malware.
  Example values: Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")
  Added in service version: 2013-V1

Direction
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] Specifies whether the email message was being sent into (Inbound) or out from (Outbound) the organization when it was detected as containing malware.
  Example values: Values are restricted to Inbound and Outbound.
  Added in service version: 2013-V1

Domain
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The fully qualified domain name that was processing the email message.
  Example values: example.onmicrosoft.com
  Added in service version: 2013-V1

EndDate
  WCF Type: System.DateTime
  EDM Type: Edm.DateTime
  Description: [In] This field is used to limit the report period. Use this field in a $filter query option to set the end date and time of the reporting period. If you supply EndDate in the $filter option, you must also supply StartDate.
  Example values: Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")
  Added in service version: 2013-V1

EventType
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The type of scanning event logged. For information about valid EventType values, see MailFilterList report.
  Example values: SpamContentFiltered, SpamIPBlock
  Added in service version: 2013-V1

FileName
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The file name of the attachment that was determined to carry the malware.
  Example values: MalwareFileName.ext
  Added in service version: 2013-V1

Index
  WCF Type: int
  EDM Type: Edm.Int64
  Description: [In/Out] Multiple actions can be performed on a single message. This value indicates the order in which malware-processing rules were applied to the message. When used in a $filter= option, the eq operand is not allowed.
  Example values: 4
  Added in service version: 2013-V1

MalwareName
  WCF Type: string
  EDM Type: None specified
  Description: The industry-standard name of the detected malware file.
  Example values: SQL Slammer
  Added in service version: 2013-V1

MessageId
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The Internet MessageID header of the message, if one was supplied. This value can also be explicitly null.
  Example values: If no ID was provided for the message, the report data will show <d:MessageId m:null="true" /> for Atom, and "MessageId":null for JSON.
  Added in service version: 2013-V1

MessageSize
  WCF Type: int
  EDM Type: Edm.Int64
  Description: [In/Out] The message size in bytes.
  Example values: 130840
  Added in service version: 2013-V1

MessageTraceId
  WCF Type: System.Guid
  EDM Type: Edm.Guid
  Description: [In/Out] An identifier used to get the detailed message transfer trace information. The internal format of the MessageTraceId field should be considered opaque, as the format may change. For more information about message tracing, see MessageTrace report.
  Example values: ae4ad8f6-7613-411c-e67e-08cfc740629
  Added in service version: 2013-V1

Organization
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The fully qualified domain name that was processing the email message.
  Example values: example.onmicrosoft.com
  Added in service version: 2013-V1

RecipientAddress
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The SMTP email address of the user that the message was addressed to.
  Example values: userone@example.onmicrosoft.com
  Added in service version: 2013-V1

SenderAddress
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The SMTP email address of the user the message was purportedly from. Because sender addresses are commonly spoofed in malware email messages, they are not considered completely reliable.
  Example values: usertwo@example.onmicrosoft.com
  Added in service version: 2013-V1

StartDate
  WCF Type: System.DateTime
  EDM Type: Edm.DateTime
  Description: [In] This field is used to limit the report period. Use this field in a $filter query option to set the start date and time of the reporting period. If you provide a StartDate in the $filter option, you must also specify an EndDate.
  Example values: Short Date (for example, 03/10/2013) or Date Time with quotes (for example, "03/10/2013 4:55 PM")
  Added in service version: 2013-V1

Subject
  WCF Type: string
  EDM Type: None specified
  Description: [In/Out] The subject line of the message, if one was present on the message.
  Example values: Free M0ney WoN!
  Added in service version: 2013-V1

*WCF Type refers to the .NET Framework data type assigned to the field when you create a Windows Communications Framework (WCF) Service Reference in Visual Studio. The EDM Type refers to the ADO.NET Entity Data Model (EDM) types returned in Atom-formatted reports.

**[In/Out]: see the Input parameters and report output columns section.

Remarks

Each entry in the report includes several fields of metadata. For more information, see Common metadata returned by the Office 365 Reporting web service.

The Date field indicates when the message was handled by the Office 365 system, and is reported in the time zone of those servers.

Using StartDate and EndDate

The StartDate and EndDate fields do not provide useful information in the report results, and are always set to 0001-01-01T00:00:00Z in the report output. They are intended to enable easy restriction of the reporting time window, and provide finer precision than would be available in a "daily" report.

This can be especially helpful, for example, when recording email-based denial-of-service attacks on an hourly basis. When using these fields, you must include both the StartDate and EndDate fields in the $filter option. They are both considered optional, but if you provide one, you have to provide the other. If the StartDate/EndDate pair is not provided in the query, the default reporting time period is the previous two weeks. The Examples section below shows how to use the StartDate and EndDate fields.

Examples

The following example MailDetailMalware REST URL requests information about malware that was detected between September 1, 2012 and January 1, 2013, sorted by the MalwareName field, in Atom XML format. In this instance, the report indicates that no malware was detected during that period for the organization, indicated by there being no entry elements in the feed element.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware?
    $select=Action,Date,Direction,FileName,MalwareName&
    $filter=StartDate%20eq%20datetime'2012-09-01T00:00:00Z'%20and%20EndDate%20eq%20datetime'2013-01-01T00:00:00Z'%20&
    $orderby=MalwareName&
    $format=Atom

<?xml version="1.0" encoding="utf-8"?>
<feed xml:base="https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/" 
    xmlns="http://www.w3.org/2005/Atom" 
    xmlns:d="https://schemas.microsoft.com/ado/2007/08/dataservices"
    xmlns:m="https://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <id>https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware</id>
  <title type="text">MailDetailMalware</title>
  <updated>2013-02-08T07:31:25Z</updated>
  <link rel="self" title="MailDetailMalware" href="MailDetailMalware" />
  <author>
    <name />
  </author>
</feed>
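The query construction described under "Using StartDate and EndDate" and the Atom response shown above, as an added example that is not part of Microsoft's documentation or code: the builder refuses a lone StartDate or EndDate before the request is sent, and the parser treats an entry-less feed as "nothing detected" and maps <d:MessageId m:null="true" /> to None. The report URI, field names and namespaces are taken from this page; SAMPLE_FEED is constructed here for offline use and is not real report output.

```python
# Added example (not Microsoft's code): builds a MailDetailMalware query URL that
# enforces the StartDate/EndDate pairing rule, and parses the Atom feed the service
# returns. SAMPLE_FEED is constructed here for offline use, not real report output.
from datetime import datetime
from urllib.parse import quote
import xml.etree.ElementTree as ET
BASE = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware"
NS = {"a": "http://www.w3.org/2005/Atom",
      "d": "https://schemas.microsoft.com/ado/2007/08/dataservices",
      "m": "https://schemas.microsoft.com/ado/2007/08/dataservices/metadata"}

def build_url(start=None, end=None, select=(), orderby="Date", fmt="Atom"):
    """start/end are UTC timestamps 'YYYY-MM-DDTHH:MM:SSZ'. Both are optional, but
    the service rejects a query that supplies only one, so fail early here."""
    if (start is None) != (end is None):
        raise ValueError("StartDate and EndDate must be supplied together")
    opts = []
    if select:
        opts.append("$select=" + ",".join(select))
    if start is not None:
        for ts in (start, end):          # reject malformed timestamps before sending
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flt = "StartDate eq datetime'%s' and EndDate eq datetime'%s'" % (start, end)
        opts.append("$filter=" + quote(flt, safe="':"))   # spaces become %20
    opts += ["$orderby=" + orderby, "$format=" + fmt]
    return BASE + "?" + "&".join(opts)

def parse_feed(atom_xml):
    """One dict per <entry>. An empty feed (no entries) means nothing was detected
    in the window; a <d:MessageId m:null="true"/> element is returned as None."""
    rows = []
    for props in ET.fromstring(atom_xml).iterfind("a:entry/a:content/m:properties", NS):
        row = {}
        for elem in props:
            name = elem.tag.split("}", 1)[1]                 # strip the d: namespace
            null = elem.get("{%s}null" % NS["m"]) == "true"
            row[name] = None if null else elem.text
        rows.append(row)
    return rows

SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:d="https://schemas.microsoft.com/ado/2007/08/dataservices"
      xmlns:m="https://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <entry><content type="application/xml"><m:properties>
    <d:Date>2013-02-08T07:31:25Z</d:Date><d:Direction>Inbound</d:Direction>
    <d:FileName>MalwareFileName.ext</d:FileName><d:MalwareName>SQL Slammer</d:MalwareName>
    <d:MessageId m:null="true" /><d:MessageSize>130840</d:MessageSize>
  </m:properties></content></entry>
</feed>"""
```

Field values come back as strings (or None), so convert MessageSize and Date yourself before aggregating detections per MalwareName or per RecipientAddress.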

Input parameters and report output columns

The [In/Out] indicators in the fields table have the following meanings:

  • Fields marked [In] in the fields table are primarily intended for use in $filter=, $orderby= and other query options that restrict which entries the report returns. Fields marked [In] in the fields table can be included in the $select= option, and they will appear in the report entries, but they will contain no useful data.

  • Fields marked [In/Out] in the fields table can be used in both column selection ($select=) and entry restriction ($filter= and $orderby=) options. When you include one of these fields in the $select= option, they will appear in the report entries, and will contain useful data when it is available.

Compatibility

The MailDetailMalware report was introduced in Office 365 service version 2013-V1. For more information about versioning, see Versioning in the Office 365 Reporting web service.

Corresponding PowerShell cmdlets

The MailDetailMalware report returns the same information as the Get-MailDetailMalwareReport Windows PowerShell cmdlet.

Permissions

The account you access the reports from must have administrative permissions in that Office 365 organization. If the account can view this report in the Office 365 control panel, then the account has permissions to retrieve the data from the REST web service. This report requires the user to be assigned to the View-Only Recipients Role. In the default Office 365 permissions structure, users with the following administrator permissions can access this report: billing administrator, global administrator, password administrator, service administrator, and user management administrator.

Data granularity, persistence and availability

Information available in this report contains the exact date and time for each event. You can request any time period and duration by including the StartDate and EndDate fields in the $filter option. Times are reported in the time zone of the server scanning the email message.

The information for this report is available for a period of 7 days, or until the subscription is cancelled.

Events may be delayed by up to 24 hours before they appear in a report.